syzbot


possible deadlock in mgmt_remove_adv_monitor_complete

Status: upstream: reported C repro on 2024/05/03 01:13
Subsystems: bluetooth
Reported-by: syzbot+e8651419c44dbc2b8768@syzkaller.appspotmail.com
First crash: 485d, last: 101d
Cause bisection: introduced by (bisect log) [no-op commit]:
commit a0695853e5906a9558eef9f79856e07659b7a1e6
Author: Jerome Brunet <jbrunet@baylibre.com>
Date: Wed Apr 28 12:26:31 2021 +0000

  ASoC: stm32: do not request a new clock consummer reference

Crash: invalid opcode in corrupted (log)
Repro: C syz .config
  
Fix bisection: fixed by (bisect log) :
commit e6ed54e86aae9e4f7286ce8d5c73780f91b48d1c
Author: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Date: Tue Jun 3 20:12:39 2025 +0000

  Bluetooth: MGMT: Fix UAF on mgmt_remove_adv_monitor_complete

  
Discussions (2)
Title Replies (including bot) Last reply
[syzbot] [bluetooth?] possible deadlock in mgmt_remove_adv_monitor_complete 0 (3) 2025/06/17 17:36
[syzbot] Monthly bluetooth report (Dec 2024) 0 (1) 2024/12/17 09:47
Last patch testing requests (8)
Created Duration User Patch Repo Result
2025/06/20 18:22 34m retest repro net OK log
2025/06/20 18:22 24m retest repro net OK log
2025/04/11 17:02 19m retest repro net report log
2025/04/11 17:02 18m retest repro net report log
2025/01/31 11:31 1h11m retest repro net report log
2025/01/31 11:31 24m retest repro net OK log
2025/01/31 11:31 17m retest repro net report log
2025/01/31 11:31 17m retest repro net report log
Fix bisection attempts (5)
Created Duration User Patch Repo Result
2025/06/17 09:28 8h07m bisect fix net OK (1) job log
2025/05/18 01:59 2h40m bisect fix net OK (0) job log log
2025/04/17 14:17 2h49m bisect fix net OK (0) job log log
2025/03/18 07:06 2h02m bisect fix net OK (0) job log log
2025/02/16 03:35 2h28m bisect fix net OK (0) job log log

Sample crash report:
============================================
WARNING: possible recursive locking detected
6.13.0-rc3-syzkaller-00301-gbcde95ce32b6 #0 Not tainted
--------------------------------------------
syz.4.423/7568 is trying to acquire lock:
ffff888068c48078 (&hdev->lock){+.+.}-{4:4}, at: mgmt_remove_adv_monitor_complete+0x9e/0x2e0 net/bluetooth/mgmt.c:5524

but task is already holding lock:
ffff888068c48078 (&hdev->lock){+.+.}-{4:4}, at: hci_dev_close_sync+0x3ab/0x11a0 net/bluetooth/hci_sync.c:5200

other info that might help us debug this:
 Possible unsafe locking scenario:

       CPU0
       ----
  lock(&hdev->lock);
  lock(&hdev->lock);

 *** DEADLOCK ***

 May be due to missing lock nesting notation

3 locks held by syz.4.423/7568:
 #0: ffff888068c48d80 (&hdev->req_lock){+.+.}-{4:4}, at: hci_dev_do_close+0x26/0x90 net/bluetooth/hci_core.c:480
 #1: ffff888068c48078 (&hdev->lock){+.+.}-{4:4}, at: hci_dev_close_sync+0x3ab/0x11a0 net/bluetooth/hci_sync.c:5200
 #2: ffff888068c48690 (&hdev->cmd_sync_work_lock){+.+.}-{4:4}, at: hci_cmd_sync_dequeue+0x50/0x1f0 net/bluetooth/hci_sync.c:887

stack backtrace:
CPU: 1 UID: 0 PID: 7568 Comm: syz.4.423 Not tainted 6.13.0-rc3-syzkaller-00301-gbcde95ce32b6 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
 print_deadlock_bug+0x2e3/0x410 kernel/locking/lockdep.c:3037
 check_deadlock kernel/locking/lockdep.c:3089 [inline]
 validate_chain kernel/locking/lockdep.c:3891 [inline]
 __lock_acquire+0x2117/0x3c40 kernel/locking/lockdep.c:5226
 lock_acquire.part.0+0x11b/0x380 kernel/locking/lockdep.c:5849
 __mutex_lock_common kernel/locking/mutex.c:585 [inline]
 __mutex_lock+0x19b/0xa60 kernel/locking/mutex.c:735
 mgmt_remove_adv_monitor_complete+0x9e/0x2e0 net/bluetooth/mgmt.c:5524
 _hci_cmd_sync_cancel_entry.constprop.0+0x6c/0x1d0 net/bluetooth/hci_sync.c:645
 hci_cmd_sync_dequeue+0x178/0x1f0 net/bluetooth/hci_sync.c:890
 cmd_complete_rsp+0x46/0x1e0 net/bluetooth/mgmt.c:1469
 mgmt_pending_foreach+0xdf/0x140 net/bluetooth/mgmt_util.c:259
 __mgmt_power_off+0x12a/0x2c0 net/bluetooth/mgmt.c:9550
 hci_dev_close_sync+0xcbb/0x11a0 net/bluetooth/hci_sync.c:5208
 hci_dev_do_close+0x2e/0x90 net/bluetooth/hci_core.c:482
 hci_dev_close+0x183/0x1e0 net/bluetooth/hci_core.c:507
 hci_sock_ioctl+0x2b5/0x7d0 net/bluetooth/hci_sock.c:1128
 sock_do_ioctl+0x116/0x280 net/socket.c:1209
 sock_ioctl+0x228/0x6c0 net/socket.c:1328
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:906 [inline]
 __se_sys_ioctl fs/ioctl.c:892 [inline]
 __x64_sys_ioctl+0x190/0x200 fs/ioctl.c:892
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fce98985d29
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fce99732038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007fce98b75fa0 RCX: 00007fce98985d29
RDX: 0000000000000000 RSI: 00000000400448ca RDI: 000000000000000e
RBP: 00007fce98a01aa8 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007fce98b75fa0 R15: 00007ffefc6c2228
 </TASK>
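Reading the trace bottom-up: hci_dev_close_sync takes hdev->lock (hci_sync.c:5200) and, still holding it, walks the pending mgmt commands (__mgmt_power_off -> mgmt_pending_foreach -> cmd_complete_rsp -> hci_cmd_sync_dequeue -> _hci_cmd_sync_cancel_entry). The cancelled entry's completion, mgmt_remove_adv_monitor_complete, then takes hdev->lock again (mgmt.c:5524). Kernel mutexes are not recursive, so the same task would block on itself; lockdep reports it as recursive locking. The "may be due to missing lock nesting notation" hint is lockdep's usual caveat for a false positive caused by two different instances of the same lock class, but here both acquisitions show the same address (ffff888068c48078), so it is a genuine self-deadlock on one mutex. The following is an added model of that pattern, not kernel code and not the upstream fix: a tiny lockdep-style checker around a non-recursive lock, the reported close path that runs a completion callback under the lock, and one lock-safe shape (assumed for illustration) that detaches the pending entry under the lock and runs the callback after dropping it. All names other than the kernel functions they are modelled on are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Minimal lockdep-style check for a non-recursive lock: a second acquisition
 * by the holder is reported instead of hanging, as lockdep does above. */
struct lock {
    const char *name;
    int held;
    const char *held_at;   /* call site that currently holds the lock */
};

/* Returns 0 on success, -1 on an attempted recursive acquisition. */
static int lock_acquire(struct lock *l, const char *at)
{
    if (l->held) {
        printf("possible recursive locking: %s at %s, already held at %s\n",
               l->name, at, l->held_at);
        return -1;
    }
    l->held = 1;
    l->held_at = at;
    return 0;
}

static void lock_release(struct lock *l) { l->held = 0; l->held_at = NULL; }

/* Model of hdev with one queued cmd_sync entry and its completion callback. */
struct hdev;
typedef int (*complete_fn)(struct hdev *hdev);

struct hdev {
    struct lock lock;        /* models hdev->lock */
    complete_fn pending;     /* models the queued entry; NULL if none */
    int monitor_count;
};

/* Models mgmt_remove_adv_monitor_complete: it takes hdev->lock itself. */
static int remove_adv_monitor_complete(struct hdev *hdev)
{
    if (lock_acquire(&hdev->lock, "mgmt_remove_adv_monitor_complete"))
        return -1;           /* bails out, so the monitor is never removed */
    hdev->monitor_count--;
    lock_release(&hdev->lock);
    return 0;
}

/* Reported path: hci_dev_close_sync holds hdev->lock while the cancelled
 * entry's completion runs, so the completion relocks hdev->lock. */
static int dev_close_buggy(struct hdev *hdev)
{
    int err = 0;
    lock_acquire(&hdev->lock, "hci_dev_close_sync");
    if (hdev->pending) {
        complete_fn f = hdev->pending;
        hdev->pending = NULL;
        err = f(hdev);       /* self-deadlock on a real mutex */
    }
    lock_release(&hdev->lock);
    return err;
}

/* Assumed lock-safe shape (illustration, not the upstream patch): detach the
 * entry under the lock, drop the lock, then run the completion. */
static int dev_close_fixed(struct hdev *hdev)
{
    lock_acquire(&hdev->lock, "hci_dev_close_sync");
    complete_fn f = hdev->pending;
    hdev->pending = NULL;
    lock_release(&hdev->lock);
    return f ? f(hdev) : 0;
}

/* Constructed scenario: one adv monitor, one pending remove-monitor command. */
static struct hdev make_hdev(void)
{
    struct hdev h;
    memset(&h, 0, sizeof h);
    h.lock.name = "&hdev->lock";
    h.pending = remove_adv_monitor_complete;
    h.monitor_count = 1;
    return h;
}

struct close_result { int err; int monitors_left; };

struct close_result run_buggy_close(void)
{
    struct hdev h = make_hdev();
    struct close_result r = { dev_close_buggy(&h), 0 };
    r.monitors_left = h.monitor_count;
    return r;
}

struct close_result run_fixed_close(void)
{
    struct hdev h = make_hdev();
    struct close_result r = { dev_close_fixed(&h), 0 };
    r.monitors_left = h.monitor_count;
    return r;
}

int main(void)
{
    struct close_result b = run_buggy_close();
    struct close_result f = run_fixed_close();
    printf("buggy close: err=%d, monitors left=%d\n", b.err, b.monitors_left);
    printf("fixed close: err=%d, monitors left=%d\n", f.err, f.monitors_left);
    return 0;
}
```

The checker only reports the recursion because it is single-threaded; a real mutex would block forever at the second lock_acquire, which is exactly why lockdep, not a hang, is what surfaces this class of bug in fuzzing. When triaging a report like this one, compare the two lock addresses first: identical addresses rule out the nesting-annotation false positive that the report's own caveat mentions.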

Crashes (39):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2024/12/23 10:38 upstream bcde95ce32b6 b4fbdbd4 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-selinux-root possible deadlock in mgmt_remove_adv_monitor_complete
2024/11/26 16:35 upstream 2c22dc1ee3a1 11dbc254 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-root possible deadlock in mgmt_remove_adv_monitor_complete
2024/11/19 17:04 upstream 158f238aa69d 571351cb .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-smack-root possible deadlock in mgmt_remove_adv_monitor_complete
2024/11/07 23:45 upstream ff7afaeca1a1 c069283c .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-badwrites-root possible deadlock in mgmt_remove_adv_monitor_complete
2024/10/25 08:08 upstream ae90f6a6170d c79b8ca5 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-badwrites-root possible deadlock in mgmt_remove_adv_monitor_complete
2024/10/24 22:10 upstream c2ee9f594da8 9fc8fe02 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-smack-root possible deadlock in mgmt_remove_adv_monitor_complete
2024/10/23 00:26 upstream c2ee9f594da8 9d74f456 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-smack-root possible deadlock in mgmt_remove_adv_monitor_complete
2024/10/10 14:16 upstream d3d1556696c1 8fbfc0c8 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-badwrites-root possible deadlock in mgmt_remove_adv_monitor_complete
2024/07/17 15:44 upstream 51835949dda3 03114f55 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-smack-root possible deadlock in mgmt_remove_adv_monitor_complete
2025/01/17 01:31 upstream ce69b4019001 f9e07a6e .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream possible deadlock in mgmt_remove_adv_monitor_complete
2024/12/29 12:17 upstream 059dd502b263 d3ccff63 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream possible deadlock in mgmt_remove_adv_monitor_complete
2024/10/29 01:30 upstream e42b1a9a2557 5fe1d0f5 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream possible deadlock in mgmt_remove_adv_monitor_complete
2024/10/24 06:11 upstream c2ee9f594da8 15fa2979 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream-386 possible deadlock in mgmt_remove_adv_monitor_complete
2024/04/29 01:09 upstream 245c8e81741b 07b455f9 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream-386 possible deadlock in mgmt_remove_adv_monitor_complete
2024/12/13 21:18 net 150b567e0d57 7cbfbb3a .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-this-kasan-gce possible deadlock in mgmt_remove_adv_monitor_complete
2024/12/08 08:50 net 4c49f38e20a5 9ac0fdc6 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-this-kasan-gce possible deadlock in mgmt_remove_adv_monitor_complete
2024/12/08 08:05 net 4c49f38e20a5 9ac0fdc6 .config strace log report syz / log C [disk image] [vmlinux] [kernel image] ci-upstream-net-this-kasan-gce possible deadlock in mgmt_remove_adv_monitor_complete
2024/12/06 19:05 net 11776cff0b56 9ac0fdc6 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-this-kasan-gce possible deadlock in mgmt_remove_adv_monitor_complete
2024/12/06 19:01 net 11776cff0b56 9ac0fdc6 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-this-kasan-gce possible deadlock in mgmt_remove_adv_monitor_complete
2024/12/06 12:53 net 896d8946da97 946d28f0 .config console log report syz / log C [disk image] [vmlinux] [kernel image] ci-upstream-net-this-kasan-gce possible deadlock in mgmt_remove_adv_monitor_complete
2024/12/05 20:57 net 31f1b55d5d7e 6e50d07b .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-this-kasan-gce possible deadlock in mgmt_remove_adv_monitor_complete
2024/12/04 16:04 net 5eb7de8cd58e b50eb251 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-this-kasan-gce possible deadlock in mgmt_remove_adv_monitor_complete
2024/12/04 14:38 net af8edaeddbc5 b50eb251 .config console log report syz / log C [disk image] [vmlinux] [kernel image] ci-upstream-net-this-kasan-gce possible deadlock in mgmt_remove_adv_monitor_complete
2024/12/02 20:45 net 28866d6e84b8 bb326ffb .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-this-kasan-gce possible deadlock in mgmt_remove_adv_monitor_complete
2024/12/01 19:34 net c44daa7e3c73 68914665 .config strace log report syz / log C [disk image] [vmlinux] [kernel image] ci-upstream-net-this-kasan-gce possible deadlock in mgmt_remove_adv_monitor_complete
2024/11/28 06:05 net 5dfd7d940094 5df23865 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-this-kasan-gce possible deadlock in mgmt_remove_adv_monitor_complete
2024/10/24 21:56 net 9efc44fb2dba 9fc8fe02 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-this-kasan-gce possible deadlock in mgmt_remove_adv_monitor_complete
2024/10/20 05:04 net 07d6bf634bc8 cd6fc0a3 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-this-kasan-gce possible deadlock in mgmt_remove_adv_monitor_complete
2024/10/13 01:12 net 174714f0e505 084d8178 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-this-kasan-gce possible deadlock in mgmt_remove_adv_monitor_complete
2024/07/22 19:54 net d7e78951a8b8 f063dfd9 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-this-kasan-gce possible deadlock in mgmt_remove_adv_monitor_complete
2025/01/05 22:11 net-next 3e5908172c05 f3558dbf .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-kasan-gce possible deadlock in mgmt_remove_adv_monitor_complete
2025/01/04 19:59 net-next 356939999438 f3558dbf .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-kasan-gce possible deadlock in mgmt_remove_adv_monitor_complete
2025/01/03 00:11 net-next 9268abe611b0 d3ccff63 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-kasan-gce possible deadlock in mgmt_remove_adv_monitor_complete
2024/12/27 17:51 net-next 9268abe611b0 d3ccff63 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-kasan-gce possible deadlock in mgmt_remove_adv_monitor_complete
2024/11/05 03:47 net-next ecf99864ea6b 509da429 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-kasan-gce possible deadlock in mgmt_remove_adv_monitor_complete
2024/10/31 11:30 net-next d30b56c8666d fb888278 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-kasan-gce possible deadlock in mgmt_remove_adv_monitor_complete
2024/10/30 12:46 net-next 2b1d193a5a57 66aeb999 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-kasan-gce possible deadlock in mgmt_remove_adv_monitor_complete
2024/10/11 10:42 net-next 59ae83dcf102 cd942402 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-kasan-gce possible deadlock in mgmt_remove_adv_monitor_complete
2024/12/05 20:17 linux-next af2ea8ab7a54 6e50d07b .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root possible deadlock in mgmt_remove_adv_monitor_complete