syzbot


WARNING: held lock freed in l2cap_conn_del

Status: upstream: reported C repro on 2022/09/24 03:07
Reported-by: syzbot+1d8ec443b7c1a10628fd@syzkaller.appspotmail.com
First crash: 825d, last: 676d
Similar bugs (1)
Kernel | Title | Repro | Cause bisect | Fix bisect | Count | Last | Reported | Patched | Status
upstream | WARNING: held lock freed in l2cap_conn_del [bluetooth] | C | done | error | 13 | 793d | 825d | 0/28 | auto-obsoleted due to no activity on 2023/04/13 19:20
Fix bisection attempts (3)
Created | Duration | User | Patch | Repo | Result
2023/02/19 22:39 | 29m | bisect | fix | linux-4.14.y | OK (0)
2023/01/20 15:55 | 22m | bisect | fix | linux-4.14.y | OK (0)
2022/10/28 15:00 | 25m | bisect | fix | linux-4.14.y | OK (0)

Sample crash report:
IPVS: ftp: loaded support on port[0] = 21
Bluetooth: hci0 hardware error 0xff
=========================
WARNING: held lock freed!
4.14.294-syzkaller #0 Not tainted
-------------------------
kworker/u5:2/7972 is freeing memory ffff888095be1500-ffff888095be1cff, with a lock still held there!
 (&chan->lock/1){+.+.}, at: [<ffffffff866a1f93>] l2cap_chan_lock include/net/bluetooth/l2cap.h:806 [inline]
 (&chan->lock/1){+.+.}, at: [<ffffffff866a1f93>] l2cap_conn_del+0x363/0x690 net/bluetooth/l2cap_core.c:1754
7 locks held by kworker/u5:2/7972:
 #0:  ("%s"hdev->name){+.+.}, at: [<ffffffff81364eb0>] process_one_work+0x6b0/0x14a0 kernel/workqueue.c:2088
 #1:  ((&hdev->error_reset)){+.+.}, at: [<ffffffff81364ee6>] process_one_work+0x6e6/0x14a0 kernel/workqueue.c:2092
 #2:  (&hdev->req_lock){+.+.}, at: [<ffffffff86616978>] hci_dev_do_close+0xa8/0xd80 net/bluetooth/hci_core.c:1589
 #3:  (&hdev->lock){+.+.}, at: [<ffffffff86616b34>] hci_dev_do_close+0x264/0xd80 net/bluetooth/hci_core.c:1628
 #4:  (hci_cb_list_lock){+.+.}, at: [<ffffffff8662c34a>] hci_disconn_cfm include/net/bluetooth/hci_core.h:1228 [inline]
 #4:  (hci_cb_list_lock){+.+.}, at: [<ffffffff8662c34a>] hci_conn_hash_flush+0xda/0x260 net/bluetooth/hci_conn.c:1393
 #5:  (&conn->chan_lock){+.+.}, at: [<ffffffff866a1eda>] l2cap_conn_del+0x2aa/0x690 net/bluetooth/l2cap_core.c:1749
 #6:  (&chan->lock/1){+.+.}, at: [<ffffffff866a1f93>] l2cap_chan_lock include/net/bluetooth/l2cap.h:806 [inline]
 #6:  (&chan->lock/1){+.+.}, at: [<ffffffff866a1f93>] l2cap_conn_del+0x363/0x690 net/bluetooth/l2cap_core.c:1754

stack backtrace:
CPU: 0 PID: 7972 Comm: kworker/u5:2 Not tainted 4.14.294-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/26/2022
Workqueue: hci0 hci_error_reset
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x1b2/0x281 lib/dump_stack.c:58
 print_freed_lock_bug kernel/locking/lockdep.c:4463 [inline]
 debug_check_no_locks_freed.cold+0x9c/0xa8 kernel/locking/lockdep.c:4496
 kfree+0xac/0x250 mm/slab.c:3812
 l2cap_chan_destroy net/bluetooth/l2cap_core.c:497 [inline]
 kref_put include/linux/kref.h:70 [inline]
 l2cap_chan_put+0x1c2/0x250 net/bluetooth/l2cap_core.c:521
 l2cap_conn_del+0x3aa/0x690 net/bluetooth/l2cap_core.c:1758
 l2cap_disconn_cfm net/bluetooth/l2cap_core.c:7479 [inline]
 l2cap_disconn_cfm+0x7c/0xb0 net/bluetooth/l2cap_core.c:7472
 hci_disconn_cfm include/net/bluetooth/hci_core.h:1231 [inline]
 hci_conn_hash_flush+0x127/0x260 net/bluetooth/hci_conn.c:1393
 hci_dev_do_close+0x57d/0xd80 net/bluetooth/hci_core.c:1641
 hci_error_reset+0xa3/0x120 net/bluetooth/hci_core.c:2177
 process_one_work+0x793/0x14a0 kernel/workqueue.c:2117
 worker_thread+0x5cc/0xff0 kernel/workqueue.c:2251
 kthread+0x30d/0x420 kernel/kthread.c:232
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:404
==================================================================
BUG: KASAN: use-after-free in __read_once_size include/linux/compiler.h:185 [inline]
BUG: KASAN: use-after-free in atomic64_read arch/x86/include/asm/atomic64_64.h:22 [inline]
BUG: KASAN: use-after-free in atomic_long_read include/asm-generic/atomic-long.h:45 [inline]
BUG: KASAN: use-after-free in __mutex_unlock_slowpath+0x5bd/0x770 kernel/locking/mutex.c:1027
Read of size 8 at addr ffff888095be1988 by task kworker/u5:2/7972

CPU: 0 PID: 7972 Comm: kworker/u5:2 Not tainted 4.14.294-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/26/2022
Workqueue: hci0 hci_error_reset
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x1b2/0x281 lib/dump_stack.c:58
 print_address_description.cold+0x54/0x1d3 mm/kasan/report.c:252
 kasan_report_error.cold+0x8a/0x191 mm/kasan/report.c:351
 kasan_report mm/kasan/report.c:409 [inline]
 __asan_report_load8_noabort+0x68/0x70 mm/kasan/report.c:430
 __read_once_size include/linux/compiler.h:185 [inline]
 atomic64_read arch/x86/include/asm/atomic64_64.h:22 [inline]
 atomic_long_read include/asm-generic/atomic-long.h:45 [inline]
 __mutex_unlock_slowpath+0x5bd/0x770 kernel/locking/mutex.c:1027
 l2cap_chan_unlock include/net/bluetooth/l2cap.h:811 [inline]
 l2cap_conn_del+0x3b2/0x690 net/bluetooth/l2cap_core.c:1760
 l2cap_disconn_cfm net/bluetooth/l2cap_core.c:7479 [inline]
 l2cap_disconn_cfm+0x7c/0xb0 net/bluetooth/l2cap_core.c:7472
 hci_disconn_cfm include/net/bluetooth/hci_core.h:1231 [inline]
 hci_conn_hash_flush+0x127/0x260 net/bluetooth/hci_conn.c:1393
 hci_dev_do_close+0x57d/0xd80 net/bluetooth/hci_core.c:1641
 hci_error_reset+0xa3/0x120 net/bluetooth/hci_core.c:2177
 process_one_work+0x793/0x14a0 kernel/workqueue.c:2117
 worker_thread+0x5cc/0xff0 kernel/workqueue.c:2251
 kthread+0x30d/0x420 kernel/kthread.c:232
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:404

Allocated by task 7972:
 save_stack mm/kasan/kasan.c:447 [inline]
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_kmalloc+0xeb/0x160 mm/kasan/kasan.c:551
 kmem_cache_alloc_trace+0x131/0x3d0 mm/slab.c:3618
 kmalloc include/linux/slab.h:488 [inline]
 kzalloc include/linux/slab.h:661 [inline]
 l2cap_chan_create+0x3e/0x580 net/bluetooth/l2cap_core.c:457
 a2mp_chan_open net/bluetooth/a2mp.c:778 [inline]
 amp_mgr_create+0x94/0x930 net/bluetooth/a2mp.c:869
 a2mp_channel_create+0x6e/0x140 net/bluetooth/a2mp.c:901
 l2cap_data_channel net/bluetooth/l2cap_core.c:6921 [inline]
 l2cap_recv_frame+0x43e2/0x93d0 net/bluetooth/l2cap_core.c:7075
 l2cap_recv_acldata+0x8f9/0xa30 net/bluetooth/l2cap_core.c:7632
 hci_acldata_packet net/bluetooth/hci_core.c:4088 [inline]
 hci_rx_work+0x403/0xb40 net/bluetooth/hci_core.c:4271
 process_one_work+0x793/0x14a0 kernel/workqueue.c:2117
 worker_thread+0x5cc/0xff0 kernel/workqueue.c:2251
 kthread+0x30d/0x420 kernel/kthread.c:232
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:404

Freed by task 7972:
 save_stack mm/kasan/kasan.c:447 [inline]
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_slab_free+0xc3/0x1a0 mm/kasan/kasan.c:524
 __cache_free mm/slab.c:3496 [inline]
 kfree+0xc9/0x250 mm/slab.c:3815
 l2cap_chan_destroy net/bluetooth/l2cap_core.c:497 [inline]
 kref_put include/linux/kref.h:70 [inline]
 l2cap_chan_put+0x1c2/0x250 net/bluetooth/l2cap_core.c:521
 l2cap_conn_del+0x3aa/0x690 net/bluetooth/l2cap_core.c:1758
 l2cap_disconn_cfm net/bluetooth/l2cap_core.c:7479 [inline]
 l2cap_disconn_cfm+0x7c/0xb0 net/bluetooth/l2cap_core.c:7472
 hci_disconn_cfm include/net/bluetooth/hci_core.h:1231 [inline]
 hci_conn_hash_flush+0x127/0x260 net/bluetooth/hci_conn.c:1393
 hci_dev_do_close+0x57d/0xd80 net/bluetooth/hci_core.c:1641
 hci_error_reset+0xa3/0x120 net/bluetooth/hci_core.c:2177
 process_one_work+0x793/0x14a0 kernel/workqueue.c:2117
 worker_thread+0x5cc/0xff0 kernel/workqueue.c:2251
 kthread+0x30d/0x420 kernel/kthread.c:232
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:404

The buggy address belongs to the object at ffff888095be1500
 which belongs to the cache kmalloc-2048 of size 2048
The buggy address is located 1160 bytes inside of
 2048-byte region [ffff888095be1500, ffff888095be1d00)
The buggy address belongs to the page:
page:ffffea000256f800 count:1 mapcount:0 mapping:ffff888095be0400 index:0x0 compound_mapcount: 0
flags: 0xfff00000008100(slab|head)
raw: 00fff00000008100 ffff888095be0400 0000000000000000 0000000100000003
raw: ffffea0002d144a0 ffff88813fe64948 ffff88813fe74c40 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff888095be1880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888095be1900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888095be1980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                      ^
 ffff888095be1a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888095be1a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Crashes (1):
Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets | Manager | Title
2022/09/24 03:06 | linux-4.14.y | 4edbf74132a4 | 0042f2b4 | .config | console log | report | syz | C | | disk image, vmlinux | ci2-linux-4-14 | WARNING: held lock freed in l2cap_conn_del