KCSAN: data-race in __hci_req_sync / hci_req_sync

KCSAN: data-race in __hci_req_sync / hci_req_sync_complete
Status: moderation: reported on 2020/12/11 10:23
Reported-by: syzbot+33e805418eaf7cfaa0fd@syzkaller.appspotmail.com
First crash: 246d, last: 3d07h

Sample crash report:

==================================================================
BUG: KCSAN: data-race in __hci_req_sync / hci_req_sync_complete

write to 0xffff8880239fea78 of 4 bytes by task 2004 on cpu 0:
 hci_req_sync_complete+0x5c/0x110 net/bluetooth/hci_request.c:110
 hci_event_packet+0x3abb/0x10120 net/bluetooth/hci_event.c:6336
 hci_rx_work+0x354/0x4b0 net/bluetooth/hci_core.c:5088
 process_one_work+0x3e1/0x950 kernel/workqueue.c:2275
 worker_thread+0x616/0xa70 kernel/workqueue.c:2421
 kthread+0x20b/0x230 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294

read to 0xffff8880239fea78 of 4 bytes by task 8402 on cpu 1:
 __hci_req_sync+0x15e/0x420 net/bluetooth/hci_request.c:234
 hci_req_sync+0x71/0x90 net/bluetooth/hci_request.c:280
 hci_dev_cmd+0x244/0x590 net/bluetooth/hci_core.c:2051
 hci_sock_ioctl+0x2e4/0x630 net/bluetooth/hci_sock.c:1052
 sock_do_ioctl+0x4d/0x210 net/socket.c:1039
 sock_ioctl+0x321/0x510 net/socket.c:1179
 vfs_ioctl fs/ioctl.c:48 [inline]
 __do_sys_ioctl fs/ioctl.c:753 [inline]
 __se_sys_ioctl+0xcb/0x140 fs/ioctl.c:739
 __x64_sys_ioctl+0x3f/0x50 fs/ioctl.c:739
 do_syscall_64+0x39/0x80 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xae

Reported by Kernel Concurrency Sanitizer on:
CPU: 1 PID: 8402 Comm: syz-executor.2 Not tainted 5.12.0-rc6-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
==================================================================
IPVS: ftp: loaded support on port[0] = 21
chnl_net:caif_netlink_parms(): no params data found
bridge0: port 1(bridge_slave_0) entered blocking state
bridge0: port 1(bridge_slave_0) entered disabled state
device bridge_slave_0 entered promiscuous mode
bridge0: port 2(bridge_slave_1) entered blocking state
bridge0: port 2(bridge_slave_1) entered disabled state
device bridge_slave_1 entered promiscuous mode
bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
team0: Port device team_slave_0 added
team0: Port device team_slave_1 added
batman_adv: batadv0: Adding interface: batadv_slave_0
batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
batman_adv: batadv0: Adding interface: batadv_slave_1
batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
device hsr_slave_0 entered promiscuous mode
device hsr_slave_1 entered promiscuous mode
debugfs: Directory 'hsr0' with parent 'hsr' already present!
Cannot create hsr debugfs directory
netdevsim netdevsim2 netdevsim0: renamed from eth0
netdevsim netdevsim2 netdevsim1: renamed from eth1
netdevsim netdevsim2 netdevsim2: renamed from eth2
netdevsim netdevsim2 netdevsim3: renamed from eth3
8021q: adding VLAN 0 to HW filter on device bond0
8021q: adding VLAN 0 to HW filter on device team0
hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
8021q: adding VLAN 0 to HW filter on device batadv0
device veth0_vlan entered promiscuous mode
device veth1_vlan entered promiscuous mode
device veth0_macvtap entered promiscuous mode
device veth1_macvtap entered promiscuous mode
batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3d) already exists on: batadv_slave_0
batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3d) already exists on: batadv_slave_0
batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
batman_adv: batadv0: Interface activated: batadv_slave_0
batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3e) already exists on: batadv_slave_1
batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3e) already exists on: batadv_slave_1
batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
batman_adv: batadv0: Interface activated: batadv_slave_1
netdevsim netdevsim2 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
netdevsim netdevsim2 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
netdevsim netdevsim2 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
netdevsim netdevsim2 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0

Crashes (23):
Manager	Time	Kernel	Commit	Syzkaller	Config	Log	Report	VM info	Title
ci2-upstream-kcsan-gce	2021/04/12 00:29	upstream	7d900724	6a81331a	.config	log	report	info	KCSAN: data-race in __hci_req_sync / hci_req_sync_complete
ci2-upstream-kcsan-gce	2021/03/31 09:29	upstream	5e46d1b7	6a81331a	.config	log	report	info	KCSAN: data-race in __hci_req_sync / hci_req_sync_complete
ci2-upstream-kcsan-gce	2021/03/05 08:00	upstream	280d542f	9d751681	.config	log	report	info	KCSAN: data-race in __hci_req_sync / hci_req_sync_complete
ci2-upstream-kcsan-gce	2021/02/18 04:15	upstream	f40ddce8	14052202	.config	log	report	info	KCSAN: data-race in __hci_req_sync / hci_req_sync_complete
ci2-upstream-kcsan-gce	2021/02/15 17:49	upstream	f40ddce8	98682e5e	.config	log	report	info	KCSAN: data-race in __hci_req_sync / hci_req_sync_complete
ci2-upstream-kcsan-gce	2021/02/12 14:01	upstream	dcc0b490	a5f86b15	.config	log	report	info	KCSAN: data-race in __hci_req_sync / hci_req_sync_complete
ci2-upstream-kcsan-gce	2021/01/29 21:26	upstream	bec4c296	fc9fd31e	.config	log	report	info	KCSAN: data-race in __hci_req_sync / hci_req_sync_complete
ci2-upstream-kcsan-gce	2021/01/25 23:01	upstream	f8ad8187	52e37319	.config	log	report	info	KCSAN: data-race in __hci_req_sync / hci_req_sync_complete
ci2-upstream-kcsan-gce	2021/01/11 23:16	upstream	7c53f6b6	2c1f2513	.config	log	report	info
ci2-upstream-kcsan-gce	2021/01/10 02:43	upstream	2ff90100	2c1f2513	.config	log	report	info
ci2-upstream-kcsan-gce	2020/12/27 13:35	upstream	f838f8d2	2242f77f	.config	log	report	info
ci2-upstream-kcsan-gce	2020/12/12 14:05	upstream	7f376f19	bca53db9	.config	log	report	info
ci2-upstream-kcsan-gce	2020/11/18 11:13	upstream	0fa8ee0d	09323409	.config	log	report	info
ci2-upstream-kcsan-gce	2020/11/14 17:04	upstream	f01c30de	1bf9a662	.config	log	report	info
ci2-upstream-kcsan-gce	2020/10/29 07:02	upstream	23859ae4	f24824d3	.config	log	report	info
ci2-upstream-kcsan-gce	2020/10/21 09:53	upstream	c4d6fe73	e761439e	.config	log	report	info
ci2-upstream-kcsan-gce	2020/10/15 04:08	upstream	3e4fb434	fc7735a2	.config	log	report	info
ci2-upstream-kcsan-gce	2020/10/09 00:04	upstream	3d006ee4	92390980	.config	log	report	info
ci2-upstream-kcsan-gce	2020/09/28 18:56	upstream	a1b8638b	6bfdbe89	.config	log	report	info
ci2-upstream-kcsan-gce	2020/09/26 11:07	upstream	7c7ec322	2d5ea0cb	.config	log	report	info
ci2-upstream-kcsan-gce	2020/09/03 06:55	upstream	fc3abb53	abf9ba4f	.config	log	report
ci2-upstream-kcsan-gce	2020/08/21 06:52	upstream	da2968ff	1d75fe45	.config	log	report
ci2-upstream-kcsan-gce	2020/08/11 19:27	upstream	00e4db51	5d3ebca9	.config	log	report