syzbot


KCSAN: data-race in __hci_req_sync / hci_req_sync_complete

Status: auto-closed as invalid on 2021/05/17 00:30
Subsystems: bluetooth
Reported-by: syzbot+33e805418eaf7cfaa0fd@syzkaller.appspotmail.com
First crash: 1315d, last: 1072d

Sample crash report:
==================================================================
BUG: KCSAN: data-race in __hci_req_sync / hci_req_sync_complete

write to 0xffff8880239fea78 of 4 bytes by task 2004 on cpu 0:
 hci_req_sync_complete+0x5c/0x110 net/bluetooth/hci_request.c:110
 hci_event_packet+0x3abb/0x10120 net/bluetooth/hci_event.c:6336
 hci_rx_work+0x354/0x4b0 net/bluetooth/hci_core.c:5088
 process_one_work+0x3e1/0x950 kernel/workqueue.c:2275
 worker_thread+0x616/0xa70 kernel/workqueue.c:2421
 kthread+0x20b/0x230 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294

read to 0xffff8880239fea78 of 4 bytes by task 8402 on cpu 1:
 __hci_req_sync+0x15e/0x420 net/bluetooth/hci_request.c:234
 hci_req_sync+0x71/0x90 net/bluetooth/hci_request.c:280
 hci_dev_cmd+0x244/0x590 net/bluetooth/hci_core.c:2051
 hci_sock_ioctl+0x2e4/0x630 net/bluetooth/hci_sock.c:1052
 sock_do_ioctl+0x4d/0x210 net/socket.c:1039
 sock_ioctl+0x321/0x510 net/socket.c:1179
 vfs_ioctl fs/ioctl.c:48 [inline]
 __do_sys_ioctl fs/ioctl.c:753 [inline]
 __se_sys_ioctl+0xcb/0x140 fs/ioctl.c:739
 __x64_sys_ioctl+0x3f/0x50 fs/ioctl.c:739
 do_syscall_64+0x39/0x80 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xae

Reported by Kernel Concurrency Sanitizer on:
CPU: 1 PID: 8402 Comm: syz-executor.2 Not tainted 5.12.0-rc6-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
==================================================================

Crashes (23):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2021/04/12 00:29 upstream 7d900724913c 6a81331a .config console log report info ci2-upstream-kcsan-gce KCSAN: data-race in __hci_req_sync / hci_req_sync_complete
2021/03/31 09:29 upstream 5e46d1b78a03 6a81331a .config console log report info ci2-upstream-kcsan-gce KCSAN: data-race in __hci_req_sync / hci_req_sync_complete
2021/03/05 08:00 upstream 280d542f6ffa 9d751681 .config console log report info ci2-upstream-kcsan-gce KCSAN: data-race in __hci_req_sync / hci_req_sync_complete
2021/02/18 04:15 upstream f40ddce88593 14052202 .config console log report info ci2-upstream-kcsan-gce KCSAN: data-race in __hci_req_sync / hci_req_sync_complete
2021/02/15 17:49 upstream f40ddce88593 98682e5e .config console log report info ci2-upstream-kcsan-gce KCSAN: data-race in __hci_req_sync / hci_req_sync_complete
2021/02/12 14:01 upstream dcc0b49040c7 a5f86b15 .config console log report info ci2-upstream-kcsan-gce KCSAN: data-race in __hci_req_sync / hci_req_sync_complete
2021/01/29 21:26 upstream bec4c2968fce fc9fd31e .config console log report info ci2-upstream-kcsan-gce KCSAN: data-race in __hci_req_sync / hci_req_sync_complete
2021/01/25 23:01 upstream f8ad8187c3b5 52e37319 .config console log report info ci2-upstream-kcsan-gce KCSAN: data-race in __hci_req_sync / hci_req_sync_complete
2021/01/11 23:16 upstream 7c53f6b671f4 2c1f2513 .config console log report info ci2-upstream-kcsan-gce
2021/01/10 02:43 upstream 2ff90100ace8 2c1f2513 .config console log report info ci2-upstream-kcsan-gce
2020/12/27 13:35 upstream f838f8d2b694 2242f77f .config console log report info ci2-upstream-kcsan-gce
2020/12/12 14:05 upstream 7f376f1917d7 bca53db9 .config console log report info ci2-upstream-kcsan-gce
2020/11/18 11:13 upstream 0fa8ee0d9ab9 09323409 .config console log report info ci2-upstream-kcsan-gce
2020/11/14 17:04 upstream f01c30de86f1 1bf9a662 .config console log report info ci2-upstream-kcsan-gce
2020/10/29 07:02 upstream 23859ae44402 f24824d3 .config console log report info ci2-upstream-kcsan-gce
2020/10/21 09:53 upstream c4d6fe731176 e761439e .config console log report info ci2-upstream-kcsan-gce
2020/10/15 04:08 upstream 3e4fb4346c78 fc7735a2 .config console log report info ci2-upstream-kcsan-gce
2020/10/09 00:04 upstream 3d006ee42dde 92390980 .config console log report info ci2-upstream-kcsan-gce
2020/09/28 18:56 upstream a1b8638ba132 6bfdbe89 .config console log report info ci2-upstream-kcsan-gce
2020/09/26 11:07 upstream 7c7ec3226f5f 2d5ea0cb .config console log report info ci2-upstream-kcsan-gce
2020/09/03 06:55 upstream fc3abb53250a abf9ba4f .config console log report ci2-upstream-kcsan-gce
2020/08/21 06:52 upstream da2968ff879b 1d75fe45 .config console log report ci2-upstream-kcsan-gce
2020/08/11 19:27 upstream 00e4db51259a 5d3ebca9 .config console log report ci2-upstream-kcsan-gce