syzbot


possible deadlock in sco_conn_del

Status: upstream: reported C repro on 2022/04/07 22:08
Reported-by: syzbot+b825d87fe2d043e3e652@syzkaller.appspotmail.com
First crash: 183d, last: 2h04m

Cause bisection: introduced by (bisect log):
commit 92b8aa6d18f7a9ae36a0f71d31742aeef201207a
Author: Ying Hsu <yinghsu@chromium.org>
Date: Sat Mar 26 07:09:28 2022 +0000

  Bluetooth: fix dangling sco_conn and use-after-free in sco_sock_timeout

Crash: possible deadlock in sco_conn_del (log)
Repro: C syz .config
Patch testing requests:
Created          | Duration | User             | Patch | Repo                                                                              | Result
2022/04/12 01:54 | 11m      | hdanton@sina.com | patch | https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/ d12d7e1cfe38 | OK
2022/04/11 23:27 | 8m       | hdanton@sina.com | patch | https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/ d12d7e1cfe38 | report log

Sample crash report:
======================================================
WARNING: possible circular locking dependency detected
6.0.0-rc4-syzkaller #0 Not tainted
------------------------------------------------------
syz-executor229/3645 is trying to acquire lock:
ffff88807835d130 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}, at: lock_sock include/net/sock.h:1712 [inline]
ffff88807835d130 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}, at: sco_conn_del+0x12c/0x2b0 net/bluetooth/sco.c:197

but task is already holding lock:
ffffffff8d9cfb68 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_disconn_cfm include/net/bluetooth/hci_core.h:1776 [inline]
ffffffff8d9cfb68 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_conn_hash_flush+0xd5/0x260 net/bluetooth/hci_conn.c:2366

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #2 (hci_cb_list_lock){+.+.}-{3:3}:
       __mutex_lock_common kernel/locking/mutex.c:603 [inline]
       __mutex_lock+0x12f/0x1350 kernel/locking/mutex.c:747
       hci_connect_cfm+0x26/0x140 include/net/bluetooth/hci_core.h:1761
       hci_remote_features_evt+0x494/0x900 net/bluetooth/hci_event.c:3757
       hci_event_func net/bluetooth/hci_event.c:7443 [inline]
       hci_event_packet+0x952/0xfd0 net/bluetooth/hci_event.c:7495
       hci_rx_work+0xae7/0x1230 net/bluetooth/hci_core.c:4007
       process_one_work+0x991/0x1610 kernel/workqueue.c:2289
       worker_thread+0x665/0x1080 kernel/workqueue.c:2436
       kthread+0x2e4/0x3a0 kernel/kthread.c:376
       ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306

-> #1 (&hdev->lock){+.+.}-{3:3}:
       __mutex_lock_common kernel/locking/mutex.c:603 [inline]
       __mutex_lock+0x12f/0x1350 kernel/locking/mutex.c:747
       sco_sock_connect+0x1e6/0xa70 net/bluetooth/sco.c:593
       __sys_connect_file+0x14f/0x190 net/socket.c:1976
       __sys_connect+0x161/0x190 net/socket.c:1993
       __do_sys_connect net/socket.c:2003 [inline]
       __se_sys_connect net/socket.c:2000 [inline]
       __x64_sys_connect+0x6f/0xb0 net/socket.c:2000
       do_syscall_x64 arch/x86/entry/common.c:50 [inline]
       do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
       entry_SYSCALL_64_after_hwframe+0x63/0xcd

-> #0 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}:
       check_prev_add kernel/locking/lockdep.c:3095 [inline]
       check_prevs_add kernel/locking/lockdep.c:3214 [inline]
       validate_chain kernel/locking/lockdep.c:3829 [inline]
       __lock_acquire+0x2a43/0x56d0 kernel/locking/lockdep.c:5053
       lock_acquire kernel/locking/lockdep.c:5666 [inline]
       lock_acquire+0x1ab/0x570 kernel/locking/lockdep.c:5631
       lock_sock_nested+0x36/0xf0 net/core/sock.c:3393
       lock_sock include/net/sock.h:1712 [inline]
       sco_conn_del+0x12c/0x2b0 net/bluetooth/sco.c:197
       sco_disconn_cfm+0x71/0xb0 net/bluetooth/sco.c:1379
       hci_disconn_cfm include/net/bluetooth/hci_core.h:1779 [inline]
       hci_conn_hash_flush+0x122/0x260 net/bluetooth/hci_conn.c:2366
       hci_dev_close_sync+0x55d/0x1130 net/bluetooth/hci_sync.c:4476
       hci_dev_do_close+0x2d/0x70 net/bluetooth/hci_core.c:554
       hci_rfkill_set_block+0x15d/0x1c0 net/bluetooth/hci_core.c:947
       rfkill_set_block+0x1f9/0x540 net/rfkill/core.c:345
       rfkill_fop_write+0x2c3/0x570 net/rfkill/core.c:1286
       vfs_write+0x2d7/0xdd0 fs/read_write.c:576
       ksys_write+0x1e8/0x250 fs/read_write.c:631
       do_syscall_x64 arch/x86/entry/common.c:50 [inline]
       do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
       entry_SYSCALL_64_after_hwframe+0x63/0xcd

other info that might help us debug this:

Chain exists of:
  sk_lock-AF_BLUETOOTH-BTPROTO_SCO --> &hdev->lock --> hci_cb_list_lock

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(hci_cb_list_lock);
                               lock(&hdev->lock);
                               lock(hci_cb_list_lock);
  lock(sk_lock-AF_BLUETOOTH-BTPROTO_SCO);

 *** DEADLOCK ***

4 locks held by syz-executor229/3645:
 #0: ffffffff8dbc1ec8 (rfkill_global_mutex){+.+.}-{3:3}, at: rfkill_fop_write+0x15c/0x570 net/rfkill/core.c:1278
 #1: ffff888020568fd0 (&hdev->req_lock){+.+.}-{3:3}, at: hci_dev_do_close+0x25/0x70 net/bluetooth/hci_core.c:552
 #2: ffff888020568078 (&hdev->lock){+.+.}-{3:3}, at: hci_dev_close_sync+0x268/0x1130 net/bluetooth/hci_sync.c:4463
 #3: ffffffff8d9cfb68 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_disconn_cfm include/net/bluetooth/hci_core.h:1776 [inline]
 #3: ffffffff8d9cfb68 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_conn_hash_flush+0xd5/0x260 net/bluetooth/hci_conn.c:2366

stack backtrace:
CPU: 0 PID: 3645 Comm: syz-executor229 Not tainted 6.0.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/26/2022
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
 check_noncircular+0x25f/0x2e0 kernel/locking/lockdep.c:2175
 check_prev_add kernel/locking/lockdep.c:3095 [inline]
 check_prevs_add kernel/locking/lockdep.c:3214 [inline]
 validate_chain kernel/locking/lockdep.c:3829 [inline]
 __lock_acquire+0x2a43/0x56d0 kernel/locking/lockdep.c:5053
 lock_acquire kernel/locking/lockdep.c:5666 [inline]
 lock_acquire+0x1ab/0x570 kernel/locking/lockdep.c:5631
 lock_sock_nested+0x36/0xf0 net/core/sock.c:3393
 lock_sock include/net/sock.h:1712 [inline]
 sco_conn_del+0x12c/0x2b0 net/bluetooth/sco.c:197
 sco_disconn_cfm+0x71/0xb0 net/bluetooth/sco.c:1379
 hci_disconn_cfm include/net/bluetooth/hci_core.h:1779 [inline]
 hci_conn_hash_flush+0x122/0x260 net/bluetooth/hci_conn.c:2366
 hci_dev_close_sync+0x55d/0x1130 net/bluetooth/hci_sync.c:4476
 hci_dev_do_close+0x2d/0x70 net/bluetooth/hci_core.c:554
 hci_rfkill_set_block+0x15d/0x1c0 net/bluetooth/hci_core.c:947
 rfkill_set_block+0x1f9/0x540 net/rfkill/core.c:345
 rfkill_fop_write+0x2c3/0x570 net/rfkill/core.c:1286
 vfs_write+0x2d7/0xdd0 fs/read_write.c:576
 ksys_write+0x1e8/0x250 fs/read_write.c:631
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f0ebc349499
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 d1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffe75b17ba8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f0ebc349499
RDX: 0000000000000008 RSI: 0000000020000080 RDI: 0000000000000003
RBP: 0000000000000003 R08: 0000000000000150 R09: 0000000000000150
R10: 0000000000000150 R11: 0000000000000246 R12: 00005555565882b8
R13: 0000000000000011 R14: 00007ffe75b17c10 R15: 0000000000000000
 </TASK>
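
What the report above records is a lock-order inversion, not an observed hang: lockdep flags the cycle the first time it sees the inverted order, whether or not two tasks actually raced. The bisection points at a use-after-free fix, and the trace shows the tension between the two bugs: the lock_sock() in sco_conn_del() (sco.c:197) runs from sco_disconn_cfm() under hci_cb_list_lock, while sco_sock_connect() takes &hdev->lock under the socket lock and the HCI event path takes hci_cb_list_lock under &hdev->lock, giving the chain sk_lock --> &hdev->lock --> hci_cb_list_lock. The following user-space model is an added example, not kernel code and not a patch for this bug. It replays the three code paths with the lock names from the splat, records every "held -> wanted" edge in a dependency graph, and reports an acquisition that would close a cycle, which is the check lockdep's check_noncircular() performs. The task names and the choice to collapse each path into a straight acquisition sequence are assumptions made for the model.

```c
/*
 * Added model (not kernel code) of the lockdep check behind the splat above.
 * Tasks acquire the locks named in the report; every "held -> wanted" pair
 * is recorded as a dependency edge, and an acquisition that would make the
 * graph cyclic is reported, as lockdep's check_noncircular() does.
 */
#include <stdio.h>
#include <string.h>

enum lock_id {
	RFKILL_GLOBAL_MUTEX,
	HDEV_REQ_LOCK,
	HDEV_LOCK,
	HCI_CB_LIST_LOCK,
	SK_LOCK_SCO,
	NLOCKS,
};

static const char *lock_name[NLOCKS] = {
	"rfkill_global_mutex", "&hdev->req_lock", "&hdev->lock",
	"hci_cb_list_lock", "sk_lock-AF_BLUETOOTH-BTPROTO_SCO",
};

/* dep[a][b] != 0: lock b has been acquired while a was held, in some task */
static int dep[NLOCKS][NLOCKS];

/* Is there a path from 'from' to 'to' in the dependency graph? (DFS) */
static int reaches(int from, int to, int seen[NLOCKS])
{
	if (from == to)
		return 1;
	seen[from] = 1;
	for (int n = 0; n < NLOCKS; n++)
		if (dep[from][n] && !seen[n] && reaches(n, to, seen))
			return 1;
	return 0;
}

struct task {
	const char *comm;	/* assumed task name, for the message only */
	int held[NLOCKS];	/* stack of held lock ids, like held_locks[] */
	int depth;
};

/*
 * Model of lock_acquire(): returns -1 and records the new edges if 'want'
 * is safe to take; otherwise returns the id of the held lock that 'want'
 * already (transitively) depends on. The most recent hold is checked
 * first, as check_prevs_add() walks held_locks[] from the top.
 */
static int acquire(struct task *t, int want)
{
	for (int i = t->depth - 1; i >= 0; i--) {
		int held = t->held[i];
		int seen[NLOCKS] = { 0 };

		if (reaches(want, held, seen)) {
			printf("%s: acquiring %s while holding %s, but %s -> ... -> %s exists\n",
			       t->comm, lock_name[want], lock_name[held],
			       lock_name[want], lock_name[held]);
			return held;
		}
	}
	for (int i = 0; i < t->depth; i++)
		dep[t->held[i]][want] = 1;
	t->held[t->depth++] = want;
	return -1;
}

/* Acquire 'order' in sequence, then drop everything; first conflict or -1. */
static int run_chain(const char *comm, const int *order, int n)
{
	struct task t = { .comm = comm, .depth = 0 };
	int conflict = -1;

	for (int i = 0; i < n && conflict < 0; i++)
		conflict = acquire(&t, order[i]);
	t.depth = 0;	/* releases do not change the graph */
	return conflict;
}

/* chain #1: sco_sock_connect() takes &hdev->lock under the socket lock */
static const int connect_path[] = { SK_LOCK_SCO, HDEV_LOCK };
/* chain #2: hci_rx_work() -> hci_connect_cfm() takes hci_cb_list_lock under &hdev->lock */
static const int rx_work_path[] = { HDEV_LOCK, HCI_CB_LIST_LOCK };
/* chain #0: the "4 locks held" by the rfkill write, then lock_sock() in sco_conn_del() */
static const int rfkill_close_path[] = {
	RFKILL_GLOBAL_MUTEX, HDEV_REQ_LOCK, HDEV_LOCK, HCI_CB_LIST_LOCK, SK_LOCK_SCO,
};

/*
 * Replay the three paths. The first two only teach the graph
 * sk_lock -> &hdev->lock -> hci_cb_list_lock; the third closes the cycle.
 * Returns the lock the report names under "task is already holding lock",
 * or -2 if a learning path unexpectedly conflicted.
 */
static int replay_report(void)
{
	memset(dep, 0, sizeof(dep));
	if (run_chain("syz-executor (connect)", connect_path, 2) >= 0 ||
	    run_chain("kworker (hci_rx_work)", rx_work_path, 2) >= 0)
		return -2;
	return run_chain("syz-executor (rfkill write)", rfkill_close_path, 5);
}

/* After replay: the one global order consistent with the graph is accepted. */
static int consistent_order_ok(void)
{
	static const int order[] = { SK_LOCK_SCO, HDEV_LOCK, HCI_CB_LIST_LOCK };
	return run_chain("consistent", order, 3) == -1;
}

/* After replay: taking the socket lock under hci_cb_list_lock is refused. */
static int inverted_order_conflict(void)
{
	static const int order[] = { HCI_CB_LIST_LOCK, SK_LOCK_SCO };
	return run_chain("inverted", order, 2);
}

int main(void)
{
	int held = replay_report();

	printf("cycle closed while holding: %s\n", held >= 0 ? lock_name[held] : "(none)");
	return held == HCI_CB_LIST_LOCK ? 0 : 1;
}
```

The replay stops at the same acquisition the report does: sk_lock-AF_BLUETOOTH-BTPROTO_SCO requested while hci_cb_list_lock is held, with sk_lock -> &hdev->lock -> hci_cb_list_lock already in the graph. The two extra checks make the practical point for anyone touching this code: sk_lock, then &hdev->lock, then hci_cb_list_lock is the only order the existing graph admits, so a disconnect callback invoked under hci_cb_list_lock cannot take the socket lock directly without reintroducing this cycle.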

Crashes (133):
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Title
ci-upstream-kasan-gce-root 2022/09/05 19:38 upstream 7e18e42e4b28 922294ab .config log report syz C possible deadlock in sco_conn_del
ci-upstream-kasan-gce-smack-root 2022/08/15 06:29 upstream 7ebfc85e2cd7 8dfcaa3d .config log report syz C possible deadlock in sco_conn_del
ci-upstream-kasan-gce-smack-root 2022/08/07 09:26 upstream 200e340f2196 88e3a122 .config log report syz C possible deadlock in sco_conn_del
ci-upstream-kasan-gce-smack-root 2022/08/05 12:37 upstream 200e340f2196 1c9013ac .config log report syz C possible deadlock in sco_conn_del
ci-upstream-kasan-gce-root 2022/06/29 08:35 upstream 941e3e791269 496a8536 .config log report syz C possible deadlock in sco_conn_del
ci-upstream-kasan-gce-root 2022/06/20 11:22 upstream a111daf0c53a 8f633d84 .config log report syz C possible deadlock in sco_conn_del
ci-upstream-linux-next-kasan-gce-root 2022/08/04 01:17 linux-next cb71b93c2dc3 1c9013ac .config log report syz C possible deadlock in sco_conn_del
ci-upstream-linux-next-kasan-gce-root 2022/04/11 18:50 linux-next d12d7e1cfe38 af01ee7d .config log report syz C possible deadlock in sco_conn_del
ci-upstream-gce-arm64 2022/09/06 07:10 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 85413d1e802e 9dcd38fc .config log report syz C possible deadlock in sco_conn_del
ci-upstream-kasan-gce-selinux-root 2022/09/04 02:22 upstream d895ec7938c4 28811d0a .config log report syz possible deadlock in sco_conn_del
ci-upstream-kasan-gce-smack-root 2022/10/03 20:06 upstream 4fe89d07dcc2 feb56351 .config log report info possible deadlock in sco_conn_del
ci-upstream-kasan-gce-smack-root 2022/09/28 10:01 upstream 46452d3786a8 75c78242 .config log report info possible deadlock in sco_conn_del
ci-upstream-kasan-gce-selinux-root 2022/09/27 12:25 upstream a1375562c0a8 87840e00 .config log report info possible deadlock in sco_conn_del
ci-qemu-upstream 2022/09/26 13:26 upstream f76349cf4145 d59ba983 .config log report info possible deadlock in sco_conn_del
ci-upstream-kasan-gce-selinux-root 2022/09/23 22:06 upstream 1707c39ae309 0042f2b4 .config log report info possible deadlock in sco_conn_del
ci-upstream-kasan-gce-root 2022/09/18 22:12 upstream 38eddeedbbea dd9a85ff .config log report info possible deadlock in sco_conn_del
ci-upstream-kasan-gce-selinux-root 2022/09/15 08:09 upstream 3245cb65fd91 dd9a85ff .config log report info possible deadlock in sco_conn_del
ci-qemu-upstream 2022/09/13 09:47 upstream e839a756012b a08652b0 .config log report info possible deadlock in sco_conn_del
ci-upstream-kasan-gce-root 2022/09/11 04:42 upstream b96fbd602d35 356d8217 .config log report info possible deadlock in sco_conn_del
ci-upstream-kasan-gce-root 2022/09/10 16:21 upstream ce888220d5c7 356d8217 .config log report info possible deadlock in sco_conn_del
ci-upstream-kasan-gce-selinux-root 2022/09/10 10:38 upstream ce888220d5c7 356d8217 .config log report info possible deadlock in sco_conn_del
ci-upstream-kasan-gce-smack-root 2022/09/07 13:41 upstream 0066f1b0e275 c5b7bc57 .config log report info possible deadlock in sco_conn_del
ci-upstream-kasan-gce-selinux-root 2022/09/04 06:02 upstream 65eea2c060ae 28811d0a .config log report info possible deadlock in sco_conn_del
ci-upstream-kasan-gce-selinux-root 2022/09/02 16:11 upstream 42e66b1cc3a0 25194605 .config log report info possible deadlock in sco_conn_del
ci-upstream-kasan-gce-root 2022/09/01 13:56 upstream c5e4d5e99162 86c46e46 .config log report info possible deadlock in sco_conn_del
ci-qemu-upstream 2022/08/29 18:01 upstream b90cb1053190 94da0b6b .config log report info possible deadlock in sco_conn_del
ci-upstream-kasan-gce-root 2022/08/28 11:24 upstream 10d4879f9ef0 07177916 .config log report info possible deadlock in sco_conn_del
ci-upstream-kasan-gce-root 2022/08/27 18:19 upstream e022620b5d05 07177916 .config log report info possible deadlock in sco_conn_del
ci-upstream-kasan-gce-root 2022/08/25 14:13 upstream c40e8341e3b3 e5fb9cf5 .config log report info possible deadlock in sco_conn_del
ci-upstream-kasan-gce-selinux-root 2022/08/24 08:21 upstream df0219d11b6f cea8b0f7 .config log report info possible deadlock in sco_conn_del
ci-qemu-upstream 2022/08/21 07:31 upstream f31c32efd57c 26a13b38 .config log report info possible deadlock in sco_conn_del
ci-upstream-kasan-gce-root 2022/08/21 04:55 upstream 15b3f48a4339 26a13b38 .config log report info possible deadlock in sco_conn_del
ci-upstream-kasan-gce-smack-root 2022/08/20 02:30 upstream 4c2d0b039c5c 26a13b38 .config log report info possible deadlock in sco_conn_del
ci-qemu-upstream 2022/08/16 05:35 upstream 568035b01cfb 7a7cb304 .config log report info possible deadlock in sco_conn_del
ci-upstream-kasan-gce-root 2022/08/13 12:19 upstream 7ebfc85e2cd7 8dfcaa3d .config log report info possible deadlock in sco_conn_del
ci-upstream-kasan-gce-selinux-root 2022/08/13 06:13 upstream 7ebfc85e2cd7 8dfcaa3d .config log report info possible deadlock in sco_conn_del
ci-upstream-kasan-gce-root 2022/08/09 13:45 upstream 200e340f2196 da700653 .config log report info possible deadlock in sco_conn_del
ci-upstream-kasan-gce-root 2022/08/09 06:39 upstream 200e340f2196 da700653 .config log report info possible deadlock in sco_conn_del
ci-upstream-kasan-gce-root 2022/08/03 00:08 upstream 7d0d3fa7339e 1c9013ac .config log report info possible deadlock in sco_conn_del
ci-qemu-upstream-386 2022/09/25 20:36 upstream 5e049663f678 0042f2b4 .config log report info possible deadlock in sco_conn_del
ci-qemu-upstream-386 2022/09/19 10:35 upstream 521a547ced64 dd9a85ff .config log report info possible deadlock in sco_conn_del
ci-qemu-upstream-386 2022/09/04 20:40 upstream 7726d4c3e60b 28811d0a .config log report info possible deadlock in sco_conn_del
ci-upstream-net-this-kasan-gce 2022/09/06 11:09 net 42b998d4aa59 65aea2b9 .config log report info possible deadlock in sco_conn_del
ci-upstream-net-this-kasan-gce 2022/08/26 06:57 net 4c612826bec1 15195ea3 .config log report info possible deadlock in sco_conn_del
ci-upstream-net-this-kasan-gce 2022/08/25 01:24 net 0c4a95417ee4 514514f6 .config log report info possible deadlock in sco_conn_del
ci-upstream-net-this-kasan-gce 2022/08/21 19:33 net e82c649e851c 26a13b38 .config log report info possible deadlock in sco_conn_del
ci-upstream-net-this-kasan-gce 2022/08/06 01:01 net 8eaa1d110800 e853abd9 .config log report info possible deadlock in sco_conn_del
ci-upstream-net-this-kasan-gce 2022/08/02 19:35 net c67cc4315a8e 1c9013ac .config log report info possible deadlock in sco_conn_del
ci-upstream-net-kasan-gce 2022/09/27 13:51 net-next 6627a2074d5c 87840e00 .config log report info possible deadlock in sco_conn_del
ci-upstream-net-kasan-gce 2022/09/27 11:05 net-next 6627a2074d5c 87840e00 .config log report info possible deadlock in sco_conn_del
ci-upstream-net-kasan-gce 2022/09/22 15:12 net-next 3cae32b480d1 0042f2b4 .config log report info possible deadlock in sco_conn_del
ci-upstream-net-kasan-gce 2022/09/17 04:17 net-next 862deb68c1bc dd9a85ff .config log report info possible deadlock in sco_conn_del
ci-upstream-net-kasan-gce 2022/09/13 22:23 net-next c9ae520ac3fa b884348d .config log report info possible deadlock in sco_conn_del
ci-upstream-net-kasan-gce 2022/09/03 09:08 net-next 2e5fb3223261 49e94a20 .config log report info possible deadlock in sco_conn_del
ci-upstream-net-kasan-gce 2022/08/29 22:17 net-next f97e971dbdc7 5b44472d .config log report info possible deadlock in sco_conn_del
ci-upstream-net-kasan-gce 2022/08/12 19:59 net-next 7ebfc85e2cd7 402cd70d .config log report info possible deadlock in sco_conn_del
ci-upstream-net-kasan-gce 2022/08/11 05:30 net-next 3c47fb2f4c4d a6201f11 .config log report info possible deadlock in sco_conn_del
ci-upstream-linux-next-kasan-gce-root 2022/04/04 03:35 linux-next 696206280c5e 79a2a8fc .config log report info possible deadlock in sco_conn_del
ci-upstream-linux-next-kasan-gce-root 2022/04/03 22:02 linux-next e5071887cd22 79a2a8fc .config log report info possible deadlock in sco_conn_del
ci-upstream-gce-arm64 2022/09/26 15:54 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci c194837ebb57 d59ba983 .config log report info possible deadlock in sco_conn_del
ci-upstream-gce-arm64 2022/09/25 10:19 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci c194837ebb57 0042f2b4 .config log report info possible deadlock in sco_conn_del
ci-upstream-gce-arm64 2022/09/20 08:26 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci a6b443748715 7c41a9ba .config log report info possible deadlock in sco_conn_del
ci-upstream-gce-arm64 2022/09/03 03:00 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 85413d1e802e 49e94a20 .config log report info possible deadlock in sco_conn_del
* Struck through repros no longer work on HEAD.