KASAN: null-ptr-deref Write in l2cap_chan

KASAN: null-ptr-deref Write in l2cap_chan_put
Status: upstream: reported syz repro on 2020/08/08 09:46
Reported-by: syzbot+452e9465a3b2817fa4c2@syzkaller.appspotmail.com
First crash: 434d, last: 21d

Cause bisection: the issue happens on the oldest tested release (bisect log)
Crash: WARNING in sysfs_warn_dup (log)
Repro: syz .config

similar bugs (1):
Kernel	Title	Repro	Cause bisect	Fix bisect	Count	Last	Reported	Patched	Status
upstream	KASAN: wild-memory-access Write in l2cap_chan_put				2	229d	252d	0/22	auto-closed as invalid on 2021/06/30 01:30

Patch testing requests:
Created	Duration	User	Patch	Repo	Result
2021/03/22 09:43	10m	ducheng2@gmail.com	patch	upstream	report log
2021/03/22 08:40	12m	ducheng2@gmail.com	patch	upstream	report log
2021/03/22 08:05	12m	ducheng2@gmail.com	patch	upstream	report log
2021/03/18 05:01	10m	ducheng2@gmail.com	patch	upstream	report log
2021/03/18 02:34	12m	ducheng2@gmail.com	patch	upstream	report log
2021/03/15 08:12	10m	ducheng2@gmail.com	patch	upstream	report log
2021/03/15 04:53	9m	ducheng2@gmail.com		upstream	report log
2020/09/06 08:00	10m	anant.thazhemadam@gmail.com	patch	https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master	report log
2020/09/02 05:15	10m	anant.thazhemadam@gmail.com		https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master	report log

Sample crash report:

==================================================================
BUG: KASAN: null-ptr-deref in instrument_atomic_write include/linux/instrumented.h:71 [inline]
BUG: KASAN: null-ptr-deref in atomic_fetch_sub_release include/asm-generic/atomic-instrumented.h:220 [inline]
BUG: KASAN: null-ptr-deref in refcount_sub_and_test include/linux/refcount.h:266 [inline]
BUG: KASAN: null-ptr-deref in refcount_dec_and_test include/linux/refcount.h:294 [inline]
BUG: KASAN: null-ptr-deref in kref_put include/linux/kref.h:64 [inline]
BUG: KASAN: null-ptr-deref in l2cap_chan_put+0x28/0x230 net/bluetooth/l2cap_core.c:502
Write of size 4 at addr 0000000000000018 by task kworker/0:2/7081

CPU: 0 PID: 7081 Comm: kworker/0:2 Not tainted 5.9.0-rc3-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events l2cap_chan_timeout
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x198/0x1fd lib/dump_stack.c:118
 __kasan_report mm/kasan/report.c:517 [inline]
 kasan_report.cold+0x5/0x37 mm/kasan/report.c:530
 check_memory_region_inline mm/kasan/generic.c:186 [inline]
 check_memory_region+0x13d/0x180 mm/kasan/generic.c:192
 instrument_atomic_write include/linux/instrumented.h:71 [inline]
 atomic_fetch_sub_release include/asm-generic/atomic-instrumented.h:220 [inline]
 refcount_sub_and_test include/linux/refcount.h:266 [inline]
 refcount_dec_and_test include/linux/refcount.h:294 [inline]
 kref_put include/linux/kref.h:64 [inline]
 l2cap_chan_put+0x28/0x230 net/bluetooth/l2cap_core.c:502
 l2cap_sock_kill+0xbd/0x180 net/bluetooth/l2cap_sock.c:1217
 l2cap_chan_timeout+0x1c1/0x450 net/bluetooth/l2cap_core.c:438
 process_one_work+0x94c/0x1670 kernel/workqueue.c:2269
 worker_thread+0x64c/0x1120 kernel/workqueue.c:2415
 kthread+0x3b5/0x4a0 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294
==================================================================
Kernel panic - not syncing: panic_on_warn set ...
CPU: 0 PID: 7081 Comm: kworker/0:2 Tainted: G    B             5.9.0-rc3-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events l2cap_chan_timeout
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x198/0x1fd lib/dump_stack.c:118
 panic+0x347/0x7c0 kernel/panic.c:231
 end_report+0x4d/0x53 mm/kasan/report.c:104
 __kasan_report mm/kasan/report.c:520 [inline]
 kasan_report.cold+0xd/0x37 mm/kasan/report.c:530
 check_memory_region_inline mm/kasan/generic.c:186 [inline]
 check_memory_region+0x13d/0x180 mm/kasan/generic.c:192
 instrument_atomic_write include/linux/instrumented.h:71 [inline]
 atomic_fetch_sub_release include/asm-generic/atomic-instrumented.h:220 [inline]
 refcount_sub_and_test include/linux/refcount.h:266 [inline]
 refcount_dec_and_test include/linux/refcount.h:294 [inline]
 kref_put include/linux/kref.h:64 [inline]
 l2cap_chan_put+0x28/0x230 net/bluetooth/l2cap_core.c:502
 l2cap_sock_kill+0xbd/0x180 net/bluetooth/l2cap_sock.c:1217
 l2cap_chan_timeout+0x1c1/0x450 net/bluetooth/l2cap_core.c:438
 process_one_work+0x94c/0x1670 kernel/workqueue.c:2269
 worker_thread+0x64c/0x1120 kernel/workqueue.c:2415
 kthread+0x3b5/0x4a0 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294
Kernel Offset: disabled
Rebooting in 86400 seconds..

Fix bisection attempts:
Manager	Time	Kernel	Commit	Syzkaller	Config	Log	Report	Syz repro
ci-upstream-kasan-gce-root	2021/09/25 16:56	upstream	7d42e9818258	abf9ba4f	.config	log	report	syz
ci-upstream-kasan-gce-root	2021/08/26 12:06	upstream	73f3af7b4611	abf9ba4f	.config	log	report	syz
ci-upstream-kasan-gce-root	2021/07/19 20:08	upstream	2734d6c1b1a0	abf9ba4f	.config	log	report	syz
ci-upstream-kasan-gce-root	2021/06/19 19:46	upstream	d9403d307dba	abf9ba4f	.config	log	report	syz
ci-upstream-kasan-gce-root	2021/05/19 23:37	upstream	c3d0e3fd41b7	abf9ba4f	.config	log	report	syz
ci-upstream-kasan-gce-root	2021/04/19 19:38	upstream	bf05bf16c76b	abf9ba4f	.config	log	report	syz
ci-upstream-kasan-gce-root	2021/03/13 12:15	upstream	f296bfd5cd04	abf9ba4f	.config	log	report	syz
ci-upstream-kasan-gce-root	2021/01/24 11:05	upstream	e1ae4b0be158	abf9ba4f	.config	log	report	syz
ci-upstream-kasan-gce-root	2020/12/25 10:47	upstream	71c5f03154ac	abf9ba4f	.config	log	report	syz
ci-upstream-kasan-gce-root	2020/11/25 10:30	upstream	127c501a03d5	abf9ba4f	.config	log	report	syz
ci-upstream-kasan-gce-root	2020/10/26 10:12	upstream	3650b228f83a	abf9ba4f	.config	log	report	syz

Crashes (7):
Manager	Time	Kernel	Commit	Syzkaller	Config	Log	Report	Syz repro	VM info	Title
ci-upstream-kasan-gce-root	2020/09/05 20:38	upstream	c70672d8d316	abf9ba4f	.config	log	report	syz
ci-upstream-kasan-gce-selinux-root	2020/08/08 09:27	upstream	5631c5e0eb90	ff51e522	.config	log	report	syz
ci-upstream-kasan-gce-smack-root	2020/08/08 09:20	upstream	5631c5e0eb90	ff51e522	.config	log	report	syz
ci-upstream-linux-next-kasan-gce-root	2020/09/08 14:46	linux-next	7a6956579ce6	abf9ba4f	.config	log	report	syz
ci-upstream-net-kasan-gce	2021/03/20 19:18	net-next	d773b7957e4f	17810eae	.config	log	report		info	KASAN: null-ptr-deref Write in l2cap_chan_put
ci-upstream-net-kasan-gce	2021/07/27 10:36	net-next	268ca4129d8d	fd511809	.config	log	report		info	KASAN: wild-memory-access Write in l2cap_chan_put
ci-upstream-net-kasan-gce	2020/09/26 09:54	net-next	6fba737a9320	4a006f63	.config	log	report		info