WARNING: locking bug in l2cap_chan

WARNING: locking bug in l2cap_chan_del
Status: upstream: reported syz repro on 2020/08/07 07:07
Reported-by: syzbot+01d7fc00b2a0419d01cc@syzkaller.appspotmail.com
First crash: 257d, last: 8d17h

Cause bisection: the issue happens on the oldest tested release (bisect log)
Crash: KASAN: use-after-free Read in lock_sock_nested (log)
Repro: syz .config

similar bugs (1):
Kernel	Title	Repro	Cause bisect	Fix bisect	Count	Last	Reported	Patched	Status
linux-4.14	WARNING: locking bug in l2cap_chan_del				1	221d	221d	0/1	auto-closed as invalid on 2021/01/09 22:04

Sample crash report:

------------[ cut here ]------------
DEBUG_LOCKS_WARN_ON(1)
WARNING: CPU: 0 PID: 5 at kernel/locking/lockdep.c:183 hlock_class kernel/locking/lockdep.c:183 [inline]
WARNING: CPU: 0 PID: 5 at kernel/locking/lockdep.c:183 hlock_class kernel/locking/lockdep.c:172 [inline]
WARNING: CPU: 0 PID: 5 at kernel/locking/lockdep.c:183 check_wait_context kernel/locking/lockdep.c:4100 [inline]
WARNING: CPU: 0 PID: 5 at kernel/locking/lockdep.c:183 __lock_acquire+0x1674/0x5640 kernel/locking/lockdep.c:4376
Kernel panic - not syncing: panic_on_warn set ...
CPU: 0 PID: 5 Comm: kworker/0:0 Not tainted 5.8.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events l2cap_chan_timeout
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x18f/0x20d lib/dump_stack.c:118
 panic+0x2e3/0x75c kernel/panic.c:231
 __warn.cold+0x20/0x45 kernel/panic.c:600
 report_bug+0x1bd/0x210 lib/bug.c:198
 handle_bug+0x38/0x90 arch/x86/kernel/traps.c:235
 exc_invalid_op+0x14/0x40 arch/x86/kernel/traps.c:255
 asm_exc_invalid_op+0x12/0x20 arch/x86/include/asm/idtentry.h:536
RIP: 0010:hlock_class kernel/locking/lockdep.c:183 [inline]
RIP: 0010:hlock_class kernel/locking/lockdep.c:172 [inline]
RIP: 0010:check_wait_context kernel/locking/lockdep.c:4100 [inline]
RIP: 0010:__lock_acquire+0x1674/0x5640 kernel/locking/lockdep.c:4376
Code: d2 0f 85 f1 36 00 00 44 8b 15 f0 8e 57 09 45 85 d2 0f 85 1c fa ff ff 48 c7 c6 80 af 4b 88 48 c7 c7 80 aa 4b 88 e8 ce 36 eb ff <0f> 0b e9 02 fa ff ff c7 44 24 38 fe ff ff ff 41 bf 01 00 00 00 c7
RSP: 0018:ffffc90000cbf8e0 EFLAGS: 00010086
RAX: 0000000000000000 RBX: 0000000000000004 RCX: 0000000000000000
RDX: ffff8880a95a2140 RSI: ffffffff815d8eb7 RDI: fffff52000197f0e
RBP: ffff8880a95a2ab0 R08: 0000000000000000 R09: ffffffff89bcb3c3
R10: 00000000000007d2 R11: 0000000000000001 R12: 0000000000000000
R13: 00000000000019a1 R14: ffff8880a95a2140 R15: 0000000000040000
 lock_acquire+0x1f1/0xad0 kernel/locking/lockdep.c:5005
 __raw_spin_lock_bh include/linux/spinlock_api_smp.h:135 [inline]
 _raw_spin_lock_bh+0x2f/0x40 kernel/locking/spinlock.c:175
 spin_lock_bh include/linux/spinlock.h:359 [inline]
 lock_sock_nested+0x3b/0x110 net/core/sock.c:3040
 l2cap_sock_teardown_cb+0x88/0x400 net/bluetooth/l2cap_sock.c:1520
 l2cap_chan_del+0xad/0x1300 net/bluetooth/l2cap_core.c:618
 l2cap_chan_close+0x118/0xb10 net/bluetooth/l2cap_core.c:823
 l2cap_chan_timeout+0x173/0x450 net/bluetooth/l2cap_core.c:436
 process_one_work+0x94c/0x1670 kernel/workqueue.c:2269
 worker_thread+0x64c/0x1120 kernel/workqueue.c:2415
 kthread+0x3b5/0x4a0 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294
Kernel Offset: disabled
Rebooting in 86400 seconds..

Fix bisection attempts:
Manager	Time	Kernel	Commit	Syzkaller	Config	Log	Report	Syz repro
ci-upstream-net-this-kasan-gce	2021/04/12 14:37	net	6628ddfe	bc15f7db	.config	log	report	syz
ci-upstream-net-this-kasan-gce	2021/03/12 04:14	net	7a1468ba	bc15f7db	.config	log	report	syz
ci-upstream-net-this-kasan-gce	2021/01/17 02:17	net	bcd0cf19	bc15f7db	.config	log	report	syz

Crashes (83):
Manager	Time	Kernel	Commit	Syzkaller	Config	Log	Report	Syz repro	VM info
ci-upstream-net-this-kasan-gce	2020/08/13 05:23	net	06a7a37b	bc15f7db	.config	log	report	syz
ci-upstream-kasan-gce-selinux-root	2020/12/12 21:40	upstream	7b1b868e	bca53db9	.config	log	report		info
ci-upstream-kasan-gce-selinux-root	2020/12/08 17:54	upstream	cd796ed3	a7f7f4a4	.config	log	report		info
ci-upstream-kasan-gce-selinux-root	2020/11/29 11:49	upstream	45e885c4	a0092f9d	.config	log	report		info
ci-upstream-kasan-gce-selinux-root	2020/10/07 07:01	upstream	c85fb28b	1880b4a9	.config	log	report		info
ci-qemu-upstream	2020/09/14 00:07	upstream	e4c26faa	2d3cdd63	.config	log	report
ci-qemu-upstream	2020/09/12 11:45	upstream	729e3d09	21d289c2	.config	log	report
ci-upstream-kasan-gce-smack-root	2020/09/10 17:28	upstream	7fe10096	409809d8	.config	log	report
ci-upstream-kasan-gce-smack-root	2020/09/09 10:57	upstream	34d4ddd3	0ea7a887	.config	log	report
ci-qemu-upstream	2020/09/07 00:13	upstream	fffe3ae0	abf9ba4f	.config	log	report
ci-upstream-kasan-gce-root	2020/08/11 09:23	upstream	00e4db51	bacaf5fa	.config	log	report
ci-upstream-kasan-gce-root	2020/08/10 18:18	upstream	fc80c51f	7adc7b65	.config	log	report
ci-upstream-kasan-gce-root	2020/08/07 01:02	upstream	47ec5303	1f122f88	.config	log	report
ci-qemu-upstream-386	2020/12/13 21:08	upstream	ec6f5e0e	8f160dd5	.config	log	report		info
ci-qemu-upstream-386	2020/11/04 21:51	upstream	4ef8451b	64069d48	.config	log	report		info
ci-upstream-net-this-kasan-gce	2020/12/09 18:26	net	72d05c00	c090b4da	.config	log	report		info
ci-upstream-net-this-kasan-gce	2020/11/23 05:24	net	f9b03653	0d27f508	.config	log	report		info
ci-upstream-net-this-kasan-gce	2020/11/17 02:10	net	e2142ef2	1bf9a662	.config	log	report		info
ci-upstream-net-this-kasan-gce	2020/10/03 21:57	net	ab0faf5f	1a3f9408	.config	log	report		info
ci-upstream-net-this-kasan-gce	2020/10/01 21:25	net	bb13a800	9602ddf4	.config	log	report		info
ci-upstream-net-this-kasan-gce	2020/09/26 09:15	net	5e46e43c	4a006f63	.config	log	report		info
ci-upstream-net-this-kasan-gce	2020/09/21 14:49	net	e1b81391	9e1fa68e	.config	log	report		info
ci-upstream-net-this-kasan-gce	2020/09/11 19:12	net	ee460417	adfb8b4e	.config	log	report
ci-upstream-net-this-kasan-gce	2020/09/09 01:27	net	19162fd4	abf9ba4f	.config	log	report
ci-upstream-net-this-kasan-gce	2020/09/02 05:33	net	a609d025	abf9ba4f	.config	log	report
ci-upstream-net-this-kasan-gce	2020/08/31 06:31	net	c8146fe2	d5a3ae1f	.config	log	report
ci-upstream-net-this-kasan-gce	2020/08/28 00:47	net	af8ea111	816e0689	.config	log	report
ci-upstream-net-this-kasan-gce	2020/08/12 00:16	net	c79f428d	bacaf5fa	.config	log	report
ci-upstream-net-this-kasan-gce	2020/08/10 00:12	net	7c7ab580	70301872	.config	log	report
ci-upstream-net-this-kasan-gce	2020/08/08 19:53	net	1c3b63f1	f721e4a0	.config	log	report
ci-upstream-net-kasan-gce	2020/12/15 03:00	net-next	13458ffe	97183ed7	.config	log	report		info
ci-upstream-net-kasan-gce	2020/12/13 02:57	net-next	00f7763a	bca53db9	.config	log	report		info
ci-upstream-net-kasan-gce	2020/12/03 03:25	net-next	6b4f5031	8c9190ef	.config	log	report		info
ci-upstream-net-kasan-gce	2020/11/25 02:40	net-next	d5a05e69	e34b696c	.config	log	report		info
ci-upstream-net-kasan-gce	2020/11/19 03:05	net-next	2b8473d2	0767f13f	.config	log	report		info
ci-upstream-net-kasan-gce	2020/11/14 10:22	net-next	774626fa	1bf9a662	.config	log	report		info
ci-upstream-net-kasan-gce	2020/11/09 23:17	net-next	bff6f1db	64069d48	.config	log	report		info
ci-upstream-net-kasan-gce	2020/11/06 12:42	net-next	c9448e82	64069d48	.config	log	report		info
ci-upstream-net-kasan-gce	2020/10/12 10:26	net-next	bc081a69	4a77ae0b	.config	log	report		info
ci-upstream-net-kasan-gce	2020/09/22 05:36	net-next	b696db59	9e1fa68e	.config	log	report		info
ci-upstream-net-kasan-gce	2020/09/21 06:51	net-next	3cec0369	9564d2e9	.config	log	report		info
ci-upstream-net-kasan-gce	2020/09/18 12:02	net-next	529d1fdf	38962c8b	.config	log	report		info
ci-upstream-net-kasan-gce	2020/09/17 23:39	net-next	b948577b	8247808b	.config	log	report		info
ci-upstream-net-kasan-gce	2020/09/12 05:43	net-next	12913f74	79fb24e2	.config	log	report
ci-upstream-net-kasan-gce	2020/09/10 00:14	net-next	b599a5b9	409809d8	.config	log	report
ci-upstream-net-kasan-gce	2020/09/09 05:59	net-next	c1f1f16c	abf9ba4f	.config	log	report
ci-upstream-net-kasan-gce	2020/09/09 02:41	net-next	4349abdb	abf9ba4f	.config	log	report
ci-upstream-net-kasan-gce	2020/09/07 14:55	net-next	02a20d4f	abf9ba4f	.config	log	report
ci-upstream-net-kasan-gce	2020/09/07 12:42	net-next	02a20d4f	abf9ba4f	.config	log	report
ci-upstream-net-kasan-gce	2020/09/07 08:06	net-next	02a20d4f	abf9ba4f	.config	log	report
ci-upstream-net-kasan-gce	2020/09/06 23:18	net-next	be239c4d	abf9ba4f	.config	log	report
ci-upstream-net-kasan-gce	2020/09/02 12:18	net-next	dc1a9bf2	abf9ba4f	.config	log	report
ci-upstream-net-kasan-gce	2020/08/31 00:54	net-next	0f091e43	d5a3ae1f	.config	log	report
ci-upstream-net-kasan-gce	2020/08/12 19:33	net-next	bfdd5aaa	bc15f7db	.config	log	report
ci-upstream-net-kasan-gce	2020/08/10 00:17	net-next	bfdd5aaa	70301872	.config	log	report
ci-upstream-net-kasan-gce	2020/08/08 12:33	net-next	bfdd5aaa	ff51e522	.config	log	report
ci-upstream-net-kasan-gce	2020/08/08 09:43	net-next	bfdd5aaa	ff51e522	.config	log	report
ci-upstream-net-kasan-gce	2020/08/07 22:29	net-next	bfdd5aaa	cb436c69	.config	log	report
ci-upstream-net-kasan-gce	2020/08/06 22:34	net-next	c1055b76	1f122f88	.config	log	report
ci-upstream-linux-next-kasan-gce-root	2020/09/14 06:10	linux-next	d5b2251d	2d3cdd63	.config	log	report
ci-upstream-linux-next-kasan-gce-root	2020/09/11 08:46	linux-next	d5b2251d	adfb8b4e	.config	log	report
ci-upstream-linux-next-kasan-gce-root	2020/08/30 08:47	linux-next	b36c9697	d5a3ae1f	.config	log	report