bisecting fixing commit since 449dc8c97089a6e09fb2dac4d92b1b7ac0eb7c1e
building syzkaller on f721e4a097714a9054b9fe1aadf427afbbd2c157
testing commit 449dc8c97089a6e09fb2dac4d92b1b7ac0eb7c1e
compiler: gcc (GCC) 8.4.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1
kernel signature: dcf315b472bd5660cd3609791f1c6eecf7e2d881682a9de498a5ab489730de86
all runs: crashed: WARNING: refcount bug in l2cap_global_chan_by_psm
testing current HEAD c500bee1c5b2f1d59b1081ac879d73268ab0ff17
testing commit c500bee1c5b2f1d59b1081ac879d73268ab0ff17
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1
kernel signature: f8d5ec53bab2c7fc22def9cd4fbc7121b738da64674467ad9b948cf53d618695
all runs: crashed: WARNING: refcount bug in l2cap_global_chan_by_psm
revisions tested: 2, total time: 20m22.446285346s (build: 11m42.158139002s, test: 7m50.727680004s)
the crash still happens on HEAD
commit msg: Linux 5.14-rc4
crash: WARNING: refcount bug in l2cap_global_chan_by_psm

------------[ cut here ]------------
refcount_t: addition on 0; use-after-free.
WARNING: CPU: 1 PID: 7381 at lib/refcount.c:25 refcount_warn_saturate+0xdd/0x140 lib/refcount.c:25
Modules linked in:
CPU: 1 PID: 7381 Comm: kworker/u5:1 Not tainted 5.14.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: hci2 hci_rx_work
RIP: 0010:refcount_warn_saturate+0xdd/0x140 lib/refcount.c:25
Code: 13 d2 fb 06 01 e8 93 40 fe 03 0f 0b eb 9d 80 3d 02 d2 fb 06 00 75 94 48 c7 c7 a0 b6 33 88 c6 05 f2 d1 fb 06 01 e8 73 40 fe 03 <0f> 0b e9 7a ff ff ff 80 3d dc d1 fb 06 00 0f 85 6d ff ff ff 48 c7
RSP: 0018:ffffc900048c7988 EFLAGS: 00010282
RAX: 0000000000000000 RBX: ffff888125bf4018 RCX: 0000000000000000
RDX: 0000000000000002 RSI: ffffffff8833f0e0 RDI: fffff52000918f23
RBP: 0000000000000002 R08: 0000000000000001 R09: ffff8881f6530e47
R10: ffffed103eca61c8 R11: 746e756f63666572 R12: dffffc0000000000
R13: 0000000000000001 R14: ffff888125bf4021 R15: ffffffff8a43bc88
FS: 0000000000000000(0000) GS:ffff8881f6500000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000004dc324 CR3: 000000011afa0000 CR4: 0000000000350ee0
Call Trace:
 __refcount_add include/linux/refcount.h:199 [inline]
 __refcount_inc include/linux/refcount.h:250 [inline]
 refcount_inc include/linux/refcount.h:267 [inline]
 kref_get include/linux/kref.h:45 [inline]
 l2cap_chan_hold net/bluetooth/l2cap_core.c:497 [inline]
 l2cap_global_chan_by_psm+0x35a/0x3c0 net/bluetooth/l2cap_core.c:1986
 l2cap_conless_channel net/bluetooth/l2cap_core.c:7611 [inline]
 l2cap_recv_frame+0xa23/0x9d20 net/bluetooth/l2cap_core.c:7681
 hci_acldata_packet net/bluetooth/hci_core.c:4934 [inline]
 hci_rx_work+0x386/0x940 net/bluetooth/hci_core.c:5125
 process_one_work+0x84c/0x13d0 kernel/workqueue.c:2276
 worker_thread+0x598/0x1040 kernel/workqueue.c:2422
 kthread+0x38b/0x460 kernel/kthread.c:319
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
irq event stamp: 41083
hardirqs last enabled at (41105): [] console_unlock+0x72b/0x9c0 kernel/printk/printk.c:2668
hardirqs last disabled at (41132): [] console_unlock+0x62b/0x9c0 kernel/printk/printk.c:2589
softirqs last enabled at (41130): [] invoke_softirq kernel/softirq.c:432 [inline]
softirqs last enabled at (41130): [] __irq_exit_rcu kernel/softirq.c:636 [inline]
softirqs last enabled at (41130): [] irq_exit_rcu+0x229/0x270 kernel/softirq.c:648
softirqs last disabled at (41149): [] invoke_softirq kernel/softirq.c:432 [inline]
softirqs last disabled at (41149): [] __irq_exit_rcu kernel/softirq.c:636 [inline]
softirqs last disabled at (41149): [] irq_exit_rcu+0x229/0x270 kernel/softirq.c:648
---[ end trace 4e216950e786ebd4 ]---

------------[ cut here ]------------
refcount_t: underflow; use-after-free.
WARNING: CPU: 1 PID: 7381 at lib/refcount.c:28 refcount_warn_saturate+0x12b/0x140 lib/refcount.c:28
Modules linked in:
CPU: 1 PID: 7381 Comm: kworker/u5:1 Tainted: G W 5.14.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: hci2 hci_rx_work
RIP: 0010:refcount_warn_saturate+0x12b/0x140 lib/refcount.c:28
Code: 40 fe 03 0f 0b e9 53 ff ff ff 48 89 df e8 dd 7a 43 fe e9 23 ff ff ff 48 c7 c7 00 b7 33 88 c6 05 a3 d1 fb 06 01 e8 25 40 fe 03 <0f> 0b e9 2c ff ff ff 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 41
RSP: 0018:ffffc900048c7a70 EFLAGS: 00010286
RAX: 0000000000000000 RBX: ffff888125bf4018 RCX: 0000000000000000
RDX: 0000000000000001 RSI: ffffffff8833f0e0 RDI: fffff52000918f40
RBP: 0000000000000003 R08: 0000000000000001 R09: ffff8881f6530e47
R10: ffffed103eca61c8 R11: 0000000063666572 R12: ffff888125bf4000
R13: ffff888125bf4018 R14: ffff888103f7d700 R15: ffff88811f0be014
FS: 0000000000000000(0000) GS:ffff8881f6500000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000004dc324 CR3: 0000000113d08000 CR4: 0000000000350ee0
Call Trace:
 __refcount_sub_and_test include/linux/refcount.h:283 [inline]
 __refcount_dec_and_test include/linux/refcount.h:315 [inline]
 refcount_dec_and_test include/linux/refcount.h:333 [inline]
 kref_put include/linux/kref.h:64 [inline]
 l2cap_chan_put net/bluetooth/l2cap_core.c:504 [inline]
 l2cap_conless_channel net/bluetooth/l2cap_core.c:7634 [inline]
 l2cap_recv_frame+0xb8e/0x9d20 net/bluetooth/l2cap_core.c:7681
 hci_acldata_packet net/bluetooth/hci_core.c:4934 [inline]
 hci_rx_work+0x386/0x940 net/bluetooth/hci_core.c:5125
 process_one_work+0x84c/0x13d0 kernel/workqueue.c:2276
 worker_thread+0x598/0x1040 kernel/workqueue.c:2422
 kthread+0x38b/0x460 kernel/kthread.c:319
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
irq event stamp: 42253
hardirqs last enabled at (42261): [] console_unlock+0x72b/0x9c0 kernel/printk/printk.c:2668
hardirqs last disabled at (42278): [] __schedule+0x116e/0x2170 kernel/sched/core.c:5836
softirqs last enabled at (42304): [] invoke_softirq kernel/softirq.c:432 [inline]
softirqs last enabled at (42304): [] __irq_exit_rcu kernel/softirq.c:636 [inline]
softirqs last enabled at (42304): [] irq_exit_rcu+0x229/0x270 kernel/softirq.c:648
softirqs last disabled at (42317): [] invoke_softirq kernel/softirq.c:432 [inline]
softirqs last disabled at (42317): [] __irq_exit_rcu kernel/softirq.c:636 [inline]
softirqs last disabled at (42317): [] irq_exit_rcu+0x229/0x270 kernel/softirq.c:648
---[ end trace 4e216950e786ebd5 ]---