bisecting fixing commit since 449dc8c97089a6e09fb2dac4d92b1b7ac0eb7c1e
building syzkaller on f721e4a097714a9054b9fe1aadf427afbbd2c157
testing commit 449dc8c97089a6e09fb2dac4d92b1b7ac0eb7c1e with gcc (GCC) 8.4.1 20210217
kernel signature: dcf315b472bd5660cd3609791f1c6eecf7e2d881682a9de498a5ab489730de86
all runs: crashed: WARNING: refcount bug in l2cap_global_chan_by_psm
testing current HEAD e04360a2ea01bf42aa639b65aad81f502e896c7f
testing commit e04360a2ea01bf42aa639b65aad81f502e896c7f with gcc (GCC) 10.2.1 20210217
kernel signature: a036f8c8999bdcd38e0aa08e9cab10d304eb1e228979f93a2166f2fc59ea69d2
all runs: crashed: WARNING: refcount bug in l2cap_global_chan_by_psm
revisions tested: 2, total time: 22m11.916203803s (build: 14m0.024145044s, test: 7m15.173300576s)
the crash still happens on HEAD
commit msg: Merge tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma
crash: WARNING: refcount bug in l2cap_global_chan_by_psm

------------[ cut here ]------------
refcount_t: addition on 0; use-after-free.
WARNING: CPU: 1 PID: 7389 at lib/refcount.c:25 refcount_warn_saturate+0xdd/0x140 lib/refcount.c:25
Modules linked in:
CPU: 1 PID: 7389 Comm: kworker/u5:1 Not tainted 5.13.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: hci3 hci_rx_work
RIP: 0010:refcount_warn_saturate+0xdd/0x140 lib/refcount.c:25
Code: b2 36 fe 06 01 e8 08 6e fa 03 0f 0b eb 9d 80 3d a1 36 fe 06 00 75 94 48 c7 c7 40 78 33 88 c6 05 91 36 fe 06 01 e8 e8 6d fa 03 <0f> 0b e9 7a ff ff ff 80 3d 7b 36 fe 06 00 0f 85 6d ff ff ff 48 c7
RSP: 0018:ffffc90004ca7988 EFLAGS: 00010282
RAX: 0000000000000000 RBX: ffff8881269df018 RCX: 0000000000000000
RDX: 0000000000000002 RSI: ffffffff8833b220 RDI: fffff52000994f23
RBP: 0000000000000002 R08: 0000000000000001 R09: ffff8881f6530e07
R10: ffffed103eca61c0 R11: 746e756f63666572 R12: dffffc0000000000
R13: 0000000000000001 R14: ffff8881269df021 R15: ffffffff8a431b08
FS:  0000000000000000(0000) GS:ffff8881f6500000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000027c7808 CR3: 000000010465c000 CR4: 0000000000350ee0
Call Trace:
 __refcount_add include/linux/refcount.h:199 [inline]
 __refcount_inc include/linux/refcount.h:250 [inline]
 refcount_inc include/linux/refcount.h:267 [inline]
 kref_get include/linux/kref.h:45 [inline]
 l2cap_chan_hold net/bluetooth/l2cap_core.c:497 [inline]
 l2cap_global_chan_by_psm+0x35a/0x3c0 net/bluetooth/l2cap_core.c:1986
 l2cap_conless_channel net/bluetooth/l2cap_core.c:7611 [inline]
 l2cap_recv_frame+0xa1e/0x9ff0 net/bluetooth/l2cap_core.c:7681
 hci_acldata_packet net/bluetooth/hci_core.c:4934 [inline]
 hci_rx_work+0x38f/0x930 net/bluetooth/hci_core.c:5125
 process_one_work+0x84c/0x13e0 kernel/workqueue.c:2276
 worker_thread+0x598/0x1040 kernel/workqueue.c:2422
 kthread+0x38b/0x460 kernel/kthread.c:319
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
irq event stamp: 17419
hardirqs last  enabled at (17441): [] console_unlock+0x72b/0x9c0 kernel/printk/printk.c:2668
hardirqs last disabled at (17462): [] console_unlock+0x62b/0x9c0 kernel/printk/printk.c:2589
softirqs last  enabled at (17484): [] invoke_softirq kernel/softirq.c:432 [inline]
softirqs last  enabled at (17484): [] __irq_exit_rcu kernel/softirq.c:636 [inline]
softirqs last  enabled at (17484): [] irq_exit_rcu+0x229/0x270 kernel/softirq.c:648
softirqs last disabled at (17495): [] invoke_softirq kernel/softirq.c:432 [inline]
softirqs last disabled at (17495): [] __irq_exit_rcu kernel/softirq.c:636 [inline]
softirqs last disabled at (17495): [] irq_exit_rcu+0x229/0x270 kernel/softirq.c:648
---[ end trace c2631ec05ae8f2e3 ]---

------------[ cut here ]------------
refcount_t: underflow; use-after-free.
WARNING: CPU: 1 PID: 7389 at lib/refcount.c:28 refcount_warn_saturate+0x12b/0x140 lib/refcount.c:28
Modules linked in:
CPU: 1 PID: 7389 Comm: kworker/u5:1 Tainted: G W 5.13.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: hci3 hci_rx_work
RIP: 0010:refcount_warn_saturate+0x12b/0x140 lib/refcount.c:28
Code: 6d fa 03 0f 0b e9 53 ff ff ff 48 89 df e8 8d 1e 46 fe e9 23 ff ff ff 48 c7 c7 a0 78 33 88 c6 05 42 36 fe 06 01 e8 9a 6d fa 03 <0f> 0b e9 2c ff ff ff 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 41
RSP: 0018:ffffc90004ca7a70 EFLAGS: 00010286
RAX: 0000000000000000 RBX: ffff8881269df018 RCX: 0000000000000000
RDX: 0000000000000001 RSI: 0000000000000004 RDI: fffff52000994f40
RBP: 0000000000000003 R08: 0000000000000001 R09: ffff8881f652095b
R10: ffffed103eca412b R11: 0000000063666572 R12: ffff8881269df000
R13: ffff8881269df018 R14: ffff888101cc8014 R15: ffff88811b1d4540
FS:  0000000000000000(0000) GS:ffff8881f6500000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000027c7808 CR3: 000000010465c000 CR4: 0000000000350ee0
Call Trace:
 __refcount_sub_and_test include/linux/refcount.h:283 [inline]
 __refcount_dec_and_test include/linux/refcount.h:315 [inline]
 refcount_dec_and_test include/linux/refcount.h:333 [inline]
 kref_put include/linux/kref.h:64 [inline]
 l2cap_chan_put net/bluetooth/l2cap_core.c:504 [inline]
 l2cap_conless_channel net/bluetooth/l2cap_core.c:7634 [inline]
 l2cap_recv_frame+0xb89/0x9ff0 net/bluetooth/l2cap_core.c:7681
 hci_acldata_packet net/bluetooth/hci_core.c:4934 [inline]
 hci_rx_work+0x38f/0x930 net/bluetooth/hci_core.c:5125
 process_one_work+0x84c/0x13e0 kernel/workqueue.c:2276
 worker_thread+0x598/0x1040 kernel/workqueue.c:2422
 kthread+0x38b/0x460 kernel/kthread.c:319
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
irq event stamp: 18831
hardirqs last  enabled at (18847): [] console_unlock+0x72b/0x9c0 kernel/printk/printk.c:2668
hardirqs last disabled at (18876): [] __schedule+0x1162/0x2190 kernel/sched/core.c:5836
softirqs last  enabled at (18872): [] invoke_softirq kernel/softirq.c:432 [inline]
softirqs last  enabled at (18872): [] __irq_exit_rcu kernel/softirq.c:636 [inline]
softirqs last  enabled at (18872): [] irq_exit_rcu+0x229/0x270 kernel/softirq.c:648
softirqs last disabled at (18895): [] invoke_softirq kernel/softirq.c:432 [inline]
softirqs last disabled at (18895): [] __irq_exit_rcu kernel/softirq.c:636 [inline]
softirqs last disabled at (18895): [] irq_exit_rcu+0x229/0x270 kernel/softirq.c:648
---[ end trace c2631ec05ae8f2e4 ]---