bisecting fixing commit since 449dc8c97089a6e09fb2dac4d92b1b7ac0eb7c1e
building syzkaller on f721e4a097714a9054b9fe1aadf427afbbd2c157
testing commit 449dc8c97089a6e09fb2dac4d92b1b7ac0eb7c1e with gcc (GCC) 8.1.0
kernel signature: 7093320e357a3e3e0753632e69759a4365e532d2f47708c1548fd5ff24ed1177
all runs: crashed: WARNING: refcount bug in l2cap_global_chan_by_psm
testing current HEAD 34d4ddd359dbcdf6c5fb3f85a179243d7a1cb7f8
testing commit 34d4ddd359dbcdf6c5fb3f85a179243d7a1cb7f8 with gcc (GCC) 8.1.0
kernel signature: 3ed24061bc7f62299769db4811c18c3e69b2c27844086c482bbcc2d69a223983
all runs: crashed: WARNING: refcount bug in l2cap_global_chan_by_psm
revisions tested: 2, total time: 17m20.502574295s (build: 10m4.433539031s, test: 6m42.620789899s)
the crash still happens on HEAD
commit msg: Merge tag 'linux-kselftest-5.9-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest
crash: WARNING: refcount bug in l2cap_global_chan_by_psm
------------[ cut here ]------------
refcount_t: addition on 0; use-after-free.
WARNING: CPU: 1 PID: 8245 at lib/refcount.c:25 refcount_warn_saturate+0x80/0xe0 lib/refcount.c:25
Kernel panic - not syncing: panic_on_warn set ...
CPU: 1 PID: 8245 Comm: kworker/u5:3 Not tainted 5.9.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: hci2 hci_rx_work
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0xa3/0xcc lib/dump_stack.c:118
 panic+0x135/0x31a kernel/panic.c:231
 __warn.cold.13+0x20/0x25 kernel/panic.c:600
 report_bug+0xc0/0xf0 lib/bug.c:198
 handle_bug+0x35/0x90 arch/x86/kernel/traps.c:234
 exc_invalid_op+0x13/0x60 arch/x86/kernel/traps.c:254
 asm_exc_invalid_op+0x12/0x20 arch/x86/include/asm/idtentry.h:536
RIP: 0010:refcount_warn_saturate+0x80/0xe0 lib/refcount.c:25
Code: 05 8d 35 91 02 01 e8 3a 8b 4f ff 0f 0b c3 80 3d 7d 35 91 02 00 75 b8 48 c7 c7 38 65 f1 83 c6 05 6d 35 91 02 01 e8 1b 8b 4f ff <0f> 0b c3 80 3d 60 35 91 02 00 75 99 48 c7 c7 10 65 f1 83 c6 05 50
RSP: 0018:ffffc90000eb3cc8 EFLAGS: 00010282
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000002
RDX: 0000000080000002 RSI: ffffffff8401d1c9 RDI: 00000000ffffffff
RBP: ffff88810f77f000 R08: 0000000000000001 R09: 0000000000000001
R10: ffff88810f3ac180 R11: 0dafe73bccca87f3 R12: 0000000000000000
R13: 0000000000000001 R14: ffffffff84559d08 R15: 0000000000000000
 refcount_add include/linux/refcount.h:204 [inline]
 refcount_inc include/linux/refcount.h:241 [inline]
 kref_get include/linux/kref.h:45 [inline]
 l2cap_chan_hold net/bluetooth/l2cap_core.c:495 [inline]
 l2cap_global_chan_by_psm+0x1f8/0x220 net/bluetooth/l2cap_core.c:1978
 l2cap_conless_channel net/bluetooth/l2cap_core.c:7595 [inline]
 l2cap_recv_frame+0x532/0x2b70 net/bluetooth/l2cap_core.c:7665
 hci_acldata_packet net/bluetooth/hci_core.c:4703 [inline]
 hci_rx_work+0x1d3/0x500 net/bluetooth/hci_core.c:4894
 process_one_work+0x26a/0x5f0 kernel/workqueue.c:2269
 worker_thread+0x38/0x380 kernel/workqueue.c:2415
 kthread+0x148/0x170 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294
Kernel Offset: disabled
Rebooting in 86400 seconds..