[syzbot] BUG: corrupted list in kobject_add_internal (3)


syzbot

Jun 22, 2021, 2:44:22 PM
to gre...@linuxfoundation.org, linux-...@vger.kernel.org, raf...@kernel.org, syzkall...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: a1f92694 Add linux-next specific files for 20210518
git tree: linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=13c97d6fd00000
kernel config: https://syzkaller.appspot.com/x/.config?x=d612e75ffd53a6d3
dashboard link: https://syzkaller.appspot.com/bug?extid=66264bf2fd0476be7e6c
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1369f4d7d00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=16027cd7d00000

Bisection is inconclusive: the issue happens on the oldest tested release.

bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=12359310300000
final oops: https://syzkaller.appspot.com/x/report.txt?x=11359310300000
console output: https://syzkaller.appspot.com/x/log.txt?x=16359310300000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+66264b...@syzkaller.appspotmail.com

list_add double add: new=ffff88802037a420, prev=ffff88802037a420, next=ffff8881400e1000.
------------[ cut here ]------------
kernel BUG at lib/list_debug.c:29!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 8479 Comm: kworker/u5:4 Not tainted 5.13.0-rc2-next-20210518-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: hci5 hci_rx_work
RIP: 0010:__list_add_valid.cold+0x26/0x3c lib/list_debug.c:29
Code: 68 f3 eb fa 4c 89 e1 48 c7 c7 e0 1c e3 89 e8 aa 88 f2 ff 0f 0b 48 89 f2 4c 89 e1 48 89 ee 48 c7 c7 20 1e e3 89 e8 93 88 f2 ff <0f> 0b 48 89 f1 48 c7 c7 a0 1d e3 89 4c 89 e6 e8 7f 88 f2 ff 0f 0b
RSP: 0018:ffffc9000181f7d8 EFLAGS: 00010286
RAX: 0000000000000058 RBX: ffff8881400e1000 RCX: 0000000000000000
RDX: ffff88801f295580 RSI: ffffffff815dbea5 RDI: fffff52000303eed
RBP: ffff88802037a420 R08: 0000000000000058 R09: 0000000000000000
R10: ffffffff815d5cee R11: 0000000000000000 R12: ffff8881400e1000
R13: ffff8880198b1340 R14: ffff88802037a438 R15: ffff88802037a420
FS: 0000000000000000(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000001f16748 CR3: 0000000027b36000 CR4: 00000000001506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
__list_add include/linux/list.h:67 [inline]
list_add_tail include/linux/list.h:100 [inline]
kobj_kset_join lib/kobject.c:196 [inline]
kobject_add_internal+0x18d/0xa60 lib/kobject.c:246
kobject_add_varg lib/kobject.c:390 [inline]
kobject_add+0x150/0x1c0 lib/kobject.c:442
device_add+0x36a/0x2100 drivers/base/core.c:3253
hci_conn_add_sysfs+0x97/0x190 net/bluetooth/hci_sysfs.c:53
hci_sync_conn_complete_evt.isra.0+0x54a/0x810 net/bluetooth/hci_event.c:4390
hci_event_packet+0xf32/0x7c50 net/bluetooth/hci_event.c:6278
hci_rx_work+0x4f8/0xd30 net/bluetooth/hci_core.c:5115
process_one_work+0x98d/0x1600 kernel/workqueue.c:2275
worker_thread+0x64c/0x1120 kernel/workqueue.c:2421
kthread+0x3b1/0x4a0 kernel/kthread.c:313
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294
Modules linked in:
---[ end trace 47d0cc8ab1bc8524 ]---
RIP: 0010:__list_add_valid.cold+0x26/0x3c lib/list_debug.c:29
Code: 68 f3 eb fa 4c 89 e1 48 c7 c7 e0 1c e3 89 e8 aa 88 f2 ff 0f 0b 48 89 f2 4c 89 e1 48 89 ee 48 c7 c7 20 1e e3 89 e8 93 88 f2 ff <0f> 0b 48 89 f1 48 c7 c7 a0 1d e3 89 4c 89 e6 e8 7f 88 f2 ff 0f 0b
RSP: 0018:ffffc9000181f7d8 EFLAGS: 00010286
RAX: 0000000000000058 RBX: ffff8881400e1000 RCX: 0000000000000000
RDX: ffff88801f295580 RSI: ffffffff815dbea5 RDI: fffff52000303eed
RBP: ffff88802037a420 R08: 0000000000000058 R09: 0000000000000000
R10: ffffffff815d5cee R11: 0000000000000000 R12: ffff8881400e1000
R13: ffff8880198b1340 R14: ffff88802037a438 R15: ffff88802037a420
FS: 0000000000000000(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000001f16748 CR3: 000000000be8e000 CR4: 00000000001506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches

Desmond Cheong Zhi Xi

Jun 24, 2021, 8:58:09 AM
to syzbot, syzkall...@googlegroups.com
#syz test:
git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

Because of the area of code being tested and similarities in the repro,
I suspect that we might still hit either

inconsistent lock state in sco_sock_timeout:
https://syzkaller.appspot.com/bug?id=9089d89de0502e120f234ca0fc8a703f7368b31e

or BUG: sleeping function called from invalid context in
lock_sock_nested (2):
https://syzkaller.appspot.com/bug?id=42449ffe0b47ac85234265954c8004ec7fa2a83c

Best,
Desmond
0001-Bluetooth-skip-invalid-hci_sync_conn_complete-events.patch

syzbot

Jun 24, 2021, 9:10:10 AM
to desmond...@gmail.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
inconsistent lock state in sco_sock_timeout

================================
WARNING: inconsistent lock state
5.13.0-rc7-syzkaller #0 Not tainted
--------------------------------
inconsistent {SOFTIRQ-ON-W} -> {IN-SOFTIRQ-W} usage.
syz-executor.4/10549 [HC0[0]:SC1[1]:HE1:SE0] takes:
ffff888033ab20a0 (slock-AF_BLUETOOTH-BTPROTO_SCO){+.?.}-{2:2}, at: spin_lock include/linux/spinlock.h:354 [inline]
ffff888033ab20a0 (slock-AF_BLUETOOTH-BTPROTO_SCO){+.?.}-{2:2}, at: sco_sock_timeout+0x33/0x1b0 net/bluetooth/sco.c:83
{SOFTIRQ-ON-W} state was registered at:
lock_acquire kernel/locking/lockdep.c:5512 [inline]
lock_acquire+0x1ab/0x740 kernel/locking/lockdep.c:5477
__raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
_raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:151
spin_lock include/linux/spinlock.h:354 [inline]
sco_conn_ready net/bluetooth/sco.c:1087 [inline]
sco_connect_cfm+0x149/0x930 net/bluetooth/sco.c:1177
hci_connect_cfm include/net/bluetooth/hci_core.h:1484 [inline]
hci_sync_conn_complete_evt.isra.0+0x2b7/0x830 net/bluetooth/hci_event.c:4420
hci_event_packet+0xf41/0x7d60 net/bluetooth/hci_event.c:6271
hci_rx_work+0x511/0xd30 net/bluetooth/hci_core.c:5098
process_one_work+0x98d/0x1600 kernel/workqueue.c:2276
worker_thread+0x64c/0x1120 kernel/workqueue.c:2422
kthread+0x3b1/0x4a0 kernel/kthread.c:313
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294
irq event stamp: 188
hardirqs last enabled at (188): [<ffffffff89200c02>] asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:647
hardirqs last disabled at (187): [<ffffffff8916d14b>] sysvec_apic_timer_interrupt+0xb/0xc0 arch/x86/kernel/apic/apic.c:1100
softirqs last enabled at (0): [<ffffffff8143a667>] copy_process+0x1d77/0x7120 kernel/fork.c:2062
softirqs last disabled at (167): [<ffffffff8145d326>] invoke_softirq kernel/softirq.c:433 [inline]
softirqs last disabled at (167): [<ffffffff8145d326>] __irq_exit_rcu+0x136/0x200 kernel/softirq.c:637

other info that might help us debug this:
Possible unsafe locking scenario:

CPU0
----
lock(slock-AF_BLUETOOTH-BTPROTO_SCO);
<Interrupt>
lock(slock-AF_BLUETOOTH-BTPROTO_SCO);

*** DEADLOCK ***

1 lock held by syz-executor.4/10549:
#0: ffffc90000dc0d70 ((&sk->sk_timer)){+.-.}-{0:0}, at: lockdep_copy_map include/linux/lockdep.h:35 [inline]
#0: ffffc90000dc0d70 ((&sk->sk_timer)){+.-.}-{0:0}, at: call_timer_fn+0xd5/0x6b0 kernel/time/timer.c:1421

stack backtrace:
CPU: 1 PID: 10549 Comm: syz-executor.4 Not tainted 5.13.0-rc7-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:79 [inline]
dump_stack+0x141/0x1d7 lib/dump_stack.c:120
print_usage_bug kernel/locking/lockdep.c:203 [inline]
valid_state kernel/locking/lockdep.c:3820 [inline]
mark_lock_irq kernel/locking/lockdep.c:4023 [inline]
mark_lock.cold+0x61/0x8e kernel/locking/lockdep.c:4480
mark_usage kernel/locking/lockdep.c:4375 [inline]
__lock_acquire+0x11aa/0x5230 kernel/locking/lockdep.c:4856
lock_acquire kernel/locking/lockdep.c:5512 [inline]
lock_acquire+0x1ab/0x740 kernel/locking/lockdep.c:5477
__raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
_raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:151
spin_lock include/linux/spinlock.h:354 [inline]
sco_sock_timeout+0x33/0x1b0 net/bluetooth/sco.c:83
call_timer_fn+0x1a5/0x6b0 kernel/time/timer.c:1431
expire_timers kernel/time/timer.c:1476 [inline]
__run_timers.part.0+0x67c/0xa50 kernel/time/timer.c:1745
__run_timers kernel/time/timer.c:1726 [inline]
run_timer_softirq+0xb3/0x1d0 kernel/time/timer.c:1758
__do_softirq+0x29b/0x9f6 kernel/softirq.c:559
invoke_softirq kernel/softirq.c:433 [inline]
__irq_exit_rcu+0x136/0x200 kernel/softirq.c:637
irq_exit_rcu+0x5/0x20 kernel/softirq.c:649
sysvec_apic_timer_interrupt+0x93/0xc0 arch/x86/kernel/apic/apic.c:1100
</IRQ>
asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:647
RIP: 0010:__raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:161 [inline]
RIP: 0010:_raw_spin_unlock_irqrestore+0x38/0x70 kernel/locking/spinlock.c:191
Code: 74 24 10 e8 1a e7 40 f8 48 89 ef e8 b2 5f 41 f8 81 e3 00 02 00 00 75 25 9c 58 f6 c4 02 75 2d 48 85 db 74 01 fb bf 01 00 00 00 <e8> 23 55 35 f8 65 8b 05 1c 57 e8 76 85 c0 74 0a 5b 5d c3 e8 00 50
RSP: 0018:ffffc9000baf7a38 EFLAGS: 00000206
RAX: 0000000000000006 RBX: 0000000000000200 RCX: 1ffffffff1a92811
RDX: 0000000000000000 RSI: 0000000000000002 RDI: 0000000000000001
RBP: ffff8880340d0918 R08: 0000000000000001 R09: 0000000000000001
R10: ffffffff817ae8e8 R11: 0000000000000001 R12: 0000000000000202
R13: ffff8880340d0918 R14: ffff8880b9c35640 R15: ffff8880340d0048
try_to_wake_up+0x618/0x14b0 kernel/sched/core.c:3485
wake_up_process kernel/sched/core.c:3552 [inline]
wake_up_q+0x96/0x100 kernel/sched/core.c:597
futex_wake+0x3e9/0x490 kernel/futex.c:1634
do_futex+0x2a1/0x1750 kernel/futex.c:3737
__do_sys_futex kernel/futex.c:3805 [inline]
__se_sys_futex kernel/futex.c:3786 [inline]
__x64_sys_futex+0x1c6/0x4f0 kernel/futex.c:3786
do_syscall_64+0x3a/0xb0 arch/x86/entry/common.c:47
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x4665d9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f3c77a18218 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: ffffffffffffffda RBX: 000000000056bf88 RCX: 00000000004665d9
RDX: 00000000000f4240 RSI: 0000000000000081 RDI: 000000000056bf8c
RBP: 000000000056bf80 R08: 000000000000000e R09: 0000000000000000
R10: 0000000000000004 R11: 0000000000000246 R12: 000000000056bf8c
R13: 00007fff00ae88cf R14: 00007f3c77a18300 R15: 0000000000022000


Tested on:

commit: 7426cedc Merge tag 'spi-fix-v5.13-rc7' of git://git.kernel..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=106158b4300000
kernel config: https://syzkaller.appspot.com/x/.config?x=3932cedd2c2d4a69
dashboard link: https://syzkaller.appspot.com/bug?extid=66264bf2fd0476be7e6c
compiler:
patch: https://syzkaller.appspot.com/x/patch.diff?x=1440e064300000

Desmond Cheong Zhi Xi

Jul 19, 2021, 7:14:42 AM
to syzbot, syzkall...@googlegroups.com
Testing the patch for this bug, but also adding on the proposed patch to
handle the inconsistent lock state.

Best,
Desmond
test.diff

syzbot

Jul 19, 2021, 8:22:08 AM
to desmond...@gmail.com, syzkall...@googlegroups.com
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

patch is already applied


Tested on:

commit: 2734d6c1 Linux 5.14-rc2
git tree: upstream
patch: https://syzkaller.appspot.com/x/patch.diff?x=15d3565c300000

Desmond Cheong Zhi Xi

Jul 19, 2021, 9:14:35 AM
to syzbot, syzkall...@googlegroups.com
Previous diff didn't apply properly.

Best,
Desmond
test.diff

syzbot

Jul 19, 2021, 9:34:09 AM
to desmond...@gmail.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+66264b...@syzkaller.appspotmail.com

Tested on:

commit: 2734d6c1 Linux 5.14-rc2
git tree: upstream
kernel config: https://syzkaller.appspot.com/x/.config?x=645f71be8c205e5e
patch: https://syzkaller.appspot.com/x/patch.diff?x=1465a8f8300000

Note: testing is done by a robot and is best-effort only.

Desmond Cheong Zhi Xi

Aug 4, 2021, 12:45:32 AM
to syzbot, syzkall...@googlegroups.com
#syz test:
git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next.git master

Testing the fix for another bug that's caught by this reproducer.

Best,
Desmond
0001-Bluetooth-schedule-SCO-timeouts-with-delayed_work.patch

syzbot

Aug 4, 2021, 3:21:09 AM
to desmond...@gmail.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+66264b...@syzkaller.appspotmail.com

Tested on:

commit: 654e6f77 Bluetooth: btusb: Enable MSFT extension for M..
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next.git master
kernel config: https://syzkaller.appspot.com/x/.config?x=f33f0d2f032e926b
dashboard link: https://syzkaller.appspot.com/bug?extid=66264bf2fd0476be7e6c
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.1
patch: https://syzkaller.appspot.com/x/patch.diff?x=11b145c6300000