KASAN: use-after-free Write in hci_sock_bind (2)


syzbot

Mar 2, 2020, 12:14:12 AM
to da...@davemloft.net, johan....@gmail.com, ku...@kernel.org, linux-b...@vger.kernel.org, linux-...@vger.kernel.org, mar...@holtmann.org, net...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: f8788d86 Linux 5.6-rc3
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=120cfd29e00000
kernel config: https://syzkaller.appspot.com/x/.config?x=9833e26bab355358
dashboard link: https://syzkaller.appspot.com/bug?extid=04e804c8c2224b6a9497
compiler: gcc (GCC) 9.0.0 20181231 (experimental)

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+04e804...@syzkaller.appspotmail.com

==================================================================
BUG: KASAN: use-after-free in atomic_inc include/asm-generic/atomic-instrumented.h:239 [inline]
BUG: KASAN: use-after-free in hci_sock_bind+0x642/0x12d0 net/bluetooth/hci_sock.c:1250
Write of size 4 at addr ffff888040ed9078 by task syz-executor.2/21693

CPU: 1 PID: 21693 Comm: syz-executor.2 Not tainted 5.6.0-rc3-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x197/0x210 lib/dump_stack.c:118
print_address_description.constprop.0.cold+0xd4/0x30b mm/kasan/report.c:374
__kasan_report.cold+0x1b/0x32 mm/kasan/report.c:506
kasan_report+0x12/0x20 mm/kasan/common.c:641
check_memory_region_inline mm/kasan/generic.c:185 [inline]
check_memory_region+0x134/0x1a0 mm/kasan/generic.c:192
__kasan_check_write+0x14/0x20 mm/kasan/common.c:101
atomic_inc include/asm-generic/atomic-instrumented.h:239 [inline]
hci_sock_bind+0x642/0x12d0 net/bluetooth/hci_sock.c:1250
__sys_bind+0x239/0x290 net/socket.c:1662
__do_sys_bind net/socket.c:1673 [inline]
__se_sys_bind net/socket.c:1671 [inline]
__x64_sys_bind+0x73/0xb0 net/socket.c:1671
do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x45c449
Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007fef96e6bc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000031
RAX: ffffffffffffffda RBX: 00007fef96e6c6d4 RCX: 000000000045c449
RDX: 0000000000000006 RSI: 00000000200007c0 RDI: 0000000000000006
RBP: 000000000076bf20 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 000000000000002c R14: 00000000004c28c9 R15: 000000000076bf2c

Allocated by task 21692:
save_stack+0x23/0x90 mm/kasan/common.c:72
set_track mm/kasan/common.c:80 [inline]
__kasan_kmalloc mm/kasan/common.c:515 [inline]
__kasan_kmalloc.constprop.0+0xcf/0xe0 mm/kasan/common.c:488
kasan_kmalloc+0x9/0x10 mm/kasan/common.c:529
kmem_cache_alloc_trace+0x158/0x790 mm/slab.c:3551
kmalloc include/linux/slab.h:555 [inline]
kzalloc include/linux/slab.h:669 [inline]
hci_alloc_dev+0x43/0x1e20 net/bluetooth/hci_core.c:3249
__vhci_create_device+0x101/0x5d0 drivers/bluetooth/hci_vhci.c:99
vhci_create_device drivers/bluetooth/hci_vhci.c:148 [inline]
vhci_get_user drivers/bluetooth/hci_vhci.c:205 [inline]
vhci_write+0x2d0/0x470 drivers/bluetooth/hci_vhci.c:285
call_write_iter include/linux/fs.h:1901 [inline]
new_sync_write+0x4d3/0x770 fs/read_write.c:483
__vfs_write+0xe1/0x110 fs/read_write.c:496
vfs_write+0x268/0x5d0 fs/read_write.c:558
ksys_write+0x14f/0x290 fs/read_write.c:611
__do_sys_write fs/read_write.c:623 [inline]
__se_sys_write fs/read_write.c:620 [inline]
__x64_sys_write+0x73/0xb0 fs/read_write.c:620
do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294
entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 21688:
save_stack+0x23/0x90 mm/kasan/common.c:72
set_track mm/kasan/common.c:80 [inline]
kasan_set_free_info mm/kasan/common.c:337 [inline]
__kasan_slab_free+0x102/0x150 mm/kasan/common.c:476
kasan_slab_free+0xe/0x10 mm/kasan/common.c:485
__cache_free mm/slab.c:3426 [inline]
kfree+0x10a/0x2c0 mm/slab.c:3757
bt_host_release+0x19/0x30 net/bluetooth/hci_sysfs.c:86
device_release+0x7a/0x210 drivers/base/core.c:1358
kobject_cleanup lib/kobject.c:693 [inline]
kobject_release lib/kobject.c:722 [inline]
kref_put include/linux/kref.h:65 [inline]
kobject_put+0x1ff/0x2e0 lib/kobject.c:739
put_device+0x20/0x30 drivers/base/core.c:2586
hci_free_dev+0x19/0x20 net/bluetooth/hci_core.c:3345
vhci_release+0x7e/0xf0 drivers/bluetooth/hci_vhci.c:341
__fput+0x2ff/0x890 fs/file_table.c:280
____fput+0x16/0x20 fs/file_table.c:313
task_work_run+0x145/0x1c0 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:188 [inline]
exit_to_usermode_loop+0x316/0x380 arch/x86/entry/common.c:164
prepare_exit_to_usermode arch/x86/entry/common.c:195 [inline]
syscall_return_slowpath arch/x86/entry/common.c:278 [inline]
do_syscall_64+0x676/0x790 arch/x86/entry/common.c:304
entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at ffff888040ed8000
which belongs to the cache kmalloc-8k of size 8192
The buggy address is located 4216 bytes inside of
8192-byte region [ffff888040ed8000, ffff888040eda000)
The buggy address belongs to the page:
page:ffffea000103b600 refcount:1 mapcount:0 mapping:ffff8880aa4021c0 index:0x0 compound_mapcount: 0
flags: 0xfffe0000010200(slab|head)
raw: 00fffe0000010200 ffffea0000fe6b08 ffffea0000fb5408 ffff8880aa4021c0
raw: 0000000000000000 ffff888040ed8000 0000000100000001 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff888040ed8f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888040ed8f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888040ed9000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff888040ed9080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888040ed9100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
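The report above carries everything needed to sanity-check it by hand: the faulting address, the slab region the object lives in, the stated offset of 4216 bytes, and a shadow dump whose bytes are all fb, the marker KASAN writes over a freed slab object. The Python below is an added triage helper, not code from syzbot or from anyone in this thread; it parses those lines from a condensed excerpt of the report and checks that they agree with one another. The marker values are the generic-KASAN constants from mm/kasan/kasan.h; the table of which marker each bug class is expected to hit is this example's own assumption.

```python
"""Triage helper for KASAN slab reports (an added example, not code from the syzbot thread).
Cross-checks the address, slab-region and shadow-memory lines of a report against each
other; the shadow byte covering the faulting address must match the reported bug class.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

GRANULE = 8  # bytes of memory described by one shadow byte (generic KASAN)
# Shadow markers from mm/kasan/kasan.h; values 0x00..0x07 mean a (partially) addressable granule.
SHADOW_MEANING = {0xfb: "KASAN_KMALLOC_FREE (freed slab object)",
                  0xfc: "KASAN_KMALLOC_REDZONE (slab object redzone)",
                  0xfe: "KASAN_PAGE_REDZONE (kmalloc_large redzone)",
                  0xff: "KASAN_FREE_PAGE (freed page)"}
# Marker each bug class should land on (this example's own table); a mismatch needs a closer look.
EXPECTED_SHADOW = {"use-after-free": {0xfb, 0xff}, "slab-out-of-bounds": {0xfc}}

# Condensed excerpt of the first report in this thread (call traces omitted).
SAMPLE_REPORT = """\
BUG: KASAN: use-after-free in atomic_inc include/asm-generic/atomic-instrumented.h:239 [inline]
BUG: KASAN: use-after-free in hci_sock_bind+0x642/0x12d0 net/bluetooth/hci_sock.c:1250
Write of size 4 at addr ffff888040ed9078 by task syz-executor.2/21693
The buggy address belongs to the object at ffff888040ed8000
which belongs to the cache kmalloc-8k of size 8192
The buggy address is located 4216 bytes inside of
8192-byte region [ffff888040ed8000, ffff888040eda000)
Memory state around the buggy address:
ffff888040ed8f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888040ed8f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888040ed9000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888040ed9080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
"""

@dataclass
class KasanReport:
    bug_type: str
    function: str                 # frame KASAN attributes the access to (last BUG: line)
    access: str                   # "Read" or "Write"
    size: int
    addr: int
    task: str
    region_start: int
    region_end: int
    cache: str
    cache_size: int
    offset: int                   # offset into the object as printed by KASAN
    shadow: Dict[int, List[int]]  # shadow row base address -> its 16 shadow bytes
    marked_row: Optional[int]     # base of the row KASAN prefixed with '>'

def parse_kasan_report(text: str) -> KasanReport:
    """Extract the fields of a KASAN slab report; raise ValueError if one is missing."""
    bug = re.findall(r"^BUG: KASAN: (\S+) in (\S+)", text, re.M)
    acc = re.search(r"^(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)", text, re.M)
    cache = re.search(r"^which belongs to the cache (\S+) of size (\d+)", text, re.M)
    loc = re.search(r"^The buggy address is located (\d+) bytes inside of[ \t]*\n"
                    r"[ \t]*(\d+)-byte region \[([0-9a-f]+), ([0-9a-f]+)\)", text, re.M)
    if not (bug and acc and cache and loc):
        raise ValueError("not a complete KASAN slab report")
    shadow, marked = {}, None
    for m in re.finditer(r"^(>?)[ \t]*([0-9a-f]{16}): ((?:[0-9a-f]{2}[ \t]*){16})$", text, re.M):
        base = int(m.group(2), 16)
        shadow[base] = [int(b, 16) for b in m.group(3).split()]
        if m.group(1) == ">":
            marked = base
    bug_type, frame = bug[-1]  # earlier BUG: lines are the [inline] callees of this frame
    return KasanReport(bug_type, frame.split("+")[0], acc.group(1), int(acc.group(2)),
                       int(acc.group(3), 16), acc.group(4), int(loc.group(3), 16),
                       int(loc.group(4), 16), cache.group(1), int(cache.group(2)),
                       int(loc.group(1)), shadow, marked)

def shadow_byte_for(report: KasanReport, addr: int) -> Optional[int]:
    """Shadow byte covering addr, or None when the dump does not include that row."""
    for base, row in report.shadow.items():
        if base <= addr < base + GRANULE * len(row):
            return row[(addr - base) // GRANULE]
    return None

def triage(report: KasanReport) -> Dict[str, object]:
    """Consistency checks on what KASAN printed; any False is a reason to distrust the report."""
    byte = shadow_byte_for(report, report.addr)
    return {
        "addr_in_region": report.region_start <= report.addr < report.region_end,
        "offset_matches": report.addr - report.region_start == report.offset,
        "region_size_matches_cache": report.region_end - report.region_start == report.cache_size,
        "marker_row_correct": report.marked_row is not None
                              and report.marked_row <= report.addr < report.marked_row + 16 * GRANULE,
        "shadow_byte": byte,
        "shadow_meaning": SHADOW_MEANING.get(byte, "addressable or unknown marker"),
        "shadow_consistent": byte in EXPECTED_SHADOW.get(report.bug_type, set()),
    }

if __name__ == "__main__":
    rep = parse_kasan_report(SAMPLE_REPORT)
    print(f"{rep.bug_type}: {rep.access} of {rep.size} bytes in {rep.function}(), "
          f"{rep.cache} object at offset {rep.offset}")
    print(triage(rep))
```

On the excerpt above every check passes: 0xffff888040ed9078 lies 0x1078 = 4216 bytes into the 8192-byte kmalloc-8k region, the row KASAN marked with '>' covers it, and the shadow byte at that address is 0xfb, which is what a use-after-free on a slab object should show. Running the same checks over a report where those numbers disagree (a wrong offset, or an fc redzone marker under a use-after-free headline) is a quick way to spot a truncated or mis-pasted report before spending time on the call trace.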

syzbot

Mar 22, 2020, 6:10:15 PM
to da...@davemloft.net, johan....@gmail.com, ku...@kernel.org, linux-b...@vger.kernel.org, linux-...@vger.kernel.org, mar...@holtmann.org, net...@vger.kernel.org, syzkall...@googlegroups.com
syzbot has found a reproducer for the following crash on:

HEAD commit: 770fbb32 Add linux-next specific files for 20200228
git tree: linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=108618ade00000
kernel config: https://syzkaller.appspot.com/x/.config?x=576314276bce4ad5
dashboard link: https://syzkaller.appspot.com/bug?extid=04e804c8c2224b6a9497
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=11fc5e75e00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=10707013e00000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+04e804...@syzkaller.appspotmail.com

==================================================================
BUG: KASAN: use-after-free in instrument_atomic_write include/linux/instrumented.h:71 [inline]
BUG: KASAN: use-after-free in atomic_inc include/asm-generic/atomic-instrumented.h:240 [inline]
BUG: KASAN: use-after-free in hci_sock_bind+0x591/0x1140 net/bluetooth/hci_sock.c:1250
Write of size 4 at addr ffff888089679078 by task syz-executor918/10028

CPU: 1 PID: 10028 Comm: syz-executor918 Not tainted 5.6.0-rc3-next-20200228-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x188/0x20d lib/dump_stack.c:118
print_address_description.constprop.0.cold+0xd3/0x315 mm/kasan/report.c:374
__kasan_report.cold+0x1a/0x32 mm/kasan/report.c:506
kasan_report+0xe/0x20 mm/kasan/common.c:618
check_memory_region_inline mm/kasan/generic.c:185 [inline]
check_memory_region+0x128/0x190 mm/kasan/generic.c:192
instrument_atomic_write include/linux/instrumented.h:71 [inline]
atomic_inc include/asm-generic/atomic-instrumented.h:240 [inline]
hci_sock_bind+0x591/0x1140 net/bluetooth/hci_sock.c:1250
__sys_bind+0x20e/0x250 net/socket.c:1662
__do_sys_bind net/socket.c:1673 [inline]
__se_sys_bind net/socket.c:1671 [inline]
__x64_sys_bind+0x6f/0xb0 net/socket.c:1671
do_syscall_64+0xf6/0x790 arch/x86/entry/common.c:295
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x4435a9
Code: e8 1c e7 ff ff 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 ab 06 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007ffd328c7b48 EFLAGS: 00000246 ORIG_RAX: 0000000000000031
RAX: ffffffffffffffda RBX: 0000000000000006 RCX: 00000000004435a9
RDX: 0000000000000006 RSI: 0000000020000080 RDI: 0000000000000006
RBP: 0000000000000005 R08: 00000000000003e8 R09: 00000000000003e8
R10: 00000000000003e8 R11: 0000000000000246 R12: 0000000000dc6914
R13: 000000000000000b R14: 0000000000000000 R15: 0000000000000000

Allocated by task 10029:
save_stack+0x1b/0x40 mm/kasan/common.c:49
set_track mm/kasan/common.c:57 [inline]
__kasan_kmalloc mm/kasan/common.c:492 [inline]
__kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:465
kmem_cache_alloc_trace+0x153/0x7d0 mm/slab.c:3551
kmalloc include/linux/slab.h:555 [inline]
kzalloc include/linux/slab.h:669 [inline]
hci_alloc_dev+0x3e/0x1e20 net/bluetooth/hci_core.c:3249
__vhci_create_device+0x100/0x5b0 drivers/bluetooth/hci_vhci.c:99
vhci_create_device drivers/bluetooth/hci_vhci.c:148 [inline]
vhci_get_user drivers/bluetooth/hci_vhci.c:205 [inline]
vhci_write+0x2bf/0x450 drivers/bluetooth/hci_vhci.c:285
call_write_iter include/linux/fs.h:1901 [inline]
new_sync_write+0x49c/0x700 fs/read_write.c:483
__vfs_write+0xc9/0x100 fs/read_write.c:496
vfs_write+0x262/0x5c0 fs/read_write.c:558
ksys_write+0x127/0x250 fs/read_write.c:611
do_syscall_64+0xf6/0x790 arch/x86/entry/common.c:295
entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 10029:
save_stack+0x1b/0x40 mm/kasan/common.c:49
set_track mm/kasan/common.c:57 [inline]
kasan_set_free_info mm/kasan/common.c:314 [inline]
__kasan_slab_free+0xf7/0x140 mm/kasan/common.c:453
__cache_free mm/slab.c:3426 [inline]
kfree+0x109/0x2b0 mm/slab.c:3757
bt_host_release+0x15/0x20 net/bluetooth/hci_sysfs.c:86
device_release+0x71/0x200 drivers/base/core.c:1358
kobject_cleanup lib/kobject.c:693 [inline]
kobject_release lib/kobject.c:722 [inline]
kref_put include/linux/kref.h:65 [inline]
kobject_put+0x1e7/0x2e0 lib/kobject.c:739
put_device+0x1b/0x30 drivers/base/core.c:2586
vhci_release+0x78/0xe0 drivers/bluetooth/hci_vhci.c:341
__fput+0x2da/0x850 fs/file_table.c:280
task_work_run+0x13f/0x1b0 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:188 [inline]
exit_to_usermode_loop+0x2fa/0x360 arch/x86/entry/common.c:165
prepare_exit_to_usermode arch/x86/entry/common.c:196 [inline]
syscall_return_slowpath arch/x86/entry/common.c:279 [inline]
do_syscall_64+0x672/0x790 arch/x86/entry/common.c:305
entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at ffff888089678000
which belongs to the cache kmalloc-8k of size 8192
The buggy address is located 4216 bytes inside of
8192-byte region [ffff888089678000, ffff88808967a000)
The buggy address belongs to the page:
page:ffffea0002259e00 refcount:1 mapcount:0 mapping:00000000baf255d8 index:0x0 head:ffffea0002259e00 order:2 compound_mapcount:0 compound_pincount:0
flags: 0xfffe0000010200(slab|head)
raw: 00fffe0000010200 ffffea0002a19608 ffffea0002500e08 ffff8880aa0021c0
raw: 0000000000000000 ffff888089678000 0000000100000001 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff888089678f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888089678f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888089679000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff888089679080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888089679100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

syzbot

Mar 23, 2020, 3:37:03 AM
to a...@unstable.cc, and...@lunn.ch, b.a.t...@lists.open-mesh.org, da...@davemloft.net, f.fai...@gmail.com, johan....@gmail.com, ku...@kernel.org, linux-b...@vger.kernel.org, linux-...@vger.kernel.org, mar...@holtmann.org, marekl...@neomailbox.ch, net...@vger.kernel.org, s...@simonwunderlich.de, syzkall...@googlegroups.com
syzbot has bisected this bug to:

commit 7d13eca09ed5e477f6ecfd97a35058762228b5e4
Author: Florian Fainelli <f.fai...@gmail.com>
Date: Sat Aug 27 22:34:20 2016 +0000

Documentation: networking: dsa: Remove platform device TODO

bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=1746f3f9e00000
start commit: 770fbb32 Add linux-next specific files for 20200228
git tree: linux-next
final crash: https://syzkaller.appspot.com/x/report.txt?x=14c6f3f9e00000
console output: https://syzkaller.appspot.com/x/log.txt?x=10c6f3f9e00000
Reported-by: syzbot+04e804...@syzkaller.appspotmail.com
Fixes: 7d13eca09ed5 ("Documentation: networking: dsa: Remove platform device TODO")

For information about bisection process see: https://goo.gl/tpsmEJ#bisection

Hillf Danton

Mar 23, 2020, 8:27:58 AM
to syzbot, da...@davemloft.net, johan....@gmail.com, ku...@kernel.org, linux-b...@vger.kernel.org, linux-...@vger.kernel.org, mar...@holtmann.org, net...@vger.kernel.org, syzkall...@googlegroups.com

On Sun, 22 Mar 2020 15:10:13 -0700
> syzbot has found a reproducer for the following crash on:
>
> HEAD commit: 770fbb32 Add linux-next specific files for 20200228
> git tree: linux-next
> dashboard link: https://syzkaller.appspot.com/bug?extid=04e804c8c2224b6a9497
> compiler: gcc (GCC) 9.0.0 20181231 (experimental)
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+04e804...@syzkaller.appspotmail.com
>
> ==================================================================
> BUG: KASAN: use-after-free in instrument_atomic_write include/linux/instrumented.h:71 [inline]
> BUG: KASAN: use-after-free in atomic_inc include/asm-generic/atomic-instrumented.h:240 [inline]
> BUG: KASAN: use-after-free in hci_sock_bind+0x591/0x1140 net/bluetooth/hci_sock.c:1250
> Write of size 4 at addr ffff888089679078 by task syz-executor918/10028
>
> CPU: 1 PID: 10028 Comm: syz-executor918 Not tainted 5.6.0-rc3-next-20200228-syzkaller #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> Call Trace:
> __dump_stack lib/dump_stack.c:77 [inline]
> dump_stack+0x188/0x20d lib/dump_stack.c:118
> print_address_description.constprop.0.cold+0xd3/0x315 mm/kasan/report.c:374
> __kasan_report.cold+0x1a/0x32 mm/kasan/report.c:506
> kasan_report+0xe/0x20 mm/kasan/common.c:618
> check_memory_region_inline mm/kasan/generic.c:185 [inline]
> check_memory_region+0x128/0x190 mm/kasan/generic.c:192
> instrument_atomic_write include/linux/instrumented.h:71 [inline]
> atomic_inc include/asm-generic/atomic-instrumented.h:240 [inline]
> hci_sock_bind+0x591/0x1140 net/bluetooth/hci_sock.c:1250
> __sys_bind+0x20e/0x250 net/socket.c:1662
> __do_sys_bind net/socket.c:1673 [inline]
> __se_sys_bind net/socket.c:1671 [inline]
> __x64_sys_bind+0x6f/0xb0 net/socket.c:1671
> do_syscall_64+0xf6/0x790 arch/x86/entry/common.c:295
> entry_SYSCALL_64_after_hwframe+0x49/0xbe
> RIP: 0033:0x4435a9
> Code: e8 1c e7 ff ff 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 ab 06 fc ff c3 66 2e 0f 1f 84 00 00 00 00
> RSP: 002b:00007ffd328c7b48 EFLAGS: 00000246 ORIG_RAX: 0000000000000031
> RAX: ffffffffffffffda RBX: 0000000000000006 RCX: 00000000004435a9
> RDX: 0000000000000006 RSI: 0000000020000080 RDI: 0000000000000006
> RBP: 0000000000000005 R08: 00000000000003e8 R09: 00000000000003e8
> R10: 00000000000003e8 R11: 0000000000000246 R12: 0000000000dc6914
> R13: 000000000000000b R14: 0000000000000000 R15: 0000000000000000
>
> Allocated by task 10029:
> save_stack+0x1b/0x40 mm/kasan/common.c:49
> set_track mm/kasan/common.c:57 [inline]
> __kasan_kmalloc mm/kasan/common.c:492 [inline]
> __kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:465
> kmem_cache_alloc_trace+0x153/0x7d0 mm/slab.c:3551
> kmalloc include/linux/slab.h:555 [inline]
> kzalloc include/linux/slab.h:669 [inline]
> hci_alloc_dev+0x3e/0x1e20 net/bluetooth/hci_core.c:3249
> __vhci_create_device+0x100/0x5b0 drivers/bluetooth/hci_vhci.c:99
> vhci_create_device drivers/bluetooth/hci_vhci.c:148 [inline]
> vhci_get_user drivers/bluetooth/hci_vhci.c:205 [inline]
> vhci_write+0x2bf/0x450 drivers/bluetooth/hci_vhci.c:285
> call_write_iter include/linux/fs.h:1901 [inline]
> new_sync_write+0x49c/0x700 fs/read_write.c:483
> __vfs_write+0xc9/0x100 fs/read_write.c:496
> vfs_write+0x262/0x5c0 fs/read_write.c:558
> ksys_write+0x127/0x250 fs/read_write.c:611
> do_syscall_64+0xf6/0x790 arch/x86/entry/common.c:295
> entry_SYSCALL_64_after_hwframe+0x49/0xbe
>
> Freed by task 10029:
> save_stack+0x1b/0x40 mm/kasan/common.c:49
> set_track mm/kasan/common.c:57 [inline]
> kasan_set_free_info mm/kasan/common.c:314 [inline]
> __kasan_slab_free+0xf7/0x140 mm/kasan/common.c:453
> __cache_free mm/slab.c:3426 [inline]
> kfree+0x109/0x2b0 mm/slab.c:3757
> bt_host_release+0x15/0x20 net/bluetooth/hci_sysfs.c:86
> device_release+0x71/0x200 drivers/base/core.c:1358
> kobject_cleanup lib/kobject.c:693 [inline]
> kobject_release lib/kobject.c:722 [inline]
> kref_put include/linux/kref.h:65 [inline]
> kobject_put+0x1e7/0x2e0 lib/kobject.c:739
> put_device+0x1b/0x30 drivers/base/core.c:2586
> vhci_release+0x78/0xe0 drivers/bluetooth/hci_vhci.c:341
> __fput+0x2da/0x850 fs/file_table.c:280
> task_work_run+0x13f/0x1b0 kernel/task_work.c:113
> tracehook_notify_resume include/linux/tracehook.h:188 [inline]
> exit_to_usermode_loop+0x2fa/0x360 arch/x86/entry/common.c:165
> prepare_exit_to_usermode arch/x86/entry/common.c:196 [inline]
> syscall_return_slowpath arch/x86/entry/common.c:279 [inline]
> do_syscall_64+0x672/0x790 arch/x86/entry/common.c:305
> entry_SYSCALL_64_after_hwframe+0x49/0xbe
>
> The buggy address belongs to the object at ffff888089678000
> which belongs to the cache kmalloc-8k of size 8192
> The buggy address is located 4216 bytes inside of
> 8192-byte region [ffff888089678000, ffff88808967a000)
> The buggy address belongs to the page:
> page:ffffea0002259e00 refcount:1 mapcount:0 mapping:00000000baf255d8 index:0x0 head:ffffea0002259e00 order:2 compound_mapcount:0 compound_pincount:0
> flags: 0xfffe0000010200(slab|head)
> raw: 00fffe0000010200 ffffea0002a19608 ffffea0002500e08 ffff8880aa0021c0
> raw: 0000000000000000 ffff888089678000 0000000100000001 0000000000000000
> page dumped because: kasan: bad access detected
>
> Memory state around the buggy address:
> ffff888089678f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ffff888089678f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> >ffff888089679000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ^
> ffff888089679080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ffff888089679100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ==================================================================

An hdev derived from hci_dev_get() can be freed using the vhci_fops::release
callback, which indicates a missing hold of hdev on the driver side.

--- a/drivers/bluetooth/hci_vhci.c
+++ b/drivers/bluetooth/hci_vhci.c
@@ -128,6 +128,7 @@ static int __vhci_create_device(struct v
kfree_skb(skb);
return -EBUSY;
}
+ hci_dev_hold(hdev);

hci_skb_pkt_type(skb) = HCI_VENDOR_PKT;
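Review bot: the reference taken here is never released: hci_dev_hold(hdev) is added to __vhci_create_device() with no matching hci_dev_put() anywhere in the patch, so once created the hdev can no longer reach refcount zero and is leaked instead of freed. The balancing put belongs in the release path the freed-by trace shows (vhci_release() -> hci_free_dev() -> put_device(), drivers/bluetooth/hci_vhci.c:341). The commit message should also say why the reference hci_dev_get() already takes in hci_sock_bind() does not keep hdev alive across the atomic_inc() at net/bluetooth/hci_sock.c:1250; if it should, an extra driver-side hold only hides a get/put imbalance elsewhere rather than fixing it. Both of syzbot's test runs on this patch below ended in build/boot failures unrelated to the diff (RCU-list warnings from linux-next and a truncated build log), so the change has not yet been exercised against the C reproducer.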


syzbot

Mar 28, 2020, 6:57:03 AM
to anen...@gmail.com, syzkall...@googlegroups.com
Hello,

syzbot tried to test the proposed patch but build/boot failed:

WARNING: suspicious RCU usage in ovs_ct_exit

=============================
WARNING: suspicious RCU usage
5.6.0-rc7-next-20200327-syzkaller #0 Not tainted
-----------------------------
net/openvswitch/conntrack.c:1898 RCU-list traversed in non-reader section!!

other info that might help us debug this:


rcu_scheduler_active = 2, debug_locks = 1
3 locks held by kworker/u4:3/129:
#0: ffff8880a977e138 ((wq_completion)netns){+.+.}-{0:0}, at: __write_once_size include/linux/compiler.h:250 [inline]
#0: ffff8880a977e138 ((wq_completion)netns){+.+.}-{0:0}, at: arch_atomic64_set arch/x86/include/asm/atomic64_64.h:34 [inline]
#0: ffff8880a977e138 ((wq_completion)netns){+.+.}-{0:0}, at: atomic64_set include/asm-generic/atomic-instrumented.h:856 [inline]
#0: ffff8880a977e138 ((wq_completion)netns){+.+.}-{0:0}, at: atomic_long_set include/asm-generic/atomic-long.h:41 [inline]
#0: ffff8880a977e138 ((wq_completion)netns){+.+.}-{0:0}, at: set_work_data kernel/workqueue.c:615 [inline]
#0: ffff8880a977e138 ((wq_completion)netns){+.+.}-{0:0}, at: set_work_pool_and_clear_pending kernel/workqueue.c:642 [inline]
#0: ffff8880a977e138 ((wq_completion)netns){+.+.}-{0:0}, at: process_one_work+0x844/0x16a0 kernel/workqueue.c:2237
#1: ffffc90001367dc0 (net_cleanup_work){+.+.}-{0:0}, at: process_one_work+0x878/0x16a0 kernel/workqueue.c:2241
#2: ffffffff8a569bb0 (pernet_ops_rwsem){++++}-{3:3}, at: cleanup_net+0x9b/0xa50 net/core/net_namespace.c:551

stack backtrace:
CPU: 0 PID: 129 Comm: kworker/u4:3 Not tainted 5.6.0-rc7-next-20200327-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: netns cleanup_net
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x188/0x20d lib/dump_stack.c:118
ovs_ct_limit_exit net/openvswitch/conntrack.c:1898 [inline]
ovs_ct_exit+0x3db/0x558 net/openvswitch/conntrack.c:2295
ovs_exit_net+0x1df/0xba0 net/openvswitch/datapath.c:2469
ops_exit_list.isra.0+0xa8/0x150 net/core/net_namespace.c:172
cleanup_net+0x511/0xa50 net/core/net_namespace.c:589
process_one_work+0x965/0x16a0 kernel/workqueue.c:2266
worker_thread+0x96/0xe20 kernel/workqueue.c:2412
kthread+0x388/0x470 kernel/kthread.c:268
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
tipc: TX() has been purged, node left!

=============================
WARNING: suspicious RCU usage
5.6.0-rc7-next-20200327-syzkaller #0 Not tainted
-----------------------------
net/ipv4/ipmr.c:1757 RCU-list traversed in non-reader section!!

other info that might help us debug this:


rcu_scheduler_active = 2, debug_locks = 1
4 locks held by kworker/u4:3/129:
#0: ffff8880a977e138 ((wq_completion)netns){+.+.}-{0:0}, at: __write_once_size include/linux/compiler.h:250 [inline]
#0: ffff8880a977e138 ((wq_completion)netns){+.+.}-{0:0}, at: arch_atomic64_set arch/x86/include/asm/atomic64_64.h:34 [inline]
#0: ffff8880a977e138 ((wq_completion)netns){+.+.}-{0:0}, at: atomic64_set include/asm-generic/atomic-instrumented.h:856 [inline]
#0: ffff8880a977e138 ((wq_completion)netns){+.+.}-{0:0}, at: atomic_long_set include/asm-generic/atomic-long.h:41 [inline]
#0: ffff8880a977e138 ((wq_completion)netns){+.+.}-{0:0}, at: set_work_data kernel/workqueue.c:615 [inline]
#0: ffff8880a977e138 ((wq_completion)netns){+.+.}-{0:0}, at: set_work_pool_and_clear_pending kernel/workqueue.c:642 [inline]
#0: ffff8880a977e138 ((wq_completion)netns){+.+.}-{0:0}, at: process_one_work+0x844/0x16a0 kernel/workqueue.c:2237
#1: ffffc90001367dc0 (net_cleanup_work){+.+.}-{0:0}, at: process_one_work+0x878/0x16a0 kernel/workqueue.c:2241
#2: ffffffff8a569bb0 (pernet_ops_rwsem){++++}-{3:3}, at: cleanup_net+0x9b/0xa50 net/core/net_namespace.c:551
#3: ffffffff8a575aa8 (rtnl_mutex){+.+.}-{3:3}, at: ip6gre_exit_batch_net+0x88/0x700 net/ipv6/ip6_gre.c:1602

stack backtrace:
CPU: 0 PID: 129 Comm: kworker/u4:3 Not tainted 5.6.0-rc7-next-20200327-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: netns cleanup_net
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x188/0x20d lib/dump_stack.c:118
ipmr_device_event+0x240/0x2b0 net/ipv4/ipmr.c:1757
notifier_call_chain+0xc0/0x230 kernel/notifier.c:83
call_netdevice_notifiers_info net/core/dev.c:1948 [inline]
call_netdevice_notifiers_info+0xb5/0x130 net/core/dev.c:1933
call_netdevice_notifiers_extack net/core/dev.c:1960 [inline]
call_netdevice_notifiers net/core/dev.c:1974 [inline]
rollback_registered_many+0x75c/0xe70 net/core/dev.c:8810
unregister_netdevice_many.part.0+0x16/0x1e0 net/core/dev.c:9970
unregister_netdevice_many+0x36/0x50 net/core/dev.c:9969
ip6gre_exit_batch_net+0x4e8/0x700 net/ipv6/ip6_gre.c:1605
ops_exit_list.isra.0+0x103/0x150 net/core/net_namespace.c:175
cleanup_net+0x511/0xa50 net/core/net_namespace.c:589
process_one_work+0x965/0x16a0 kernel/workqueue.c:2266
worker_thread+0x96/0xe20 kernel/workqueue.c:2412
kthread+0x388/0x470 kernel/kthread.c:268
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352


[  OK  ] Started Getty on tty4.
[  OK  ] Started Getty on tty3.
[  OK  ] Started Getty on tty2.
[  OK  ] Started Getty on tty1.
[  OK  ] Started Serial Getty on ttyS0.
[  OK  ] Reached target Login Prompts.
[  OK  ] Reached target Multi-User System.
[  OK  ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[  OK  ] Started Update UTMP about System Runlevel Changes.
Starting Load/Save RF Kill Switch Status...


Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.1.1' (ECDSA) to the list of known hosts.
2020/03/28 10:55:58 fuzzer started
syzkaller login: [ 60.669712][ T7032] as (7032) used greatest stack depth: 23072 bytes left
2020/03/28 10:55:59 connecting to host at 10.128.0.26:40423
2020/03/28 10:55:59 checking machine...
2020/03/28 10:55:59 checking revisions...
2020/03/28 10:55:59 testing simple program...
[ 61.436758][ T7041] IPVS: ftp: loaded support on port[0] = 21
2020/03/28 10:56:00 building call list...
[ 61.670948][ T129]
[ 61.673435][ T129] =============================
[ 61.689720][ T129] WARNING: suspicious RCU usage
[ 61.694796][ T129] 5.6.0-rc7-next-20200327-syzkaller #0 Not tainted
[ 61.719896][ T129] -----------------------------
[ 61.730663][ T129] net/openvswitch/conntrack.c:1898 RCU-list traversed in non-reader section!!
[ 61.740862][ T129]
[ 61.740862][ T129] other info that might help us debug this:
[ 61.740862][ T129]
[ 61.755930][ T129]
[ 61.755930][ T129] rcu_scheduler_active = 2, debug_locks = 1
[ 61.764227][ T129] 3 locks held by kworker/u4:3/129:
[ 61.769560][ T129] #0: ffff8880a977e138 ((wq_completion)netns){+.+.}-{0:0}, at: process_one_work+0x844/0x16a0
[ 61.780916][ T129] #1: ffffc90001367dc0 (net_cleanup_work){+.+.}-{0:0}, at: process_one_work+0x878/0x16a0
[ 61.791002][ T129] #2: ffffffff8a569bb0 (pernet_ops_rwsem){++++}-{3:3}, at: cleanup_net+0x9b/0xa50
[ 61.800496][ T129]
[ 61.800496][ T129] stack backtrace:
[ 61.806486][ T129] CPU: 0 PID: 129 Comm: kworker/u4:3 Not tainted 5.6.0-rc7-next-20200327-syzkaller #0
[ 61.816035][ T129] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 61.826111][ T129] Workqueue: netns cleanup_net
[ 61.830878][ T129] Call Trace:
[ 61.834169][ T129] dump_stack+0x188/0x20d
[ 61.838501][ T129] ovs_ct_exit+0x3db/0x558
[ 61.842936][ T129] ovs_exit_net+0x1df/0xba0
[ 61.847445][ T129] ? synchronize_rcu.part.0+0xda/0xf0
[ 61.852827][ T129] ? synchronize_rcu_expedited+0x620/0x620
[ 61.858709][ T129] ? ovs_dp_cmd_del+0x270/0x270
[ 61.863695][ T129] ? ovs_dp_cmd_del+0x270/0x270
[ 61.868552][ T129] ops_exit_list.isra.0+0xa8/0x150
[ 61.873672][ T129] cleanup_net+0x511/0xa50
[ 61.878095][ T129] ? unregister_pernet_device+0x70/0x70
[ 61.883645][ T129] ? rcu_read_lock_any_held.part.0+0x50/0x50
[ 61.889624][ T129] ? _raw_spin_unlock_irq+0x1f/0x80
[ 61.894841][ T129] process_one_work+0x965/0x16a0
[ 61.899789][ T129] ? lock_release+0x800/0x800
[ 61.904483][ T129] ? pwq_dec_nr_in_flight+0x310/0x310
[ 61.909868][ T129] ? rwlock_bug.part.0+0x90/0x90
[ 61.914822][ T129] worker_thread+0x96/0xe20
[ 61.919349][ T129] ? process_one_work+0x16a0/0x16a0
[ 61.924550][ T129] kthread+0x388/0x470
[ 61.928617][ T129] ? kthread_mod_delayed_work+0x1a0/0x1a0
[ 61.934348][ T129] ret_from_fork+0x24/0x30
[ 62.119737][ T129] tipc: TX() has been purged, node left!
[ 62.161872][ T129]
[ 62.164317][ T129] =============================
[ 62.169188][ T129] WARNING: suspicious RCU usage
[ 62.176411][ T129] 5.6.0-rc7-next-20200327-syzkaller #0 Not tainted
[ 62.183783][ T129] -----------------------------
[ 62.188738][ T129] net/ipv4/ipmr.c:1757 RCU-list traversed in non-reader section!!
[ 62.213474][ T129]
[ 62.213474][ T129] other info that might help us debug this:
[ 62.213474][ T129]
[ 62.239721][ T129]
[ 62.239721][ T129] rcu_scheduler_active = 2, debug_locks = 1
[ 62.247979][ T129] 4 locks held by kworker/u4:3/129:
[ 62.254325][ T129] #0: ffff8880a977e138 ((wq_completion)netns){+.+.}-{0:0}, at: process_one_work+0x844/0x16a0
[ 62.265287][ T129] #1: ffffc90001367dc0 (net_cleanup_work){+.+.}-{0:0}, at: process_one_work+0x878/0x16a0
[ 62.275869][ T129] #2: ffffffff8a569bb0 (pernet_ops_rwsem){++++}-{3:3}, at: cleanup_net+0x9b/0xa50
[ 62.285857][ T129] #3: ffffffff8a575aa8 (rtnl_mutex){+.+.}-{3:3}, at: ip6gre_exit_batch_net+0x88/0x700
[ 62.296189][ T129]
[ 62.296189][ T129] stack backtrace:
[ 62.302728][ T129] CPU: 0 PID: 129 Comm: kworker/u4:3 Not tainted 5.6.0-rc7-next-20200327-syzkaller #0
[ 62.312302][ T129] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 62.322366][ T129] Workqueue: netns cleanup_net
[ 62.327126][ T129] Call Trace:
[ 62.330420][ T129] dump_stack+0x188/0x20d
[ 62.334772][ T129] ipmr_device_event+0x240/0x2b0
[ 62.339728][ T129] ? __sanitizer_cov_trace_switch+0x45/0x70
[ 62.345991][ T129] notifier_call_chain+0xc0/0x230
[ 62.351164][ T129] call_netdevice_notifiers_info+0xb5/0x130
[ 62.357185][ T129] rollback_registered_many+0x75c/0xe70
[ 62.363444][ T129] ? netif_set_real_num_tx_queues+0x700/0x700
[ 62.369526][ T129] ? lock_downgrade+0x840/0x840
[ 62.374389][ T129] unregister_netdevice_many.part.0+0x16/0x1e0
[ 62.380552][ T129] unregister_netdevice_many+0x36/0x50
[ 62.386034][ T129] ip6gre_exit_batch_net+0x4e8/0x700
[ 62.391331][ T129] ? ip6gre_tunnel_link+0xf0/0xf0
[ 62.396374][ T129] ? rcu_read_lock_held_common+0x130/0x130
[ 62.402185][ T129] ? ip6gre_tunnel_link+0xf0/0xf0
[ 62.407300][ T129] ops_exit_list.isra.0+0x103/0x150
[ 62.412508][ T129] cleanup_net+0x511/0xa50
[ 62.416929][ T129] ? unregister_pernet_device+0x70/0x70
[ 62.422480][ T129] ? rcu_read_lock_any_held.part.0+0x50/0x50
[ 62.428461][ T129] ? _raw_spin_unlock_irq+0x1f/0x80
[ 62.433666][ T129] process_one_work+0x965/0x16a0
[ 62.438614][ T129] ? lock_release+0x800/0x800
[ 62.443299][ T129] ? pwq_dec_nr_in_flight+0x310/0x310
[ 62.448688][ T129] ? rwlock_bug.part.0+0x90/0x90
[ 62.453638][ T129] worker_thread+0x96/0xe20
[ 62.458168][ T129] ? process_one_work+0x16a0/0x16a0
[ 62.463370][ T129] kthread+0x388/0x470
[ 62.467452][ T129] ? kthread_mod_delayed_work+0x1a0/0x1a0
[ 62.473172][ T129] ret_from_fork+0x24/0x30
[ 63.417932][ T7024] can: request_module (can-proto-0) failed.
executing program
[ 65.695504][ T7024] can: request_module (can-proto-0) failed.
[ 65.707008][ T7024] can: request_module (can-proto-0) failed.



Tested on:

commit: 975f7a88 Add linux-next specific files for 20200327
git tree: linux-next
kernel config: https://syzkaller.appspot.com/x/.config?x=3dac46d048050056
dashboard link: https://syzkaller.appspot.com/bug?extid=04e804c8c2224b6a9497
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
patch: https://syzkaller.appspot.com/x/patch.diff?x=146ed605e00000

syzbot

Mar 28, 2020, 7:44:03 AM
to anen...@gmail.com, syzkall...@googlegroups.com
Hello,

syzbot tried to test the proposed patch but build/boot failed:

drivers/net/tun.o: warning: objtool: __tun_chr_ioctl.cold()+0x1f4: sibling call from callable instruction with modified stack frame
Makefile:1699: recipe for target 'net' failed
make: *** [net] Error 2
make: *** Waiting for unfinished jobs....
Makefile:1699: recipe for target 'drivers' failed
make: *** [drivers] Error 2


Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=15f5b5f5e00000


Tested on:

commit: 975f7a88 Add linux-next specific files for 20200327
git tree: linux-next
dashboard link: https://syzkaller.appspot.com/bug?extid=04e804c8c2224b6a9497
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
patch: https://syzkaller.appspot.com/x/patch.diff?x=10e855f3e00000

syzbot

Mar 28, 2020, 8:08:04 AM
to anen...@gmail.com, syzkall...@googlegroups.com
Hello,

syzbot tried to test the proposed patch but build/boot failed:

WARNING: suspicious RCU usage in ovs_ct_exit

=============================
WARNING: suspicious RCU usage
5.6.0-rc7-next-20200327-syzkaller #0 Not tainted
-----------------------------
net/openvswitch/conntrack.c:1898 RCU-list traversed in non-reader section!!

other info that might help us debug this:


rcu_scheduler_active = 2, debug_locks = 1
3 locks held by kworker/u4:2/36:
#0: ffff8880a977e138 ((wq_completion)netns){+.+.}-{0:0}, at: __write_once_size include/linux/compiler.h:250 [inline]
#0: ffff8880a977e138 ((wq_completion)netns){+.+.}-{0:0}, at: arch_atomic64_set arch/x86/include/asm/atomic64_64.h:34 [inline]
#0: ffff8880a977e138 ((wq_completion)netns){+.+.}-{0:0}, at: atomic64_set include/asm-generic/atomic-instrumented.h:856 [inline]
#0: ffff8880a977e138 ((wq_completion)netns){+.+.}-{0:0}, at: atomic_long_set include/asm-generic/atomic-long.h:41 [inline]
#0: ffff8880a977e138 ((wq_completion)netns){+.+.}-{0:0}, at: set_work_data kernel/workqueue.c:615 [inline]
#0: ffff8880a977e138 ((wq_completion)netns){+.+.}-{0:0}, at: set_work_pool_and_clear_pending kernel/workqueue.c:642 [inline]
#0: ffff8880a977e138 ((wq_completion)netns){+.+.}-{0:0}, at: process_one_work+0x844/0x16a0 kernel/workqueue.c:2237
#1: ffffc90000e97dc0 (net_cleanup_work){+.+.}-{0:0}, at: process_one_work+0x878/0x16a0 kernel/workqueue.c:2241
#2: ffffffff8a569bb0 (pernet_ops_rwsem){++++}-{3:3}, at: cleanup_net+0x9b/0xa50 net/core/net_namespace.c:551

stack backtrace:
CPU: 1 PID: 36 Comm: kworker/u4:2 Not tainted 5.6.0-rc7-next-20200327-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: netns cleanup_net
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x188/0x20d lib/dump_stack.c:118
ovs_ct_limit_exit net/openvswitch/conntrack.c:1898 [inline]
ovs_ct_exit+0x3db/0x558 net/openvswitch/conntrack.c:2295
ovs_exit_net+0x1df/0xba0 net/openvswitch/datapath.c:2469
ops_exit_list.isra.0+0xa8/0x150 net/core/net_namespace.c:172
cleanup_net+0x511/0xa50 net/core/net_namespace.c:589
process_one_work+0x965/0x16a0 kernel/workqueue.c:2266
worker_thread+0x96/0xe20 kernel/workqueue.c:2412
kthread+0x388/0x470 kernel/kthread.c:268
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
tipc: TX() has been purged, node left!

=============================
WARNING: suspicious RCU usage
5.6.0-rc7-next-20200327-syzkaller #0 Not tainted
-----------------------------
net/ipv4/ipmr.c:1757 RCU-list traversed in non-reader section!!

other info that might help us debug this:


rcu_scheduler_active = 2, debug_locks = 1
4 locks held by kworker/u4:2/36:
#0: ffff8880a977e138 ((wq_completion)netns){+.+.}-{0:0}, at: __write_once_size include/linux/compiler.h:250 [inline]
#0: ffff8880a977e138 ((wq_completion)netns){+.+.}-{0:0}, at: arch_atomic64_set arch/x86/include/asm/atomic64_64.h:34 [inline]
#0: ffff8880a977e138 ((wq_completion)netns){+.+.}-{0:0}, at: atomic64_set include/asm-generic/atomic-instrumented.h:856 [inline]
#0: ffff8880a977e138 ((wq_completion)netns){+.+.}-{0:0}, at: atomic_long_set include/asm-generic/atomic-long.h:41 [inline]
#0: ffff8880a977e138 ((wq_completion)netns){+.+.}-{0:0}, at: set_work_data kernel/workqueue.c:615 [inline]
#0: ffff8880a977e138 ((wq_completion)netns){+.+.}-{0:0}, at: set_work_pool_and_clear_pending kernel/workqueue.c:642 [inline]
#0: ffff8880a977e138 ((wq_completion)netns){+.+.}-{0:0}, at: process_one_work+0x844/0x16a0 kernel/workqueue.c:2237
#1: ffffc90000e97dc0 (net_cleanup_work){+.+.}-{0:0}, at: process_one_work+0x878/0x16a0 kernel/workqueue.c:2241
#2: ffffffff8a569bb0 (pernet_ops_rwsem){++++}-{3:3}, at: cleanup_net+0x9b/0xa50 net/core/net_namespace.c:551
#3: ffffffff8a575aa8 (rtnl_mutex){+.+.}-{3:3}, at: ip6gre_exit_batch_net+0x88/0x700 net/ipv6/ip6_gre.c:1602

stack backtrace:
CPU: 0 PID: 36 Comm: kworker/u4:2 Not tainted 5.6.0-rc7-next-20200327-syzkaller #0
Warning: Permanently added '10.128.0.74' (ECDSA) to the list of known hosts.
2020/03/28 12:06:50 fuzzer started
2020/03/28 12:06:52 connecting to host at 10.128.0.26:39281
2020/03/28 12:06:52 checking machine...
2020/03/28 12:06:52 checking revisions...
2020/03/28 12:06:52 testing simple program...
syzkaller login: [ 59.362381][ T7055] IPVS: ftp: loaded support on port[0] = 21
2020/03/28 12:06:52 building call list...
[ 59.574512][ T36]
[ 59.577041][ T36] =============================
[ 59.586692][ T36] WARNING: suspicious RCU usage
[ 59.598574][ T36] 5.6.0-rc7-next-20200327-syzkaller #0 Not tainted
[ 59.624093][ T36] -----------------------------
[ 59.629017][ T36] net/openvswitch/conntrack.c:1898 RCU-list traversed in non-reader section!!
[ 59.638866][ T36]
[ 59.638866][ T36] other info that might help us debug this:
[ 59.638866][ T36]
[ 59.649656][ T36]
[ 59.649656][ T36] rcu_scheduler_active = 2, debug_locks = 1
[ 59.684178][ T36] 3 locks held by kworker/u4:2/36:
[ 59.689384][ T36] #0: ffff8880a977e138 ((wq_completion)netns){+.+.}-{0:0}, at: process_one_work+0x844/0x16a0
[ 59.700925][ T36] #1: ffffc90000e97dc0 (net_cleanup_work){+.+.}-{0:0}, at: process_one_work+0x878/0x16a0
[ 59.711571][ T36] #2: ffffffff8a569bb0 (pernet_ops_rwsem){++++}-{3:3}, at: cleanup_net+0x9b/0xa50
[ 59.721581][ T36]
[ 59.721581][ T36] stack backtrace:
[ 59.729032][ T36] CPU: 1 PID: 36 Comm: kworker/u4:2 Not tainted 5.6.0-rc7-next-20200327-syzkaller #0
[ 59.738495][ T36] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 59.748568][ T36] Workqueue: netns cleanup_net
[ 59.753332][ T36] Call Trace:
[ 59.756630][ T36] dump_stack+0x188/0x20d
[ 59.760965][ T36] ovs_ct_exit+0x3db/0x558
[ 59.765392][ T36] ovs_exit_net+0x1df/0xba0
[ 59.769904][ T36] ? synchronize_rcu.part.0+0xda/0xf0
[ 59.775293][ T36] ? synchronize_rcu_expedited+0x620/0x620
[ 59.781098][ T36] ? ovs_dp_cmd_del+0x270/0x270
[ 59.785953][ T36] ? ovs_dp_cmd_del+0x270/0x270
[ 59.790803][ T36] ops_exit_list.isra.0+0xa8/0x150
[ 59.795933][ T36] cleanup_net+0x511/0xa50
[ 59.800365][ T36] ? unregister_pernet_device+0x70/0x70
[ 59.805916][ T36] ? rcu_read_lock_any_held.part.0+0x50/0x50
[ 59.811895][ T36] ? _raw_spin_unlock_irq+0x1f/0x80
[ 59.817188][ T36] process_one_work+0x965/0x16a0
[ 59.822140][ T36] ? lock_release+0x800/0x800
[ 59.826819][ T36] ? pwq_dec_nr_in_flight+0x310/0x310
[ 59.832202][ T36] ? rwlock_bug.part.0+0x90/0x90
[ 59.837153][ T36] worker_thread+0x96/0xe20
[ 59.841672][ T36] ? process_one_work+0x16a0/0x16a0
[ 59.846870][ T36] kthread+0x388/0x470
[ 59.850938][ T36] ? kthread_mod_delayed_work+0x1a0/0x1a0
[ 59.857090][ T36] ret_from_fork+0x24/0x30
[ 60.103613][ T36] tipc: TX() has been purged, node left!
[ 60.156323][ T36]
[ 60.158793][ T36] =============================
[ 60.169832][ T36] WARNING: suspicious RCU usage
[ 60.174814][ T36] 5.6.0-rc7-next-20200327-syzkaller #0 Not tainted
[ 60.193072][ T36] -----------------------------
[ 60.213581][ T36] net/ipv4/ipmr.c:1757 RCU-list traversed in non-reader section!!
[ 60.221570][ T36]
[ 60.221570][ T36] other info that might help us debug this:
[ 60.221570][ T36]
[ 60.233076][ T36]
[ 60.233076][ T36] rcu_scheduler_active = 2, debug_locks = 1
[ 60.241916][ T36] 4 locks held by kworker/u4:2/36:
[ 60.247713][ T36] #0: ffff8880a977e138 ((wq_completion)netns){+.+.}-{0:0}, at: process_one_work+0x844/0x16a0
[ 60.259305][ T36] #1: ffffc90000e97dc0 (net_cleanup_work){+.+.}-{0:0}, at: process_one_work+0x878/0x16a0
[ 60.269946][ T36] #2: ffffffff8a569bb0 (pernet_ops_rwsem){++++}-{3:3}, at: cleanup_net+0x9b/0xa50
[ 60.279759][ T36] #3: ffffffff8a575aa8 (rtnl_mutex){+.+.}-{3:3}, at: ip6gre_exit_batch_net+0x88/0x700
[ 60.289717][ T36]
[ 60.289717][ T36] stack backtrace:
[ 60.295965][ T36] CPU: 0 PID: 36 Comm: kworker/u4:2 Not tainted 5.6.0-rc7-next-20200327-syzkaller #0
[ 60.305547][ T36] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 60.315619][ T36] Workqueue: netns cleanup_net
[ 60.320388][ T36] Call Trace:
[ 60.323680][ T36] dump_stack+0x188/0x20d
[ 60.328020][ T36] ipmr_device_event+0x240/0x2b0
[ 60.332959][ T36] ? __sanitizer_cov_trace_switch+0x45/0x70
[ 60.338861][ T36] notifier_call_chain+0xc0/0x230
[ 60.343898][ T36] call_netdevice_notifiers_info+0xb5/0x130
[ 60.349791][ T36] rollback_registered_many+0x75c/0xe70
[ 60.355345][ T36] ? netif_set_real_num_tx_queues+0x700/0x700
[ 60.361427][ T36] ? lock_downgrade+0x840/0x840
[ 60.366292][ T36] unregister_netdevice_many.part.0+0x16/0x1e0
[ 60.372462][ T36] unregister_netdevice_many+0x36/0x50
[ 60.377928][ T36] ip6gre_exit_batch_net+0x4e8/0x700
[ 60.383222][ T36] ? ip6gre_tunnel_link+0xf0/0xf0
[ 60.388256][ T36] ? rcu_read_lock_held_common+0x130/0x130
[ 60.394067][ T36] ? ip6gre_tunnel_link+0xf0/0xf0
[ 60.399108][ T36] ops_exit_list.isra.0+0x103/0x150
[ 60.404326][ T36] cleanup_net+0x511/0xa50
[ 60.408758][ T36] ? unregister_pernet_device+0x70/0x70
[ 60.414310][ T36] ? rcu_read_lock_any_held.part.0+0x50/0x50
[ 60.420291][ T36] ? _raw_spin_unlock_irq+0x1f/0x80
[ 60.425495][ T36] process_one_work+0x965/0x16a0
[ 60.430442][ T36] ? lock_release+0x800/0x800
[ 60.435133][ T36] ? pwq_dec_nr_in_flight+0x310/0x310
[ 60.440519][ T36] ? rwlock_bug.part.0+0x90/0x90
[ 60.445484][ T36] worker_thread+0x96/0xe20
[ 60.450005][ T36] ? process_one_work+0x16a0/0x16a0
[ 60.455205][ T36] kthread+0x388/0x470
[ 60.459271][ T36] ? kthread_mod_delayed_work+0x1a0/0x1a0
[ 60.465002][ T36] ret_from_fork+0x24/0x30
[ 61.331273][ T7041] can: request_module (can-proto-0) failed.
executing program
[ 63.529363][ T7041] can: request_module (can-proto-0) failed.
[ 63.542044][ T7041] can: request_module (can-proto-0) failed.



Tested on:

commit: 975f7a88 Add linux-next specific files for 20200327
git tree: linux-next
kernel config: https://syzkaller.appspot.com/x/.config?x=3dac46d048050056
dashboard link: https://syzkaller.appspot.com/bug?extid=04e804c8c2224b6a9497
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
patch: https://syzkaller.appspot.com/x/patch.diff?x=13880825e00000

syzbot

Mar 28, 2020, 9:12:05 AM
to anen...@gmail.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer still triggered crash:
KASAN: use-after-free Read in hci_dev_open

==================================================================
BUG: KASAN: use-after-free in __lock_acquire+0x41b7/0x5270 kernel/locking/lockdep.c:4063
Read of size 8 at addr ffff888088a45928 by task syz-executor.2/8755

CPU: 0 PID: 8755 Comm: syz-executor.2 Not tainted 5.6.0-rc3-next-20200228-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x188/0x20d lib/dump_stack.c:118
print_address_description.constprop.0.cold+0xd3/0x315 mm/kasan/report.c:374
__kasan_report.cold+0x1a/0x32 mm/kasan/report.c:506
kasan_report+0xe/0x20 mm/kasan/common.c:618
__lock_acquire+0x41b7/0x5270 kernel/locking/lockdep.c:4063
lock_acquire+0x197/0x420 kernel/locking/lockdep.c:4720
flush_workqueue+0x126/0x14c0 kernel/workqueue.c:2777
hci_dev_open+0xdb/0x2f0 net/bluetooth/hci_core.c:1626
hci_sock_bind+0x427/0x11a0 net/bluetooth/hci_sock.c:1200
__sys_bind+0x20e/0x250 net/socket.c:1662
__do_sys_bind net/socket.c:1673 [inline]
__se_sys_bind net/socket.c:1671 [inline]
__x64_sys_bind+0x6f/0xb0 net/socket.c:1671
do_syscall_64+0xf6/0x790 arch/x86/entry/common.c:295
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x45c849
Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f3683b2dc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000031
RAX: ffffffffffffffda RBX: 00007f3683b2e6d4 RCX: 000000000045c849
RDX: 0000000000000006 RSI: 0000000020000080 RDI: 0000000000000006
RBP: 000000000076bfa0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 000000000000002c R14: 00000000004c2ce6 R15: 000000000076bfac

Allocated by task 8729:
save_stack+0x1b/0x40 mm/kasan/common.c:49
set_track mm/kasan/common.c:57 [inline]
__kasan_kmalloc mm/kasan/common.c:492 [inline]
__kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:465
__do_kmalloc mm/slab.c:3656 [inline]
__kmalloc+0x161/0x7a0 mm/slab.c:3665
kmalloc include/linux/slab.h:560 [inline]
kzalloc include/linux/slab.h:669 [inline]
alloc_workqueue+0x166/0xe90 kernel/workqueue.c:4250
hci_register_dev+0x203/0x960 net/bluetooth/hci_core.c:3385
__vhci_create_device+0x2b5/0x5b0 drivers/bluetooth/hci_vhci.c:124
vhci_create_device drivers/bluetooth/hci_vhci.c:148 [inline]
vhci_get_user drivers/bluetooth/hci_vhci.c:205 [inline]
vhci_write+0x2bf/0x450 drivers/bluetooth/hci_vhci.c:285
call_write_iter include/linux/fs.h:1901 [inline]
new_sync_write+0x49c/0x700 fs/read_write.c:483
__vfs_write+0xc9/0x100 fs/read_write.c:496
vfs_write+0x262/0x5c0 fs/read_write.c:558
ksys_write+0x127/0x250 fs/read_write.c:611
do_syscall_64+0xf6/0x790 arch/x86/entry/common.c:295
entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 8756:
save_stack+0x1b/0x40 mm/kasan/common.c:49
set_track mm/kasan/common.c:57 [inline]
kasan_set_free_info mm/kasan/common.c:314 [inline]
__kasan_slab_free+0xf7/0x140 mm/kasan/common.c:453
__cache_free mm/slab.c:3426 [inline]
kfree+0x109/0x2b0 mm/slab.c:3757
rcu_do_batch kernel/rcu/tree.c:2218 [inline]
rcu_core+0x59f/0x1370 kernel/rcu/tree.c:2445
__do_softirq+0x26c/0x99d kernel/softirq.c:292

The buggy address belongs to the object at ffff888088a45800
which belongs to the cache kmalloc-512 of size 512
The buggy address is located 296 bytes inside of
512-byte region [ffff888088a45800, ffff888088a45a00)
The buggy address belongs to the page:
page:ffffea0002229140 refcount:1 mapcount:0 mapping:00000000e21170b8 index:0x0
flags: 0xfffe0000000200(slab)
raw: 00fffe0000000200 ffffea000258bc48 ffffea00022277c8 ffff8880aa000a80
raw: 0000000000000000 ffff888088a45000 0000000100000004 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff888088a45800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888088a45880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888088a45900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff888088a45980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888088a45a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================


Tested on:

commit: 770fbb32 Add linux-next specific files for 20200228
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
console output: https://syzkaller.appspot.com/x/log.txt?x=102e2e83e00000
kernel config: https://syzkaller.appspot.com/x/.config?x=576314276bce4ad5
dashboard link: https://syzkaller.appspot.com/bug?extid=04e804c8c2224b6a9497
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
patch: https://syzkaller.appspot.com/x/patch.diff?x=10df8093e00000

Qiujun Huang

Mar 29, 2020, 12:26:34 PM
to syzbot, syzkaller-bugs
bluetooth.patch

syzbot

Mar 29, 2020, 2:01:03 PM
to anen...@gmail.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer still triggered crash:
BUG: MAX_LOCKDEP_CHAINS too low!

BUG: MAX_LOCKDEP_CHAINS too low!
turning off the locking correctness validator.
CPU: 1 PID: 8548 Comm: kworker/u5:1 Not tainted 5.6.0-rc3-next-20200228-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: hci2192 hci_power_on
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x188/0x20d lib/dump_stack.c:118
add_chain_cache kernel/locking/lockdep.c:3048 [inline]
lookup_chain_cache_add kernel/locking/lockdep.c:3147 [inline]
validate_chain kernel/locking/lockdep.c:3168 [inline]
__lock_acquire.cold+0x11/0x2c1 kernel/locking/lockdep.c:4190
lock_acquire+0x197/0x420 kernel/locking/lockdep.c:4720
seqcount_lockdep_reader_access include/linux/seqlock.h:97 [inline]
read_seqcount_begin include/linux/seqlock.h:182 [inline]
ktime_get_with_offset+0xfd/0x360 kernel/time/timekeeping.c:800
ktime_get_real include/linux/timekeeping.h:79 [inline]
__net_timestamp include/linux/skbuff.h:3737 [inline]
hci_si_event net/bluetooth/hci_sock.c:728 [inline]
hci_sock_dev_event+0x2d6/0x590 net/bluetooth/hci_sock.c:757
hci_dev_do_open+0x6b9/0x18b0 net/bluetooth/hci_core.c:1548
hci_power_on+0x11d/0x610 net/bluetooth/hci_core.c:2193
process_one_work+0x94b/0x1690 kernel/workqueue.c:2266
worker_thread+0x96/0xe20 kernel/workqueue.c:2412
kthread+0x357/0x430 kernel/kthread.c:255
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352


Tested on:

commit: 770fbb32 Add linux-next specific files for 20200228
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
console output: https://syzkaller.appspot.com/x/log.txt?x=17d0f46de00000
kernel config: https://syzkaller.appspot.com/x/.config?x=576314276bce4ad5
dashboard link: https://syzkaller.appspot.com/bug?extid=04e804c8c2224b6a9497
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
patch: https://syzkaller.appspot.com/x/patch.diff?x=1068546de00000

Qiujun Huang

Mar 29, 2020, 10:50:27 PM
to syzbot, syzkall...@googlegroups.com
bluetooth_v2.patch

syzbot

Mar 30, 2020, 12:39:05 AM
to anen...@gmail.com, syzkall...@googlegroups.com
Hello,

syzbot tried to test the proposed patch but build/boot failed:

failed to apply patch:
checking file drivers/bluetooth/hci_ldisc.c
checking file include/net/bluetooth/hci_core.h
Hunk #1 succeeded at 1489 (offset -44 lines).
checking file kernel/locking/lockdep_internals.h
checking file net/bluetooth/hci_core.c
Hunk #1 succeeded at 3451 (offset -124 lines).
Hunk #2 FAILED at 3585.
Hunk #3 succeeded at 3513 (offset -126 lines).
1 out of 3 hunks FAILED
checking file net/bluetooth/hci_sysfs.c



Tested on:

commit: 770fbb32 Add linux-next specific files for 20200228
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
dashboard link: https://syzkaller.appspot.com/bug?extid=04e804c8c2224b6a9497
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
patch: https://syzkaller.appspot.com/x/patch.diff?x=119a7c97e00000

Qiujun Huang
Mar 30, 2020, 2:47:00 AM
to syzbot, syzkaller-bugs

Qiujun Huang
Mar 30, 2020, 2:47:25 AM
to syzbot, syzkaller-bugs
bluetooth_v3.patch

syzbot
Mar 30, 2020, 4:41:04 AM
to anen...@gmail.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer still triggered crash:
WARNING: locking bug in __perf_event_task_sched_in

------------[ cut here ]------------
DEBUG_LOCKS_WARN_ON(1)
WARNING: CPU: 1 PID: 9814 at kernel/locking/lockdep.c:168 hlock_class kernel/locking/lockdep.c:168 [inline]
WARNING: CPU: 1 PID: 9814 at kernel/locking/lockdep.c:168 hlock_class kernel/locking/lockdep.c:157 [inline]
WARNING: CPU: 1 PID: 9814 at kernel/locking/lockdep.c:168 __lock_acquire+0x2154/0x5270 kernel/locking/lockdep.c:4186
Kernel panic - not syncing: panic_on_warn set ...
CPU: 1 PID: 9814 Comm: syz-executor.4 Not tainted 5.6.0-rc3-next-20200228-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x188/0x20d lib/dump_stack.c:118
panic+0x2e3/0x75c kernel/panic.c:221
__warn.cold+0x2f/0x35 kernel/panic.c:582
report_bug+0x27b/0x2f0 lib/bug.c:195
fixup_bug arch/x86/kernel/traps.c:175 [inline]
fixup_bug arch/x86/kernel/traps.c:170 [inline]
do_error_trap+0x12b/0x220 arch/x86/kernel/traps.c:267
do_invalid_op+0x32/0x40 arch/x86/kernel/traps.c:286
invalid_op+0x23/0x30 arch/x86/entry/entry_64.S:1027
RIP: 0010:hlock_class kernel/locking/lockdep.c:168 [inline]
RIP: 0010:hlock_class kernel/locking/lockdep.c:157 [inline]
RIP: 0010:__lock_acquire+0x2154/0x5270 kernel/locking/lockdep.c:4186
Code: 08 84 d2 0f 85 ee 21 00 00 8b 05 b7 97 2d 09 85 c0 75 b4 48 c7 c6 c0 7d 2b 88 48 c7 c7 00 7e 2b 88 4c 89 14 24 e8 44 a5 eb ff <0f> 0b 31 db 4c 8b 14 24 e9 28 fa ff ff 44 8b 7c 24 60 4d 89 f2 48
RSP: 0018:ffffc900036c7678 EFLAGS: 00010082
RAX: 0000000000000000 RBX: 0000000000000a65 RCX: 0000000000000000
RDX: 0000000040000000 RSI: ffffffff815c4e91 RDI: fffff520006d8ec1
RBP: ffff8880a11c4540 R08: ffff8880a11c4540 R09: fffffbfff13345a5
R10: fffffbfff13345a4 R11: ffffffff899a2d23 R12: 0000000025700c6b
R13: ffffffff8a865350 R14: ffff8880a11c4e08 R15: 0000000000000000
lock_acquire+0x197/0x420 kernel/locking/lockdep.c:4720
__raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
_raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:151
perf_ctx_lock kernel/events/core.c:155 [inline]
perf_event_context_sched_in kernel/events/core.c:3568 [inline]
__perf_event_task_sched_in+0x50f/0x7c0 kernel/events/core.c:3626
perf_event_task_sched_in include/linux/perf_event.h:1191 [inline]
finish_task_switch+0x2a8/0x750 kernel/sched/core.c:3215
context_switch kernel/sched/core.c:3381 [inline]
__schedule+0x93c/0x1f90 kernel/sched/core.c:4078
preempt_schedule_irq+0xb0/0x150 kernel/sched/core.c:4335
retint_kernel+0x1b/0x2b
RIP: 0010:arch_local_irq_restore arch/x86/include/asm/paravirt.h:752 [inline]
RIP: 0010:lock_acquire+0x209/0x420 kernel/locking/lockdep.c:4723
Code: 9c 08 00 00 00 00 00 00 48 c1 e8 03 80 3c 10 00 0f 85 de 01 00 00 48 83 3d 8b c4 3a 08 00 0f 84 5a 01 00 00 48 8b 3c 24 57 9d <0f> 1f 44 00 00 48 83 c4 18 5b 5d 41 5c 41 5d 41 5e 41 5f c3 65 8b
RSP: 0018:ffffc900036c7b18 EFLAGS: 00000286 ORIG_RAX: ffffffffffffff13
RAX: 1ffffffff1327907 RBX: ffff8880a11c4540 RCX: 1ffff920006d8f4c
RDX: dffffc0000000000 RSI: 0000000000000000 RDI: 0000000000000286
RBP: ffff88809d8e1d28 R08: 0000000000000004 R09: fffffbfff18b79b5
R10: fffffbfff18b79b4 R11: 0000000000000003 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
flush_workqueue+0x126/0x14c0 kernel/workqueue.c:2777
hci_dev_open+0xdb/0x280 net/bluetooth/hci_core.c:1626
hci_sock_bind+0x427/0x1140 net/bluetooth/hci_sock.c:1200
__sys_bind+0x20e/0x250 net/socket.c:1662
__do_sys_bind net/socket.c:1673 [inline]
__se_sys_bind net/socket.c:1671 [inline]
__x64_sys_bind+0x6f/0xb0 net/socket.c:1671
do_syscall_64+0xf6/0x790 arch/x86/entry/common.c:295
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x45c849
Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f0cad736c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000031
RAX: ffffffffffffffda RBX: 00007f0cad7376d4 RCX: 000000000045c849
RDX: 0000000000000006 RSI: 0000000020000080 RDI: 0000000000000006
RBP: 000000000076bfa0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 000000000000002c R14: 00000000004c2ce6 R15: 000000000076bfac
Shutting down cpus with NMI
Kernel Offset: disabled
Rebooting in 86400 seconds..


Tested on:

commit: 770fbb32 Add linux-next specific files for 20200228
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
console output: https://syzkaller.appspot.com/x/log.txt?x=16b1a4dbe00000

syzbot
Mar 30, 2020, 4:55:05 AM
to anen...@gmail.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer still triggered crash:
BUG: MAX_LOCKDEP_KEYS too low!

BUG: MAX_LOCKDEP_KEYS too low!
turning off the locking correctness validator.
CPU: 0 PID: 9043 Comm: kworker/u5:2 Not tainted 5.6.0-rc3-next-20200228-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: hci2841 hci_power_on
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x188/0x20d lib/dump_stack.c:118
register_lock_class.cold+0x18/0x21 kernel/locking/lockdep.c:1225
__lock_acquire+0xfa/0x5270 kernel/locking/lockdep.c:4072
lock_acquire+0x197/0x420 kernel/locking/lockdep.c:4720
flush_workqueue+0x126/0x14c0 kernel/workqueue.c:2777
drain_workqueue+0x1a7/0x3c0 kernel/workqueue.c:2942
hci_dev_do_close+0x23a/0xf70 net/bluetooth/hci_core.c:1714
hci_power_on+0x1aa/0x610 net/bluetooth/hci_core.c:2211
process_one_work+0x94b/0x1690 kernel/workqueue.c:2266
worker_thread+0x96/0xe20 kernel/workqueue.c:2412
kthread+0x357/0x430 kernel/kthread.c:255
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352


Tested on:

commit: 770fbb32 Add linux-next specific files for 20200228
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
console output: https://syzkaller.appspot.com/x/log.txt?x=146e297be00000
kernel config: https://syzkaller.appspot.com/x/.config?x=576314276bce4ad5
dashboard link: https://syzkaller.appspot.com/bug?extid=04e804c8c2224b6a9497
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
patch: https://syzkaller.appspot.com/x/patch.diff?x=108c4215e00000

Qiujun Huang
Mar 30, 2020, 5:18:47 AM
to syzbot, syzkaller-bugs
bluetooth_v4.patch

syzbot
Mar 30, 2020, 8:41:03 AM
to anen...@gmail.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer still triggered crash:
BUG: MAX_LOCKDEP_ENTRIES too low!

BUG: MAX_LOCKDEP_ENTRIES too low!
turning off the locking correctness validator.
CPU: 1 PID: 1614 Comm: kworker/u5:0 Not tainted 5.6.0-rc3-next-20200228-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: hci3626 hci_power_on
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x188/0x20d lib/dump_stack.c:118
alloc_list_entry.cold+0x11/0x18 kernel/locking/lockdep.c:1295
add_lock_to_list kernel/locking/lockdep.c:1316 [inline]
check_prev_add kernel/locking/lockdep.c:2533 [inline]
check_prevs_add kernel/locking/lockdep.c:2586 [inline]
validate_chain kernel/locking/lockdep.c:3203 [inline]
__lock_acquire+0x28e9/0x53f0 kernel/locking/lockdep.c:4190
lock_acquire+0x197/0x420 kernel/locking/lockdep.c:4720
process_one_work+0x8ba/0x1690 kernel/workqueue.c:2242
worker_thread+0x96/0xe20 kernel/workqueue.c:2412
kthread+0x357/0x430 kernel/kthread.c:255
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352


Tested on:

commit: 770fbb32 Add linux-next specific files for 20200228
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
console output: https://syzkaller.appspot.com/x/log.txt?x=1417b493e00000
kernel config: https://syzkaller.appspot.com/x/.config?x=576314276bce4ad5
dashboard link: https://syzkaller.appspot.com/bug?extid=04e804c8c2224b6a9497
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
patch: https://syzkaller.appspot.com/x/patch.diff?x=13d55e33e00000

syzbot
Mar 30, 2020, 10:55:04 AM
to anen...@gmail.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer still triggered crash:
WARNING in print_bfs_bug

------------[ cut here ]------------
lockdep bfs error:-1
WARNING: CPU: 1 PID: 1616 at kernel/locking/lockdep.c:1699 print_bfs_bug+0x53/0x70 kernel/locking/lockdep.c:1699
Kernel panic - not syncing: panic_on_warn set ...
CPU: 1 PID: 1616 Comm: kworker/u5:0 Not tainted 5.6.0-rc3-next-20200228-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: hci3795 wq_barrier_func
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x188/0x20d lib/dump_stack.c:118
panic+0x2e3/0x75c kernel/panic.c:221
__warn.cold+0x2f/0x35 kernel/panic.c:582
report_bug+0x27b/0x2f0 lib/bug.c:195
fixup_bug arch/x86/kernel/traps.c:175 [inline]
fixup_bug arch/x86/kernel/traps.c:170 [inline]
do_error_trap+0x12b/0x220 arch/x86/kernel/traps.c:267
do_invalid_op+0x32/0x40 arch/x86/kernel/traps.c:286
invalid_op+0x23/0x30 arch/x86/entry/entry_64.S:1027
RIP: 0010:print_bfs_bug+0x53/0x70 kernel/locking/lockdep.c:1699
Code: 32 b8 3b 08 00 74 28 48 c7 c7 a0 29 80 8d e8 b4 77 01 00 66 90 85 db 75 03 5b 5d c3 89 ee 48 c7 c7 80 7e 2b 88 e8 55 4f ec ff <0f> 0b 5b 5d c3 0f 0b 48 c7 c7 b0 c9 93 89 e8 ea a5 57 00 eb be 0f
RSP: 0018:ffffc900055d76e8 EFLAGS: 00010082
RAX: 0000000000000000 RBX: 0000000000000001 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff815c5011 RDI: fffff52000abaecf
RBP: 00000000ffffffff R08: ffff8880a4fa4140 R09: ffffed1015ca45c9
R10: ffffed1015ca45c8 R11: ffff8880ae522e43 R12: ffff8880a4fa4a80
R13: 0000000000000000 R14: ffffc900055d7800 R15: 1ffff92000abaeec
check_irq_usage+0x612/0x9e0 kernel/locking/lockdep.c:2246
check_prev_add kernel/locking/lockdep.c:2485 [inline]
check_prevs_add kernel/locking/lockdep.c:2586 [inline]
validate_chain kernel/locking/lockdep.c:3203 [inline]
__lock_acquire+0x24ba/0x53f0 kernel/locking/lockdep.c:4190
lock_acquire+0x197/0x420 kernel/locking/lockdep.c:4720
write_seqcount_begin_nested include/linux/seqlock.h:408 [inline]
write_seqcount_begin include/linux/seqlock.h:413 [inline]
psi_group_change kernel/sched/psi.c:690 [inline]
psi_task_change+0x276/0x9f0 kernel/sched/psi.c:781
psi_enqueue kernel/sched/stats.h:82 [inline]
enqueue_task kernel/sched/core.c:1301 [inline]
activate_task+0x20f/0x470 kernel/sched/core.c:1327
ttwu_do_activate+0xca/0x130 kernel/sched/core.c:2258
ttwu_queue kernel/sched/core.c:2403 [inline]
try_to_wake_up+0xace/0x17c0 kernel/sched/core.c:2637
__wake_up_common+0x147/0x650 kernel/sched/wait.c:93
complete+0x51/0x70 kernel/sched/completion.c:36
process_one_work+0x94b/0x1690 kernel/workqueue.c:2266
process_scheduled_works kernel/workqueue.c:2328 [inline]
worker_thread+0x7ab/0xe20 kernel/workqueue.c:2414
kthread+0x357/0x430 kernel/kthread.c:255
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
Shutting down cpus with NMI
Kernel Offset: disabled
Rebooting in 86400 seconds..


Tested on:

commit: 770fbb32 Add linux-next specific files for 20200228
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
console output: https://syzkaller.appspot.com/x/log.txt?x=17b96d7be00000
kernel config: https://syzkaller.appspot.com/x/.config?x=576314276bce4ad5
dashboard link: https://syzkaller.appspot.com/bug?extid=04e804c8c2224b6a9497
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
patch: https://syzkaller.appspot.com/x/patch.diff?x=15c867a3e00000

syzbot
Apr 5, 2020, 3:12:04 AM
to anen...@gmail.com, syzkall...@googlegroups.com
Hello,

syzbot tried to test the proposed patch but build/boot failed:


Makefile:1684: recipe for target 'drivers' failed
make: *** [drivers] Error 2


Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=12a3c643e00000


Tested on:

commit: 770fbb32 Add linux-next specific files for 20200228
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
dashboard link: https://syzkaller.appspot.com/bug?extid=04e804c8c2224b6a9497
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
patch: https://syzkaller.appspot.com/x/patch.diff?x=10a3c643e00000

syzbot
Apr 5, 2020, 4:08:03 AM
to anen...@gmail.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer still triggered crash:
KASAN: use-after-free Write in hci_sock_bind

==================================================================
BUG: KASAN: use-after-free in instrument_atomic_write include/linux/instrumented.h:71 [inline]
BUG: KASAN: use-after-free in atomic_inc include/asm-generic/atomic-instrumented.h:240 [inline]
BUG: KASAN: use-after-free in hci_sock_bind+0x591/0x1140 net/bluetooth/hci_sock.c:1250
Write of size 4 at addr ffff888091d19078 by task syz-executor.3/8636

CPU: 0 PID: 8636 Comm: syz-executor.3 Not tainted 5.6.0-rc3-next-20200228-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x188/0x20d lib/dump_stack.c:118
print_address_description.constprop.0.cold+0xd3/0x315 mm/kasan/report.c:374
__kasan_report.cold+0x1a/0x32 mm/kasan/report.c:506
kasan_report+0xe/0x20 mm/kasan/common.c:618
check_memory_region_inline mm/kasan/generic.c:185 [inline]
check_memory_region+0x128/0x190 mm/kasan/generic.c:192
instrument_atomic_write include/linux/instrumented.h:71 [inline]
atomic_inc include/asm-generic/atomic-instrumented.h:240 [inline]
hci_sock_bind+0x591/0x1140 net/bluetooth/hci_sock.c:1250
__sys_bind+0x20e/0x250 net/socket.c:1662
__do_sys_bind net/socket.c:1673 [inline]
__se_sys_bind net/socket.c:1671 [inline]
__x64_sys_bind+0x6f/0xb0 net/socket.c:1671
do_syscall_64+0xf6/0x790 arch/x86/entry/common.c:295
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x45c849
Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f3461cffc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000031
RAX: ffffffffffffffda RBX: 00007f3461d006d4 RCX: 000000000045c849
RDX: 0000000000000006 RSI: 0000000020000080 RDI: 0000000000000006
RBP: 000000000076bfa0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 000000000000002c R14: 00000000004c2ce6 R15: 000000000076bfac

Allocated by task 8614:
save_stack+0x1b/0x40 mm/kasan/common.c:49
set_track mm/kasan/common.c:57 [inline]
__kasan_kmalloc mm/kasan/common.c:492 [inline]
__kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:465
kmem_cache_alloc_trace+0x153/0x7d0 mm/slab.c:3551
kmalloc include/linux/slab.h:555 [inline]
kzalloc include/linux/slab.h:669 [inline]
hci_alloc_dev+0x3e/0x1e20 net/bluetooth/hci_core.c:3249
__vhci_create_device+0x100/0x5b0 drivers/bluetooth/hci_vhci.c:99
vhci_create_device drivers/bluetooth/hci_vhci.c:148 [inline]
vhci_get_user drivers/bluetooth/hci_vhci.c:205 [inline]
vhci_write+0x2bf/0x450 drivers/bluetooth/hci_vhci.c:285
call_write_iter include/linux/fs.h:1901 [inline]
new_sync_write+0x49c/0x700 fs/read_write.c:483
__vfs_write+0xc9/0x100 fs/read_write.c:496
vfs_write+0x262/0x5c0 fs/read_write.c:558
ksys_write+0x127/0x250 fs/read_write.c:611
do_syscall_64+0xf6/0x790 arch/x86/entry/common.c:295
entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 8610:
save_stack+0x1b/0x40 mm/kasan/common.c:49
set_track mm/kasan/common.c:57 [inline]
kasan_set_free_info mm/kasan/common.c:314 [inline]
__kasan_slab_free+0xf7/0x140 mm/kasan/common.c:453
__cache_free mm/slab.c:3426 [inline]
kfree+0x109/0x2b0 mm/slab.c:3757
bt_host_release+0x15/0x20 net/bluetooth/hci_sysfs.c:86
device_release+0x71/0x200 drivers/base/core.c:1358
kobject_cleanup lib/kobject.c:693 [inline]
kobject_release lib/kobject.c:722 [inline]
kref_put include/linux/kref.h:65 [inline]
kobject_put+0x1e7/0x2e0 lib/kobject.c:739
put_device+0x1b/0x30 drivers/base/core.c:2586
vhci_release+0x78/0xe0 drivers/bluetooth/hci_vhci.c:341
__fput+0x2da/0x850 fs/file_table.c:280
task_work_run+0x13f/0x1b0 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:188 [inline]
exit_to_usermode_loop+0x2fa/0x360 arch/x86/entry/common.c:165
prepare_exit_to_usermode arch/x86/entry/common.c:196 [inline]
syscall_return_slowpath arch/x86/entry/common.c:279 [inline]
do_syscall_64+0x672/0x790 arch/x86/entry/common.c:305
entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at ffff888091d18000
which belongs to the cache kmalloc-8k of size 8192
The buggy address is located 4216 bytes inside of
8192-byte region [ffff888091d18000, ffff888091d1a000)
The buggy address belongs to the page:
page:ffffea0002474600 refcount:1 mapcount:0 mapping:00000000e0b10316 index:0x0 head:ffffea0002474600 order:2 compound_mapcount:0 compound_pincount:0
flags: 0xfffe0000010200(slab|head)
raw: 00fffe0000010200 ffffea00028f9608 ffffea0002483108 ffff8880aa0021c0
raw: 0000000000000000 ffff888091d18000 0000000100000001 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff888091d18f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888091d18f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888091d19000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff888091d19080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888091d19100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================


Tested on:

commit: 770fbb32 Add linux-next specific files for 20200228
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
console output: https://syzkaller.appspot.com/x/log.txt?x=16bda4b3e00000
kernel config: https://syzkaller.appspot.com/x/.config?x=576314276bce4ad5
dashboard link: https://syzkaller.appspot.com/bug?extid=04e804c8c2224b6a9497
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
patch: https://syzkaller.appspot.com/x/patch.diff?x=1107a6cde00000

syzbot

Apr 5, 2020, 7:00:03 AM4/5/20
to anen...@gmail.com, syzkall...@googlegroups.com
Hello,

syzbot tried to test the proposed patch but build/boot failed:

Makefile:1684: recipe for target 'net' failed
make: *** [net] Error 2
make: *** Waiting for unfinished jobs....
Makefile:1684: recipe for target 'drivers' failed
make: *** [drivers] Error 2


Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=12ba790be00000


Tested on:

commit: 770fbb32 Add linux-next specific files for 20200228
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
dashboard link: https://syzkaller.appspot.com/bug?extid=04e804c8c2224b6a9497
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
patch: https://syzkaller.appspot.com/x/patch.diff?x=12a1458fe00000

syzbot

Apr 5, 2020, 7:24:04 AM4/5/20
to anen...@gmail.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer still triggered crash:
WARNING in mark_lock

------------[ cut here ]------------
DEBUG_LOCKS_WARN_ON(1)
WARNING: CPU: 1 PID: 8530 at kernel/locking/lockdep.c:168 hlock_class kernel/locking/lockdep.c:168 [inline]
WARNING: CPU: 1 PID: 8530 at kernel/locking/lockdep.c:168 hlock_class kernel/locking/lockdep.c:157 [inline]
WARNING: CPU: 1 PID: 8530 at kernel/locking/lockdep.c:168 mark_lock+0x225/0x1220 kernel/locking/lockdep.c:3878
Kernel panic - not syncing: panic_on_warn set ...
CPU: 1 PID: 8530 Comm: syz-executor.4 Not tainted 5.6.0-rc3-next-20200228-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x188/0x20d lib/dump_stack.c:118
panic+0x2e3/0x75c kernel/panic.c:221
__warn.cold+0x2f/0x35 kernel/panic.c:582
report_bug+0x27b/0x2f0 lib/bug.c:195
fixup_bug arch/x86/kernel/traps.c:175 [inline]
fixup_bug arch/x86/kernel/traps.c:170 [inline]
do_error_trap+0x12b/0x220 arch/x86/kernel/traps.c:267
do_invalid_op+0x32/0x40 arch/x86/kernel/traps.c:286
invalid_op+0x23/0x30 arch/x86/entry/entry_64.S:1027
RIP: 0010:hlock_class kernel/locking/lockdep.c:168 [inline]
RIP: 0010:hlock_class kernel/locking/lockdep.c:157 [inline]
RIP: 0010:mark_lock+0x225/0x1220 kernel/locking/lockdep.c:3878
Code: d0 7c 08 84 d2 0f 85 ab 0e 00 00 44 8b 1d e3 d4 2d 09 45 85 db 75 b6 48 c7 c6 c0 7d 2b 88 48 c7 c7 00 7e 2b 88 e8 73 d7 eb ff <0f> 0b 31 db e9 aa fe ff ff 48 c7 c7 40 1f 60 8c e8 76 2c 57 00 e9
RSP: 0018:ffffc900018a7968 EFLAGS: 00010086
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff815c4e91 RDI: fffff52000314f1f
RBP: ffff88808f256340 R08: ffff88808f256340 R09: fffffbfff13345a5
R10: fffffbfff13345a4 R11: ffffffff899a2d23 R12: 0000000000000002
R13: ffff88808f256c2a R14: ffff88808f256c08 R15: 0000000000040a52
mark_usage kernel/locking/lockdep.c:3814 [inline]
__lock_acquire+0x15c2/0x5270 kernel/locking/lockdep.c:4144
lock_acquire+0x197/0x420 kernel/locking/lockdep.c:4720
flush_workqueue+0x126/0x14c0 kernel/workqueue.c:2777
hci_dev_open+0xd9/0x260 net/bluetooth/hci_core.c:1626
hci_sock_bind+0x427/0x1100 net/bluetooth/hci_sock.c:1200
__sys_bind+0x20e/0x250 net/socket.c:1662
__do_sys_bind net/socket.c:1673 [inline]
__se_sys_bind net/socket.c:1671 [inline]
__x64_sys_bind+0x6f/0xb0 net/socket.c:1671
do_syscall_64+0xf6/0x790 arch/x86/entry/common.c:295
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x45c849
Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007ff94a86bc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000031
RAX: ffffffffffffffda RBX: 00007ff94a86c6d4 RCX: 000000000045c849
RDX: 0000000000000006 RSI: 0000000020000080 RDI: 0000000000000006
RBP: 000000000076bfa0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 000000000000002c R14: 00000000004c2ce6 R15: 000000000076bfac
Kernel Offset: disabled
Rebooting in 86400 seconds..


Tested on:

commit: 770fbb32 Add linux-next specific files for 20200228
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
console output: https://syzkaller.appspot.com/x/log.txt?x=1005b1fbe00000
kernel config: https://syzkaller.appspot.com/x/.config?x=576314276bce4ad5
dashboard link: https://syzkaller.appspot.com/bug?extid=04e804c8c2224b6a9497
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
patch: https://syzkaller.appspot.com/x/patch.diff?x=16a00053e00000

syzbot

Apr 5, 2020, 8:50:03 AM4/5/20
to anen...@gmail.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer still triggered crash:
WARNING in mark_lock

haley: hdev 0xffff8880a2ed0000. hci_dev_hold, 1046
------------[ cut here ]------------
DEBUG_LOCKS_WARN_ON(1)
WARNING: CPU: 1 PID: 8536 at kernel/locking/lockdep.c:168 hlock_class kernel/locking/lockdep.c:168 [inline]
WARNING: CPU: 1 PID: 8536 at kernel/locking/lockdep.c:168 hlock_class kernel/locking/lockdep.c:157 [inline]
WARNING: CPU: 1 PID: 8536 at kernel/locking/lockdep.c:168 mark_lock+0x225/0x1220 kernel/locking/lockdep.c:3878
Kernel panic - not syncing: panic_on_warn set ...
CPU: 1 PID: 8536 Comm: syz-executor.2 Not tainted 5.6.0-rc3-next-20200228-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x188/0x20d lib/dump_stack.c:118
panic+0x2e3/0x75c kernel/panic.c:221
__warn.cold+0x2f/0x35 kernel/panic.c:582
report_bug+0x27b/0x2f0 lib/bug.c:195
fixup_bug arch/x86/kernel/traps.c:175 [inline]
fixup_bug arch/x86/kernel/traps.c:170 [inline]
do_error_trap+0x12b/0x220 arch/x86/kernel/traps.c:267
do_invalid_op+0x32/0x40 arch/x86/kernel/traps.c:286
invalid_op+0x23/0x30 arch/x86/entry/entry_64.S:1027
RIP: 0010:hlock_class kernel/locking/lockdep.c:168 [inline]
RIP: 0010:hlock_class kernel/locking/lockdep.c:157 [inline]
RIP: 0010:mark_lock+0x225/0x1220 kernel/locking/lockdep.c:3878
Code: d0 7c 08 84 d2 0f 85 ab 0e 00 00 44 8b 1d e3 d4 2d 09 45 85 db 75 b6 48 c7 c6 c0 7d 2b 88 48 c7 c7 00 7e 2b 88 e8 73 d7 eb ff <0f> 0b 31 db e9 aa fe ff ff 48 c7 c7 40 1f 60 8c e8 76 2c 57 00 e9
RSP: 0018:ffffc900016d7968 EFLAGS: 00010086
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff815c4e91 RDI: fffff520002daf1f
RBP: ffff88808fe8e000 R08: ffff88808fe8e000 R09: fffffbfff13345a5
R10: fffffbfff13345a4 R11: ffffffff899a2d23 R12: 0000000000000002
R13: ffff88808fe8e8ea R14: ffff88808fe8e8c8 R15: 0000000000040a2e
mark_usage kernel/locking/lockdep.c:3814 [inline]
__lock_acquire+0x15c2/0x5270 kernel/locking/lockdep.c:4144
lock_acquire+0x197/0x420 kernel/locking/lockdep.c:4720
flush_workqueue+0x126/0x14c0 kernel/workqueue.c:2777
hci_dev_open+0xd9/0x260 net/bluetooth/hci_core.c:1626
hci_sock_bind+0x427/0x1100 net/bluetooth/hci_sock.c:1200
__sys_bind+0x20e/0x250 net/socket.c:1662
__do_sys_bind net/socket.c:1673 [inline]
__se_sys_bind net/socket.c:1671 [inline]
__x64_sys_bind+0x6f/0xb0 net/socket.c:1671
do_syscall_64+0xf6/0x790 arch/x86/entry/common.c:295
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x45c849
Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007ff579ee4c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000031
RAX: ffffffffffffffda RBX: 00007ff579ee56d4 RCX: 000000000045c849
RDX: 0000000000000006 RSI: 0000000020000080 RDI: 0000000000000006
RBP: 000000000076c040 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 000000000000002c R14: 00000000004c2ce6 R15: 000000000076c04c
Kernel Offset: disabled
Rebooting in 86400 seconds..


Tested on:

commit: 770fbb32 Add linux-next specific files for 20200228
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
console output: https://syzkaller.appspot.com/x/log.txt?x=10d3aae7e00000
kernel config: https://syzkaller.appspot.com/x/.config?x=576314276bce4ad5
dashboard link: https://syzkaller.appspot.com/bug?extid=04e804c8c2224b6a9497
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
patch: https://syzkaller.appspot.com/x/patch.diff?x=161d5ae7e00000

syzbot

Apr 5, 2020, 9:16:05 AM4/5/20
to anen...@gmail.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger crash:

Reported-and-tested-by: syzbot+04e804...@syzkaller.appspotmail.com

Tested on:

commit: 770fbb32 Add linux-next specific files for 20200228
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
kernel config: https://syzkaller.appspot.com/x/.config?x=576314276bce4ad5
dashboard link: https://syzkaller.appspot.com/bug?extid=04e804c8c2224b6a9497
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
patch: https://syzkaller.appspot.com/x/patch.diff?x=16e5efdbe00000

Note: testing is done by a robot and is best-effort only.

syzbot

Apr 5, 2020, 10:41:03 AM4/5/20
to anen...@gmail.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer still triggered crash:
WARNING: locking bug in __perf_event_task_sched_in

------------[ cut here ]------------
DEBUG_LOCKS_WARN_ON(1)
WARNING: CPU: 1 PID: 11476 at kernel/locking/lockdep.c:168 hlock_class kernel/locking/lockdep.c:168 [inline]
WARNING: CPU: 1 PID: 11476 at kernel/locking/lockdep.c:168 hlock_class kernel/locking/lockdep.c:157 [inline]
WARNING: CPU: 1 PID: 11476 at kernel/locking/lockdep.c:168 __lock_acquire+0x2154/0x5270 kernel/locking/lockdep.c:4186
Kernel panic - not syncing: panic_on_warn set ...
CPU: 1 PID: 11476 Comm: syz-executor.1 Not tainted 5.6.0-rc3-next-20200228-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x188/0x20d lib/dump_stack.c:118
panic+0x2e3/0x75c kernel/panic.c:221
__warn.cold+0x2f/0x35 kernel/panic.c:582
report_bug+0x27b/0x2f0 lib/bug.c:195
fixup_bug arch/x86/kernel/traps.c:175 [inline]
fixup_bug arch/x86/kernel/traps.c:170 [inline]
do_error_trap+0x12b/0x220 arch/x86/kernel/traps.c:267
do_invalid_op+0x32/0x40 arch/x86/kernel/traps.c:286
invalid_op+0x23/0x30 arch/x86/entry/entry_64.S:1027
RIP: 0010:hlock_class kernel/locking/lockdep.c:168 [inline]
RIP: 0010:hlock_class kernel/locking/lockdep.c:157 [inline]
RIP: 0010:__lock_acquire+0x2154/0x5270 kernel/locking/lockdep.c:4186
Code: 08 84 d2 0f 85 ee 21 00 00 8b 05 77 99 2d 09 85 c0 75 b4 48 c7 c6 c0 7d 2b 88 48 c7 c7 00 7e 2b 88 4c 89 14 24 e8 44 a5 eb ff <0f> 0b 31 db 4c 8b 14 24 e9 28 fa ff ff 44 8b 7c 24 60 4d 89 f2 48
RSP: 0018:ffffc90001c2f678 EFLAGS: 00010082
RAX: 0000000000000000 RBX: 0000000000000b4f RCX: 0000000000000000
RDX: 0000000040000000 RSI: ffffffff815c4e91 RDI: fffff52000385ec1
RBP: ffff8880920a4240 R08: ffff8880920a4240 R09: fffffbfff13345a5
R10: fffffbfff13345a4 R11: ffffffff899a2d23 R12: 00000000bdadaf5a
R13: ffffffff8a865510 R14: ffff8880920a4b08 R15: 0000000000000000
lock_acquire+0x197/0x420 kernel/locking/lockdep.c:4720
__raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
_raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:151
perf_ctx_lock kernel/events/core.c:155 [inline]
perf_event_context_sched_in kernel/events/core.c:3568 [inline]
__perf_event_task_sched_in+0x50f/0x7c0 kernel/events/core.c:3626
perf_event_task_sched_in include/linux/perf_event.h:1191 [inline]
finish_task_switch+0x2a8/0x750 kernel/sched/core.c:3215
context_switch kernel/sched/core.c:3381 [inline]
__schedule+0x93c/0x1f90 kernel/sched/core.c:4078
preempt_schedule_irq+0xb0/0x150 kernel/sched/core.c:4335
retint_kernel+0x1b/0x2b
RIP: 0010:arch_local_irq_restore arch/x86/include/asm/paravirt.h:752 [inline]
RIP: 0010:lock_acquire+0x209/0x420 kernel/locking/lockdep.c:4723
Code: 9c 08 00 00 00 00 00 00 48 c1 e8 03 80 3c 10 00 0f 85 de 01 00 00 48 83 3d 8b c4 3a 08 00 0f 84 5a 01 00 00 48 8b 3c 24 57 9d <0f> 1f 44 00 00 48 83 c4 18 5b 5d 41 5c 41 5d 41 5e 41 5f c3 65 8b
RSP: 0018:ffffc90001c2fb18 EFLAGS: 00000286 ORIG_RAX: ffffffffffffff13
RAX: 1ffffffff1327907 RBX: ffff8880920a4240 RCX: 1ffff92000385f4c
RDX: dffffc0000000000 RSI: 0000000000000000 RDI: 0000000000000286
RBP: ffff88808e49fd28 R08: 0000000000000004 R09: fffffbfff18b79b5
R10: fffffbfff18b79b4 R11: 0000000000000003 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
flush_workqueue+0x126/0x14c0 kernel/workqueue.c:2777
hci_dev_open+0xdb/0x280 net/bluetooth/hci_core.c:1626
hci_sock_bind+0x427/0x1140 net/bluetooth/hci_sock.c:1200
__sys_bind+0x20e/0x250 net/socket.c:1662
__do_sys_bind net/socket.c:1673 [inline]
__se_sys_bind net/socket.c:1671 [inline]
__x64_sys_bind+0x6f/0xb0 net/socket.c:1671
do_syscall_64+0xf6/0x790 arch/x86/entry/common.c:295
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x45c849
Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f9baca13c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000031
RAX: ffffffffffffffda RBX: 00007f9baca146d4 RCX: 000000000045c849
RDX: 0000000000000006 RSI: 0000000020000080 RDI: 0000000000000006
RBP: 000000000076bfa0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 000000000000002c R14: 00000000004c2ce6 R15: 000000000076bfac
Shutting down cpus with NMI
Kernel Offset: disabled
Rebooting in 86400 seconds..


Tested on:

commit: 770fbb32 Add linux-next specific files for 20200228
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
console output: https://syzkaller.appspot.com/x/log.txt?x=17c34fdbe00000
kernel config: https://syzkaller.appspot.com/x/.config?x=576314276bce4ad5
dashboard link: https://syzkaller.appspot.com/bug?extid=04e804c8c2224b6a9497
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
patch: https://syzkaller.appspot.com/x/patch.diff?x=109fe6c7e00000

syzbot

Apr 5, 2020, 11:11:04 AM4/5/20
to anen...@gmail.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger crash:

Reported-and-tested-by: syzbot+04e804...@syzkaller.appspotmail.com

Tested on:

commit: 770fbb32 Add linux-next specific files for 20200228
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
kernel config: https://syzkaller.appspot.com/x/.config?x=576314276bce4ad5
dashboard link: https://syzkaller.appspot.com/bug?extid=04e804c8c2224b6a9497
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
patch: https://syzkaller.appspot.com/x/patch.diff?x=15300053e00000

syzbot

Apr 5, 2020, 11:57:04 AM4/5/20
to anen...@gmail.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer still triggered crash:
WARNING: locking bug in __perf_event_task_sched_in

------------[ cut here ]------------
DEBUG_LOCKS_WARN_ON(1)
WARNING: CPU: 0 PID: 12406 at kernel/locking/lockdep.c:168 hlock_class kernel/locking/lockdep.c:168 [inline]
WARNING: CPU: 0 PID: 12406 at kernel/locking/lockdep.c:168 hlock_class kernel/locking/lockdep.c:157 [inline]
WARNING: CPU: 0 PID: 12406 at kernel/locking/lockdep.c:168 __lock_acquire+0x2154/0x5270 kernel/locking/lockdep.c:4186
Kernel panic - not syncing: panic_on_warn set ...
CPU: 0 PID: 12406 Comm: syz-executor.0 Not tainted 5.6.0-rc3-next-20200228-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x188/0x20d lib/dump_stack.c:118
panic+0x2e3/0x75c kernel/panic.c:221
__warn.cold+0x2f/0x35 kernel/panic.c:582
report_bug+0x27b/0x2f0 lib/bug.c:195
fixup_bug arch/x86/kernel/traps.c:175 [inline]
fixup_bug arch/x86/kernel/traps.c:170 [inline]
do_error_trap+0x12b/0x220 arch/x86/kernel/traps.c:267
do_invalid_op+0x32/0x40 arch/x86/kernel/traps.c:286
invalid_op+0x23/0x30 arch/x86/entry/entry_64.S:1027
RIP: 0010:hlock_class kernel/locking/lockdep.c:168 [inline]
RIP: 0010:hlock_class kernel/locking/lockdep.c:157 [inline]
RIP: 0010:__lock_acquire+0x2154/0x5270 kernel/locking/lockdep.c:4186
Code: 08 84 d2 0f 85 ee 21 00 00 8b 05 b7 99 2d 09 85 c0 75 b4 48 c7 c6 c0 7d 2b 88 48 c7 c7 00 7e 2b 88 4c 89 14 24 e8 44 a5 eb ff <0f> 0b 31 db 4c 8b 14 24 e9 28 fa ff ff 44 8b 7c 24 60 4d 89 f2 48
RSP: 0018:ffffc90001707678 EFLAGS: 00010082
RAX: 0000000000000000 RBX: 0000000000000b4a RCX: 0000000000000000
RDX: 0000000040000000 RSI: ffffffff815c4e91 RDI: fffff520002e0ec1
RBP: ffff8880741d8480 R08: ffff8880741d8480 R09: fffffbfff13345a5
R10: fffffbfff13345a4 R11: ffffffff899a2d23 R12: 000000002c14703f
R13: ffffffff8a865550 R14: ffff8880741d8d48 R15: 0000000000000000
lock_acquire+0x197/0x420 kernel/locking/lockdep.c:4720
__raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
_raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:151
perf_ctx_lock kernel/events/core.c:155 [inline]
perf_event_context_sched_in kernel/events/core.c:3568 [inline]
__perf_event_task_sched_in+0x50f/0x7c0 kernel/events/core.c:3626
perf_event_task_sched_in include/linux/perf_event.h:1191 [inline]
finish_task_switch+0x2a8/0x750 kernel/sched/core.c:3215
context_switch kernel/sched/core.c:3381 [inline]
__schedule+0x93c/0x1f90 kernel/sched/core.c:4078
preempt_schedule_irq+0xb0/0x150 kernel/sched/core.c:4335
retint_kernel+0x1b/0x2b
RIP: 0010:arch_local_irq_restore arch/x86/include/asm/paravirt.h:752 [inline]
RIP: 0010:lock_acquire+0x209/0x420 kernel/locking/lockdep.c:4723
Code: 9c 08 00 00 00 00 00 00 48 c1 e8 03 80 3c 10 00 0f 85 de 01 00 00 48 83 3d 8b c4 3a 08 00 0f 84 5a 01 00 00 48 8b 3c 24 57 9d <0f> 1f 44 00 00 48 83 c4 18 5b 5d 41 5c 41 5d 41 5e 41 5f c3 65 8b
RSP: 0018:ffffc90001707b18 EFLAGS: 00000286 ORIG_RAX: ffffffffffffff13
RAX: 1ffffffff1327907 RBX: ffff8880741d8480 RCX: 1ffff920002e0f4c
RDX: dffffc0000000000 RSI: 0000000000000000 RDI: 0000000000000286
RBP: ffff88809a177928 R08: 0000000000000004 R09: fffffbfff18b79b5
R10: fffffbfff18b79b4 R11: 0000000000000003 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
flush_workqueue+0x126/0x14c0 kernel/workqueue.c:2777
hci_dev_open+0xdb/0x280 net/bluetooth/hci_core.c:1626
hci_sock_bind+0x427/0x1140 net/bluetooth/hci_sock.c:1200
__sys_bind+0x20e/0x250 net/socket.c:1662
__do_sys_bind net/socket.c:1673 [inline]
__se_sys_bind net/socket.c:1671 [inline]
__x64_sys_bind+0x6f/0xb0 net/socket.c:1671
do_syscall_64+0xf6/0x790 arch/x86/entry/common.c:295
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x45c849
Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f0dd3606c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000031
RAX: ffffffffffffffda RBX: 00007f0dd36076d4 RCX: 000000000045c849
RDX: 0000000000000006 RSI: 0000000020000080 RDI: 0000000000000006
RBP: 000000000076bfa0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 000000000000002c R14: 00000000004c2ce6 R15: 000000000076bfac
Shutting down cpus with NMI
Kernel Offset: disabled
Rebooting in 86400 seconds..


Tested on:

commit: 770fbb32 Add linux-next specific files for 20200228
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
console output: https://syzkaller.appspot.com/x/log.txt?x=13f3aae7e00000
kernel config: https://syzkaller.appspot.com/x/.config?x=576314276bce4ad5
dashboard link: https://syzkaller.appspot.com/bug?extid=04e804c8c2224b6a9497
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
patch: https://syzkaller.appspot.com/x/patch.diff?x=15a34fdbe00000

syzbot

Apr 5, 2020, 1:27:06 PM4/5/20
to anen...@gmail.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer still triggered a crash:
KASAN: use-after-free Write in hci_sock_bind

==================================================================
BUG: KASAN: use-after-free in instrument_atomic_write include/linux/instrumented.h:71 [inline]
BUG: KASAN: use-after-free in atomic_inc include/asm-generic/atomic-instrumented.h:240 [inline]
BUG: KASAN: use-after-free in hci_sock_bind+0x591/0x11b0 net/bluetooth/hci_sock.c:1250
Write of size 4 at addr ffff88808a2b9078 by task syz-executor.3/8582

CPU: 0 PID: 8582 Comm: syz-executor.3 Not tainted 5.6.0-rc3-next-20200228-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x188/0x20d lib/dump_stack.c:118
print_address_description.constprop.0.cold+0xd3/0x315 mm/kasan/report.c:374
__kasan_report.cold+0x1a/0x32 mm/kasan/report.c:506
kasan_report+0xe/0x20 mm/kasan/common.c:618
check_memory_region_inline mm/kasan/generic.c:185 [inline]
check_memory_region+0x128/0x190 mm/kasan/generic.c:192
instrument_atomic_write include/linux/instrumented.h:71 [inline]
atomic_inc include/asm-generic/atomic-instrumented.h:240 [inline]
hci_sock_bind+0x591/0x11b0 net/bluetooth/hci_sock.c:1250
__sys_bind+0x20e/0x250 net/socket.c:1662
__do_sys_bind net/socket.c:1673 [inline]
__se_sys_bind net/socket.c:1671 [inline]
__x64_sys_bind+0x6f/0xb0 net/socket.c:1671
do_syscall_64+0xf6/0x790 arch/x86/entry/common.c:295
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x45c849
Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f5120f9dc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000031
RAX: ffffffffffffffda RBX: 00007f5120f9e6d4 RCX: 000000000045c849
RDX: 0000000000000006 RSI: 0000000020000080 RDI: 0000000000000006
RBP: 000000000076bf00 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 000000000000002c R14: 00000000004c2ce6 R15: 000000000076bf0c

Allocated by task 8579:
save_stack+0x1b/0x40 mm/kasan/common.c:49
set_track mm/kasan/common.c:57 [inline]
__kasan_kmalloc mm/kasan/common.c:492 [inline]
__kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:465
kmem_cache_alloc_trace+0x153/0x7d0 mm/slab.c:3551
kmalloc include/linux/slab.h:555 [inline]
kzalloc include/linux/slab.h:669 [inline]
hci_alloc_dev+0x3e/0x1e20 net/bluetooth/hci_core.c:3249
__vhci_create_device+0x100/0x5b0 drivers/bluetooth/hci_vhci.c:99
vhci_create_device drivers/bluetooth/hci_vhci.c:148 [inline]
vhci_get_user drivers/bluetooth/hci_vhci.c:205 [inline]
vhci_write+0x2bf/0x450 drivers/bluetooth/hci_vhci.c:285
call_write_iter include/linux/fs.h:1901 [inline]
new_sync_write+0x49c/0x700 fs/read_write.c:483
__vfs_write+0xc9/0x100 fs/read_write.c:496
vfs_write+0x262/0x5c0 fs/read_write.c:558
ksys_write+0x127/0x250 fs/read_write.c:611
do_syscall_64+0xf6/0x790 arch/x86/entry/common.c:295
entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 8574:
save_stack+0x1b/0x40 mm/kasan/common.c:49
set_track mm/kasan/common.c:57 [inline]
kasan_set_free_info mm/kasan/common.c:314 [inline]
__kasan_slab_free+0xf7/0x140 mm/kasan/common.c:453
__cache_free mm/slab.c:3426 [inline]
kfree+0x109/0x2b0 mm/slab.c:3757
bt_host_release+0x15/0x20 net/bluetooth/hci_sysfs.c:86
device_release+0x71/0x200 drivers/base/core.c:1358
kobject_cleanup lib/kobject.c:693 [inline]
kobject_release lib/kobject.c:722 [inline]
kref_put include/linux/kref.h:65 [inline]
kobject_put+0x1e7/0x2e0 lib/kobject.c:739
put_device+0x1b/0x30 drivers/base/core.c:2586
vhci_release+0x78/0xe0 drivers/bluetooth/hci_vhci.c:341
__fput+0x2da/0x850 fs/file_table.c:280
task_work_run+0x13f/0x1b0 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:188 [inline]
exit_to_usermode_loop+0x2fa/0x360 arch/x86/entry/common.c:165
prepare_exit_to_usermode arch/x86/entry/common.c:196 [inline]
syscall_return_slowpath arch/x86/entry/common.c:279 [inline]
do_syscall_64+0x672/0x790 arch/x86/entry/common.c:305
entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at ffff88808a2b8000
which belongs to the cache kmalloc-8k of size 8192
The buggy address is located 4216 bytes inside of
8192-byte region [ffff88808a2b8000, ffff88808a2ba000)
The buggy address belongs to the page:
page:ffffea000228ae00 refcount:1 mapcount:0 mapping:00000000692c10cd index:0x0 head:ffffea000228ae00 order:2 compound_mapcount:0 compound_pincount:0
flags: 0xfffe0000010200(slab|head)
raw: 00fffe0000010200 ffffea0002612708 ffffea000264f708 ffff8880aa0021c0
raw: 0000000000000000 ffff88808a2b8000 0000000100000001 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff88808a2b8f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88808a2b8f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88808a2b9000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88808a2b9080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88808a2b9100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================


Tested on:

commit: 770fbb32 Add linux-next specific files for 20200228
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
console output: https://syzkaller.appspot.com/x/log.txt?x=12b13fdbe00000
kernel config: https://syzkaller.appspot.com/x/.config?x=576314276bce4ad5
dashboard link: https://syzkaller.appspot.com/bug?extid=04e804c8c2224b6a9497
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
patch: https://syzkaller.appspot.com/x/patch.diff?x=1275efdbe00000

syzbot

Apr 5, 2020, 1:54:04 PM4/5/20
to anen...@gmail.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer still triggered a crash:
KASAN: use-after-free Write in hci_sock_bind

==================================================================
BUG: KASAN: use-after-free in instrument_atomic_write include/linux/instrumented.h:71 [inline]
BUG: KASAN: use-after-free in atomic_inc include/asm-generic/atomic-instrumented.h:240 [inline]
BUG: KASAN: use-after-free in hci_sock_bind+0x591/0x11b0 net/bluetooth/hci_sock.c:1250
Write of size 4 at addr ffff888085f75078 by task syz-executor.4/8549

CPU: 0 PID: 8549 Comm: syz-executor.4 Not tainted 5.6.0-rc3-next-20200228-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x188/0x20d lib/dump_stack.c:118
print_address_description.constprop.0.cold+0xd3/0x315 mm/kasan/report.c:374
__kasan_report.cold+0x1a/0x32 mm/kasan/report.c:506
kasan_report+0xe/0x20 mm/kasan/common.c:618
check_memory_region_inline mm/kasan/generic.c:185 [inline]
check_memory_region+0x128/0x190 mm/kasan/generic.c:192
instrument_atomic_write include/linux/instrumented.h:71 [inline]
atomic_inc include/asm-generic/atomic-instrumented.h:240 [inline]
hci_sock_bind+0x591/0x11b0 net/bluetooth/hci_sock.c:1250
__sys_bind+0x20e/0x250 net/socket.c:1662
__do_sys_bind net/socket.c:1673 [inline]
__se_sys_bind net/socket.c:1671 [inline]
__x64_sys_bind+0x6f/0xb0 net/socket.c:1671
do_syscall_64+0xf6/0x790 arch/x86/entry/common.c:295
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x45c849
Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f29d01b0c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000031
RAX: ffffffffffffffda RBX: 00007f29d01b16d4 RCX: 000000000045c849
RDX: 0000000000000006 RSI: 0000000020000080 RDI: 0000000000000006
RBP: 000000000076bf00 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 000000000000002c R14: 00000000004c2ce6 R15: 000000000076bf0c

Allocated by task 8550:
save_stack+0x1b/0x40 mm/kasan/common.c:49
set_track mm/kasan/common.c:57 [inline]
__kasan_kmalloc mm/kasan/common.c:492 [inline]
__kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:465
kmem_cache_alloc_trace+0x153/0x7d0 mm/slab.c:3551
kmalloc include/linux/slab.h:555 [inline]
kzalloc include/linux/slab.h:669 [inline]
hci_alloc_dev+0x3e/0x1e20 net/bluetooth/hci_core.c:3249
__vhci_create_device+0x100/0x5b0 drivers/bluetooth/hci_vhci.c:99
vhci_create_device drivers/bluetooth/hci_vhci.c:148 [inline]
vhci_get_user drivers/bluetooth/hci_vhci.c:205 [inline]
vhci_write+0x2bf/0x450 drivers/bluetooth/hci_vhci.c:285
call_write_iter include/linux/fs.h:1901 [inline]
new_sync_write+0x49c/0x700 fs/read_write.c:483
__vfs_write+0xc9/0x100 fs/read_write.c:496
vfs_write+0x262/0x5c0 fs/read_write.c:558
ksys_write+0x127/0x250 fs/read_write.c:611
do_syscall_64+0xf6/0x790 arch/x86/entry/common.c:295
entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 8546:
save_stack+0x1b/0x40 mm/kasan/common.c:49
set_track mm/kasan/common.c:57 [inline]
kasan_set_free_info mm/kasan/common.c:314 [inline]
__kasan_slab_free+0xf7/0x140 mm/kasan/common.c:453
__cache_free mm/slab.c:3426 [inline]
kfree+0x109/0x2b0 mm/slab.c:3757
bt_host_release+0x15/0x20 net/bluetooth/hci_sysfs.c:86
device_release+0x71/0x200 drivers/base/core.c:1358
kobject_cleanup lib/kobject.c:693 [inline]
kobject_release lib/kobject.c:722 [inline]
kref_put include/linux/kref.h:65 [inline]
kobject_put+0x1e7/0x2e0 lib/kobject.c:739
put_device+0x1b/0x30 drivers/base/core.c:2586
vhci_release+0x78/0xe0 drivers/bluetooth/hci_vhci.c:341
__fput+0x2da/0x850 fs/file_table.c:280
task_work_run+0x13f/0x1b0 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:188 [inline]
exit_to_usermode_loop+0x2fa/0x360 arch/x86/entry/common.c:165
prepare_exit_to_usermode arch/x86/entry/common.c:196 [inline]
syscall_return_slowpath arch/x86/entry/common.c:279 [inline]
do_syscall_64+0x672/0x790 arch/x86/entry/common.c:305
entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at ffff888085f74000
which belongs to the cache kmalloc-8k of size 8192
The buggy address is located 4216 bytes inside of
8192-byte region [ffff888085f74000, ffff888085f76000)
The buggy address belongs to the page:
page:ffffea000217dd00 refcount:1 mapcount:0 mapping:00000000ef8eba6a index:0x0 head:ffffea000217dd00 order:2 compound_mapcount:0 compound_pincount:0
flags: 0xfffe0000010200(slab|head)
raw: 00fffe0000010200 ffffea00021c1508 ffffea000261ca08 ffff8880aa0021c0
raw: 0000000000000000 ffff888085f74000 0000000100000001 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff888085f74f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888085f74f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888085f75000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff888085f75080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888085f75100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================


Tested on:

commit: 770fbb32 Add linux-next specific files for 20200228
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
console output: https://syzkaller.appspot.com/x/log.txt?x=13e3d71fe00000
kernel config: https://syzkaller.appspot.com/x/.config?x=576314276bce4ad5
dashboard link: https://syzkaller.appspot.com/bug?extid=04e804c8c2224b6a9497
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
patch: https://syzkaller.appspot.com/x/patch.diff?x=137fe6c7e00000

syzbot

Apr 6, 2020, 12:13:05 AM4/6/20
to anen...@gmail.com, syzkall...@googlegroups.com
Hello,

syzbot tried to test the proposed patch but build/boot failed:

Makefile:1684: recipe for target 'net' failed
make: *** [net] Error 2
make: *** Waiting for unfinished jobs....


Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=13f64a5de00000


Tested on:

commit: 770fbb32 Add linux-next specific files for 20200228
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
dashboard link: https://syzkaller.appspot.com/bug?extid=04e804c8c2224b6a9497
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
patch: https://syzkaller.appspot.com/x/patch.diff?x=16bbd2afe00000

syzbot

Apr 6, 2020, 1:46:05 AM4/6/20
to anen...@gmail.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer still triggered a crash:
KASAN: use-after-free Read in hci_dev_open

==================================================================
BUG: KASAN: use-after-free in __lock_acquire+0x41b7/0x5270 kernel/locking/lockdep.c:4063
Read of size 8 at addr ffff8880921b7928 by task syz-executor.2/8717

CPU: 0 PID: 8717 Comm: syz-executor.2 Not tainted 5.6.0-rc3-next-20200228-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x188/0x20d lib/dump_stack.c:118
print_address_description.constprop.0.cold+0xd3/0x315 mm/kasan/report.c:374
__kasan_report.cold+0x1a/0x32 mm/kasan/report.c:506
kasan_report+0xe/0x20 mm/kasan/common.c:618
__lock_acquire+0x41b7/0x5270 kernel/locking/lockdep.c:4063
lock_acquire+0x197/0x420 kernel/locking/lockdep.c:4720
flush_workqueue+0x126/0x14c0 kernel/workqueue.c:2777
hci_dev_open+0xdb/0x360 net/bluetooth/hci_core.c:1626
hci_sock_bind+0x427/0x1210 net/bluetooth/hci_sock.c:1200
__sys_bind+0x20e/0x250 net/socket.c:1662
__do_sys_bind net/socket.c:1673 [inline]
__se_sys_bind net/socket.c:1671 [inline]
__x64_sys_bind+0x6f/0xb0 net/socket.c:1671
do_syscall_64+0xf6/0x790 arch/x86/entry/common.c:295
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x45c849
Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f6ea2aabc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000031
RAX: ffffffffffffffda RBX: 00007f6ea2aac6d4 RCX: 000000000045c849
RDX: 0000000000000006 RSI: 0000000020000080 RDI: 0000000000000006
RBP: 000000000076bf00 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 000000000000002c R14: 00000000004c2ce6 R15: 000000000076bf0c

Allocated by task 8709:
save_stack+0x1b/0x40 mm/kasan/common.c:49
set_track mm/kasan/common.c:57 [inline]
__kasan_kmalloc mm/kasan/common.c:492 [inline]
__kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:465
__do_kmalloc mm/slab.c:3656 [inline]
__kmalloc+0x161/0x7a0 mm/slab.c:3665
kmalloc include/linux/slab.h:560 [inline]
kzalloc include/linux/slab.h:669 [inline]
alloc_workqueue+0x166/0xe90 kernel/workqueue.c:4250
hci_register_dev+0x203/0x950 net/bluetooth/hci_core.c:3390
__vhci_create_device+0x2b5/0x5b0 drivers/bluetooth/hci_vhci.c:124
vhci_create_device drivers/bluetooth/hci_vhci.c:148 [inline]
vhci_get_user drivers/bluetooth/hci_vhci.c:205 [inline]
vhci_write+0x2bf/0x450 drivers/bluetooth/hci_vhci.c:285
call_write_iter include/linux/fs.h:1901 [inline]
new_sync_write+0x49c/0x700 fs/read_write.c:483
__vfs_write+0xc9/0x100 fs/read_write.c:496
vfs_write+0x262/0x5c0 fs/read_write.c:558
ksys_write+0x127/0x250 fs/read_write.c:611
do_syscall_64+0xf6/0x790 arch/x86/entry/common.c:295
entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 7145:
save_stack+0x1b/0x40 mm/kasan/common.c:49
set_track mm/kasan/common.c:57 [inline]
kasan_set_free_info mm/kasan/common.c:314 [inline]
__kasan_slab_free+0xf7/0x140 mm/kasan/common.c:453
__cache_free mm/slab.c:3426 [inline]
kfree+0x109/0x2b0 mm/slab.c:3757
rcu_do_batch kernel/rcu/tree.c:2218 [inline]
rcu_core+0x59f/0x1370 kernel/rcu/tree.c:2445
__do_softirq+0x26c/0x99d kernel/softirq.c:292

The buggy address belongs to the object at ffff8880921b7800
which belongs to the cache kmalloc-512 of size 512
The buggy address is located 296 bytes inside of
512-byte region [ffff8880921b7800, ffff8880921b7a00)
The buggy address belongs to the page:
page:ffffea0002486dc0 refcount:1 mapcount:0 mapping:00000000554a632b index:0x0
flags: 0xfffe0000000200(slab)
raw: 00fffe0000000200 ffffea00024a7a48 ffffea0002916a48 ffff8880aa000a80
raw: 0000000000000000 ffff8880921b7000 0000000100000004 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff8880921b7800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8880921b7880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8880921b7900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8880921b7980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8880921b7a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================


Tested on:

commit: 770fbb32 Add linux-next specific files for 20200228
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
console output: https://syzkaller.appspot.com/x/log.txt?x=155016c7e00000
kernel config: https://syzkaller.appspot.com/x/.config?x=576314276bce4ad5
dashboard link: https://syzkaller.appspot.com/bug?extid=04e804c8c2224b6a9497
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
patch: https://syzkaller.appspot.com/x/patch.diff?x=17bfb7dbe00000

syzbot

Apr 6, 2020, 3:46:04 AM4/6/20
to anen...@gmail.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer still triggered a crash:
BUG: MAX_LOCKDEP_CHAINS too low!

BUG: MAX_LOCKDEP_CHAINS too low!
turning off the locking correctness validator.
CPU: 1 PID: 8529 Comm: kworker/u5:2 Not tainted 5.6.0-rc3-next-20200228-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: hci1507 hci_power_on
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x188/0x20d lib/dump_stack.c:118
add_chain_cache kernel/locking/lockdep.c:3048 [inline]
lookup_chain_cache_add kernel/locking/lockdep.c:3147 [inline]
validate_chain kernel/locking/lockdep.c:3168 [inline]
__lock_acquire.cold+0x11/0x2c1 kernel/locking/lockdep.c:4190
lock_acquire+0x197/0x420 kernel/locking/lockdep.c:4720
__raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
_raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:151
vprintk_emit+0x11a/0x710 kernel/printk/printk.c:1974
vprintk_func+0x79/0x17e kernel/printk/printk_safe.c:386
printk+0xba/0xed kernel/printk/printk.c:2054
hci_dev_hold include/net/bluetooth/hci_core.h:1041 [inline]
hci_dev_do_open+0x628/0x1920 net/bluetooth/hci_core.c:1544
hci_power_on+0x11d/0x610 net/bluetooth/hci_core.c:2193
process_one_work+0x94b/0x1690 kernel/workqueue.c:2266
worker_thread+0x96/0xe20 kernel/workqueue.c:2412
kthread+0x357/0x430 kernel/kthread.c:255
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352


Tested on:

commit: 770fbb32 Add linux-next specific files for 20200228
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
console output: https://syzkaller.appspot.com/x/log.txt?x=17d9458fe00000
kernel config: https://syzkaller.appspot.com/x/.config?x=576314276bce4ad5
dashboard link: https://syzkaller.appspot.com/bug?extid=04e804c8c2224b6a9497
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
patch: https://syzkaller.appspot.com/x/patch.diff?x=158e4a5de00000

syzbot

Apr 6, 2020, 4:10:03 AM4/6/20
to anen...@gmail.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer still triggered a crash:
BUG: MAX_LOCKDEP_CHAINS too low!

BUG: MAX_LOCKDEP_CHAINS too low!
turning off the locking correctness validator.
CPU: 0 PID: 4105 Comm: systemd-udevd Not tainted 5.6.0-rc3-next-20200228-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x188/0x20d lib/dump_stack.c:118
add_chain_cache kernel/locking/lockdep.c:3048 [inline]
lookup_chain_cache_add kernel/locking/lockdep.c:3147 [inline]
validate_chain kernel/locking/lockdep.c:3168 [inline]
__lock_acquire.cold+0x11/0x2c1 kernel/locking/lockdep.c:4190
lock_acquire+0x197/0x420 kernel/locking/lockdep.c:4720
__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
_raw_spin_lock_irqsave+0x8c/0xbf kernel/locking/spinlock.c:159
remove_entity_load_avg+0x76/0x250 kernel/sched/fair.c:3839
finish_task_switch+0x516/0x750 kernel/sched/core.c:3240
context_switch kernel/sched/core.c:3381 [inline]
__schedule+0x93c/0x1f90 kernel/sched/core.c:4078
preempt_schedule_common+0x4a/0xc0 kernel/sched/core.c:4233
___preempt_schedule+0x16/0x18 arch/x86/entry/thunk_64.S:50
unwind_next_frame+0xdd3/0x19d0 arch/x86/kernel/unwind_orc.c:572
arch_stack_walk+0x74/0xd0 arch/x86/kernel/stacktrace.c:25
stack_trace_save+0x8c/0xc0 kernel/stacktrace.c:123
save_stack+0x1b/0x40 mm/kasan/common.c:49
set_track mm/kasan/common.c:57 [inline]
__kasan_kmalloc mm/kasan/common.c:492 [inline]
__kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:465
slab_post_alloc_hook mm/slab.h:586 [inline]
slab_alloc mm/slab.c:3320 [inline]
__do_kmalloc mm/slab.c:3654 [inline]
__kmalloc+0x14b/0x7a0 mm/slab.c:3665
kmalloc include/linux/slab.h:560 [inline]
kernfs_fop_write+0x345/0x490 fs/kernfs/file.c:292
__vfs_write+0x76/0x100 fs/read_write.c:494
vfs_write+0x262/0x5c0 fs/read_write.c:558
ksys_write+0x127/0x250 fs/read_write.c:611
do_syscall_64+0xf6/0x790 arch/x86/entry/common.c:295
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x7f515596e970
Code: 73 01 c3 48 8b 0d 28 d5 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 83 3d 99 2d 2c 00 00 75 10 b8 01 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 7e 9b 01 00 48 89 04 24
RSP: 002b:00007ffde3fe5778 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 0000000000000007 RCX: 00007f515596e970
RDX: 0000000000000007 RSI: 00005636d3308e90 RDI: 000000000000000e
RBP: 00005636d3308e90 R08: 00005636d3308d40 R09: 00007f5156afb8c0
R10: 0000000000080240 R11: 0000000000000246 R12: 0000000000000007
R13: 0000000000000001 R14: 00005636d3308c60 R15: 0000000000000007


Tested on:

commit: 770fbb32 Add linux-next specific files for 20200228
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
console output: https://syzkaller.appspot.com/x/log.txt?x=125417bde00000
kernel config: https://syzkaller.appspot.com/x/.config?x=576314276bce4ad5
dashboard link: https://syzkaller.appspot.com/bug?extid=04e804c8c2224b6a9497
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
patch: https://syzkaller.appspot.com/x/patch.diff?x=1733dbb7e00000

Qiujun Huang

Apr 6, 2020, 7:49:35 AM4/6/20
to syzbot, syzkaller-bugs
040608.patch

syzbot

Apr 6, 2020, 8:00:05 AM4/6/20
to anen...@gmail.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer still triggered a crash:
KASAN: use-after-free Write in hci_sock_bind

==================================================================
BUG: KASAN: use-after-free in instrument_atomic_write include/linux/instrumented.h:71 [inline]
BUG: KASAN: use-after-free in atomic_inc include/asm-generic/atomic-instrumented.h:240 [inline]
BUG: KASAN: use-after-free in hci_sock_bind+0x591/0x1140 net/bluetooth/hci_sock.c:1250
Write of size 4 at addr ffff888074ee1078 by task syz-executor.2/8898

CPU: 0 PID: 8898 Comm: syz-executor.2 Not tainted 5.6.0-rc3-next-20200228-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x188/0x20d lib/dump_stack.c:118
print_address_description.constprop.0.cold+0xd3/0x315 mm/kasan/report.c:374
__kasan_report.cold+0x1a/0x32 mm/kasan/report.c:506
kasan_report+0xe/0x20 mm/kasan/common.c:618
check_memory_region_inline mm/kasan/generic.c:185 [inline]
check_memory_region+0x128/0x190 mm/kasan/generic.c:192
instrument_atomic_write include/linux/instrumented.h:71 [inline]
atomic_inc include/asm-generic/atomic-instrumented.h:240 [inline]
hci_sock_bind+0x591/0x1140 net/bluetooth/hci_sock.c:1250
__sys_bind+0x20e/0x250 net/socket.c:1662
__do_sys_bind net/socket.c:1673 [inline]
__se_sys_bind net/socket.c:1671 [inline]
__x64_sys_bind+0x6f/0xb0 net/socket.c:1671
do_syscall_64+0xf6/0x790 arch/x86/entry/common.c:295
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x45c849
Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007fa059054c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000031
RAX: ffffffffffffffda RBX: 00007fa0590556d4 RCX: 000000000045c849
RDX: 0000000000000006 RSI: 0000000020000080 RDI: 0000000000000006
RBP: 000000000076bf00 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 000000000000002c R14: 00000000004c2ce6 R15: 000000000076bf0c

Allocated by task 8879:
save_stack+0x1b/0x40 mm/kasan/common.c:49
set_track mm/kasan/common.c:57 [inline]
__kasan_kmalloc mm/kasan/common.c:492 [inline]
__kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:465
kmem_cache_alloc_trace+0x153/0x7d0 mm/slab.c:3551
kmalloc include/linux/slab.h:555 [inline]
kzalloc include/linux/slab.h:669 [inline]
hci_alloc_dev+0x3e/0x1e20 net/bluetooth/hci_core.c:3249
__vhci_create_device+0x100/0x5b0 drivers/bluetooth/hci_vhci.c:99
vhci_create_device drivers/bluetooth/hci_vhci.c:148 [inline]
vhci_get_user drivers/bluetooth/hci_vhci.c:205 [inline]
vhci_write+0x2bf/0x450 drivers/bluetooth/hci_vhci.c:285
call_write_iter include/linux/fs.h:1901 [inline]
new_sync_write+0x49c/0x700 fs/read_write.c:483
__vfs_write+0xc9/0x100 fs/read_write.c:496
vfs_write+0x262/0x5c0 fs/read_write.c:558
ksys_write+0x127/0x250 fs/read_write.c:611
do_syscall_64+0xf6/0x790 arch/x86/entry/common.c:295
entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 8851:
save_stack+0x1b/0x40 mm/kasan/common.c:49
set_track mm/kasan/common.c:57 [inline]
kasan_set_free_info mm/kasan/common.c:314 [inline]
__kasan_slab_free+0xf7/0x140 mm/kasan/common.c:453
__cache_free mm/slab.c:3426 [inline]
kfree+0x109/0x2b0 mm/slab.c:3757
bt_host_release+0x6d/0x90 net/bluetooth/hci_sysfs.c:88
device_release+0x71/0x200 drivers/base/core.c:1358
kobject_cleanup lib/kobject.c:693 [inline]
kobject_release lib/kobject.c:722 [inline]
kref_put include/linux/kref.h:65 [inline]
kobject_put+0x1e7/0x2e0 lib/kobject.c:739
put_device+0x1b/0x30 drivers/base/core.c:2586
vhci_release+0x78/0xe0 drivers/bluetooth/hci_vhci.c:341
__fput+0x2da/0x850 fs/file_table.c:280
task_work_run+0x13f/0x1b0 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:188 [inline]
exit_to_usermode_loop+0x2fa/0x360 arch/x86/entry/common.c:165
prepare_exit_to_usermode arch/x86/entry/common.c:196 [inline]
syscall_return_slowpath arch/x86/entry/common.c:279 [inline]
do_syscall_64+0x672/0x790 arch/x86/entry/common.c:305
entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at ffff888074ee0000
which belongs to the cache kmalloc-8k of size 8192
The buggy address is located 4216 bytes inside of
8192-byte region [ffff888074ee0000, ffff888074ee2000)
The buggy address belongs to the page:
page:ffffea0001d3b800 refcount:1 mapcount:0 mapping:000000009661c38a index:0x0 head:ffffea0001d3b800 order:2 compound_mapcount:0 compound_pincount:0
flags: 0xfffe0000010200(slab|head)
raw: 00fffe0000010200 ffffea0001d3ab08 ffffea0001d3de08 ffff8880aa0021c0
raw: 0000000000000000 ffff888074ee0000 0000000100000001 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff888074ee0f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888074ee0f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888074ee1000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff888074ee1080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888074ee1100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================


Tested on:

commit: 770fbb32 Add linux-next specific files for 20200228
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
console output: https://syzkaller.appspot.com/x/log.txt?x=17bb1fb7e00000
kernel config: https://syzkaller.appspot.com/x/.config?x=576314276bce4ad5
dashboard link: https://syzkaller.appspot.com/bug?extid=04e804c8c2224b6a9497
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
patch: https://syzkaller.appspot.com/x/patch.diff?x=12eafc1be00000

syzbot

Apr 6, 2020, 9:24:05 AM4/6/20
to anen...@gmail.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger a crash:

Reported-and-tested-by: syzbot+04e804...@syzkaller.appspotmail.com

Tested on:

commit: 770fbb32 Add linux-next specific files for 20200228
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
kernel config: https://syzkaller.appspot.com/x/.config?x=576314276bce4ad5
dashboard link: https://syzkaller.appspot.com/bug?extid=04e804c8c2224b6a9497
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
patch: https://syzkaller.appspot.com/x/patch.diff?x=143a6ab3e00000

syzbot

Apr 6, 2020, 10:30:04 AM4/6/20
to anen...@gmail.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger a crash:

Reported-and-tested-by: syzbot+04e804...@syzkaller.appspotmail.com

Tested on:

commit: 770fbb32 Add linux-next specific files for 20200228
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
kernel config: https://syzkaller.appspot.com/x/.config?x=576314276bce4ad5
dashboard link: https://syzkaller.appspot.com/bug?extid=04e804c8c2224b6a9497
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
patch: https://syzkaller.appspot.com/x/patch.diff?x=1246faafe00000

syzbot

Apr 6, 2020, 11:14:04 AM4/6/20
to anen...@gmail.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer still triggered a crash:
KASAN: use-after-free Write in hci_sock_bind

==================================================================
BUG: KASAN: use-after-free in instrument_atomic_write include/linux/instrumented.h:71 [inline]
BUG: KASAN: use-after-free in atomic_inc include/asm-generic/atomic-instrumented.h:240 [inline]
BUG: KASAN: use-after-free in hci_sock_bind+0x576/0x1140 net/bluetooth/hci_sock.c:1251
Write of size 4 at addr ffff888074311078 by task syz-executor.4/9261

CPU: 0 PID: 9261 Comm: syz-executor.4 Not tainted 5.6.0-rc3-next-20200228-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x188/0x20d lib/dump_stack.c:118
print_address_description.constprop.0.cold+0xd3/0x315 mm/kasan/report.c:374
__kasan_report.cold+0x1a/0x32 mm/kasan/report.c:506
kasan_report+0xe/0x20 mm/kasan/common.c:618
check_memory_region_inline mm/kasan/generic.c:185 [inline]
check_memory_region+0x128/0x190 mm/kasan/generic.c:192
instrument_atomic_write include/linux/instrumented.h:71 [inline]
atomic_inc include/asm-generic/atomic-instrumented.h:240 [inline]
hci_sock_bind+0x576/0x1140 net/bluetooth/hci_sock.c:1251
__sys_bind+0x20e/0x250 net/socket.c:1662
__do_sys_bind net/socket.c:1673 [inline]
__se_sys_bind net/socket.c:1671 [inline]
__x64_sys_bind+0x6f/0xb0 net/socket.c:1671
do_syscall_64+0xf6/0x790 arch/x86/entry/common.c:295
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x45c849
Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f07120ffc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000031
RAX: ffffffffffffffda RBX: 00007f07121006d4 RCX: 000000000045c849
RDX: 0000000000000006 RSI: 0000000020000080 RDI: 0000000000000006
RBP: 000000000076bf00 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 000000000000002c R14: 00000000004c2ce6 R15: 000000000076bf0c

Allocated by task 9236:
save_stack+0x1b/0x40 mm/kasan/common.c:49
set_track mm/kasan/common.c:57 [inline]
__kasan_kmalloc mm/kasan/common.c:492 [inline]
__kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:465
kmem_cache_alloc_trace+0x153/0x7d0 mm/slab.c:3551
kmalloc include/linux/slab.h:555 [inline]
kzalloc include/linux/slab.h:669 [inline]
hci_alloc_dev+0x3e/0x1e20 net/bluetooth/hci_core.c:3249
__vhci_create_device+0x100/0x5b0 drivers/bluetooth/hci_vhci.c:99
vhci_create_device drivers/bluetooth/hci_vhci.c:148 [inline]
vhci_get_user drivers/bluetooth/hci_vhci.c:205 [inline]
vhci_write+0x2bf/0x450 drivers/bluetooth/hci_vhci.c:285
call_write_iter include/linux/fs.h:1901 [inline]
new_sync_write+0x49c/0x700 fs/read_write.c:483
__vfs_write+0xc9/0x100 fs/read_write.c:496
vfs_write+0x262/0x5c0 fs/read_write.c:558
ksys_write+0x127/0x250 fs/read_write.c:611
do_syscall_64+0xf6/0x790 arch/x86/entry/common.c:295
entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 9208:
save_stack+0x1b/0x40 mm/kasan/common.c:49
set_track mm/kasan/common.c:57 [inline]
kasan_set_free_info mm/kasan/common.c:314 [inline]
__kasan_slab_free+0xf7/0x140 mm/kasan/common.c:453
__cache_free mm/slab.c:3426 [inline]
kfree+0x109/0x2b0 mm/slab.c:3757
bt_host_release+0x81/0xa0 net/bluetooth/hci_sysfs.c:90
device_release+0x71/0x200 drivers/base/core.c:1358
kobject_cleanup lib/kobject.c:693 [inline]
kobject_release lib/kobject.c:722 [inline]
kref_put include/linux/kref.h:65 [inline]
kobject_put+0x1e7/0x2e0 lib/kobject.c:739
put_device+0x1b/0x30 drivers/base/core.c:2586
vhci_release+0x78/0xe0 drivers/bluetooth/hci_vhci.c:341
__fput+0x2da/0x850 fs/file_table.c:280
task_work_run+0x13f/0x1b0 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:188 [inline]
exit_to_usermode_loop+0x2fa/0x360 arch/x86/entry/common.c:165
prepare_exit_to_usermode arch/x86/entry/common.c:196 [inline]
syscall_return_slowpath arch/x86/entry/common.c:279 [inline]
do_syscall_64+0x672/0x790 arch/x86/entry/common.c:305
entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at ffff888074310000
which belongs to the cache kmalloc-8k of size 8192
The buggy address is located 4216 bytes inside of
8192-byte region [ffff888074310000, ffff888074312000)
The buggy address belongs to the page:
page:ffffea0001d0c400 refcount:1 mapcount:0 mapping:000000005001c219 index:0x0 head:ffffea0001d0c400 order:2 compound_mapcount:0 compound_pincount:0
flags: 0xfffe0000010200(slab|head)
raw: 00fffe0000010200 ffffea00023bf508 ffffea0001d0c908 ffff8880aa0021c0
raw: 0000000000000000 ffff888074310000 0000000100000001 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff888074310f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888074310f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888074311000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff888074311080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888074311100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================


Tested on:

commit: 770fbb32 Add linux-next specific files for 20200228
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
console output: https://syzkaller.appspot.com/x/log.txt?x=1643bfb7e00000
kernel config: https://syzkaller.appspot.com/x/.config?x=576314276bce4ad5
dashboard link: https://syzkaller.appspot.com/bug?extid=04e804c8c2224b6a9497
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
patch: https://syzkaller.appspot.com/x/patch.diff?x=1025aaafe00000
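
A small triage script, added here as an example and not code from the syzbot thread or the kernel tree, that parses a KASAN slab report like the one above into the three facts a reviewer wants first: where the bad access happens, where the object was allocated, and where it was freed, with the sanitizer, allocator and stack-dump frames stripped so the first subsystem frame is visible. The embedded SAMPLE is a condensed copy of the report in the message above (most frames elided); the NOISE prefix list, the regexes and the KasanReport field names are this example's own choices, not anything syzkaller or the kernel defines.

```python
"""Triage helper for KASAN slab reports (added example, not code from the syzbot thread)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Sanitizer, allocator and stack-dump plumbing, skipped when looking for the first
# frame in the subsystem under test. This prefix list is the example's own assumption.
NOISE = ("lib/dump_stack.c", "mm/kasan/", "mm/slab", "include/linux/slab.h",
         "include/linux/instrumented.h", "include/asm-generic/atomic-instrumented.h")
BUG_RE = re.compile(r"^BUG: KASAN: (?P<kind>[\w-]+) in ")
ACCESS_RE = re.compile(r"^(?P<op>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+) by task (?P<task>\S+)")
TRACK_RE = re.compile(r"^(?P<what>Allocated|Freed) by task (?P<pid>\d+):")
FRAME_RE = re.compile(r"^(?P<func>[\w.]+)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)? (?P<loc>\S+:\d+)")
OBJ_RE = re.compile(r"^The buggy address belongs to the object at (?P<base>[0-9a-f]+)")
CACHE_RE = re.compile(r"^which belongs to the cache (?P<cache>\S+) of size (?P<size>\d+)")

@dataclass
class KasanReport:
    kind: str = ""
    op: str = ""
    size: int = 0
    addr: int = 0
    task: str = ""
    access: List[Tuple[str, str]] = field(default_factory=list)  # (func, file:line)
    alloc: List[Tuple[str, str]] = field(default_factory=list)
    free: List[Tuple[str, str]] = field(default_factory=list)
    alloc_pid: Optional[int] = None
    free_pid: Optional[int] = None
    cache: Optional[str] = None
    object_base: Optional[int] = None

    def offset(self) -> Optional[int]:
        """Byte offset of the faulting access inside the slab object."""
        return None if self.object_base is None else self.addr - self.object_base

def first_real_frame(frames: List[Tuple[str, str]]) -> Optional[str]:
    """First frame outside the NOISE prefixes, as 'func file:line'."""
    for func, loc in frames:
        if not loc.startswith(NOISE):
            return f"{func} {loc}"
    return None

def parse_kasan(text: str) -> KasanReport:
    """Walk the report line by line; a blank line closes the current stack section."""
    r = KasanReport()
    section: Optional[List[Tuple[str, str]]] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            section = None
        elif (m := BUG_RE.match(line)):
            r.kind = m["kind"]
        elif (m := ACCESS_RE.match(line)):
            r.op, r.size, r.addr, r.task = m["op"], int(m["size"]), int(m["addr"], 16), m["task"]
        elif line == "Call Trace:":
            section = r.access
        elif (m := TRACK_RE.match(line)):
            if m["what"] == "Allocated":
                r.alloc_pid, section = int(m["pid"]), r.alloc
            else:
                r.free_pid, section = int(m["pid"]), r.free
        elif (m := OBJ_RE.match(line)):
            r.object_base = int(m["base"], 16)
        elif (m := CACHE_RE.match(line)):
            r.cache = m["cache"]
        elif section is not None and (m := FRAME_RE.match(line)):
            section.append((m["func"], m["loc"]))
    return r

def summarize(r: KasanReport) -> str:
    return (f"{r.kind}: {r.op} of {r.size} bytes at +{r.offset()} in {r.cache}; "
            f"access {first_real_frame(r.access)}; alloc {first_real_frame(r.alloc)} "
            f"(pid {r.alloc_pid}); free {first_real_frame(r.free)} (pid {r.free_pid})")

# Condensed from the report in the message above (most frames elided).
SAMPLE = """\
BUG: KASAN: use-after-free in atomic_inc include/asm-generic/atomic-instrumented.h:240 [inline]
BUG: KASAN: use-after-free in hci_sock_bind+0x576/0x1140 net/bluetooth/hci_sock.c:1251
Write of size 4 at addr ffff888074311078 by task syz-executor.4/9261

Call Trace:
 dump_stack+0x188/0x20d lib/dump_stack.c:118
 kasan_report+0xe/0x20 mm/kasan/common.c:618
 atomic_inc include/asm-generic/atomic-instrumented.h:240 [inline]
 hci_sock_bind+0x576/0x1140 net/bluetooth/hci_sock.c:1251

Allocated by task 9236:
 kmem_cache_alloc_trace+0x153/0x7d0 mm/slab.c:3551
 kzalloc include/linux/slab.h:669 [inline]
 hci_alloc_dev+0x3e/0x1e20 net/bluetooth/hci_core.c:3249

Freed by task 9208:
 kfree+0x109/0x2b0 mm/slab.c:3757
 bt_host_release+0x81/0xa0 net/bluetooth/hci_sysfs.c:90

The buggy address belongs to the object at ffff888074310000
 which belongs to the cache kmalloc-8k of size 8192
"""

if __name__ == "__main__":
    print(summarize(parse_kasan(SAMPLE)))
```

The offset is recomputed from the access address and the object base rather than taken from the "located N bytes inside" line, so the two can be cross-checked; for this report it gives 4216, matching the text.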

syzbot

Jan 5, 2023, 10:02:33 AM1/5/23
to syzkall...@googlegroups.com
Auto-closing this bug as obsolete.
No recent activity, existing reproducers are no longer triggering the issue.