WARNING: held lock freed in l2cap_conn_del


syzbot

Sep 23, 2022, 11:07:36 PM
to syzkaller...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: 4edbf74132a4 Linux 4.14.294
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=152e2aff080000
kernel config: https://syzkaller.appspot.com/x/.config?x=94d4cf9c4e23980f
dashboard link: https://syzkaller.appspot.com/bug?extid=1d8ec443b7c1a10628fd
compiler: gcc version 10.2.1 20210110 (Debian 10.2.1-6)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=115ed640880000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=16eca6ef080000

Downloadable assets:
disk image: https://storage.googleapis.com/b40da19b4827/disk-4edbf741.raw.xz
vmlinux: https://storage.googleapis.com/a36e39677c18/vmlinux-4edbf741.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+1d8ec4...@syzkaller.appspotmail.com

IPVS: ftp: loaded support on port[0] = 21
Bluetooth: hci0 hardware error 0xff
=========================
WARNING: held lock freed!
4.14.294-syzkaller #0 Not tainted
-------------------------
kworker/u5:2/7972 is freeing memory ffff888095be1500-ffff888095be1cff, with a lock still held there!
(&chan->lock/1){+.+.}, at: [<ffffffff866a1f93>] l2cap_chan_lock include/net/bluetooth/l2cap.h:806 [inline]
(&chan->lock/1){+.+.}, at: [<ffffffff866a1f93>] l2cap_conn_del+0x363/0x690 net/bluetooth/l2cap_core.c:1754
7 locks held by kworker/u5:2/7972:
#0: ("%s"hdev->name){+.+.}, at: [<ffffffff81364eb0>] process_one_work+0x6b0/0x14a0 kernel/workqueue.c:2088
#1: ((&hdev->error_reset)){+.+.}, at: [<ffffffff81364ee6>] process_one_work+0x6e6/0x14a0 kernel/workqueue.c:2092
#2: (&hdev->req_lock){+.+.}, at: [<ffffffff86616978>] hci_dev_do_close+0xa8/0xd80 net/bluetooth/hci_core.c:1589
#3: (&hdev->lock){+.+.}, at: [<ffffffff86616b34>] hci_dev_do_close+0x264/0xd80 net/bluetooth/hci_core.c:1628
#4: (hci_cb_list_lock){+.+.}, at: [<ffffffff8662c34a>] hci_disconn_cfm include/net/bluetooth/hci_core.h:1228 [inline]
#4: (hci_cb_list_lock){+.+.}, at: [<ffffffff8662c34a>] hci_conn_hash_flush+0xda/0x260 net/bluetooth/hci_conn.c:1393
#5: (&conn->chan_lock){+.+.}, at: [<ffffffff866a1eda>] l2cap_conn_del+0x2aa/0x690 net/bluetooth/l2cap_core.c:1749
#6: (&chan->lock/1){+.+.}, at: [<ffffffff866a1f93>] l2cap_chan_lock include/net/bluetooth/l2cap.h:806 [inline]
#6: (&chan->lock/1){+.+.}, at: [<ffffffff866a1f93>] l2cap_conn_del+0x363/0x690 net/bluetooth/l2cap_core.c:1754

stack backtrace:
CPU: 0 PID: 7972 Comm: kworker/u5:2 Not tainted 4.14.294-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/26/2022
Workqueue: hci0 hci_error_reset
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x1b2/0x281 lib/dump_stack.c:58
print_freed_lock_bug kernel/locking/lockdep.c:4463 [inline]
debug_check_no_locks_freed.cold+0x9c/0xa8 kernel/locking/lockdep.c:4496
kfree+0xac/0x250 mm/slab.c:3812
l2cap_chan_destroy net/bluetooth/l2cap_core.c:497 [inline]
kref_put include/linux/kref.h:70 [inline]
l2cap_chan_put+0x1c2/0x250 net/bluetooth/l2cap_core.c:521
l2cap_conn_del+0x3aa/0x690 net/bluetooth/l2cap_core.c:1758
l2cap_disconn_cfm net/bluetooth/l2cap_core.c:7479 [inline]
l2cap_disconn_cfm+0x7c/0xb0 net/bluetooth/l2cap_core.c:7472
hci_disconn_cfm include/net/bluetooth/hci_core.h:1231 [inline]
hci_conn_hash_flush+0x127/0x260 net/bluetooth/hci_conn.c:1393
hci_dev_do_close+0x57d/0xd80 net/bluetooth/hci_core.c:1641
hci_error_reset+0xa3/0x120 net/bluetooth/hci_core.c:2177
process_one_work+0x793/0x14a0 kernel/workqueue.c:2117
worker_thread+0x5cc/0xff0 kernel/workqueue.c:2251
kthread+0x30d/0x420 kernel/kthread.c:232
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:404
==================================================================
BUG: KASAN: use-after-free in __read_once_size include/linux/compiler.h:185 [inline]
BUG: KASAN: use-after-free in atomic64_read arch/x86/include/asm/atomic64_64.h:22 [inline]
BUG: KASAN: use-after-free in atomic_long_read include/asm-generic/atomic-long.h:45 [inline]
BUG: KASAN: use-after-free in __mutex_unlock_slowpath+0x5bd/0x770 kernel/locking/mutex.c:1027
Read of size 8 at addr ffff888095be1988 by task kworker/u5:2/7972

CPU: 0 PID: 7972 Comm: kworker/u5:2 Not tainted 4.14.294-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/26/2022
Workqueue: hci0 hci_error_reset
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x1b2/0x281 lib/dump_stack.c:58
print_address_description.cold+0x54/0x1d3 mm/kasan/report.c:252
kasan_report_error.cold+0x8a/0x191 mm/kasan/report.c:351
kasan_report mm/kasan/report.c:409 [inline]
__asan_report_load8_noabort+0x68/0x70 mm/kasan/report.c:430
__read_once_size include/linux/compiler.h:185 [inline]
atomic64_read arch/x86/include/asm/atomic64_64.h:22 [inline]
atomic_long_read include/asm-generic/atomic-long.h:45 [inline]
__mutex_unlock_slowpath+0x5bd/0x770 kernel/locking/mutex.c:1027
l2cap_chan_unlock include/net/bluetooth/l2cap.h:811 [inline]
l2cap_conn_del+0x3b2/0x690 net/bluetooth/l2cap_core.c:1760
l2cap_disconn_cfm net/bluetooth/l2cap_core.c:7479 [inline]
l2cap_disconn_cfm+0x7c/0xb0 net/bluetooth/l2cap_core.c:7472
hci_disconn_cfm include/net/bluetooth/hci_core.h:1231 [inline]
hci_conn_hash_flush+0x127/0x260 net/bluetooth/hci_conn.c:1393
hci_dev_do_close+0x57d/0xd80 net/bluetooth/hci_core.c:1641
hci_error_reset+0xa3/0x120 net/bluetooth/hci_core.c:2177
process_one_work+0x793/0x14a0 kernel/workqueue.c:2117
worker_thread+0x5cc/0xff0 kernel/workqueue.c:2251
kthread+0x30d/0x420 kernel/kthread.c:232
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:404

Allocated by task 7972:
save_stack mm/kasan/kasan.c:447 [inline]
set_track mm/kasan/kasan.c:459 [inline]
kasan_kmalloc+0xeb/0x160 mm/kasan/kasan.c:551
kmem_cache_alloc_trace+0x131/0x3d0 mm/slab.c:3618
kmalloc include/linux/slab.h:488 [inline]
kzalloc include/linux/slab.h:661 [inline]
l2cap_chan_create+0x3e/0x580 net/bluetooth/l2cap_core.c:457
a2mp_chan_open net/bluetooth/a2mp.c:778 [inline]
amp_mgr_create+0x94/0x930 net/bluetooth/a2mp.c:869
a2mp_channel_create+0x6e/0x140 net/bluetooth/a2mp.c:901
l2cap_data_channel net/bluetooth/l2cap_core.c:6921 [inline]
l2cap_recv_frame+0x43e2/0x93d0 net/bluetooth/l2cap_core.c:7075
l2cap_recv_acldata+0x8f9/0xa30 net/bluetooth/l2cap_core.c:7632
hci_acldata_packet net/bluetooth/hci_core.c:4088 [inline]
hci_rx_work+0x403/0xb40 net/bluetooth/hci_core.c:4271
process_one_work+0x793/0x14a0 kernel/workqueue.c:2117
worker_thread+0x5cc/0xff0 kernel/workqueue.c:2251
kthread+0x30d/0x420 kernel/kthread.c:232
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:404

Freed by task 7972:
save_stack mm/kasan/kasan.c:447 [inline]
set_track mm/kasan/kasan.c:459 [inline]
kasan_slab_free+0xc3/0x1a0 mm/kasan/kasan.c:524
__cache_free mm/slab.c:3496 [inline]
kfree+0xc9/0x250 mm/slab.c:3815
l2cap_chan_destroy net/bluetooth/l2cap_core.c:497 [inline]
kref_put include/linux/kref.h:70 [inline]
l2cap_chan_put+0x1c2/0x250 net/bluetooth/l2cap_core.c:521
l2cap_conn_del+0x3aa/0x690 net/bluetooth/l2cap_core.c:1758
l2cap_disconn_cfm net/bluetooth/l2cap_core.c:7479 [inline]
l2cap_disconn_cfm+0x7c/0xb0 net/bluetooth/l2cap_core.c:7472
hci_disconn_cfm include/net/bluetooth/hci_core.h:1231 [inline]
hci_conn_hash_flush+0x127/0x260 net/bluetooth/hci_conn.c:1393
hci_dev_do_close+0x57d/0xd80 net/bluetooth/hci_core.c:1641
hci_error_reset+0xa3/0x120 net/bluetooth/hci_core.c:2177
process_one_work+0x793/0x14a0 kernel/workqueue.c:2117
worker_thread+0x5cc/0xff0 kernel/workqueue.c:2251
kthread+0x30d/0x420 kernel/kthread.c:232
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:404

The buggy address belongs to the object at ffff888095be1500
which belongs to the cache kmalloc-2048 of size 2048
The buggy address is located 1160 bytes inside of
2048-byte region [ffff888095be1500, ffff888095be1d00)
The buggy address belongs to the page:
page:ffffea000256f800 count:1 mapcount:0 mapping:ffff888095be0400 index:0x0 compound_mapcount: 0
flags: 0xfff00000008100(slab|head)
raw: 00fff00000008100 ffff888095be0400 0000000000000000 0000000100000003
raw: ffffea0002d144a0 ffff88813fe64948 ffff88813fe74c40 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff888095be1880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888095be1900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888095be1980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff888095be1a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888095be1a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches
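Added illustration, not part of the syzbot report and not kernel code: a single-threaded user-space model of the ordering the two traces above pin down. In the lockdep trace, l2cap_chan_put at net/bluetooth/l2cap_core.c:1758 drops the last reference and l2cap_chan_destroy kfree()s the channel while chan->lock (taken at :1754) is still held; in the KASAN trace, l2cap_chan_unlock at :1760 then reads the mutex inside the freed object. The model replaces kfree() with a "freed" flag so the bad access can be counted instead of crashing, and counts what lockdep ("held lock freed") and KASAN ("use-after-free") would each report. The names chan_hold/chan_put/chan_lock/chan_unlock/chan_del/conn_del and the enum of orderings are this example's own; the actual upstream fix is not shown on this page, and the "release the lock before dropping the last reference" ordering is given as the general remedy for this class of bug, not as a description of that patch.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical stand-in for struct l2cap_chan: only the fields the bug needs. */
struct chan {
	int refcnt;	/* models chan->kref */
	bool locked;	/* models chan->lock (a mutex) being held */
	bool freed;	/* models the slab object having been kfree()d */
};

/* What the kernel's debug checkers would have reported. */
struct report {
	int held_lock_freed;	/* lockdep: object freed with its lock held */
	int use_after_free;	/* KASAN: access to freed object */
};

static void chan_hold(struct chan *c)
{
	c->refcnt++;
}

/* Models l2cap_chan_put(): the last reference destroys the object.  Instead of
 * freeing, mark it freed so later touches are detectable (KASAN's poisoning). */
static void chan_put(struct chan *c, struct report *r)
{
	if (--c->refcnt == 0) {
		if (c->locked)
			r->held_lock_freed++;	/* debug_check_no_locks_freed() */
		c->freed = true;
	}
}

static void chan_lock(struct chan *c, struct report *r)
{
	if (c->freed)
		r->use_after_free++;
	c->locked = true;
}

static void chan_unlock(struct chan *c, struct report *r)
{
	if (c->freed)
		r->use_after_free++;	/* __mutex_unlock_slowpath() reading freed memory */
	c->locked = false;
}

/* Models l2cap_chan_del(): unlink from conn->chan_l and drop the list's ref. */
static void chan_del(struct chan *c, struct report *r)
{
	if (c->freed)
		r->use_after_free++;
	chan_put(c, r);
}

enum ordering {
	NO_TEMP_REF,		/* lock; del; unlock               */
	PUT_BEFORE_UNLOCK,	/* hold; lock; del; put; unlock    (the trace) */
	PUT_AFTER_UNLOCK,	/* hold; lock; del; unlock; put    */
};

/* Tear down one channel whose only reference is the connection list's. */
struct report conn_del(enum ordering o)
{
	struct chan c = { .refcnt = 1, .locked = false, .freed = false };
	struct report r = { 0, 0 };

	if (o != NO_TEMP_REF)
		chan_hold(&c);		/* temporary ref for the duration of the lock */
	chan_lock(&c, &r);
	chan_del(&c, &r);		/* list's reference gone; chan->ops->close() would run here */
	if (o == PUT_BEFORE_UNLOCK)
		chan_put(&c, &r);	/* last ref dropped under chan->lock: freed while locked */
	chan_unlock(&c, &r);		/* touches freed memory in the two bad orderings */
	if (o == PUT_AFTER_UNLOCK)
		chan_put(&c, &r);	/* free happens with no lock held */
	return r;
}

int main(void)
{
	static const char *name[] = { "no temp ref", "put before unlock", "put after unlock" };
	for (int o = NO_TEMP_REF; o <= PUT_AFTER_UNLOCK; o++) {
		struct report r = conn_del(o);
		printf("%-18s held_lock_freed=%d use_after_free=%d\n",
		       name[o], r.held_lock_freed, r.use_after_free);
	}
	return 0;
}
```

The point the model makes is that a temporary reference by itself is not enough: PUT_BEFORE_UNLOCK takes one and still frees under the lock, exactly as the trace shows, because the last put is ordered before the unlock. Only PUT_AFTER_UNLOCK keeps the object alive for the unlock and reports nothing. When reviewing a fix for this report, check that every path out of the loop in l2cap_conn_del releases chan->lock before the reference that can be the last one is dropped.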