Greetings,

0day kernel testing robot got the below dmesg and the first bad commit is

https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master

commit 6c08fc896b60893c5d673764b0668015d76df462
Author:     Manish Mandlik
AuthorDate: Tue Jan 28 10:54:14 2020 -0800
Commit:     Marcel Holtmann
CommitDate: Wed Jan 29 04:53:12 2020 +0100

    Bluetooth: Fix refcount use-after-free issue

    There is no lock preventing both l2cap_sock_release() and
    chan->ops->close() from running at the same time.

    If we consider Thread A running l2cap_chan_timeout() and Thread B running
    l2cap_sock_release(), expected behavior is:
        A::l2cap_chan_timeout()->l2cap_chan_close()->l2cap_sock_teardown_cb()
        A::l2cap_chan_timeout()->l2cap_sock_close_cb()->l2cap_sock_kill()
        B::l2cap_sock_release()->sock_orphan()
        B::l2cap_sock_release()->l2cap_sock_kill()

    where, sock_orphan() clears "sk->sk_socket" and l2cap_sock_teardown_cb()
    marks socket as SOCK_ZAPPED.

    In l2cap_sock_kill(), there is an "if-statement" that checks if both
    sock_orphan() and sock_teardown() has been run i.e. sk->sk_socket is NULL
    and socket is marked as SOCK_ZAPPED. Socket is killed if the condition is
    satisfied.

    In the race condition, following occurs:
        A::l2cap_chan_timeout()->l2cap_chan_close()->l2cap_sock_teardown_cb()
        B::l2cap_sock_release()->sock_orphan()
        B::l2cap_sock_release()->l2cap_sock_kill()
        A::l2cap_chan_timeout()->l2cap_sock_close_cb()->l2cap_sock_kill()

    In this scenario, "if-statement" is true in both B::l2cap_sock_kill() and
    A::l2cap_sock_kill() and we hit "refcount: underflow; use-after-free" bug.

    Similar condition occurs at other places where teardown/sock_kill is
    happening:
        l2cap_disconnect_rsp()->l2cap_chan_del()->l2cap_sock_teardown_cb()
        l2cap_disconnect_rsp()->l2cap_sock_close_cb()->l2cap_sock_kill()

        l2cap_conn_del()->l2cap_chan_del()->l2cap_sock_teardown_cb()
        l2cap_conn_del()->l2cap_sock_close_cb()->l2cap_sock_kill()

        l2cap_disconnect_req()->l2cap_chan_del()->l2cap_sock_teardown_cb()
        l2cap_disconnect_req()->l2cap_sock_close_cb()->l2cap_sock_kill()

        l2cap_sock_cleanup_listen()->l2cap_chan_close()->l2cap_sock_teardown_cb()
        l2cap_sock_cleanup_listen()->l2cap_sock_kill()

    Protect teardown/sock_kill and orphan/sock_kill by adding hold_lock on
    l2cap channel to ensure that the socket is killed only after marked as
    zapped and orphan.

    Signed-off-by: Manish Mandlik
    Signed-off-by: Marcel Holtmann

151129df2f  Bluetooth: SMP: Fix SALT value in some comments
6c08fc896b  Bluetooth: Fix refcount use-after-free issue

+---------------------------------------------+------------+------------+
|                                             | 151129df2f | 6c08fc896b |
+---------------------------------------------+------------+------------+
| boot_successes                              | 51         | 8          |
| boot_failures                               | 0          | 10         |
| WARNING:bad_unlock_balance_detected         | 0          | 10         |
| BUG:unable_to_handle_page_fault_for_address | 0          | 10         |
| Oops:#[##]                                  | 0          | 10         |
| EIP:print_unlock_imbalance_bug              | 0          | 10         |
| Kernel_panic-not_syncing:Fatal_exception    | 0          | 10         |
+---------------------------------------------+------------+------------+

If you fix the issue, kindly add following tag
Reported-by: kernel test robot

[ 54.004083] Unable to find swap-space signature
[main] 10092 iterations. [F:7038 S:2998 HI:1021 STALLED:1]
errno out of range after doing getgid: 1024:Unknown error 1024
[ 85.817054]
[ 85.822921] =====================================
[ 85.823598] WARNING: bad unlock balance detected!
[ 85.824267] 5.5.0-rc7-01832-g6c08fc896b608 #1 Not tainted
[ 85.825061] -------------------------------------
[ 85.825784] trinity-c1/1057 is trying to release lock (
[ 85.826475] BUG: unable to handle page fault for address: 6b6b6ea7
[ 85.828073] #PF: supervisor read access in kernel mode
[ 85.828800] #PF: error_code(0x0000) - not-present page
[ 85.829694] *pde = 00000000
[ 85.830127] Oops: 0000 [#1] PREEMPT SMP
[ 85.830689] CPU: 1 PID: 1057 Comm: trinity-c1 Not tainted 5.5.0-rc7-01832-g6c08fc896b608 #1
[ 85.831841] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
[ 85.833030] EIP: print_unlock_imbalance_bug+0x6a/0xd0
[ 85.833783] Code: 87 40 01 00 e8 97 ed ff ff 68 a4 2b 06 c2 e8 78 40 01 00 8d 83 e0 04 00 00 ff b3 b0 03 00 00 50 68 d0 2b 06 c2 e8 61 40 01 00 <8b> 57 0c 8b 07 e8 21 27 00 00 68 69 29 06 c2 e8 4d 40 01 00 83 c4
[ 85.836363] EAX: 0000002b EBX: f10581c0 ECX: 00000000 EDX: 00000282
[ 85.837253] ESI: c19589e8 EDI: 6b6b6e9b EBP: f10b3dd4 ESP: f10b3dac
[ 85.838154] DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068 EFLAGS: 00010046
[ 85.839116] CR0: 80050033 CR2: 6b6b6ea7 CR3: 024b1000 CR4: 00340690
[ 85.840001] DR0: b6cb9000 DR1: b627f000 DR2: 00000000 DR3: 00000000
[ 85.840885] DR6: fffe0ff0 DR7: 00000600
[ 85.849534] Call Trace:
[ 85.849924]  lock_release+0x13c/0x3d0
[ 85.850457]  ? l2cap_sock_release+0x98/0xc0
[ 85.851053]  ? l2cap_sock_release+0x98/0xc0
[ 85.851627]  __mutex_unlock_slowpath+0x2f/0x290
[ 85.852273]  ? sk_destruct+0x47/0x50
[ 85.852807]  mutex_unlock+0x10/0x20
[ 85.853277]  l2cap_sock_release+0x98/0xc0
[ 85.853641]  __sock_release+0x29/0xb0
[ 85.853971]  sock_close+0x10/0x20
[ 85.854272]  __fput+0xfe/0x1e0
[ 85.854551]  ____fput+0xd/0x10
[ 85.854829]  task_work_run+0x77/0xa0
[ 85.855192]  do_exit+0x418/0xa30
[ 85.855492]  do_group_exit+0x8f/0x90
[ 85.855848]  get_signal+0x8e5/0x950
[ 85.856194]  do_signal+0x1c/0xc0
[ 85.856499]  ? process_cpu_nsleep+0x17/0x20
[ 85.856874]  ? sys_clock_nanosleep_time32+0xc9/0x110
[ 85.857333]  exit_to_usermode_loop+0x33/0xa0
[ 85.857714]  do_int80_syscall_32+0xbd/0x100
[ 85.858089]  entry_INT80_32+0x114/0x119
[ 85.858434] EIP: 0x809b132
[ 85.858686] Code: Bad RIP value.
[ 85.858982] EAX: fffffdfe EBX: 00000002 ECX: 00000001 EDX: 00000004
[ 85.859535] ESI: 00000004 EDI: 7e7e7e7e EBP: fffffff8 ESP: bfa85108
[ 85.860088] DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 007b EFLAGS: 00000296
[ 85.860687] Modules linked in:
[ 85.860981] CR2: 000000006b6b6ea7
[ 85.861298] ---[ end trace 3165464af4bfb57a ]---
[ 85.861712] EIP: print_unlock_imbalance_bug+0x6a/0xd0

#                                                          HH:MM  RESULT GOOD BAD GOOD_BUT_DIRTY DIRTY_NOT_BAD
git bisect start b645d5179112cd9a93922bd2c25473f9f0351dbd d5226fa6dbae0569ee43ecfc08bdcd6770fc4755 --
git bisect  bad f924b4c373687bf05c2f856598a64a3a8bfdb399  # 02:18  B      3     8   0   0  Merge 'clk/clk-amlogic' into devel-hourly-2020013022
git bisect good 0aa84350de083fda6878b3c11da2f346182684da  # 02:18  G     12     0   0   0  Merge 'arm-soc/ti/k3-dt2' into devel-hourly-2020013022
git bisect  bad d458e22978565e2291722cd0481be7b91aaec3a6  # 02:18  B      5     7   0   0  Merge 'peterz-queue/x86/misc' into devel-hourly-2020013022
git bisect  bad 88e053051630e64efbe0acd97889ce08923f2c75  # 02:18  B      2    10   0   0  Merge 'kdave-btrfs-devel/for-next-20200129' into devel-hourly-2020013022
git bisect  bad f129fc7122c73596a006176928934a0382f7f855  # 02:18  B      2    10   0   0  Merge 'bluetooth-next/master' into devel-hourly-2020013022
git bisect good 48aabbcf240c8ae6abfd139b1049f227f9817621  # 02:18  G     13     0   0   0  Merge 'iommu/x86/amd' into devel-hourly-2020013022
git bisect  bad 6c08fc896b60893c5d673764b0668015d76df462  # 02:18  B      2    10   0   0  Bluetooth: Fix refcount use-after-free issue
git bisect good 151129df2f4ac29e55be6d3a7be91d0979f71a55  # 02:19  G     39     0   0   0  Bluetooth: SMP: Fix SALT value in some comments
# first bad commit: [6c08fc896b60893c5d673764b0668015d76df462] Bluetooth: Fix refcount use-after-free issue
git bisect good 151129df2f4ac29e55be6d3a7be91d0979f71a55  # 02:19  G     39     0   0   0  Bluetooth: SMP: Fix SALT value in some comments
# extra tests with debug options
# extra tests on revert first bad commit
git bisect good 983086bfa9c8bcf3bc7eb6904e7c4f5fb64dc33c  # 05:13  G     14     0   1   1  Revert "Bluetooth: Fix refcount use-after-free issue"
# good: [983086bfa9c8bcf3bc7eb6904e7c4f5fb64dc33c] Revert "Bluetooth: Fix refcount use-after-free issue"

---
0-DAY kernel test infrastructure                Open Source Technology Center
https://lists.01.org/hyperkitty/list/lkp@lists.01.org       Intel Corporation