* WARNING: refcount bug in l2cap_chan_put
@ 2020-02-24 8:28 syzbot
2020-02-24 19:32 ` Abhishek Pandit-Subedi
2020-09-06 1:07 ` syzbot
0 siblings, 2 replies; 6+ messages in thread
From: syzbot @ 2020-02-24 8:28 UTC (permalink / raw)
To: davem, johan.hedberg, kuba, linux-bluetooth, linux-kernel,
marcel, netdev, syzkaller-bugs
Hello,
syzbot found the following crash on:
HEAD commit: bee46b30 Add linux-next specific files for 20200221
git tree: linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=1244ea7ee00000
kernel config: https://syzkaller.appspot.com/x/.config?x=10693880b4976691
dashboard link: https://syzkaller.appspot.com/bug?extid=198362c76088d1515529
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=160a03d9e00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=10f8e1dde00000
Bisection is inconclusive: the bug happens on the oldest tested release.
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=13f03a7ee00000
final crash: https://syzkaller.appspot.com/x/report.txt?x=10083a7ee00000
console output: https://syzkaller.appspot.com/x/log.txt?x=17f03a7ee00000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+198362c76088d1515529@syzkaller.appspotmail.com
------------[ cut here ]------------
refcount_t: underflow; use-after-free.
WARNING: CPU: 1 PID: 2940 at lib/refcount.c:28 refcount_warn_saturate+0x1dc/0x1f0 lib/refcount.c:28
Kernel panic - not syncing: panic_on_warn set ...
CPU: 1 PID: 2940 Comm: kworker/1:12 Not tainted 5.6.0-rc2-next-20200221-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events do_enable_set
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x197/0x210 lib/dump_stack.c:118
panic+0x2e3/0x75c kernel/panic.c:221
__warn.cold+0x2f/0x3e kernel/panic.c:582
report_bug+0x289/0x300 lib/bug.c:195
fixup_bug arch/x86/kernel/traps.c:175 [inline]
fixup_bug arch/x86/kernel/traps.c:170 [inline]
do_error_trap+0x11b/0x200 arch/x86/kernel/traps.c:267
do_invalid_op+0x37/0x50 arch/x86/kernel/traps.c:286
invalid_op+0x23/0x30 arch/x86/entry/entry_64.S:1027
RIP: 0010:refcount_warn_saturate+0x1dc/0x1f0 lib/refcount.c:28
Code: e9 d8 fe ff ff 48 89 df e8 81 81 10 fe e9 85 fe ff ff e8 07 54 d1 fd 48 c7 c7 00 c8 91 88 c6 05 6b f6 fc 06 01 e8 23 74 a1 fd <0f> 0b e9 ac fe ff ff 0f 1f 00 66 2e 0f 1f 84 00 00 00 00 00 55 48
RSP: 0018:ffffc9000952fbd8 EFLAGS: 00010286
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff815ee766 RDI: fffff520012a5f6d
RBP: ffffc9000952fbe8 R08: ffff88809e82e600 R09: ffffed1015d26661
R10: ffffed1015d26660 R11: ffff8880ae933307 R12: 0000000000000003
R13: ffff888095b3f018 R14: dead000000000122 R15: ffffc9000952fc98
refcount_sub_and_test include/linux/refcount.h:261 [inline]
refcount_dec_and_test include/linux/refcount.h:281 [inline]
kref_put include/linux/kref.h:64 [inline]
l2cap_chan_put+0x1d9/0x240 net/bluetooth/l2cap_core.c:501
do_enable_set+0x54b/0x960 net/bluetooth/6lowpan.c:1075
process_one_work+0xa05/0x17a0 kernel/workqueue.c:2266
worker_thread+0x98/0xe40 kernel/workqueue.c:2412
kthread+0x361/0x430 kernel/kthread.c:255
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
Kernel Offset: disabled
Rebooting in 86400 seconds..
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: WARNING: refcount bug in l2cap_chan_put
2020-02-24 8:28 WARNING: refcount bug in l2cap_chan_put syzbot
@ 2020-02-24 19:32 ` Abhishek Pandit-Subedi
2020-02-25 1:18 ` Luiz Augusto von Dentz
2020-09-06 1:07 ` syzbot
1 sibling, 1 reply; 6+ messages in thread
From: Abhishek Pandit-Subedi @ 2020-02-24 19:32 UTC (permalink / raw)
To: syzbot
Cc: David S. Miller, Johan Hedberg, Jakub Kicinski,
Bluez mailing list, LKML, Marcel Holtmann, netdev,
syzkaller-bugs
(Resent in plain text; sorry for double send)
I took a brief look at this error and uncovered that 6lowpan uses zero
locks when using l2cap (should be using the channel lock).
It seems like it would be better just to convert its direct use of
l2cap channel into using an l2cap socket.
On Mon, Feb 24, 2020 at 12:28 AM syzbot
<syzbot+198362c76088d1515529@syzkaller.appspotmail.com> wrote:
>
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit: bee46b30 Add linux-next specific files for 20200221
> git tree: linux-next
> console output: https://syzkaller.appspot.com/x/log.txt?x=1244ea7ee00000
> kernel config: https://syzkaller.appspot.com/x/.config?x=10693880b4976691
> dashboard link: https://syzkaller.appspot.com/bug?extid=198362c76088d1515529
> compiler: gcc (GCC) 9.0.0 20181231 (experimental)
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=160a03d9e00000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=10f8e1dde00000
>
> Bisection is inconclusive: the bug happens on the oldest tested release.
>
> bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=13f03a7ee00000
> final crash: https://syzkaller.appspot.com/x/report.txt?x=10083a7ee00000
> console output: https://syzkaller.appspot.com/x/log.txt?x=17f03a7ee00000
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+198362c76088d1515529@syzkaller.appspotmail.com
>
> ------------[ cut here ]------------
> refcount_t: underflow; use-after-free.
> WARNING: CPU: 1 PID: 2940 at lib/refcount.c:28 refcount_warn_saturate+0x1dc/0x1f0 lib/refcount.c:28
> Kernel panic - not syncing: panic_on_warn set ...
> CPU: 1 PID: 2940 Comm: kworker/1:12 Not tainted 5.6.0-rc2-next-20200221-syzkaller #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> Workqueue: events do_enable_set
> Call Trace:
> __dump_stack lib/dump_stack.c:77 [inline]
> dump_stack+0x197/0x210 lib/dump_stack.c:118
> panic+0x2e3/0x75c kernel/panic.c:221
> __warn.cold+0x2f/0x3e kernel/panic.c:582
> report_bug+0x289/0x300 lib/bug.c:195
> fixup_bug arch/x86/kernel/traps.c:175 [inline]
> fixup_bug arch/x86/kernel/traps.c:170 [inline]
> do_error_trap+0x11b/0x200 arch/x86/kernel/traps.c:267
> do_invalid_op+0x37/0x50 arch/x86/kernel/traps.c:286
> invalid_op+0x23/0x30 arch/x86/entry/entry_64.S:1027
> RIP: 0010:refcount_warn_saturate+0x1dc/0x1f0 lib/refcount.c:28
> Code: e9 d8 fe ff ff 48 89 df e8 81 81 10 fe e9 85 fe ff ff e8 07 54 d1 fd 48 c7 c7 00 c8 91 88 c6 05 6b f6 fc 06 01 e8 23 74 a1 fd <0f> 0b e9 ac fe ff ff 0f 1f 00 66 2e 0f 1f 84 00 00 00 00 00 55 48
> RSP: 0018:ffffc9000952fbd8 EFLAGS: 00010286
> RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
> RDX: 0000000000000000 RSI: ffffffff815ee766 RDI: fffff520012a5f6d
> RBP: ffffc9000952fbe8 R08: ffff88809e82e600 R09: ffffed1015d26661
> R10: ffffed1015d26660 R11: ffff8880ae933307 R12: 0000000000000003
> R13: ffff888095b3f018 R14: dead000000000122 R15: ffffc9000952fc98
> refcount_sub_and_test include/linux/refcount.h:261 [inline]
> refcount_dec_and_test include/linux/refcount.h:281 [inline]
> kref_put include/linux/kref.h:64 [inline]
> l2cap_chan_put+0x1d9/0x240 net/bluetooth/l2cap_core.c:501
> do_enable_set+0x54b/0x960 net/bluetooth/6lowpan.c:1075
> process_one_work+0xa05/0x17a0 kernel/workqueue.c:2266
> worker_thread+0x98/0xe40 kernel/workqueue.c:2412
> kthread+0x361/0x430 kernel/kthread.c:255
> ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
> Kernel Offset: disabled
> Rebooting in 86400 seconds..
>
>
> ---
> This bug is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkaller@googlegroups.com.
>
> syzbot will keep track of this bug report. See:
> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
> For information about bisection process see: https://goo.gl/tpsmEJ#bisection
> syzbot can test patches for this bug, for details see:
> https://goo.gl/tpsmEJ#testing-patches
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: WARNING: refcount bug in l2cap_chan_put
2020-02-24 19:32 ` Abhishek Pandit-Subedi
@ 2020-02-25 1:18 ` Luiz Augusto von Dentz
2020-02-25 6:29 ` Marcel Holtmann
0 siblings, 1 reply; 6+ messages in thread
From: Luiz Augusto von Dentz @ 2020-02-25 1:18 UTC (permalink / raw)
To: Abhishek Pandit-Subedi
Cc: syzbot, David S. Miller, Johan Hedberg, Jakub Kicinski,
Bluez mailing list, LKML, Marcel Holtmann, netdev,
syzkaller-bugs
Hi Abhishek,
On Mon, Feb 24, 2020 at 11:33 AM Abhishek Pandit-Subedi
<abhishekpandit@chromium.org> wrote:
>
> (Resent in plain text; sorry for double send)
>
> I took a brief look at this error and uncovered that 6lowpan uses zero
> locks when using l2cap (should be using the channel lock).
>
> It seems like it would be better just to convert its direct use of
> l2cap channel into using an l2cap socket.
I recall having some thought on that, I think having a socket like
RFCOMM does would be better but I don't remember why I haven't
follow-up on that, well we wanted to discontinue the bt specific
6lowpan on the kernel side though.
> On Mon, Feb 24, 2020 at 12:28 AM syzbot
> <syzbot+198362c76088d1515529@syzkaller.appspotmail.com> wrote:
> >
> > Hello,
> >
> > syzbot found the following crash on:
> >
> > HEAD commit: bee46b30 Add linux-next specific files for 20200221
> > git tree: linux-next
> > console output: https://syzkaller.appspot.com/x/log.txt?x=1244ea7ee00000
> > kernel config: https://syzkaller.appspot.com/x/.config?x=10693880b4976691
> > dashboard link: https://syzkaller.appspot.com/bug?extid=198362c76088d1515529
> > compiler: gcc (GCC) 9.0.0 20181231 (experimental)
> > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=160a03d9e00000
> > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=10f8e1dde00000
> >
> > Bisection is inconclusive: the bug happens on the oldest tested release.
> >
> > bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=13f03a7ee00000
> > final crash: https://syzkaller.appspot.com/x/report.txt?x=10083a7ee00000
> > console output: https://syzkaller.appspot.com/x/log.txt?x=17f03a7ee00000
> >
> > IMPORTANT: if you fix the bug, please add the following tag to the commit:
> > Reported-by: syzbot+198362c76088d1515529@syzkaller.appspotmail.com
> >
> > ------------[ cut here ]------------
> > refcount_t: underflow; use-after-free.
> > WARNING: CPU: 1 PID: 2940 at lib/refcount.c:28 refcount_warn_saturate+0x1dc/0x1f0 lib/refcount.c:28
> > Kernel panic - not syncing: panic_on_warn set ...
> > CPU: 1 PID: 2940 Comm: kworker/1:12 Not tainted 5.6.0-rc2-next-20200221-syzkaller #0
> > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> > Workqueue: events do_enable_set
> > Call Trace:
> > __dump_stack lib/dump_stack.c:77 [inline]
> > dump_stack+0x197/0x210 lib/dump_stack.c:118
> > panic+0x2e3/0x75c kernel/panic.c:221
> > __warn.cold+0x2f/0x3e kernel/panic.c:582
> > report_bug+0x289/0x300 lib/bug.c:195
> > fixup_bug arch/x86/kernel/traps.c:175 [inline]
> > fixup_bug arch/x86/kernel/traps.c:170 [inline]
> > do_error_trap+0x11b/0x200 arch/x86/kernel/traps.c:267
> > do_invalid_op+0x37/0x50 arch/x86/kernel/traps.c:286
> > invalid_op+0x23/0x30 arch/x86/entry/entry_64.S:1027
> > RIP: 0010:refcount_warn_saturate+0x1dc/0x1f0 lib/refcount.c:28
> > Code: e9 d8 fe ff ff 48 89 df e8 81 81 10 fe e9 85 fe ff ff e8 07 54 d1 fd 48 c7 c7 00 c8 91 88 c6 05 6b f6 fc 06 01 e8 23 74 a1 fd <0f> 0b e9 ac fe ff ff 0f 1f 00 66 2e 0f 1f 84 00 00 00 00 00 55 48
> > RSP: 0018:ffffc9000952fbd8 EFLAGS: 00010286
> > RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
> > RDX: 0000000000000000 RSI: ffffffff815ee766 RDI: fffff520012a5f6d
> > RBP: ffffc9000952fbe8 R08: ffff88809e82e600 R09: ffffed1015d26661
> > R10: ffffed1015d26660 R11: ffff8880ae933307 R12: 0000000000000003
> > R13: ffff888095b3f018 R14: dead000000000122 R15: ffffc9000952fc98
> > refcount_sub_and_test include/linux/refcount.h:261 [inline]
> > refcount_dec_and_test include/linux/refcount.h:281 [inline]
> > kref_put include/linux/kref.h:64 [inline]
> > l2cap_chan_put+0x1d9/0x240 net/bluetooth/l2cap_core.c:501
> > do_enable_set+0x54b/0x960 net/bluetooth/6lowpan.c:1075
> > process_one_work+0xa05/0x17a0 kernel/workqueue.c:2266
> > worker_thread+0x98/0xe40 kernel/workqueue.c:2412
> > kthread+0x361/0x430 kernel/kthread.c:255
> > ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
> > Kernel Offset: disabled
> > Rebooting in 86400 seconds..
> >
> >
> > ---
> > This bug is generated by a bot. It may contain errors.
> > See https://goo.gl/tpsmEJ for more information about syzbot.
> > syzbot engineers can be reached at syzkaller@googlegroups.com.
> >
> > syzbot will keep track of this bug report. See:
> > https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
> > For information about bisection process see: https://goo.gl/tpsmEJ#bisection
> > syzbot can test patches for this bug, for details see:
> > https://goo.gl/tpsmEJ#testing-patches
--
Luiz Augusto von Dentz
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: WARNING: refcount bug in l2cap_chan_put
2020-02-25 1:18 ` Luiz Augusto von Dentz
@ 2020-02-25 6:29 ` Marcel Holtmann
0 siblings, 0 replies; 6+ messages in thread
From: Marcel Holtmann @ 2020-02-25 6:29 UTC (permalink / raw)
To: Luiz Augusto von Dentz
Cc: Abhishek Pandit-Subedi, syzbot, David S. Miller, Johan Hedberg,
Jakub Kicinski, Bluez mailing list, LKML, netdev, syzkaller-bugs
Hi Luiz,
>> (Resent in plain text; sorry for double send)
>>
>> I took a brief look at this error and uncovered that 6lowpan uses zero
>> locks when using l2cap (should be using the channel lock).
>>
>> It seems like it would be better just to convert its direct use of
>> l2cap channel into using an l2cap socket.
>
> I recall having some thought on that, I think having a socket like
> RFCOMM does would be better but I don't remember why I haven't
> follow-up on that, well we wanted to discontinue the bt specific
> 6lowpan on the kernel side though.
because sockets have their own locking issues for Bluetooth. We actually want to get rid of the internal socket usage.
Regards
Marcel
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: WARNING: refcount bug in l2cap_chan_put
2020-02-24 8:28 WARNING: refcount bug in l2cap_chan_put syzbot
2020-02-24 19:32 ` Abhishek Pandit-Subedi
@ 2020-09-06 1:07 ` syzbot
2020-11-11 13:26 ` Dmitry Vyukov
1 sibling, 1 reply; 6+ messages in thread
From: syzbot @ 2020-09-06 1:07 UTC (permalink / raw)
To: abhishekpandit, alainm, bliniob53, davem, johan.hedberg, kuba,
linux-bluetooth, linux-kernel, luiz.dentz, marcel, mcchou,
netdev, syzkaller-bugs
syzbot suspects this issue was fixed by commit:
commit b83764f9220a4a14525657466f299850bbc98de9
Author: Miao-chen Chou <mcchou@chromium.org>
Date: Tue Jun 30 03:15:00 2020 +0000
Bluetooth: Fix kernel oops triggered by hci_adv_monitors_clear()
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=11aaff5d900000
start commit: fffe3ae0 Merge tag 'for-linus-hmm' of git://git.kernel.org..
git tree: upstream
kernel config: https://syzkaller.appspot.com/x/.config?x=18bb86f2e4ebfda2
dashboard link: https://syzkaller.appspot.com/bug?extid=198362c76088d1515529
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=152a482c900000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=109b781a900000
If the result looks correct, please mark the issue as fixed by replying with:
#syz fix: Bluetooth: Fix kernel oops triggered by hci_adv_monitors_clear()
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: WARNING: refcount bug in l2cap_chan_put
2020-09-06 1:07 ` syzbot
@ 2020-11-11 13:26 ` Dmitry Vyukov
0 siblings, 0 replies; 6+ messages in thread
From: Dmitry Vyukov @ 2020-11-11 13:26 UTC (permalink / raw)
To: syzbot, linux-bluetooth, LKML, netdev, syzkaller-bugs
On Sun, Sep 6, 2020 at 3:07 AM syzbot
<syzbot+198362c76088d1515529@syzkaller.appspotmail.com> wrote:
>
> syzbot suspects this issue was fixed by commit:
>
> commit b83764f9220a4a14525657466f299850bbc98de9
> Author: Miao-chen Chou <mcchou@chromium.org>
> Date: Tue Jun 30 03:15:00 2020 +0000
>
> Bluetooth: Fix kernel oops triggered by hci_adv_monitors_clear()
>
> bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=11aaff5d900000
> start commit: fffe3ae0 Merge tag 'for-linus-hmm' of git://git.kernel.org..
> git tree: upstream
> kernel config: https://syzkaller.appspot.com/x/.config?x=18bb86f2e4ebfda2
> dashboard link: https://syzkaller.appspot.com/bug?extid=198362c76088d1515529
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=152a482c900000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=109b781a900000
>
> If the result looks correct, please mark the issue as fixed by replying with:
>
> #syz fix: Bluetooth: Fix kernel oops triggered by hci_adv_monitors_clear()
>
> For information about bisection process see: https://goo.gl/tpsmEJ#bisection
#syz fix: Bluetooth: Fix kernel oops triggered by hci_adv_monitors_clear()
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2020-11-11 13:26 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-02-24 8:28 WARNING: refcount bug in l2cap_chan_put syzbot
2020-02-24 19:32 ` Abhishek Pandit-Subedi
2020-02-25 1:18 ` Luiz Augusto von Dentz
2020-02-25 6:29 ` Marcel Holtmann
2020-09-06 1:07 ` syzbot
2020-11-11 13:26 ` Dmitry Vyukov
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).