Received: by 2002:a05:6a10:a0d1:0:0:0:0 with SMTP id j17csp592388pxa; Tue, 11 Aug 2020 10:08:56 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzm4hgrriYjSYGLeehQDGXFzs9/ND8sPllcCT0npncDcQ+yJcr8aUVAS/JSd6J0a5nMdF2Y X-Received: by 2002:a05:6402:b09:: with SMTP id bm9mr28160286edb.9.1597165735949; Tue, 11 Aug 2020 10:08:55 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1597165735; cv=none; d=google.com; s=arc-20160816; b=Gx3p4b2d0vBcw2b6SnNUqp1yROQBAlZ+jIyS8FFVn/xNlSsYZVAfCKIdY9S6N2Q22e Sp+bj8JpJZjW4AAJ39x7M3YVCm/QXdVMQQCGJ1i9XMJXD3OYbMGHYcUxdbEDvqcYztbO qRFXOyHb274I+XShIL8OPAx0kzJsakRNOu4BKLD9MMbxlxRXz0UUv5ChikDSm3AsDq2I HYrMas8yCx8FQPEX2UQUXrqR6wlCVxMPR+1jgL5cbElLPOx/1LctmYnEqb25exO3zOC1 3QE5mdlnQtBLqOtNCJ88jwv/kPRTmB8xkApU0GMjxpxQURHiPtaPC4hoTcuPIBYbPETj nuzA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:to:from:subject:message-id:date :mime-version; bh=3ZPRrfgd4U28dH7RCjAGl0xrthCHCi5aVcTRVhPqTvM=; b=H8qGgRKplrRHMgyNN1FiFNuJcYI9Alq0jfi8CsC4g3iYE83G62knXOJJGxLt+HY1Qp PFBFNSDKCRc6gmSyApa2Req4wXOyPLkHt4JA9RxSQW3h0ZzGYlD47gx06BVSwx+rNenM tbewd/i9QofidUY8FOjmskKP61EuEERlvPZ0nVRLkcak5fIklIa4NNeop+/aCRjPLQm9 GaJp1MhIjpOCfSpYJd4pCtOmLjbB/xdOQJvsvzTDMHHPxgZFQV6PuXHC9I3XNTAf5soB zbSXqfOliW9paLFtJQXfhFxF7ZTCQFYQziud3vGa1cAfngz/9FOvnNNUD+DBn9pCXSk3 rvgA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-bluetooth-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-bluetooth-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=appspotmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id q22si12529911eds.346.2020.08.11.10.08.30; Tue, 11 Aug 2020 10:08:55 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-bluetooth-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-bluetooth-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-bluetooth-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=appspotmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729347AbgHKRH0 (ORCPT + 99 others); Tue, 11 Aug 2020 13:07:26 -0400 Received: from mail-io1-f69.google.com ([209.85.166.69]:54374 "EHLO mail-io1-f69.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729104AbgHKRHP (ORCPT ); Tue, 11 Aug 2020 13:07:15 -0400 Received: by mail-io1-f69.google.com with SMTP id z25so10191877ioh.21 for ; Tue, 11 Aug 2020 10:07:14 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:date:message-id:subject:from:to; bh=3ZPRrfgd4U28dH7RCjAGl0xrthCHCi5aVcTRVhPqTvM=; b=iLf+YFDegaDR/4WEaHMfV5OAn5AXU3BbxZyPMzg4dKtviHOOBjsNMknRrf2xNP4fLF 0eAfUgZYuDwvmWe4kRnyj/1DnomVjjziwbA9fvYX4Bwly2pE1V7CNSZan3aAavvNqhWd C8hq4hcpI0fKD5Ra5Y+eKBRAQMT7uziVrqD26NUpBDCUG7Pwf+NllqcVZFc77T5TFRuC OKfCMcKb47A7ZC/U8NQR+3hpW/ZwqaIHWnN7qP4pgKwFJlbfbda1epX2AUSAvCBbPWYe TKfjY3MYkmFltACA5J5vS1evqbHRulWUd6qoZQE9Ui92Mnp4ukY6fz0KFdAMc+iVKmlZ 455w== X-Gm-Message-State: AOAM530l4fUglKNEjE8qVZ/Dq2mcKjZ/pYlALsoeZKtPxNoO43fJIxo/ zvmSgdxR9x/1V2mIXDr37KhpEDkOLq0GMFyXjbfwuvTaGUdv MIME-Version: 1.0 X-Received: by 2002:a92:d8d2:: with SMTP id l18mr21745562ilo.94.1597165634421; Tue, 11 Aug 2020 10:07:14 -0700 (PDT) Date: Tue, 11 Aug 2020 10:07:14 -0700 X-Google-Appengine-App-Id: s~syzkaller X-Google-Appengine-App-Id-Alias: syzkaller Message-ID: <0000000000004991e705ac9d1a83@google.com> Subject: inconsistent lock state in sco_conn_del From: syzbot To: davem@davemloft.net, johan.hedberg@gmail.com, kuba@kernel.org, linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org, marcel@holtmann.org, netdev@vger.kernel.org, syzkaller-bugs@googlegroups.com Content-Type: text/plain; charset="UTF-8" Sender: linux-bluetooth-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-bluetooth@vger.kernel.org Hello, syzbot found the following issue on: HEAD commit: f80535b9 Add linux-next specific files for 20200810 git tree: linux-next console output: https://syzkaller.appspot.com/x/log.txt?x=152ffd8a900000 kernel config: https://syzkaller.appspot.com/x/.config?x=2055bd0d83d5ee16 dashboard link: https://syzkaller.appspot.com/bug?extid=65684128cd7c35bc66a1 compiler: gcc (GCC) 10.1.0-syz 20200507 Unfortunately, I don't have any reproducer for this issue yet. IMPORTANT: if you fix the issue, please add the following tag to the commit: Reported-by: syzbot+65684128cd7c35bc66a1@syzkaller.appspotmail.com ================================ WARNING: inconsistent lock state 5.8.0-next-20200810-syzkaller #0 Not tainted -------------------------------- inconsistent {IN-SOFTIRQ-W} -> {SOFTIRQ-ON-W} usage. syz-executor.5/11793 [HC0[0]:SC0[0]:HE1:SE1] takes: ffff8880554ec0a0 (slock-AF_BLUETOOTH-BTPROTO_SCO){+.?.}-{2:2}, at: spin_lock include/linux/spinlock.h:354 [inline] ffff8880554ec0a0 (slock-AF_BLUETOOTH-BTPROTO_SCO){+.?.}-{2:2}, at: sco_conn_del+0x128/0x270 net/bluetooth/sco.c:176 {IN-SOFTIRQ-W} state was registered at: lock_acquire+0x1f1/0xad0 kernel/locking/lockdep.c:5005 __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline] _raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:151 spin_lock include/linux/spinlock.h:354 [inline] sco_sock_timeout+0x24/0x140 net/bluetooth/sco.c:83 call_timer_fn+0x1ac/0x760 kernel/time/timer.c:1413 expire_timers kernel/time/timer.c:1458 [inline] __run_timers.part.0+0x67c/0xaa0 kernel/time/timer.c:1755 __run_timers kernel/time/timer.c:1736 [inline] run_timer_softirq+0xae/0x1a0 kernel/time/timer.c:1768 __do_softirq+0x2de/0xa24 kernel/softirq.c:298 asm_call_on_stack+0xf/0x20 arch/x86/entry/entry_64.S:706 __run_on_irqstack arch/x86/include/asm/irq_stack.h:22 [inline] run_on_irqstack_cond arch/x86/include/asm/irq_stack.h:48 [inline] do_softirq_own_stack+0x9d/0xd0 arch/x86/kernel/irq_64.c:77 invoke_softirq kernel/softirq.c:393 [inline] __irq_exit_rcu kernel/softirq.c:423 [inline] irq_exit_rcu+0x1f3/0x230 kernel/softirq.c:435 sysvec_apic_timer_interrupt+0x51/0xf0 arch/x86/kernel/apic/apic.c:1090 asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:581 arch_local_irq_enable arch/x86/include/asm/paravirt.h:780 [inline] __local_bh_enable_ip+0x101/0x190 kernel/softirq.c:200 spin_unlock_bh include/linux/spinlock.h:399 [inline] batadv_nc_purge_paths+0x2a5/0x3a0 net/batman-adv/network-coding.c:470 batadv_nc_worker+0x868/0xe50 net/batman-adv/network-coding.c:721 process_one_work+0x94c/0x1670 kernel/workqueue.c:2269 worker_thread+0x64c/0x1120 kernel/workqueue.c:2415 kthread+0x3b5/0x4a0 kernel/kthread.c:292 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294 irq event stamp: 33895 hardirqs last enabled at (33895): [] kfree+0x1cd/0x2c0 mm/slab.c:3757 hardirqs last disabled at (33894): [] kfree+0x6f/0x2c0 mm/slab.c:3746 softirqs last enabled at (30344): [] asm_call_on_stack+0xf/0x20 arch/x86/entry/entry_64.S:706 softirqs last disabled at (30333): [] asm_call_on_stack+0xf/0x20 arch/x86/entry/entry_64.S:706 other info that might help us debug this: Possible unsafe locking scenario: CPU0 ---- lock(slock-AF_BLUETOOTH-BTPROTO_SCO); lock(slock-AF_BLUETOOTH-BTPROTO_SCO); *** DEADLOCK *** 3 locks held by syz-executor.5/11793: #0: ffff88805b990f40 (&hdev->req_lock){+.+.}-{3:3}, at: hci_dev_do_close+0xf5/0x1080 net/bluetooth/hci_core.c:1720 #1: ffff88805b990078 (&hdev->lock){+.+.}-{3:3}, at: hci_dev_do_close+0x253/0x1080 net/bluetooth/hci_core.c:1757 #2: ffffffff8a9a5c28 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_disconn_cfm include/net/bluetooth/hci_core.h:1435 [inline] #2: ffffffff8a9a5c28 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_conn_hash_flush+0xc7/0x220 net/bluetooth/hci_conn.c:1557 stack backtrace: CPU: 0 PID: 11793 Comm: syz-executor.5 Not tainted 5.8.0-next-20200810-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x18f/0x20d lib/dump_stack.c:118 print_usage_bug kernel/locking/lockdep.c:4020 [inline] valid_state kernel/locking/lockdep.c:3361 [inline] mark_lock_irq kernel/locking/lockdep.c:3560 [inline] mark_lock.cold+0x7a/0x7f kernel/locking/lockdep.c:4006 mark_usage kernel/locking/lockdep.c:3923 [inline] __lock_acquire+0x8cd/0x5640 kernel/locking/lockdep.c:4380 lock_acquire+0x1f1/0xad0 kernel/locking/lockdep.c:5005 __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline] _raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:151 spin_lock include/linux/spinlock.h:354 [inline] sco_conn_del+0x128/0x270 net/bluetooth/sco.c:176 sco_disconn_cfm net/bluetooth/sco.c:1178 [inline] sco_disconn_cfm+0x62/0x80 net/bluetooth/sco.c:1171 hci_disconn_cfm include/net/bluetooth/hci_core.h:1438 [inline] hci_conn_hash_flush+0x114/0x220 net/bluetooth/hci_conn.c:1557 hci_dev_do_close+0x5c6/0x1080 net/bluetooth/hci_core.c:1770 hci_unregister_dev+0x1bd/0xe30 net/bluetooth/hci_core.c:3790 vhci_release+0x70/0xe0 drivers/bluetooth/hci_vhci.c:340 __fput+0x285/0x920 fs/file_table.c:281 task_work_run+0xdd/0x190 kernel/task_work.c:135 exit_task_work include/linux/task_work.h:25 [inline] do_exit+0xb7d/0x29f0 kernel/exit.c:806 do_group_exit+0x125/0x310 kernel/exit.c:903 get_signal+0x40b/0x1ee0 kernel/signal.c:2743 arch_do_signal+0x82/0x2520 arch/x86/kernel/signal.c:811 exit_to_user_mode_loop kernel/entry/common.c:135 [inline] exit_to_user_mode_prepare+0x15d/0x1c0 kernel/entry/common.c:166 syscall_exit_to_user_mode+0x59/0x2b0 kernel/entry/common.c:241 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x45ce69 Code: Bad RIP value. RSP: 002b:00007fd132defcf8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca RAX: fffffffffffffe00 RBX: 000000000118bfc8 RCX: 000000000045ce69 RDX: 0000000000000000 RSI: 0000000000000080 RDI: 000000000118bfc8 RBP: 000000000118bfc0 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 000000000118bfcc R13: 00007ffd9693ba5f R14: 00007fd132df09c0 R15: 000000000118bfcc --- This report is generated by a bot. It may contain errors. See https://goo.gl/tpsmEJ for more information about syzbot. syzbot engineers can be reached at syzkaller@googlegroups.com. syzbot will keep track of this issue. See: https://goo.gl/tpsmEJ#status for how to communicate with syzbot.