[v6.1] WARNING: bad unlock balance in l2cap_recv_frame
2 views
Skip to first unread message
syzbot
Apr 20, 2023, 5:50:16 PM4/20/23
Hello,
syzbot found the following issue on:
HEAD commit: f17b0ab65d17 Linux 6.1.25
git tree: linux-6.1.y
console output: https://syzkaller.appspot.com/x/log.txt?x=16e7cda3c80000
kernel config: https://syzkaller.appspot.com/x/.config?x=d75954dcbfe38186
dashboard link: https://syzkaller.appspot.com/bug?extid=63c07f4a7c391be5086a
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/832d07d855e3/disk-f17b0ab6.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/4815c4c1f51b/vmlinux-f17b0ab6.xz
kernel image: https://storage.googleapis.com/syzbot-assets/4d6d025222b4/bzImage-f17b0ab6.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: [email protected]
=====================================
WARNING: bad unlock balance detected!
6.1.25-syzkaller #0 Not tainted
-------------------------------------
kworker/u5:5/3660 is trying to release lock (&conn->chan_lock) at:
[<ffffffff899012ec>] l2cap_le_sig_cmd net/bluetooth/l2cap_core.c:6426 [inline]
[<ffffffff899012ec>] l2cap_le_sig_channel net/bluetooth/l2cap_core.c:6464 [inline]
[<ffffffff899012ec>] l2cap_recv_frame+0x1fcc/0x8890 net/bluetooth/l2cap_core.c:7796
but there are no more locks to release!
other info that might help us debug this:
2 locks held by kworker/u5:5/3660:
#0: ffff88807e2ea938 ((wq_completion)hci3#2){+.+.}-{0:0}, at: process_one_work+0x77a/0x11f0
#1: ffffc9000404fd20 ((work_completion)(&hdev->rx_work)){+.+.}-{0:0}, at: process_one_work+0x7bd/0x11f0 kernel/workqueue.c:2264
stack backtrace:
CPU: 0 PID: 3660 Comm: kworker/u5:5 Not tainted 6.1.25-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/30/2023
Workqueue: hci3 hci_rx_work
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1e3/0x2cb lib/dump_stack.c:106
print_unlock_imbalance_bug+0x24e/0x2c0 kernel/locking/lockdep.c:5109
__lock_release kernel/locking/lockdep.c:5346 [inline]
lock_release+0x5ad/0xa20 kernel/locking/lockdep.c:5689
__mutex_unlock_slowpath+0xde/0x750 kernel/locking/mutex.c:907
l2cap_le_sig_cmd net/bluetooth/l2cap_core.c:6426 [inline]
l2cap_le_sig_channel net/bluetooth/l2cap_core.c:6464 [inline]
l2cap_recv_frame+0x1fcc/0x8890 net/bluetooth/l2cap_core.c:7796
hci_acldata_packet net/bluetooth/hci_core.c:3828 [inline]
hci_rx_work+0x39b/0xa80 net/bluetooth/hci_core.c:4063
process_one_work+0x8aa/0x11f0 kernel/workqueue.c:2289
worker_thread+0xa5f/0x1210 kernel/workqueue.c:2436
kthread+0x268/0x300 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306
</TASK>
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at [email protected].
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot found the following issue on:
HEAD commit: f17b0ab65d17 Linux 6.1.25
git tree: linux-6.1.y
console output: https://syzkaller.appspot.com/x/log.txt?x=16e7cda3c80000
kernel config: https://syzkaller.appspot.com/x/.config?x=d75954dcbfe38186
dashboard link: https://syzkaller.appspot.com/bug?extid=63c07f4a7c391be5086a
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/832d07d855e3/disk-f17b0ab6.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/4815c4c1f51b/vmlinux-f17b0ab6.xz
kernel image: https://storage.googleapis.com/syzbot-assets/4d6d025222b4/bzImage-f17b0ab6.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: [email protected]
=====================================
WARNING: bad unlock balance detected!
6.1.25-syzkaller #0 Not tainted
-------------------------------------
kworker/u5:5/3660 is trying to release lock (&conn->chan_lock) at:
[<ffffffff899012ec>] l2cap_le_sig_cmd net/bluetooth/l2cap_core.c:6426 [inline]
[<ffffffff899012ec>] l2cap_le_sig_channel net/bluetooth/l2cap_core.c:6464 [inline]
[<ffffffff899012ec>] l2cap_recv_frame+0x1fcc/0x8890 net/bluetooth/l2cap_core.c:7796
but there are no more locks to release!
other info that might help us debug this:
2 locks held by kworker/u5:5/3660:
#0: ffff88807e2ea938 ((wq_completion)hci3#2){+.+.}-{0:0}, at: process_one_work+0x77a/0x11f0
#1: ffffc9000404fd20 ((work_completion)(&hdev->rx_work)){+.+.}-{0:0}, at: process_one_work+0x7bd/0x11f0 kernel/workqueue.c:2264
stack backtrace:
CPU: 0 PID: 3660 Comm: kworker/u5:5 Not tainted 6.1.25-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/30/2023
Workqueue: hci3 hci_rx_work
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1e3/0x2cb lib/dump_stack.c:106
print_unlock_imbalance_bug+0x24e/0x2c0 kernel/locking/lockdep.c:5109
__lock_release kernel/locking/lockdep.c:5346 [inline]
lock_release+0x5ad/0xa20 kernel/locking/lockdep.c:5689
__mutex_unlock_slowpath+0xde/0x750 kernel/locking/mutex.c:907
l2cap_le_sig_cmd net/bluetooth/l2cap_core.c:6426 [inline]
l2cap_le_sig_channel net/bluetooth/l2cap_core.c:6464 [inline]
l2cap_recv_frame+0x1fcc/0x8890 net/bluetooth/l2cap_core.c:7796
hci_acldata_packet net/bluetooth/hci_core.c:3828 [inline]
hci_rx_work+0x39b/0xa80 net/bluetooth/hci_core.c:4063
process_one_work+0x8aa/0x11f0 kernel/workqueue.c:2289
worker_thread+0xa5f/0x1210 kernel/workqueue.c:2436
kthread+0x268/0x300 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306
</TASK>
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at [email protected].
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot
Apr 30, 2023, 2:33:43 PM4/30/23
Hello,
syzbot found the following issue on:
HEAD commit: f48aeeaaa64c Linux 5.15.109
syzbot found the following issue on:
git tree: linux-5.15.y
console output: https://syzkaller.appspot.com/x/log.txt?x=17e637a0280000
kernel config: https://syzkaller.appspot.com/x/.config?x=f0ea19992afd55ad
dashboard link: https://syzkaller.appspot.com/bug?extid=5769cfc76b5700f915bb
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/fd82b060cee7/disk-f48aeeaa.raw.xz
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
vmlinux: https://storage.googleapis.com/syzbot-assets/b216234bd1a0/vmlinux-f48aeeaa.xz
kernel image: https://storage.googleapis.com/syzbot-assets/c0609f7a6703/bzImage-f48aeeaa.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
=====================================
WARNING: bad unlock balance detected!
-------------------------------------
kworker/u5:2/3543 is trying to release lock (&conn->chan_lock) at:
[<ffffffff89428093>] l2cap_le_sig_cmd net/bluetooth/l2cap_core.c:6426 [inline]
[<ffffffff89428093>] l2cap_le_sig_channel net/bluetooth/l2cap_core.c:6464 [inline]
[<ffffffff89428093>] l2cap_recv_frame+0x1fc3/0x8870 net/bluetooth/l2cap_core.c:7796
but there are no more locks to release!
other info that might help us debug this:
2 locks held by kworker/u5:2/3543:
other info that might help us debug this:
#0: ffff8880155ab938 ((wq_completion)hci4#2){+.+.}-{0:0}, at: process_one_work+0x78a/0x10c0 kernel/workqueue.c:2279
#1: ffffc90002f3fd20 ((work_completion)(&hdev->rx_work)){+.+.}-{0:0}, at: process_one_work+0x7d0/0x10c0 kernel/workqueue.c:2281
stack backtrace:
CPU: 0 PID: 3543 Comm: kworker/u5:2 Not tainted 5.15.109-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023
Workqueue: hci4 hci_rx_work
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1e3/0x2cb lib/dump_stack.c:106
print_unlock_imbalance_bug+0x248/0x2b0 kernel/locking/lockdep.c:5064
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1e3/0x2cb lib/dump_stack.c:106
__lock_release kernel/locking/lockdep.c:5301 [inline]
lock_release+0x596/0x9a0 kernel/locking/lockdep.c:5642
__mutex_unlock_slowpath+0xde/0x750 kernel/locking/mutex.c:851
l2cap_le_sig_cmd net/bluetooth/l2cap_core.c:6426 [inline]
l2cap_le_sig_channel net/bluetooth/l2cap_core.c:6464 [inline]
l2cap_recv_frame+0x1fc3/0x8870 net/bluetooth/l2cap_core.c:7796
l2cap_le_sig_channel net/bluetooth/l2cap_core.c:6464 [inline]
hci_acldata_packet net/bluetooth/hci_core.c:4967 [inline]
hci_rx_work+0x489/0x7d0 net/bluetooth/hci_core.c:5158
process_one_work+0x8a1/0x10c0 kernel/workqueue.c:2306
worker_thread+0xaca/0x1280 kernel/workqueue.c:2453
kthread+0x3f6/0x4f0 kernel/kthread.c:319
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:298
</TASK>
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at [email protected].
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the bug is already fixed, let syzbot know by replying with:
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at [email protected].
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
#syz fix: exact-commit-title
If you want to change bug's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the bug is a duplicate of another bug, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot
Apr 30, 2023, 2:46:51 PM4/30/23
syzbot has found a reproducer for the following issue on:
HEAD commit: f48aeeaaa64c Linux 5.15.109
git tree: linux-5.15.y
console output: https://syzkaller.appspot.com/x/log.txt?x=17786f58280000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=15b91144280000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/fd82b060cee7/disk-f48aeeaa.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/b216234bd1a0/vmlinux-f48aeeaa.xz
kernel image: https://storage.googleapis.com/syzbot-assets/c0609f7a6703/bzImage-f48aeeaa.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: [email protected]
=====================================
WARNING: bad unlock balance detected!
5.15.109-syzkaller #0 Not tainted
-------------------------------------
kworker/u5:2/3505 is trying to release lock (&conn->chan_lock) at:
#0: ffff888024804138 ((wq_completion)hci0#2){+.+.}-{0:0}, at: process_one_work+0x78a/0x10c0 kernel/workqueue.c:2279
#1: ffffc9000235fd20 ((work_completion)(&hdev->rx_work)){+.+.}-{0:0}, at: process_one_work+0x7d0/0x10c0 kernel/workqueue.c:2281
stack backtrace:
CPU: 0 PID: 3505 Comm: kworker/u5:2 Not tainted 5.15.109-syzkaller #0
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
HEAD commit: f48aeeaaa64c Linux 5.15.109
git tree: linux-5.15.y
kernel config: https://syzkaller.appspot.com/x/.config?x=f0ea19992afd55ad
dashboard link: https://syzkaller.appspot.com/bug?extid=5769cfc76b5700f915bb
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=11f4643c280000
dashboard link: https://syzkaller.appspot.com/bug?extid=5769cfc76b5700f915bb
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=15b91144280000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/fd82b060cee7/disk-f48aeeaa.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/b216234bd1a0/vmlinux-f48aeeaa.xz
kernel image: https://storage.googleapis.com/syzbot-assets/c0609f7a6703/bzImage-f48aeeaa.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: [email protected]
=====================================
WARNING: bad unlock balance detected!
5.15.109-syzkaller #0 Not tainted
-------------------------------------
[<ffffffff89428093>] l2cap_le_sig_cmd net/bluetooth/l2cap_core.c:6426 [inline]
[<ffffffff89428093>] l2cap_le_sig_channel net/bluetooth/l2cap_core.c:6464 [inline]
[<ffffffff89428093>] l2cap_recv_frame+0x1fc3/0x8870 net/bluetooth/l2cap_core.c:7796
but there are no more locks to release!
other info that might help us debug this:
2 locks held by kworker/u5:2/3505:
[<ffffffff89428093>] l2cap_le_sig_channel net/bluetooth/l2cap_core.c:6464 [inline]
[<ffffffff89428093>] l2cap_recv_frame+0x1fc3/0x8870 net/bluetooth/l2cap_core.c:7796
but there are no more locks to release!
other info that might help us debug this:
#0: ffff888024804138 ((wq_completion)hci0#2){+.+.}-{0:0}, at: process_one_work+0x78a/0x10c0 kernel/workqueue.c:2279
#1: ffffc9000235fd20 ((work_completion)(&hdev->rx_work)){+.+.}-{0:0}, at: process_one_work+0x7d0/0x10c0 kernel/workqueue.c:2281
stack backtrace:
CPU: 0 PID: 3505 Comm: kworker/u5:2 Not tainted 5.15.109-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023
Workqueue: hci0 hci_rx_work
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1e3/0x2cb lib/dump_stack.c:106
print_unlock_imbalance_bug+0x248/0x2b0 kernel/locking/lockdep.c:5064
__lock_release kernel/locking/lockdep.c:5301 [inline]
lock_release+0x596/0x9a0 kernel/locking/lockdep.c:5642
__mutex_unlock_slowpath+0xde/0x750 kernel/locking/mutex.c:851
l2cap_le_sig_cmd net/bluetooth/l2cap_core.c:6426 [inline]
l2cap_le_sig_channel net/bluetooth/l2cap_core.c:6464 [inline]
l2cap_recv_frame+0x1fc3/0x8870 net/bluetooth/l2cap_core.c:7796
hci_acldata_packet net/bluetooth/hci_core.c:4967 [inline]
hci_rx_work+0x489/0x7d0 net/bluetooth/hci_core.c:5158
process_one_work+0x8a1/0x10c0 kernel/workqueue.c:2306
---
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1e3/0x2cb lib/dump_stack.c:106
print_unlock_imbalance_bug+0x248/0x2b0 kernel/locking/lockdep.c:5064
__lock_release kernel/locking/lockdep.c:5301 [inline]
lock_release+0x596/0x9a0 kernel/locking/lockdep.c:5642
__mutex_unlock_slowpath+0xde/0x750 kernel/locking/mutex.c:851
l2cap_le_sig_cmd net/bluetooth/l2cap_core.c:6426 [inline]
l2cap_le_sig_channel net/bluetooth/l2cap_core.c:6464 [inline]
l2cap_recv_frame+0x1fc3/0x8870 net/bluetooth/l2cap_core.c:7796
hci_acldata_packet net/bluetooth/hci_core.c:4967 [inline]
hci_rx_work+0x489/0x7d0 net/bluetooth/hci_core.c:5158
process_one_work+0x8a1/0x10c0 kernel/workqueue.c:2306
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
syzbot
Apr 30, 2023, 7:15:50 PM4/30/23
syzbot has found a reproducer for the following issue on:
HEAD commit: ca1c9012c941 Linux 6.1.26
git tree: linux-6.1.y
console output: https://syzkaller.appspot.com/x/log.txt?x=124728f8280000
kernel config: https://syzkaller.appspot.com/x/.config?x=f749f501f45a424b
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1399b964280000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/fa9c42c5de02/disk-ca1c9012.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/deeadb7af907/vmlinux-ca1c9012.xz
kernel image: https://storage.googleapis.com/syzbot-assets/3b2d047683d5/bzImage-ca1c9012.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: [email protected]
Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
Bluetooth: hci0: unexpected cc 0x0c25 length: 249 > 3
Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
-------------------------------------
kworker/u5:2/3548 is trying to release lock (&conn->chan_lock) at:
[<ffffffff89937f5c>] l2cap_le_sig_cmd net/bluetooth/l2cap_core.c:6426 [inline]
[<ffffffff89937f5c>] l2cap_le_sig_channel net/bluetooth/l2cap_core.c:6464 [inline]
[<ffffffff89937f5c>] l2cap_recv_frame+0x1fcc/0x8890 net/bluetooth/l2cap_core.c:7796
#0: ffff8880764cb138 ((wq_completion)hci0#2){+.+.}-{0:0}, at: process_one_work+0x77a/0x11f0
#1: ffffc90003a7fd20 ((work_completion)(&hdev->rx_work)){+.+.}-{0:0}, at: process_one_work+0x7bd/0x11f0 kernel/workqueue.c:2264
stack backtrace:
CPU: 0 PID: 3548 Comm: kworker/u5:2 Not tainted 6.1.26-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023
Workqueue: hci0 hci_rx_work
HEAD commit: ca1c9012c941 Linux 6.1.26
git tree: linux-6.1.y
console output: https://syzkaller.appspot.com/x/log.txt?x=124728f8280000
kernel config: https://syzkaller.appspot.com/x/.config?x=f749f501f45a424b
dashboard link: https://syzkaller.appspot.com/bug?extid=63c07f4a7c391be5086a
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=103bd8e8280000
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1399b964280000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/fa9c42c5de02/disk-ca1c9012.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/deeadb7af907/vmlinux-ca1c9012.xz
kernel image: https://storage.googleapis.com/syzbot-assets/3b2d047683d5/bzImage-ca1c9012.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: [email protected]
Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
Bluetooth: hci0: unexpected cc 0x0c25 length: 249 > 3
Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
=====================================
WARNING: bad unlock balance detected!
6.1.26-syzkaller #0 Not tainted
WARNING: bad unlock balance detected!
-------------------------------------
kworker/u5:2/3548 is trying to release lock (&conn->chan_lock) at:
[<ffffffff89937f5c>] l2cap_le_sig_cmd net/bluetooth/l2cap_core.c:6426 [inline]
[<ffffffff89937f5c>] l2cap_le_sig_channel net/bluetooth/l2cap_core.c:6464 [inline]
[<ffffffff89937f5c>] l2cap_recv_frame+0x1fcc/0x8890 net/bluetooth/l2cap_core.c:7796
but there are no more locks to release!
other info that might help us debug this:
2 locks held by kworker/u5:2/3548:
other info that might help us debug this:
#0: ffff8880764cb138 ((wq_completion)hci0#2){+.+.}-{0:0}, at: process_one_work+0x77a/0x11f0
#1: ffffc90003a7fd20 ((work_completion)(&hdev->rx_work)){+.+.}-{0:0}, at: process_one_work+0x7bd/0x11f0 kernel/workqueue.c:2264
stack backtrace:
CPU: 0 PID: 3548 Comm: kworker/u5:2 Not tainted 6.1.26-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023
Workqueue: hci0 hci_rx_work
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1e3/0x2cb lib/dump_stack.c:106
print_unlock_imbalance_bug+0x24e/0x2c0 kernel/locking/lockdep.c:5109
__lock_release kernel/locking/lockdep.c:5346 [inline]
lock_release+0x5ad/0xa20 kernel/locking/lockdep.c:5689
__mutex_unlock_slowpath+0xde/0x750 kernel/locking/mutex.c:907
l2cap_le_sig_cmd net/bluetooth/l2cap_core.c:6426 [inline]
l2cap_le_sig_channel net/bluetooth/l2cap_core.c:6464 [inline]
l2cap_recv_frame+0x1fcc/0x8890 net/bluetooth/l2cap_core.c:7796
hci_acldata_packet net/bluetooth/hci_core.c:3828 [inline]
hci_rx_work+0x39b/0xa80 net/bluetooth/hci_core.c:4063
process_one_work+0x8aa/0x11f0 kernel/workqueue.c:2289
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1e3/0x2cb lib/dump_stack.c:106
print_unlock_imbalance_bug+0x24e/0x2c0 kernel/locking/lockdep.c:5109
__lock_release kernel/locking/lockdep.c:5346 [inline]
lock_release+0x5ad/0xa20 kernel/locking/lockdep.c:5689
__mutex_unlock_slowpath+0xde/0x750 kernel/locking/mutex.c:907
l2cap_le_sig_cmd net/bluetooth/l2cap_core.c:6426 [inline]
l2cap_le_sig_channel net/bluetooth/l2cap_core.c:6464 [inline]
l2cap_recv_frame+0x1fcc/0x8890 net/bluetooth/l2cap_core.c:7796
hci_acldata_packet net/bluetooth/hci_core.c:3828 [inline]
hci_rx_work+0x39b/0xa80 net/bluetooth/hci_core.c:4063
process_one_work+0x8aa/0x11f0 kernel/workqueue.c:2289
syzbot
Jun 23, 2023, 12:00:37 AM6/23/23
syzbot suspects this issue was fixed by commit:
commit fd269a0435f8e9943b7a57c5a59688848d42d449
Author: Min Li <[email protected]>
Date: Mon Apr 17 02:27:54 2023 +0000
Bluetooth: L2CAP: fix "bad unlock balance" in l2cap_disconnect_rsp
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=1609cd00a80000
start commit: ca1c9012c941 Linux 6.1.26
git tree: linux-6.1.y
#syz fix: Bluetooth: L2CAP: fix "bad unlock balance" in l2cap_disconnect_rsp
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
commit fd269a0435f8e9943b7a57c5a59688848d42d449
Author: Min Li <[email protected]>
Date: Mon Apr 17 02:27:54 2023 +0000
Bluetooth: L2CAP: fix "bad unlock balance" in l2cap_disconnect_rsp
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=1609cd00a80000
start commit: ca1c9012c941 Linux 6.1.26
git tree: linux-6.1.y
kernel config: https://syzkaller.appspot.com/x/.config?x=f749f501f45a424b
dashboard link: https://syzkaller.appspot.com/bug?extid=63c07f4a7c391be5086a
dashboard link: https://syzkaller.appspot.com/bug?extid=63c07f4a7c391be5086a
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=103bd8e8280000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1399b964280000
If the result looks correct, please mark the issue as fixed by replying with:
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1399b964280000
#syz fix: Bluetooth: L2CAP: fix "bad unlock balance" in l2cap_disconnect_rsp
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
syzbot
Jun 25, 2023, 7:45:22 AM6/25/23
syzbot suspects this issue was fixed by commit:
commit 116b9c002c894097adc2b8684db2d1da4229ed46
Author: Min Li <[email protected]>
Date: Mon Apr 17 02:27:54 2023 +0000
Bluetooth: L2CAP: fix "bad unlock balance" in l2cap_disconnect_rsp
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=122f5ccb280000
Date: Mon Apr 17 02:27:54 2023 +0000
Bluetooth: L2CAP: fix "bad unlock balance" in l2cap_disconnect_rsp
start commit: 9d6bde853685 Linux 5.15.112
git tree: linux-5.15.y
kernel config: https://syzkaller.appspot.com/x/.config?x=a61e8195d8bdf36e
dashboard link: https://syzkaller.appspot.com/bug?extid=5769cfc76b5700f915bb
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=13930119280000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1367c329280000
Reply all
Reply to author
Forward
0 new messages