Original report of the bug: https://syzkaller.appspot.com/bug?id=fec182d534b82570ac1071dd89350d3a8b77a5da
We found multiple dangerous primitives that can potentially allow an attacker to execute arbitrary code in kernel context.
Fuzzer tested kernel version: af5043c8
The use-after-free bug happened because the object has two different references. But when it was freed, only one reference was removed (no refcounting on the object), allowing the other reference to be used incorrectly.
Specifically, the object of type struct hci_chan can be referenced in two places from an object called hcon (or conn in hci_chan_create) of type struct hci_conn: hcon->chan_list and hcon->l2cap_data->hchan. But only one of them (conn->chan_list) was deleted when freeing struct hci_chan from hci_disconn_loglink_complete_evt().
This function shows how the first reference is created.
struct hci_chan *hci_chan_create(struct hci_conn *conn)
{
    struct hci_dev *hdev = conn->hdev;
    struct hci_chan *chan;
    ...
    chan = kzalloc(sizeof(*chan), GFP_KERNEL);
    ...
    list_add_rcu(&chan->list, &conn->chan_list); // Assign chan to hcon->chan_list. This is the first reference created.
    return chan;
}
This is the caller of the previous function which shows how the second reference is created.
static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon)
{
    struct l2cap_conn *conn = hcon->l2cap_data;
    struct hci_chan *hchan;
    ...
    hchan = hci_chan_create(hcon); // "hchan" was created in hci_chan_create
    if (!hchan)
        return NULL;
    conn = kzalloc(sizeof(*conn), GFP_KERNEL);
    ...
    kref_init(&conn->ref);
    hcon->l2cap_data = conn;
    conn->hcon = hci_conn_get(hcon);
    conn->hchan = hchan; // "hchan" was assigned to "hcon->l2cap_data->hchan". This is the second reference.
    ...
}
When the chan was freed in hci_disconn_loglink_complete_evt (hci_disconn_loglink_complete_evt()->amp_destroy_logical_link()->hci_chan_del()), we only deleted the reference of ((struct hci_conn *)hcon)->chan_list (effectively removing the entry from the list), but the reference of ((struct hci_conn *)hcon)->l2cap_data->hchan is still valid.
The function below shows exactly how the free of the object occurs and how its first reference is removed.
void hci_chan_del(struct hci_chan *chan)
{
    struct hci_conn *conn = chan->conn;
    struct hci_dev *hdev = conn->hdev;
    BT_DBG("%s hcon %p chan %p", hdev->name, conn, chan);
    list_del_rcu(&chan->list); // removed "chan" from the list (the first reference).
    synchronize_rcu();
    set_bit(HCI_CONN_DROP, &conn->flags);
    hci_conn_put(conn); // decrement reference count. The device won't be freed if the ref count isn't zero. So the entry of (struct hci_conn *)hcon->l2cap_data->hchan will remain valid.
    skb_queue_purge(&chan->data_q);
    kfree(chan); // free "chan"
}
To fix the bug, remove the second reference, (struct hci_conn *)hcon->l2cap_data->hchan, in hci_chan_del(), e.g., by setting it to NULL.
In the original syzbot bug report, a UAF read in hci_chan_del() was caught, as the title shows: "use-after-free Read in hci_chan_del".
We explain what the original impact looks like and how a subsequent and much more serious impact can occur.
Original buggy location: the UAF read happened when hci_chan_del() assigned chan->conn, read through the already freed struct hci_chan *chan, to a local variable conn.
This function is the caller of the function where the original bug impact was reported. No bug impact yet.
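The two-reference lifetime problem and the proposed fix can be followed in a small userspace C model (an added example, not kernel code and not part of the original report). Everything prefixed model_, the released flag and the NULL guard in the teardown path are assumptions of the model; memory is only marked as released, so the second use is counted instead of actually touching freed memory.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Userspace model only: simplified stand-ins for the kernel structures.
 * Field names follow the page; everything prefixed model_ is hypothetical. */
struct hci_conn;

struct hci_chan {
    struct hci_chan *next;      /* stand-in for the chan_list linkage */
    struct hci_conn *conn;
    bool released;              /* model-only marker: "kfree() already ran" */
};

struct l2cap_conn {
    struct hci_chan *hchan;     /* second reference */
};

struct hci_conn {
    struct hci_chan *chan_list; /* first reference */
    struct l2cap_conn *l2cap_data;
};

struct model_stats {
    int releases;               /* times a chan was released */
    int stale_uses;             /* times an already released chan was passed in */
};

/* Mirrors hci_chan_create(): allocate and link into conn->chan_list. */
static struct hci_chan *model_chan_create(struct hci_conn *conn)
{
    struct hci_chan *chan = calloc(1, sizeof(*chan));
    if (!chan)
        return NULL;
    chan->conn = conn;
    chan->next = conn->chan_list;
    conn->chan_list = chan;
    return chan;
}

/* Mirrors l2cap_conn_add(): the same chan is stored a second time. */
static struct l2cap_conn *model_l2cap_conn_add(struct hci_conn *hcon)
{
    struct hci_chan *hchan = model_chan_create(hcon);
    struct l2cap_conn *conn = hchan ? calloc(1, sizeof(*conn)) : NULL;
    if (!conn) {
        if (hchan)
            hcon->chan_list = hchan->next;
        free(hchan);
        return NULL;
    }
    hcon->l2cap_data = conn;
    conn->hchan = hchan;
    return conn;
}

/* Mirrors hci_chan_del(); clear_second_ref selects the page's proposed fix. */
static void model_chan_del(struct hci_chan *chan, bool clear_second_ref,
                           struct model_stats *st)
{
    struct hci_conn *conn;
    struct hci_chan **pp;

    if (chan->released) {       /* in the kernel, this read is the reported UAF */
        st->stale_uses++;
        return;
    }
    conn = chan->conn;
    for (pp = &conn->chan_list; *pp; pp = &(*pp)->next)
        if (*pp == chan) { *pp = chan->next; break; }   /* drop first reference */
    if (clear_second_ref && conn->l2cap_data && conn->l2cap_data->hchan == chan)
        conn->l2cap_data->hchan = NULL;                 /* drop second reference */
    chan->released = true;      /* kept allocated so reuse can be observed safely */
    st->releases++;
}

/* Mirrors l2cap_conn_del(). The NULL guard is an assumption of this model. */
static void model_l2cap_conn_del(struct hci_conn *hcon, bool clear_second_ref,
                                 struct model_stats *st)
{
    struct l2cap_conn *conn = hcon->l2cap_data;
    if (!conn)
        return;
    if (conn->hchan)
        model_chan_del(conn->hchan, clear_second_ref, st);
    hcon->l2cap_data = NULL;
    free(conn);
}

/* Runs both teardown paths in the order described on the page. */
static struct model_stats model_run(bool clear_second_ref)
{
    struct model_stats st = {0, 0};
    struct hci_conn hcon = {NULL, NULL};
    struct l2cap_conn *conn = model_l2cap_conn_add(&hcon);
    struct hci_chan *chan;

    if (!conn)
        return st;
    chan = conn->hchan;
    model_chan_del(chan, clear_second_ref, &st);        /* logical link teardown */
    model_l2cap_conn_del(&hcon, clear_second_ref, &st); /* connection teardown */
    free(chan);                 /* the model's single real free */
    return st;
}

int main(void)
{
    printf("unfixed: stale uses = %d\n", model_run(false).stale_uses);
    printf("fixed:   stale uses = %d\n", model_run(true).stale_uses);
    return 0;
}
```

The guard in model_l2cap_conn_del() matters for the proposed fix: hci_chan_del() as shown above reads chan->conn on entry, so a caller that still passes the cleared pointer would dereference NULL.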
static void l2cap_conn_del(struct hci_conn *hcon, int err)
{
    struct l2cap_conn *conn = hcon->l2cap_data; // This entry is still valid
    struct l2cap_chan *chan, *l;
    ...
    hci_chan_del(conn->hchan); // Note that conn->hchan is freed already
    ...
}
void hci_chan_del(struct hci_chan *chan) // chan was freed already
{
    struct hci_conn *conn = chan->conn; // Syzbot's original report on the UAF read
    struct hci_dev *hdev = conn->hdev;
    ...
    kfree(chan); // The chan was freed again, which causes a double free bug (a serious impact)
}
|hci_chan_del net/bluetooth/hci_conn.c:1728 (Triggered the UAF read bug)
|kfree net/bluetooth/hci_conn.c:1743 (Triggered a new impact: Double free)
This function is where the bug impact was originally reported on syzbot.
void hci_chan_del(struct hci_chan *chan) // "chan" was freed
{
    struct hci_conn *conn = chan->conn; // Syzbot reported the UAF read
    struct hci_dev *hdev = conn->hdev;
    ...
    skb_queue_purge(&chan->data_q); // "data_q" comes from the freed object "chan", therefore it can point to an arbitrary memory address
    kfree(chan);
}
The skb is dequeued from the list. However, the list is controllable by an attacker because it can point to an arbitrary memory address.
void skb_queue_purge(struct sk_buff_head *list)
{
    struct sk_buff *skb;
    while ((skb = skb_dequeue(list)) != NULL) // skb is also controllable
        kfree_skb(skb); // dangerous use of skb further down
}
After a long call chain (skb_queue_purge->kfree_skb->__kfree_skb->skb_release_all->skb_release_data), execution reaches:
static void skb_release_data(struct sk_buff *skb)
{
    ...
    skb_zcopy_clear(skb, true); // skb entered skb_zcopy_clear() and will dereference a function pointer inside.
    skb_free_head(skb);
}
static inline void skb_zcopy_clear(struct sk_buff *skb, bool zerocopy)
{
    struct ubuf_info *uarg = skb_zcopy(skb); // uarg comes from skb, therefore it is also controllable by the attacker
    if (uarg) {
        if (skb_zcopy_is_nouarg(skb)) {
            /* no notification callback */
        } else if (uarg->callback == sock_zerocopy_callback) {
            uarg->zerocopy = uarg->zerocopy && zerocopy;
            sock_zerocopy_put(uarg); // uarg enters sock_zerocopy_put()
        }
        ...
    }
}
Inside the function below, uarg's function pointer will be dereferenced. This makes a control flow hijacking possible because uarg is totally controllable by attackers.
void sock_zerocopy_put(struct ubuf_info *uarg)
{
    if (uarg && refcount_dec_and_test(&uarg->refcnt)) {
        if (uarg->callback)
            uarg->callback(uarg, uarg->zerocopy); // uarg dereferences a function pointer, which yields a control flow hijacking primitive
        ...
    }
}
|hci_chan_del net/bluetooth/hci_conn.c:1728 (Triggered the UAF read bug)
|skb_queue_purge net/bluetooth/hci_conn.c:1742
|kfree_skb net/core/skbuff.c:3073
|skb_release_data net/core/skbuff.c:664
|sock_zerocopy_put ./include/linux/skbuff.h:1479
|sock_zerocopy_put net/core/skbuff.c:1243 (Triggered a new impact: Control flow hijacking)
--------------------------------------
0xffffffff84c31392
skb_dequeue ./include/linux/skbuff.h:2082
--------------------------------------
0xffffffff84c31397
skb_dequeue ./include/linux/skbuff.h:2082
--------------------------------------
0xffffffff84c313a0
skb_dequeue ./include/linux/skbuff.h:2082
--------------------------------------
0xffffffff84c313b1
skb_dequeue ./include/linux/skbuff.h:2063
--------------------------------------
0xffffffff84c313bf
skb_dequeue ./include/linux/skbuff.h:2064
--------------------------------------
0xffffffff84c313de
skb_dequeue ./include/linux/skbuff.h:2066
--------------------------------------
0xffffffff84c313ea
skb_dequeue ./include/linux/skbuff.h:2067
--------------------------------------
0xffffffff84c313f2
skb_dequeue ./include/linux/spinlock.h:409
--------------------------------------
0xffffffff8606c390
_raw_spin_unlock_irqrestore ./include/linux/spinlock_api_smp.h:158
--------------------------------------
0xffffffff813beef0
lock_release kernel/locking/lockdep.c:5444
--------------------------------------
0xffffffff8606c3aa
_raw_spin_unlock_irqrestore ./include/linux/spinlock_api_smp.h:159
--------------------------------------
0xffffffff813c5d40
do_raw_spin_unlock kernel/locking/spinlock_debug.c:138
--------------------------------------
0xffffffff813c5d56
do_raw_spin_unlock kernel/locking/spinlock_debug.c:138
--------------------------------------
0xffffffff813c5d65
do_raw_spin_unlock ./include/linux/instrumented.h:71
--------------------------------------
0xffffffff813c5d72
do_raw_spin_unlock ./arch/x86/include/asm/atomic.h:29
--------------------------------------
0xffffffff813c5d7a
do_raw_spin_unlock ./arch/x86/include/asm/atomic.h:29
--------------------------------------
0xffffffff813c5d86
do_raw_spin_unlock kernel/locking/spinlock_debug.c:99
--------------------------------------
0xffffffff813c5d93
do_raw_spin_unlock ./arch/x86/include/asm/current.h:15
--------------------------------------
0xffffffff813c5da7
do_raw_spin_unlock kernel/locking/spinlock_debug.c:100
--------------------------------------
0xffffffff813c5db4
do_raw_spin_unlock kernel/locking/spinlock_debug.c:100
--------------------------------------
0xffffffff813c5dc6
do_raw_spin_unlock kernel/locking/spinlock_debug.c:102
--------------------------------------
0xffffffff813c5dce
do_raw_spin_unlock kernel/locking/spinlock_debug.c:102
--------------------------------------
0xffffffff813c5ddf
do_raw_spin_unlock kernel/locking/spinlock_debug.c:103
--------------------------------------
0xffffffff813c5df4
do_raw_spin_unlock ./arch/x86/include/asm/paravirt.h:559
--------------------------------------
0xffffffff813c5dfe
do_raw_spin_unlock ./arch/x86/include/asm/paravirt.h:559
--------------------------------------
0xffffffff813c5e08
do_raw_spin_unlock ./arch/x86/include/asm/paravirt.h:559
--------------------------------------
0xffffffff8606c3b2
_raw_spin_unlock_irqrestore ./arch/x86/include/asm/irqflags.h:164
--------------------------------------
0xffffffff8606c3b7
_raw_spin_unlock_irqrestore ./arch/x86/include/asm/irqflags.h:84
--------------------------------------
0xffffffff8135c6a0
preempt_count_sub kernel/sched/core.c:4207
--------------------------------------
0xffffffff8135c6b3
preempt_count_sub kernel/sched/core.c:4207
--------------------------------------
0xffffffff8135c6bd
preempt_count_sub ./arch/x86/include/asm/preempt.h:26
--------------------------------------
0xffffffff8135c6d0
preempt_count_sub kernel/sched/core.c:4212
--------------------------------------
0xffffffff8135c71d
preempt_count_sub ./arch/x86/include/asm/preempt.h:26
--------------------------------------
0xffffffff8135c6d8
preempt_count_sub ./arch/x86/include/asm/preempt.h:84
--------------------------------------
0xffffffff8606c3c3
_raw_spin_unlock_irqrestore ./arch/x86/include/asm/preempt.h:102
--------------------------------------
0xffffffff8606c3ce
_raw_spin_unlock_irqrestore ./arch/x86/include/asm/preempt.h:102
--------------------------------------
0xffffffff84c313fd
skb_dequeue net/core/skbuff.c:3037
--------------------------------------
0xffffffff84c38e26
skb_queue_purge net/core/skbuff.c:3072
--------------------------------------
0xffffffff84c38e0c
skb_queue_purge net/core/skbuff.c:3073
--------------------------------------
0xffffffff84c38e11
skb_queue_purge net/core/skbuff.c:3073
--------------------------------------
0xffffffff84c384d0
kfree_skb ./include/linux/skbuff.h:1044
--------------------------------------
0xffffffff84c384e1
kfree_skb ./include/linux/skbuff.h:1044
--------------------------------------
0xffffffff84c384ea
kfree_skb ./include/linux/refcount.h:147
--------------------------------------
0xffffffff84c384ef
kfree_skb ./include/linux/refcount.h:147
--------------------------------------
0xffffffff84c38504
kfree_skb ./arch/x86/include/asm/atomic.h:29
--------------------------------------
0xffffffff84c3850c
kfree_skb ./arch/x86/include/asm/atomic.h:29
--------------------------------------
0xffffffff84c38520
kfree_skb ./arch/x86/include/asm/atomic.h:29
--------------------------------------
0xffffffff84c38735
kfree_skb ./include/linux/instrumented.h:101
--------------------------------------
0xffffffff84c3873a
kfree_skb ./include/linux/instrumented.h:101
--------------------------------------
0xffffffff84c3874c
kfree_skb ./arch/x86/include/asm/atomic.h:190
--------------------------------------
0xffffffff84c38762
kfree_skb ./include/linux/refcount.h:277
--------------------------------------
0xffffffff84c3876b
kfree_skb ./include/linux/refcount.h:282
--------------------------------------
0xffffffff84c38770
kfree_skb ./include/linux/refcount.h:282
--------------------------------------
0xffffffff84c38779
kfree_skb ./include/linux/refcount.h:282
--------------------------------------
0xffffffff84c3877d
kfree_skb ./include/linux/refcount.h:282
--------------------------------------
0xffffffff84c38782
kfree_skb ./include/linux/refcount.h:282
--------------------------------------
0xffffffff84c3878b
kfree_skb ./include/linux/refcount.h:282
--------------------------------------
0xffffffff84c385dd
kfree_skb net/core/skbuff.c:679
--------------------------------------
0xffffffff84c385e2
kfree_skb net/core/skbuff.c:679
--------------------------------------
0xffffffff84c38e19
skb_queue_purge net/core/skbuff.c:3072
--------------------------------------
0xffffffff84c38e1e
skb_queue_purge net/core/skbuff.c:3072
--------------------------------------
0xffffffff84c31350
skb_dequeue ./include/linux/spinlock.h:329
--------------------------------------
0xffffffff84c31365
skb_dequeue ./include/linux/spinlock.h:329
--------------------------------------
0xffffffff8606c0e0
_raw_spin_lock_irqsave ./arch/x86/include/asm/irqflags.h:120
--------------------------------------
0xffffffff8606c0ef
_raw_spin_lock_irqsave ./arch/x86/include/asm/irqflags.h:164
--------------------------------------
0xffffffff8606c0f8
_raw_spin_lock_irqsave ./include/linux/spinlock_api_smp.h:109
--------------------------------------
0xffffffff8135d4b0
preempt_count_add kernel/sched/core.c:4175
--------------------------------------
0xffffffff8135d4c5
preempt_count_add ./arch/x86/include/asm/preempt.h:79
--------------------------------------
0xffffffff8135d4d6
preempt_count_add ./arch/x86/include/asm/preempt.h:26
--------------------------------------
0xffffffff8135d4e7
preempt_count_add ./arch/x86/include/asm/preempt.h:26
--------------------------------------
0xffffffff8135d4fc
preempt_count_add ./include/linux/ftrace.h:816
--------------------------------------
0xffffffff813c22f0
in_lock_functions kernel/locking/spinlock.c:396
--------------------------------------
0xffffffff813c22fb
in_lock_functions kernel/locking/spinlock.c:396
--------------------------------------
0xffffffff8135d508
preempt_count_add ./include/linux/ftrace.h:818
--------------------------------------
0xffffffff8135d52f
preempt_count_add ./include/linux/ftrace.h:820
--------------------------------------
0xffffffff813c22f0
in_lock_functions kernel/locking/spinlock.c:396
--------------------------------------
0xffffffff813c2307
in_lock_functions kernel/locking/spinlock.c:396
--------------------------------------
0xffffffff8135d53f
preempt_count_add ./include/linux/ftrace.h:821
--------------------------------------
0xffffffff8135d50c
preempt_count_add ./arch/x86/include/asm/current.h:15
--------------------------------------
0xffffffff8135d522
preempt_count_add ./arch/x86/include/asm/current.h:15
--------------------------------------
0xffffffff8606c102
_raw_spin_lock_irqsave ./include/linux/spinlock_api_smp.h:110
--------------------------------------
0xffffffff813bf380
lock_acquire kernel/locking/lockdep.c:5404
--------------------------------------
0xffffffff8606c11e
_raw_spin_lock_irqsave ./include/linux/spinlock_api_smp.h:117
--------------------------------------
0xffffffff813c5a50
do_raw_spin_lock kernel/locking/spinlock_debug.c:111
--------------------------------------
0xffffffff813c5ac0
do_raw_spin_lock kernel/locking/spinlock_debug.c:112
--------------------------------------
0xffffffff813c5ad0
do_raw_spin_lock kernel/locking/spinlock_debug.c:84
--------------------------------------
0xffffffff813c5add
do_raw_spin_lock kernel/locking/spinlock_debug.c:84
--------------------------------------
0xffffffff813c5af4
do_raw_spin_lock kernel/locking/spinlock_debug.c:85
--------------------------------------
0xffffffff813c5b01
do_raw_spin_lock kernel/locking/spinlock_debug.c:85
--------------------------------------
0xffffffff813c5b15
do_raw_spin_lock ./include/asm-generic/qspinlock.h:80
--------------------------------------
0xffffffff813c5b2a
do_raw_spin_lock ./include/linux/instrumented.h:101
--------------------------------------
0xffffffff813c5b38
do_raw_spin_lock ./arch/x86/include/asm/atomic.h:202
--------------------------------------
0xffffffff813c5b4d
do_raw_spin_lock kernel/locking/spinlock_debug.c:115
--------------------------------------
0xffffffff813c5b5d
do_raw_spin_lock kernel/locking/spinlock_debug.c:91
--------------------------------------
0xffffffff813c5b6a
do_raw_spin_lock ./arch/x86/include/asm/current.h:15
--------------------------------------
0xffffffff813c5b9d
do_raw_spin_lock kernel/locking/spinlock_debug.c:92
--------------------------------------
0xffffffff8606c126
_raw_spin_lock_irqsave ./include/linux/spinlock_api_smp.h:121
--------------------------------------
0xffffffff84c31371
skb_dequeue ./include/linux/spinlock.h:329
--------------------------------------
0xffffffff84c3137c
skb_dequeue ./include/linux/skbuff.h:2080
--------------------------------------
0xffffffff84c31388
skb_dequeue ./include/linux/skbuff.h:2081
--------------------------------------
0xffffffff84c3138d
skb_dequeue ./include/linux/skbuff.h:2081
--------------------------------------
0xffffffff84c31392
skb_dequeue ./include/linux/skbuff.h:2082
--------------------------------------
0xffffffff84c31397
skb_dequeue ./include/linux/skbuff.h:2082
--------------------------------------
0xffffffff84c313a0
skb_dequeue ./include/linux/skbuff.h:2082
--------------------------------------
0xffffffff84c313b1
skb_dequeue ./include/linux/skbuff.h:2063
--------------------------------------
0xffffffff84c313bf
skb_dequeue ./include/linux/skbuff.h:2064
--------------------------------------
0xffffffff84c313de
skb_dequeue ./include/linux/skbuff.h:2066
--------------------------------------
0xffffffff84c313ea
skb_dequeue ./include/linux/skbuff.h:2067
--------------------------------------
0xffffffff84c313f2
skb_dequeue ./include/linux/spinlock.h:409
--------------------------------------
0xffffffff8606c390
_raw_spin_unlock_irqrestore ./include/linux/spinlock_api_smp.h:158
--------------------------------------
0xffffffff813beef0
lock_release kernel/locking/lockdep.c:5444
--------------------------------------
0xffffffff8606c3aa
_raw_spin_unlock_irqrestore ./include/linux/spinlock_api_smp.h:159
--------------------------------------
0xffffffff813c5d40
do_raw_spin_unlock kernel/locking/spinlock_debug.c:138
--------------------------------------
0xffffffff813c5d56
do_raw_spin_unlock kernel/locking/spinlock_debug.c:138
--------------------------------------
0xffffffff813c5d65
do_raw_spin_unlock ./include/linux/instrumented.h:71
--------------------------------------
0xffffffff813c5d72
do_raw_spin_unlock ./arch/x86/include/asm/atomic.h:29
--------------------------------------
0xffffffff813c5d7a
do_raw_spin_unlock ./arch/x86/include/asm/atomic.h:29
--------------------------------------
0xffffffff813c5d86
do_raw_spin_unlock kernel/locking/spinlock_debug.c:99
--------------------------------------
0xffffffff813c5d93
do_raw_spin_unlock ./arch/x86/include/asm/current.h:15
--------------------------------------
0xffffffff813c5da7
do_raw_spin_unlock kernel/locking/spinlock_debug.c:100
--------------------------------------
0xffffffff813c5db4
do_raw_spin_unlock kernel/locking/spinlock_debug.c:100
--------------------------------------
0xffffffff813c5dc6
do_raw_spin_unlock kernel/locking/spinlock_debug.c:102
--------------------------------------
0xffffffff813c5dce
do_raw_spin_unlock kernel/locking/spinlock_debug.c:102
--------------------------------------
0xffffffff813c5ddf
do_raw_spin_unlock kernel/locking/spinlock_debug.c:103
--------------------------------------
0xffffffff813c5df4
do_raw_spin_unlock ./arch/x86/include/asm/paravirt.h:559
--------------------------------------
0xffffffff813c5dfe
do_raw_spin_unlock ./arch/x86/include/asm/paravirt.h:559
--------------------------------------
0xffffffff813c5e08
do_raw_spin_unlock ./arch/x86/include/asm/paravirt.h:559
--------------------------------------
0xffffffff8606c3b2
_raw_spin_unlock_irqrestore ./arch/x86/include/asm/irqflags.h:164
--------------------------------------
0xffffffff8606c3b7
_raw_spin_unlock_irqrestore ./arch/x86/include/asm/irqflags.h:84
--------------------------------------
0xffffffff8135c6a0
preempt_count_sub kernel/sched/core.c:4207
--------------------------------------
0xffffffff8135c6b3
preempt_count_sub kernel/sched/core.c:4207
--------------------------------------
0xffffffff8135c6bd
preempt_count_sub ./arch/x86/include/asm/preempt.h:26
--------------------------------------
0xffffffff8135c6d0
preempt_count_sub kernel/sched/core.c:4212
--------------------------------------
0xffffffff8135c71d
preempt_count_sub ./arch/x86/include/asm/preempt.h:26
--------------------------------------
0xffffffff8135c6d8
preempt_count_sub ./arch/x86/include/asm/preempt.h:84
--------------------------------------
0xffffffff8606c3c3
_raw_spin_unlock_irqrestore ./arch/x86/include/asm/preempt.h:102
--------------------------------------
0xffffffff8606c3ce
_raw_spin_unlock_irqrestore ./arch/x86/include/asm/preempt.h:102
--------------------------------------
0xffffffff84c313fd
skb_dequeue net/core/skbuff.c:3037
--------------------------------------
0xffffffff84c38e26
skb_queue_purge net/core/skbuff.c:3072
--------------------------------------
0xffffffff84c38e0c
skb_queue_purge net/core/skbuff.c:3073
--------------------------------------
0xffffffff84c38e11
skb_queue_purge net/core/skbuff.c:3073
--------------------------------------
0xffffffff84c384d0
kfree_skb ./include/linux/skbuff.h:1044
--------------------------------------
0xffffffff84c384e1
kfree_skb ./include/linux/skbuff.h:1044
--------------------------------------
0xffffffff84c384ea
kfree_skb ./include/linux/refcount.h:147
--------------------------------------
0xffffffff84c384ef
kfree_skb ./include/linux/refcount.h:147
--------------------------------------
0xffffffff84c38504
kfree_skb ./arch/x86/include/asm/atomic.h:29
--------------------------------------
0xffffffff84c3850c
kfree_skb ./arch/x86/include/asm/atomic.h:29
--------------------------------------
0xffffffff84c38520
kfree_skb ./arch/x86/include/asm/atomic.h:29
--------------------------------------
0xffffffff84c38529
kfree_skb ./include/linux/refcount.h:278
--------------------------------------
0xffffffff84c3852e
kfree_skb net/core/skbuff.c:695
--------------------------------------
0xffffffff84c38533
kfree_skb net/core/skbuff.c:695
--------------------------------------
0xffffffff84c38541
kfree_skb ./include/trace/events/skb.h:15
--------------------------------------
0xffffffff84c38546
kfree_skb ./include/trace/events/skb.h:15
--------------------------------------
0xffffffff84c38559
kfree_skb ./include/linux/cpumask.h:367
--------------------------------------
0xffffffff84c38562
kfree_skb ./include/linux/cpumask.h:145
--------------------------------------
0xffffffff84c38567
kfree_skb ./include/linux/cpumask.h:145
--------------------------------------
0xffffffff84c38582
kfree_skb ./arch/x86/include/asm/bitops.h:214
--------------------------------------
0xffffffff84c38596
kfree_skb ./arch/x86/include/asm/bitops.h:219
--------------------------------------
0xffffffff84c386b6
kfree_skb ./arch/x86/include/asm/preempt.h:79
--------------------------------------
0xffffffff84c386bb
kfree_skb ./arch/x86/include/asm/preempt.h:79
--------------------------------------
0xffffffff84c386ce
kfree_skb ./include/trace/events/skb.h:15
--------------------------------------
0xffffffff86050a70
debug_lockdep_rcu_enabled kernel/rcu/update.c:278
--------------------------------------
0xffffffff84c386da
kfree_skb ./include/trace/events/skb.h:15
--------------------------------------
0xffffffff84c386e5
kfree_skb ./include/trace/events/skb.h:15
--------------------------------------
0xffffffff84c38706
kfree_skb ./include/linux/rcupdate.h:779
--------------------------------------
0xffffffff84c3870b
kfree_skb ./arch/x86/include/asm/preempt.h:94
--------------------------------------
0xffffffff84c3871e
kfree_skb ./arch/x86/include/asm/preempt.h:94
--------------------------------------
0xffffffff84c3859e
kfree_skb net/core/skbuff.c:696
--------------------------------------
0xffffffff84c385a3
kfree_skb net/core/skbuff.c:696
--------------------------------------
0xffffffff84c38330
skb_release_head_state ./include/net/dst.h:269
--------------------------------------
0xffffffff84c38343
skb_release_head_state ./include/net/dst.h:269
--------------------------------------
0xffffffff84c3834f
skb_release_head_state ./include/net/dst.h:269
--------------------------------------
0xffffffff84c3835d
skb_release_head_state ./include/net/dst.h:269
--------------------------------------
0xffffffff84c38366
skb_release_head_state net/core/skbuff.c:649
--------------------------------------
0xffffffff84c3836b
skb_release_head_state net/core/skbuff.c:649
--------------------------------------
0xffffffff84c38374
skb_release_head_state net/core/skbuff.c:649
--------------------------------------
0xffffffff84c383af
skb_release_head_state ./include/linux/skbuff.h:4118
--------------------------------------
0xffffffff84c383b4
skb_release_head_state ./include/linux/skbuff.h:4118
--------------------------------------
0xffffffff84c383bd
skb_release_head_state ./include/linux/skbuff.h:4118
--------------------------------------
0xffffffff84c383cf
skb_release_head_state ./include/linux/netfilter/nf_conntrack_common.h:33
--------------------------------------
0xffffffff84c38402
skb_release_head_state ./include/linux/skbuff.h:4183
--------------------------------------
0xffffffff84c38407
skb_release_head_state ./include/linux/skbuff.h:4183
--------------------------------------
0xffffffff84c38410
skb_release_head_state ./include/linux/skbuff.h:4183
--------------------------------------
0xffffffff84c3841f
skb_release_head_state ./include/linux/skbuff.h:4183
--------------------------------------
0xffffffff84c38467
skb_release_head_state ./include/linux/skbuff.h:4184
--------------------------------------
0xffffffff84c3846c
skb_release_head_state ./include/linux/skbuff.h:4184
--------------------------------------
0xffffffff84c38478
skb_release_head_state ./include/linux/skbuff.h:4184
--------------------------------------
0xffffffff84c342a0
__skb_ext_put ./include/linux/refcount.h:147
--------------------------------------
0xffffffff84c342b9
__skb_ext_put ./include/linux/instrumented.h:71
--------------------------------------
0xffffffff84c342c6
__skb_ext_put ./arch/x86/include/asm/atomic.h:29
--------------------------------------
0xffffffff84c342ce
__skb_ext_put ./arch/x86/include/asm/atomic.h:29
--------------------------------------
0xffffffff84c342dd
__skb_ext_put ./arch/x86/include/asm/atomic.h:29
--------------------------------------
0xffffffff84c342e2
__skb_ext_put ./include/linux/instrumented.h:101
--------------------------------------
0xffffffff84c342e7
__skb_ext_put ./include/linux/instrumented.h:101
--------------------------------------
0xffffffff84c342f9
__skb_ext_put ./arch/x86/include/asm/atomic.h:190
--------------------------------------
0xffffffff84c3430a
__skb_ext_put ./include/linux/refcount.h:277
--------------------------------------
0xffffffff84c3430f
__skb_ext_put ./include/linux/refcount.h:282
--------------------------------------
0xffffffff84c34314
__skb_ext_put ./include/linux/refcount.h:282
--------------------------------------
0xffffffff84c3431d
__skb_ext_put ./include/linux/refcount.h:282
--------------------------------------
0xffffffff84c34321
__skb_ext_put ./include/linux/refcount.h:282
--------------------------------------
0xffffffff84c34326
__skb_ext_put ./include/linux/refcount.h:282
--------------------------------------
0xffffffff84c3432f
__skb_ext_put ./include/linux/refcount.h:282
--------------------------------------
0xffffffff84c34382
__skb_ext_put net/core/skbuff.c:6317
--------------------------------------
0xffffffff84c34387
__skb_ext_put net/core/skbuff.c:6317
--------------------------------------
0xffffffff84c38484
skb_release_head_state ./include/linux/skbuff.h:4184
--------------------------------------
0xffffffff84c38489
skb_release_head_state ./include/linux/skbuff.h:4184
--------------------------------------
0xffffffff84c385ab
kfree_skb net/core/skbuff.c:663
--------------------------------------
0xffffffff84c385b8
kfree_skb net/core/skbuff.c:663
--------------------------------------
0xffffffff84c385c3
kfree_skb net/core/skbuff.c:664
--------------------------------------
0xffffffff84c385c8
kfree_skb net/core/skbuff.c:664
--------------------------------------
0xffffffff84c399f0
skb_release_data ./include/linux/skbuff.h:1406
--------------------------------------
0xffffffff84c39a0d
skb_release_data ./include/linux/skbuff.h:1406
--------------------------------------
0xffffffff84c39a20
skb_release_data ./include/linux/skbuff.h:1406
--------------------------------------
0xffffffff84c39a3a
skb_release_data ./include/linux/skbuff.h:1406
--------------------------------------
0xffffffff84c39a53
skb_release_data net/core/skbuff.c:598
--------------------------------------
0xffffffff84c39a68
skb_release_data net/core/skbuff.c:598
--------------------------------------
0xffffffff84c39acd
skb_release_data net/core/skbuff.c:603
--------------------------------------
0xffffffff84c39ad2
skb_release_data net/core/skbuff.c:603
--------------------------------------
0xffffffff84c39ae8
skb_release_data net/core/skbuff.c:603
--------------------------------------
0xffffffff84c39af7
skb_release_data net/core/skbuff.c:603
--------------------------------------
0xffffffff84c39b2e
skb_release_data ./include/linux/skbuff.h:3019
--------------------------------------
0xffffffff84c39b33
skb_release_data ./include/linux/skbuff.h:3019
--------------------------------------
0xffffffff84c39b3b
skb_release_data ./include/linux/skbuff.h:3019
--------------------------------------
0xffffffff84c39b51
skb_release_data ./include/linux/page-flags.h:185
--------------------------------------
0xffffffff84c39b6b
skb_release_data ./include/linux/page-flags.h:187
--------------------------------------
0xffffffff84c39e2d
skb_release_data ./include/linux/page-flags.h:188
--------------------------------------
0xffffffff84c39e32
skb_release_data ./include/linux/page-flags.h:188
--------------------------------------
0xffffffff84c39b74
skb_release_data ./arch/x86/include/asm/jump_label.h:25
--------------------------------------
0xffffffff84c39b79
skb_release_data ./arch/x86/include/asm/jump_label.h:25
--------------------------------------
0xffffffff84c39b83
skb_release_data ./include/linux/page_ref.h:67
--------------------------------------
0xffffffff84c39b88
skb_release_data ./include/linux/page_ref.h:67
--------------------------------------
0xffffffff84c39b9a
skb_release_data ./arch/x86/include/asm/atomic.h:29
--------------------------------------
0xffffffff84c39ba2
skb_release_data ./arch/x86/include/asm/atomic.h:29
--------------------------------------
0xffffffff84c39bb3
skb_release_data ./arch/x86/include/asm/atomic.h:29
--------------------------------------
0xffffffff84c39bbe
skb_release_data ./include/linux/instrumented.h:101
--------------------------------------
0xffffffff84c39bc3
skb_release_data ./include/linux/instrumented.h:101
--------------------------------------
0xffffffff84c39bd0
skb_release_data ./arch/x86/include/asm/atomic.h:123
--------------------------------------
0xffffffff84c39be4
skb_release_data ./include/linux/page_ref.h:152
--------------------------------------
0xffffffff84c39b01
skb_release_data net/core/skbuff.c:603
--------------------------------------
0xffffffff84c39b06
skb_release_data net/core/skbuff.c:603
--------------------------------------
0xffffffff84c39b16
skb_release_data net/core/skbuff.c:603
--------------------------------------
0xffffffff84c39b25
skb_release_data net/core/skbuff.c:603
--------------------------------------
0xffffffff84c39bff
skb_release_data net/core/skbuff.c:606
--------------------------------------
0xffffffff84c39c04
skb_release_data net/core/skbuff.c:606
--------------------------------------
0xffffffff84c39c0d
skb_release_data net/core/skbuff.c:606
--------------------------------------
0xffffffff84c39c33
skb_release_data ./include/linux/skbuff.h:1472
--------------------------------------
0xffffffff84c39c38
skb_release_data ./include/linux/skbuff.h:1472
--------------------------------------
0xffffffff84c39c41
skb_release_data ./include/linux/skbuff.h:1472
--------------------------------------
0xffffffff84c39c55
skb_release_data ./include/linux/skbuff.h:1406
--------------------------------------
0xffffffff84c39c5a
skb_release_data ./include/linux/skbuff.h:1406
--------------------------------------
0xffffffff84c39c63
skb_release_data ./include/linux/skbuff.h:1406
--------------------------------------
0xffffffff84c39c7c
skb_release_data ./include/linux/skbuff.h:1406
--------------------------------------
0xffffffff84c39c92
skb_release_data ./include/linux/skbuff.h:1406
--------------------------------------
0xffffffff84c39c9b
skb_release_data ./include/linux/skbuff.h:1437
--------------------------------------
0xffffffff84c39ca0
skb_release_data ./include/linux/skbuff.h:1437
--------------------------------------
0xffffffff84c39ca9
skb_release_data ./include/linux/skbuff.h:1437
--------------------------------------
0xffffffff84c39cb6
skb_release_data ./include/linux/skbuff.h:1475
--------------------------------------
0xffffffff84c39cbb
skb_release_data ./include/linux/skbuff.h:1475
--------------------------------------
0xffffffff84c39ccc
skb_release_data ./include/linux/skbuff.h:1475
--------------------------------------
0xffffffff84c39cd1
skb_release_data ./include/linux/skbuff.h:1477
--------------------------------------
0xffffffff84c39cd6
skb_release_data ./include/linux/skbuff.h:1477
--------------------------------------
0xffffffff84c39cde
skb_release_data ./include/linux/skbuff.h:1477
--------------------------------------
0xffffffff84c39e67
skb_release_data ./include/linux/skbuff.h:1478
--------------------------------------
0xffffffff84c39e6c
skb_release_data ./include/linux/skbuff.h:1478
--------------------------------------
0xffffffff84c39e75
skb_release_data ./include/linux/skbuff.h:1479
--------------------------------------
0xffffffff84c3a4e0
sock_zerocopy_put net/core/skbuff.c:1241
--------------------------------------
0xffffffff84c3a4f1
sock_zerocopy_put net/core/skbuff.c:1241
--------------------------------------
0xffffffff84c3a4f6
sock_zerocopy_put net/core/skbuff.c:1241
--------------------------------------
0xffffffff84c3a4fb
sock_zerocopy_put net/core/skbuff.c:1241
--------------------------------------
0xffffffff84c3a512
sock_zerocopy_put ./arch/x86/include/asm/atomic.h:190
--------------------------------------
0xffffffff84c3a525
sock_zerocopy_put ./include/linux/refcount.h:277
--------------------------------------
0xffffffff84c3a55a
sock_zerocopy_put ./include/linux/refcount.h:278
--------------------------------------
0xffffffff84c3a55f
sock_zerocopy_put net/core/skbuff.c:1242
--------------------------------------
0xffffffff84c3a567
sock_zerocopy_put net/core/skbuff.c:1242
--------------------------------------
0xffffffff84c3a570
sock_zerocopy_put net/core/skbuff.c:1243
--------------------------------------
0xffffffff84c3a575
sock_zerocopy_put net/core/skbuff.c:1243
--------------------------------------
0xffffffff84c3a57f
sock_zerocopy_put net/core/skbuff.c:1243 (Triggered a new impact: Control flow hijacking)
--------------------------------------
Total 618 basic block