WARNING: refcount bug in l2cap_chan_put

[syzbot <syzbot+198362c76088d1515529@syzkaller.appspotmail.com>]

Hello,

syzbot found the following crash on:

HEAD commit:    bee46b30 Add linux-next specific files for 20200221
git tree:       linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=1244ea7ee00000
kernel config:  https://syzkaller.appspot.com/x/.config?x=10693880b4976691
dashboard link: https://syzkaller.appspot.com/bug?extid=198362c76088d1515529
compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=160a03d9e00000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=10f8e1dde00000

Bisection is inconclusive: the bug happens on the oldest tested release.

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=13f03a7ee00000
final crash:    https://syzkaller.appspot.com/x/report.txt?x=10083a7ee00000
console output: https://syzkaller.appspot.com/x/log.txt?x=17f03a7ee00000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+198362c76088d1515529@syzkaller.appspotmail.com

------------[ cut here ]------------
refcount_t: underflow; use-after-free.
WARNING: CPU: 1 PID: 2940 at lib/refcount.c:28 refcount_warn_saturate+0x1dc/0x1f0 lib/refcount.c:28
Kernel panic - not syncing: panic_on_warn set ...
CPU: 1 PID: 2940 Comm: kworker/1:12 Not tainted 5.6.0-rc2-next-20200221-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events do_enable_set
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x197/0x210 lib/dump_stack.c:118
 panic+0x2e3/0x75c kernel/panic.c:221
 __warn.cold+0x2f/0x3e kernel/panic.c:582
 report_bug+0x289/0x300 lib/bug.c:195
 fixup_bug arch/x86/kernel/traps.c:175 [inline]
 fixup_bug arch/x86/kernel/traps.c:170 [inline]
 do_error_trap+0x11b/0x200 arch/x86/kernel/traps.c:267
 do_invalid_op+0x37/0x50 arch/x86/kernel/traps.c:286
 invalid_op+0x23/0x30 arch/x86/entry/entry_64.S:1027
RIP: 0010:refcount_warn_saturate+0x1dc/0x1f0 lib/refcount.c:28
Code: e9 d8 fe ff ff 48 89 df e8 81 81 10 fe e9 85 fe ff ff e8 07 54 d1 fd 48 c7 c7 00 c8 91 88 c6 05 6b f6 fc 06 01 e8 23 74 a1 fd <0f> 0b e9 ac fe ff ff 0f 1f 00 66 2e 0f 1f 84 00 00 00 00 00 55 48
RSP: 0018:ffffc9000952fbd8 EFLAGS: 00010286
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff815ee766 RDI: fffff520012a5f6d
RBP: ffffc9000952fbe8 R08: ffff88809e82e600 R09: ffffed1015d26661
R10: ffffed1015d26660 R11: ffff8880ae933307 R12: 0000000000000003
R13: ffff888095b3f018 R14: dead000000000122 R15: ffffc9000952fc98
 refcount_sub_and_test include/linux/refcount.h:261 [inline]
 refcount_dec_and_test include/linux/refcount.h:281 [inline]
 kref_put include/linux/kref.h:64 [inline]
 l2cap_chan_put+0x1d9/0x240 net/bluetooth/l2cap_core.c:501
 do_enable_set+0x54b/0x960 net/bluetooth/6lowpan.c:1075
 process_one_work+0xa05/0x17a0 kernel/workqueue.c:2266
 worker_thread+0x98/0xe40 kernel/workqueue.c:2412
 kthread+0x361/0x430 kernel/kthread.c:255
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
Kernel Offset: disabled
Rebooting in 86400 seconds..


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches