WARNING in tty_set_termios

From: syzbot
Date: Sat Jan 12 2019 - 22:43:21 EST


Hello,

syzbot found the following crash on:

HEAD commit: 66c56cfa64d9 Merge tag 'remove-dma_zalloc_coherent-5.0' of..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=167fd6d8c00000
kernel config: https://syzkaller.appspot.com/x/.config?x=b05cfdb4ee8ab9b2
dashboard link: https://syzkaller.appspot.com/bug?extid=a950165cbb86bdd023a4
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=121cee07400000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=16fdaed8c00000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+a950165cbb86bdd023a4@xxxxxxxxxxxxxxxxxxxxxxxxx

WARNING: CPU: 0 PID: 1171 at drivers/tty/tty_ioctl.c:319 tty_set_termios+0x93a/0xac0 drivers/tty/tty_ioctl.c:319
Kernel panic - not syncing: panic_on_warn set ...
CPU: 0 PID: 1171 Comm: kworker/u5:0 Not tainted 5.0.0-rc1+ #22
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: hci0 hci_power_on
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1db/0x2d0 lib/dump_stack.c:113
panic+0x2cb/0x65c kernel/panic.c:214
__warn.cold+0x20/0x48 kernel/panic.c:571
report_bug+0x263/0x2b0 lib/bug.c:186
fixup_bug arch/x86/kernel/traps.c:178 [inline]
fixup_bug arch/x86/kernel/traps.c:173 [inline]
do_error_trap+0x11b/0x200 arch/x86/kernel/traps.c:271
do_invalid_op+0x37/0x50 arch/x86/kernel/traps.c:290
invalid_op+0x14/0x20 arch/x86/entry/entry_64.S:973
RIP: 0010:tty_set_termios+0x93a/0xac0 drivers/tty/tty_ioctl.c:319
Code: 0f b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 ec 00 00 00 41 89 9f d0 03 00 00 e9 f6 fd ff ff e8 d6 18 a8 fd <0f> 0b e9 a9 f7 ff ff e8 4a 04 ec fd e9 48 f9 ff ff 4c 89 ef e8 9d
RSP: 0018:ffff8880a74f7600 EFLAGS: 00010293
RAX: ffff8880a74d4300 RBX: ffff8880a74f76c0 RCX: ffffffff83d9d62d
RDX: 0000000000000000 RSI: ffffffff83d9de8a RDI: 0000000000000005
RBP: ffff8880a74f76e8 R08: ffff8880a74d4300 R09: fffffbfff181d7b5
R10: fffffbfff181d7b4 R11: 0000000000000003 R12: ffff8880a74f7728
R13: 0000000000010004 R14: 000000000001c200 R15: ffff88808e3e60c0
hci_uart_set_baudrate+0x1cc/0x250 drivers/bluetooth/hci_ldisc.c:378
hci_uart_setup+0xa2/0x490 drivers/bluetooth/hci_ldisc.c:401
hci_dev_do_open+0x6b1/0x1920 net/bluetooth/hci_core.c:1423
hci_power_on+0x10d/0x880 net/bluetooth/hci_core.c:2130
process_one_work+0xd0c/0x1ce0 kernel/workqueue.c:2153
worker_thread+0x143/0x14a0 kernel/workqueue.c:2296
kthread+0x357/0x430 kernel/kthread.c:246
ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352
Kernel Offset: disabled
Rebooting in 86400 seconds..


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@xxxxxxxxxxxxxxxxx

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches