bisecting fixing commit since b98aebd298246df37b472c52a2ee1023256d02e3
building syzkaller on 8c88c9c1c99c8cd8dabc951164c820b9c9f25114
testing commit b98aebd298246df37b472c52a2ee1023256d02e3 with gcc (GCC) 8.1.0
kernel signature: febcab648ffceee000abf296d6ec169e41911e75
all runs: crashed: KASAN: use-after-free Read in kfree_skb
testing current HEAD e1f7d50ae3a3ec342e87a9b1ce6787bfb8b3c08b
testing commit e1f7d50ae3a3ec342e87a9b1ce6787bfb8b3c08b with gcc (GCC) 8.1.0
kernel signature: 8a933e884e42845293fcf7271f6659ae433d6f10
all runs: OK
# git bisect start e1f7d50ae3a3ec342e87a9b1ce6787bfb8b3c08b b98aebd298246df37b472c52a2ee1023256d02e3
Bisecting: 761 revisions left to test after this (roughly 10 steps)
[c2ddc149cdf3d87a141eb4bd56fbfb543784778f] fbdev: sbuslib: use checked version of put_user()
testing commit c2ddc149cdf3d87a141eb4bd56fbfb543784778f with gcc (GCC) 8.1.0
kernel signature: a8ac8be1b10c5075ed9d18b5de6cf032b90eb98d
all runs: crashed: KASAN: use-after-free Read in kfree_skb
# git bisect good c2ddc149cdf3d87a141eb4bd56fbfb543784778f
Bisecting: 380 revisions left to test after this (roughly 9 steps)
[a184a9d6015ec0ec7ee7551d7157594ee89d02b2] sctp: don't compare hb_timer expire date before starting it
testing commit a184a9d6015ec0ec7ee7551d7157594ee89d02b2 with gcc (GCC) 8.1.0
kernel signature: e9c0e3393dbbcf8a7eb18adb76ef9932ed1b984e
all runs: OK
# git bisect bad a184a9d6015ec0ec7ee7551d7157594ee89d02b2
Bisecting: 190 revisions left to test after this (roughly 8 steps)
[0c7ebaf98433eee21d5418244e38c673b215875e] pinctrl: zynq: Use define directive for PIN_CONFIG_IO_STANDARD
testing commit 0c7ebaf98433eee21d5418244e38c673b215875e with gcc (GCC) 8.1.0
kernel signature: 6eecfd63c134e16909ecfdc29f0e30ba4f2db7ab
all runs: crashed: KASAN: use-after-free Read in kfree_skb
# git bisect good 0c7ebaf98433eee21d5418244e38c673b215875e
Bisecting: 95 revisions left to test after this (roughly 7 steps)
[d98de9d9b8427db4be1b91949cc633aab5f7e76a] crypto: user - support incremental algorithm dumps
testing commit d98de9d9b8427db4be1b91949cc633aab5f7e76a with gcc (GCC) 8.1.0
kernel signature: 6344a425fdd45454452c8dfd139eab074943e8e2
all runs: OK
# git bisect bad d98de9d9b8427db4be1b91949cc633aab5f7e76a
Bisecting: 47 revisions left to test after this (roughly 6 steps)
[38a2fa7519028e84023e1ab855a6be26186b20ab] KVM: PPC: Book3S HV: Flush link stack on guest exit to host kernel
testing commit 38a2fa7519028e84023e1ab855a6be26186b20ab with gcc (GCC) 8.1.0
kernel signature: e4f3314654bade58ec737308b0e48ddc789e0fa2
all runs: OK
# git bisect bad 38a2fa7519028e84023e1ab855a6be26186b20ab
Bisecting: 23 revisions left to test after this (roughly 5 steps)
[96b59fd4c7f5ca1d3c6238a11a29ddb0e98e4531] nbd: prevent memory leak
testing commit 96b59fd4c7f5ca1d3c6238a11a29ddb0e98e4531 with gcc (GCC) 8.1.0
kernel signature: 4f36d0e2bf29e306cad99e0c053918299f8bdb29
all runs: OK
# git bisect bad 96b59fd4c7f5ca1d3c6238a11a29ddb0e98e4531
Bisecting: 11 revisions left to test after this (roughly 4 steps)
[02e98a0d49ba63e70af4da25a728ab51d7e6bee8] md/raid10: prevent access of uninitialized resync_pages offset
testing commit 02e98a0d49ba63e70af4da25a728ab51d7e6bee8 with gcc (GCC) 8.1.0
kernel signature: 019491fb13b2be0fd03c598faccd54ec275754d5
all runs: OK
# git bisect bad 02e98a0d49ba63e70af4da25a728ab51d7e6bee8
Bisecting: 5 revisions left to test after this (roughly 3 steps)
[0293f8d1bdd21b3eb71032edb5832f9090dea48e] ipv6: Fix handling of LLA with VRF and sockets bound to VRF
testing commit 0293f8d1bdd21b3eb71032edb5832f9090dea48e with gcc (GCC) 8.1.0
kernel signature: 64a4f44aa64acc61aace55503ef775e559b5fb6c
all runs: crashed: KASAN: use-after-free Read in kfree_skb
# git bisect good 0293f8d1bdd21b3eb71032edb5832f9090dea48e
Bisecting: 2 revisions left to test after this (roughly 2 steps)
[fdfce30d9877e61f14692eb70df7f76a42a3726b] KVM: MMU: Do not treat ZONE_DEVICE pages as being reserved
testing commit fdfce30d9877e61f14692eb70df7f76a42a3726b with gcc (GCC) 8.1.0
kernel signature: 876da9eb89419c33f54b3a4f7fafb31de2c300c1
all runs: OK
# git bisect bad fdfce30d9877e61f14692eb70df7f76a42a3726b
Bisecting: 0 revisions left to test after this (roughly 1 step)
[79d404a2aa86efe4f1ade51e054318bd811cce71] Bluetooth: Fix invalid-free in bcsp_close()
testing commit 79d404a2aa86efe4f1ade51e054318bd811cce71 with gcc (GCC) 8.1.0
kernel signature: 7eb56e5b6d09fd9360cc1935931bc56d7b9ebae7
all runs: OK
# git bisect bad 79d404a2aa86efe4f1ade51e054318bd811cce71
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[23ec01fdb1c3b9c6c4bf8399f74bb6e297e640e8] cfg80211: call disconnect_wk when AP stops
testing commit 23ec01fdb1c3b9c6c4bf8399f74bb6e297e640e8 with gcc (GCC) 8.1.0
kernel signature: e3466eed9b00c93e0a1ebea0021d638ea935e24b
all runs: crashed: KASAN: use-after-free Read in kfree_skb
# git bisect good 23ec01fdb1c3b9c6c4bf8399f74bb6e297e640e8
79d404a2aa86efe4f1ade51e054318bd811cce71 is the first bad commit
commit 79d404a2aa86efe4f1ade51e054318bd811cce71
Author: Tomas Bortoli
Date:   Fri Nov 1 21:42:44 2019 +0100

    Bluetooth: Fix invalid-free in bcsp_close()

    commit cf94da6f502d8caecabd56b194541c873c8a7a3c upstream.

    Syzbot reported an invalid-free that I introduced fixing a memleak.
    bcsp_recv() also frees bcsp->rx_skb but never nullifies its value.
    Nullify bcsp->rx_skb every time it is freed.

    Signed-off-by: Tomas Bortoli
    Reported-by: syzbot+a0d209a4676664613e76@syzkaller.appspotmail.com
    Signed-off-by: Marcel Holtmann
    Cc: Alexander Potapenko
    Signed-off-by: Greg Kroah-Hartman

 drivers/bluetooth/hci_bcsp.c | 3 +++
 1 file changed, 3 insertions(+)

culprit signature: 7eb56e5b6d09fd9360cc1935931bc56d7b9ebae7
parent signature: e3466eed9b00c93e0a1ebea0021d638ea935e24b
revisions tested: 13, total time: 3h32m2.779997813s (build: 1h47m16.922571602s, test: 1h43m6.768237881s)
first good commit: 79d404a2aa86efe4f1ade51e054318bd811cce71 Bluetooth: Fix invalid-free in bcsp_close()
cc: ["gregkh@linuxfoundation.org" "marcel@holtmann.org" "tomasbortoli@gmail.com"]