bisecting fixing commit since 54b4fa6d39551639cb10664f6ac78b01993a1d7e
building syzkaller on 831e9a81a60573f12c44f35c7b04072f41854bdf
testing commit 54b4fa6d39551639cb10664f6ac78b01993a1d7e
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: 59ce9fc2e8b6bb69851a88ef27fb03be28e18c5ce99db2f5eba2c36919d63ec3
all runs: crashed: KASAN: use-after-free Write in hci_sock_bind
testing current HEAD 59456c9cc40c8f75b5a7efa0fe1f211d9c6fcaf1
testing commit 59456c9cc40c8f75b5a7efa0fe1f211d9c6fcaf1
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: bc5dfbb497bdcaa30a54d1ae7577a76717bfc3fe7bf4eff1c436b64b42bfb053
all runs: OK
# git bisect start 59456c9cc40c8f75b5a7efa0fe1f211d9c6fcaf1 54b4fa6d39551639cb10664f6ac78b01993a1d7e
Bisecting: 3604 revisions left to test after this (roughly 12 steps)
[286d11dbf7005e3f348e95f64261ceb285d23fa0] hil/parisc: Disable HIL driver when it gets stuck
testing commit 286d11dbf7005e3f348e95f64261ceb285d23fa0
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: 2a9022fe325ff2d539d9adb95321fcf2facc66f77718f486dd64e1bc2d885792
all runs: crashed: KASAN: use-after-free Write in hci_sock_bind
# git bisect good 286d11dbf7005e3f348e95f64261ceb285d23fa0
Bisecting: 1802 revisions left to test after this (roughly 11 steps)
[3b14c116f12d73a9cb548e5f8b4fb8733cf0ccad] libbpf: Fix INSTALL flag order
testing commit 3b14c116f12d73a9cb548e5f8b4fb8733cf0ccad
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: cc578cf6f49dbbf0b43e93fd822f907e0086373535dc834bda6197b28bcde39a
all runs: crashed: KASAN: use-after-free Write in hci_sock_bind
# git bisect good 3b14c116f12d73a9cb548e5f8b4fb8733cf0ccad
Bisecting: 901 revisions left to test after this (roughly 10 steps)
[b6c9e3b46c3a4c78799ac550176856e7ff5e313c] selftests/bpf: Generalize dummy program types
testing commit b6c9e3b46c3a4c78799ac550176856e7ff5e313c
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: e4ecd62c8ff382754dc71da3eb838d034a293ee522aecddd056b90abbedf0685
all runs: crashed: BUG: sleeping function called from invalid context in lock_sock_nested
# git bisect good b6c9e3b46c3a4c78799ac550176856e7ff5e313c
Bisecting: 450 revisions left to test after this (roughly 9 steps)
[c4e4a6f1c976aba407fa45fd95e4564291324eb9] mm/huge_memory.c: don't discard hugepage if other processes are mapping it
testing commit c4e4a6f1c976aba407fa45fd95e4564291324eb9
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: af1ac2e217e14fd44a5bc649b6952da7b3f2be6acfe02d0e371288c1283aff55
all runs: crashed: BUG: sleeping function called from invalid context in lock_sock_nested
# git bisect good c4e4a6f1c976aba407fa45fd95e4564291324eb9
Bisecting: 225 revisions left to test after this (roughly 8 steps)
[6f343d7689b7020a1a57eee7e8eab01471fdffb8] arm64: dts: ls208xa: remove bus-num from dspi node
testing commit 6f343d7689b7020a1a57eee7e8eab01471fdffb8
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: ad943898a63ed60dc7c2d3924f648701cf97cc60dc35c10d51e9eb63af81f400
all runs: crashed: BUG: sleeping function called from invalid context in lock_sock_nested
# git bisect good 6f343d7689b7020a1a57eee7e8eab01471fdffb8
Bisecting: 112 revisions left to test after this (roughly 7 steps)
[16851e34b621bc7e652c508bb28c47948fb86958] virtio_net: Do not pull payload in skb->head
testing commit 16851e34b621bc7e652c508bb28c47948fb86958
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: 7f2c915b8e3ab41ced750eb9a4f4e6d8abd80e3b82e85d7d22d665234e714b73
all runs: crashed: BUG: sleeping function called from invalid context in lock_sock_nested
# git bisect good 16851e34b621bc7e652c508bb28c47948fb86958
Bisecting: 56 revisions left to test after this (roughly 6 steps)
[a351cafd536e9fa8a8d16c7749af97325b6a1fa3] media: videobuf2-core: dequeue if start_streaming fails
testing commit a351cafd536e9fa8a8d16c7749af97325b6a1fa3
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: dc18007231a5dbcbf4a22726a84fbbb9e0ef95d7185cdadb4cdd8ce02f179f91
all runs: crashed: BUG: sleeping function called from invalid context in lock_sock_nested
# git bisect good a351cafd536e9fa8a8d16c7749af97325b6a1fa3
Bisecting: 28 revisions left to test after this (roughly 5 steps)
[51f990c70a320cd51317ba21be1150bc40a96d91] media: rtl28xxu: fix zero-length control request
testing commit 51f990c70a320cd51317ba21be1150bc40a96d91
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: a3c7b1b1d526e7f952e502c88f0fcd5e1fa89c538730a7faad68307ad210bba5
all runs: OK
# git bisect bad 51f990c70a320cd51317ba21be1150bc40a96d91
Bisecting: 13 revisions left to test after this (roughly 4 steps)
[d5008c3e90a9b39dd6a2b05edc0c293eda58dd2b] USB: serial: ch341: fix character loss at high transfer rates
testing commit d5008c3e90a9b39dd6a2b05edc0c293eda58dd2b
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: 7a64c1fa5198ca1f615be12a6237a2032510e8290129605dcf7ad114f24b2833
all runs: OK
# git bisect bad d5008c3e90a9b39dd6a2b05edc0c293eda58dd2b
Bisecting: 6 revisions left to test after this (roughly 3 steps)
[423cbae7ee2a70ea8dd0bc129aa3aa32c54e0f12] net: pegasus: fix uninit-value in get_interrupt_interval
testing commit 423cbae7ee2a70ea8dd0bc129aa3aa32c54e0f12
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: dffac2ccdaf72a02a2f7bf5ecf14bf039e19eb9cae6a4b69ae7535ee956a52ed
all runs: crashed: BUG: sleeping function called from invalid context in lock_sock_nested
# git bisect good 423cbae7ee2a70ea8dd0bc129aa3aa32c54e0f12
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[76ab02d9b861da0785176f0228340f22023902fa] blk-iolatency: error out if blk_get_queue() failed in iolatency_set_limit()
testing commit 76ab02d9b861da0785176f0228340f22023902fa
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: ff1680d084ab5ebcd92c030ad2e4e8ef7ac07e9571ada7d628e94c177d7d8428
all runs: crashed: BUG: sleeping function called from invalid context in lock_sock_nested
# git bisect good 76ab02d9b861da0785176f0228340f22023902fa
Bisecting: 1 revision left to test after this (roughly 1 step)
[08433a2b5b0d3975feac4c6b50b02e8c47b74948] USB: usbtmc: Fix RCU stall warning
testing commit 08433a2b5b0d3975feac4c6b50b02e8c47b74948
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: b0ef8e8f145bd7f9a033f50d02f1c619005fd153345bd70efad80687a9e7e28a
all runs: OK
# git bisect bad 08433a2b5b0d3975feac4c6b50b02e8c47b74948
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[3719acc161d5c1ce09912cc1c9eddc2c5faa3c66] Bluetooth: defer cleanup of resources in hci_unregister_dev()
testing commit 3719acc161d5c1ce09912cc1c9eddc2c5faa3c66
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: b0ef8e8f145bd7f9a033f50d02f1c619005fd153345bd70efad80687a9e7e28a
all runs: OK
# git bisect bad 3719acc161d5c1ce09912cc1c9eddc2c5faa3c66
3719acc161d5c1ce09912cc1c9eddc2c5faa3c66 is the first bad commit
commit 3719acc161d5c1ce09912cc1c9eddc2c5faa3c66
Author: Tetsuo Handa
Date:   Wed Aug 4 19:26:56 2021 +0900

    Bluetooth: defer cleanup of resources in hci_unregister_dev()

    [ Upstream commit e04480920d1eec9c061841399aa6f35b6f987d8b ]

    syzbot is hitting might_sleep() warning at hci_sock_dev_event() due to
    calling lock_sock() with rw spinlock held [1].

    It seems that history of this locking problem is a trial and error.

    Commit b40df5743ee8 ("[PATCH] bluetooth: fix socket locking in
    hci_sock_dev_event()") in 2.6.21-rc4 changed bh_lock_sock() to lock_sock()
    as an attempt to fix lockdep warning.

    Then, commit 4ce61d1c7a8e ("[BLUETOOTH]: Fix locking in
    hci_sock_dev_event().") in 2.6.22-rc2 changed lock_sock() to
    local_bh_disable() + bh_lock_sock_nested() as an attempt to fix the sleep
    in atomic context warning.

    Then, commit 4b5dd696f81b ("Bluetooth: Remove local_bh_disable() from
    hci_sock.c") in 3.3-rc1 removed local_bh_disable().

    Then, commit e305509e678b ("Bluetooth: use correct lock to prevent UAF of
    hdev object") in 5.13-rc5 again changed bh_lock_sock_nested() to
    lock_sock() as an attempt to fix CVE-2021-3573.

    This difficulty comes from current implementation that
    hci_sock_dev_event(HCI_DEV_UNREG) is responsible for dropping all
    references from sockets because hci_unregister_dev() immediately reclaims
    resources as soon as returning from hci_sock_dev_event(HCI_DEV_UNREG).

    But the history suggests that hci_sock_dev_event(HCI_DEV_UNREG) was not
    doing what it should do.

    Therefore, instead of trying to detach sockets from device, let's accept
    not detaching sockets from device at hci_sock_dev_event(HCI_DEV_UNREG),
    by moving actual cleanup of resources from hci_unregister_dev() to
    hci_cleanup_dev() which is called by bt_host_release() when all
    references to this unregistered device (which is a kobject) are gone.

    Since hci_sock_dev_event(HCI_DEV_UNREG) no longer resets
    hci_pi(sk)->hdev, we need to check whether this device was unregistered
    and return an error based on HCI_UNREGISTER flag.

    There might be subtle behavioral difference in "monitor the hdev"
    functionality; please report if you found something went wrong due to
    this patch.

    Link: https://syzkaller.appspot.com/bug?extid=a5df189917e79d5e59c9 [1]
    Reported-by: syzbot
    Suggested-by: Linus Torvalds
    Signed-off-by: Tetsuo Handa
    Fixes: e305509e678b ("Bluetooth: use correct lock to prevent UAF of hdev object")
    Acked-by: Luiz Augusto von Dentz
    Signed-off-by: Linus Torvalds
    Signed-off-by: Sasha Levin

 include/net/bluetooth/hci_core.h |  1 +
 net/bluetooth/hci_core.c         | 16 ++++++-------
 net/bluetooth/hci_sock.c         | 49 +++++++++++++++++++++++++++-------------
 net/bluetooth/hci_sysfs.c        |  3 +++
 4 files changed, 45 insertions(+), 24 deletions(-)

culprit signature: b0ef8e8f145bd7f9a033f50d02f1c619005fd153345bd70efad80687a9e7e28a
parent signature: ff1680d084ab5ebcd92c030ad2e4e8ef7ac07e9571ada7d628e94c177d7d8428
revisions tested: 15, total time: 4h32m46.188252199s (build: 2h59m12.121378808s, test: 1h31m30.92036088s)
first good commit: 3719acc161d5c1ce09912cc1c9eddc2c5faa3c66 Bluetooth: defer cleanup of resources in hci_unregister_dev()
recipients (to): ["luiz.von.dentz@intel.com" "penguin-kernel@i-love.sakura.ne.jp" "sashal@kernel.org" "torvalds@linux-foundation.org"]
recipients (cc): []