ci starts bisection 2022-11-05 01:14:43.961744136 +0000 UTC m=+106409.512072971
bisecting fixing commit since 7ebfc85e2cd7b08f518b526173e9a33b56b3913b
building syzkaller on 8dfcaa3d2828a113ae780da01f5f73ad64710e31
ensuring issue is reproducible on original commit 7ebfc85e2cd7b08f518b526173e9a33b56b3913b

testing commit 7ebfc85e2cd7b08f518b526173e9a33b56b3913b gcc
compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: a859f78c791e3114465e0c33e4bebedc7fa50b472e6e4c0972b229d24c0c45c4
run #0: basic kernel testing failed: BUG: program execution failed: executor NUM: failed to write control pipe: write |NUM: broken pipe
run #1: crashed: WARNING in __cancel_work
run #2: crashed: WARNING in __cancel_work
run #3: crashed: WARNING in __cancel_work
run #4: crashed: WARNING in __cancel_work
run #5: crashed: WARNING in __cancel_work
run #6: crashed: WARNING in __cancel_work
run #7: crashed: WARNING in __cancel_work
run #8: crashed: WARNING in __cancel_work
run #9: crashed: WARNING in __cancel_work
run #10: crashed: WARNING in __cancel_work
run #11: crashed: WARNING in __cancel_work
run #12: crashed: WARNING in __cancel_work
run #13: crashed: WARNING in __cancel_work
run #14: crashed: WARNING in __cancel_work
run #15: crashed: WARNING in __cancel_work
run #16: crashed: WARNING in __cancel_work
run #17: crashed: WARNING in __cancel_work
run #18: crashed: WARNING in __cancel_work
run #19: crashed: WARNING in __cancel_work
testing current HEAD 64c3dd0b98f586a5b7c8f5f4759ebb41cfd03861
testing commit 64c3dd0b98f586a5b7c8f5f4759ebb41cfd03861 gcc
compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 8851ab69e1026da8a1ffebd3be266a83d91b8f22f095f3db08292942129ca43a
all runs: OK
# git bisect start 64c3dd0b98f586a5b7c8f5f4759ebb41cfd03861 7ebfc85e2cd7b08f518b526173e9a33b56b3913b
Bisecting: 8174 revisions left to test after this (roughly 13 steps)
[ff6862c23d2e83d12d1759bf4337d41248fb4dc8] Merge tag 'arm-drivers-6.1' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc

testing commit ff6862c23d2e83d12d1759bf4337d41248fb4dc8 gcc
compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 15c0b3ace62298f7ffcbfdc50285dac0de91b4cd0cdd185ff14694879578473b
all runs: OK
# git bisect bad ff6862c23d2e83d12d1759bf4337d41248fb4dc8
Bisecting: 4046 revisions left to test after this (roughly 12 steps)
[6690c2c4c4eaa2a01f1c50ccd35dbe479bba85e3] Merge branch 'mlx5-xsk-updates-part2-2022-09-28'

testing commit 6690c2c4c4eaa2a01f1c50ccd35dbe479bba85e3 gcc
compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 97856ca3343aa29bbe39f5eb0defd8cc57c65e2311fb119e81f62b8eb5cf0d20
all runs: crashed: WARNING in __cancel_work
# git bisect good 6690c2c4c4eaa2a01f1c50ccd35dbe479bba85e3
Bisecting: 2115 revisions left to test after this (roughly 11 steps)
[a47e60729d9624e931f988709ab76e043e2ee8b9] Merge tag 'backlight-next-6.1' of git://git.kernel.org/pub/scm/linux/kernel/git/lee/backlight

testing commit a47e60729d9624e931f988709ab76e043e2ee8b9 gcc
compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 8fb9ecc8cf578515c532ae1182e975c9aa1cc83f94ea00e2747fde40c90c7e8b
all runs: OK
# git bisect bad a47e60729d9624e931f988709ab76e043e2ee8b9
Bisecting: 1130 revisions left to test after this (roughly 10 steps)
[522667b24f08009591c90e75bfe2ffb67f555498] Merge tag 'landlock-6.1-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/mic/linux

testing commit 522667b24f08009591c90e75bfe2ffb67f555498 gcc
compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: de525ad847ff8a87fc123714241e2dbf2b60fb34a1e0f5cfed8375df57b7788e
all runs: crashed: WARNING in __cancel_work
# git bisect good 522667b24f08009591c90e75bfe2ffb67f555498
Bisecting: 565 revisions left to test after this (roughly 9 steps)
[9b98d395b85dd042fe83fb696b1ac02e6c93a520] net/mlx5: Start health poll at earlier stage of driver load

testing commit 9b98d395b85dd042fe83fb696b1ac02e6c93a520 gcc
compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 15030b39f90ed9dc5b9279d507447bd45ffcd62ecb3117cdd82811980f91506d
all runs: OK
# git bisect bad 9b98d395b85dd042fe83fb696b1ac02e6c93a520
Bisecting: 277 revisions left to test after this (roughly 8 steps)
[a507ea32b9c2c407012bf89109ac0cf89fae313c] Merge tag 'for-net-next-2022-09-30' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next

testing commit a507ea32b9c2c407012bf89109ac0cf89fae313c gcc
compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 5f39b1e5580fbac5fa019d0bc2a249577db92efe9d88919b3b26f670b2f6b606
all runs: OK
# git bisect bad a507ea32b9c2c407012bf89109ac0cf89fae313c
Bisecting: 146 revisions left to test after this (roughly 7 steps)
[5f606b3e11250f352d245bfa7fb16a1a0a17b7a8] Merge tag 'mt76-for-kvalo-2022-09-15' of https://github.com/nbd168/wireless

testing commit 5f606b3e11250f352d245bfa7fb16a1a0a17b7a8 gcc
compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 7437e9ef2b04c047c660da4b29ce0a67d9c37aa7783a45d541c06fc006470969
all runs: crashed: WARNING in __cancel_work
# git bisect good 5f606b3e11250f352d245bfa7fb16a1a0a17b7a8
Bisecting: 66 revisions left to test after this (roughly 6 steps)
[6cf5e9066dd3332cf4c77ea95a116f70e7f9acf7] Merge ath-next from git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/ath.git

testing commit 6cf5e9066dd3332cf4c77ea95a116f70e7f9acf7 gcc
compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 7120bd3dcb3fc5252497781406c6adf6a107f434476a44b62fb51a9d024f6866
all runs: crashed: WARNING in __cancel_work
# git bisect good 6cf5e9066dd3332cf4c77ea95a116f70e7f9acf7
Bisecting: 33 revisions left to test after this (roughly 5 steps)
[f74ca25d6d6629ffd4fd80a1a73037253b57d06b] Bluetooth: avoid hci_dev_test_and_set_flag() in mgmt_init_hdev()

testing commit f74ca25d6d6629ffd4fd80a1a73037253b57d06b gcc
compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: ebd0088e0eba6ec407a12483089aa7c8514dcc6f81f96fa8ea0d3879c926e48f
all runs: crashed: WARNING in __cancel_work
# git bisect good f74ca25d6d6629ffd4fd80a1a73037253b57d06b
Bisecting: 16 revisions left to test after this (roughly 4 steps)
[cff2d762cde669023f345157f875b7ea6658992a] genetlink: reject use of nlmsg_flags for new commands

testing commit cff2d762cde669023f345157f875b7ea6658992a gcc
compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: b0463ceb8ad1ddf896364ff767186efedef590ab517405168703100fa3aeba57
all runs: crashed: WARNING in __cancel_work
# git bisect good cff2d762cde669023f345157f875b7ea6658992a
Bisecting: 8 revisions left to test after this (roughly 3 steps)
[bb20da18ce936adda6b48aea79a8797c8eee479f] Bluetooth: MGMT: fix zalloc-simple.cocci warnings

testing commit bb20da18ce936adda6b48aea79a8797c8eee479f gcc
compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 3bf3d988f3504132d59c5847018aaf0a1caa09abb4ddef3c45b02f8bd26f6b29
all runs: OK
# git bisect bad bb20da18ce936adda6b48aea79a8797c8eee479f
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[812e92b824c1db16c9519f8624d48a9901a0d38f] Bluetooth: RFCOMM: Fix possible deadlock on socket shutdown/release

testing commit 812e92b824c1db16c9519f8624d48a9901a0d38f gcc
compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 79448deca548208f7fe86b991c661218eebf07ef843a17cc935b66da94fbdcee
all runs: crashed: WARNING in __cancel_work
# git bisect good 812e92b824c1db16c9519f8624d48a9901a0d38f
Bisecting: 1 revision left to test after this (roughly 1 step)
[deee93d13d385103205879a8a0915036ecd83261] Bluetooth: use hdev->workqueue when queuing hdev->{cmd,ncmd}_timer works

testing commit deee93d13d385103205879a8a0915036ecd83261 gcc
compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 7d0f270b903249111efd2247226bc61dc7871f1dd3f1896562c7660d0fd64c2a
all runs: OK
# git bisect bad deee93d13d385103205879a8a0915036ecd83261
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[2d2cb3066f2c90cd8ca540b36ba7a55e7f2406e0] Bluetooth: L2CAP: initialize delayed works at l2cap_chan_create()

testing commit 2d2cb3066f2c90cd8ca540b36ba7a55e7f2406e0 gcc
compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 0a273748bf0703aea52f626745846661008634c41a68261a77e0e831480e8d62
all runs: OK
# git bisect bad 2d2cb3066f2c90cd8ca540b36ba7a55e7f2406e0
2d2cb3066f2c90cd8ca540b36ba7a55e7f2406e0 is the first bad commit
commit 2d2cb3066f2c90cd8ca540b36ba7a55e7f2406e0
Author: Tetsuo Handa
Date:   Sun Sep 4 00:32:56 2022 +0900

    Bluetooth: L2CAP: initialize delayed works at l2cap_chan_create()

    syzbot is reporting cancel_delayed_work() without INIT_DELAYED_WORK() at
    l2cap_chan_del() [1], for CONF_NOT_COMPLETE flag (which meant to prevent
    l2cap_chan_del() from calling cancel_delayed_work()) is cleared by timer
    which fires before l2cap_chan_del() is called by closing file descriptor
    created by socket(AF_BLUETOOTH, SOCK_STREAM, BTPROTO_L2CAP).

    l2cap_bredr_sig_cmd(L2CAP_CONF_REQ) and l2cap_bredr_sig_cmd(L2CAP_CONF_RSP)
    are calling l2cap_ertm_init(chan), and they call l2cap_chan_ready()
    (which clears CONF_NOT_COMPLETE flag) only when l2cap_ertm_init(chan)
    succeeded.

    l2cap_sock_init() does not call l2cap_ertm_init(chan), and it instead sets
    CONF_NOT_COMPLETE flag by calling l2cap_chan_set_defaults(). However, when
    connect() is requested, "command 0x0409 tx timeout" happens after 2 seconds
    from connect() request, and CONF_NOT_COMPLETE flag is cleared after 4
    seconds from connect() request, for l2cap_conn_start() from
    l2cap_info_timeout() callback scheduled by

      schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);

    in l2cap_connect() is calling l2cap_chan_ready().

    Fix this problem by initializing delayed works used by L2CAP_MODE_ERTM
    mode as soon as l2cap_chan_create() allocates a channel, like I did in
    commit be8597239379f0f5 ("Bluetooth: initialize skb_queue_head at
    l2cap_chan_create()").

    Link: https://syzkaller.appspot.com/bug?extid=83672956c7aa6af698b3 [1]
    Reported-by: syzbot
    Signed-off-by: Tetsuo Handa
    Signed-off-by: Luiz Augusto von Dentz

 net/bluetooth/l2cap_core.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

culprit signature: 0a273748bf0703aea52f626745846661008634c41a68261a77e0e831480e8d62
parent signature: 79448deca548208f7fe86b991c661218eebf07ef843a17cc935b66da94fbdcee
revisions tested: 16, total time: 4h12m12.997531386s (build: 2h5m55.136429394s, test: 2h3m54.347633649s)
first good commit: 2d2cb3066f2c90cd8ca540b36ba7a55e7f2406e0 Bluetooth: L2CAP: initialize delayed works at l2cap_chan_create()
recipients (to): ["davem@davemloft.net" "edumazet@google.com" "johan.hedberg@gmail.com" "kuba@kernel.org" "linux-bluetooth@vger.kernel.org" "luiz.dentz@gmail.com" "luiz.von.dentz@intel.com" "marcel@holtmann.org" "netdev@vger.kernel.org" "pabeni@redhat.com" "penguin-kernel@i-love.sakura.ne.jp"]
recipients (cc): ["linux-kernel@vger.kernel.org"]