bisecting fixing commit since 14b58326976de6ef3998eefec1dd7f8b38b97a75
building syzkaller on ff51e5229e0ee846d2fd687cb0dbca13de758c66
testing commit 14b58326976de6ef3998eefec1dd7f8b38b97a75 with gcc (GCC) 8.1.0
kernel signature: 9440f2b2936f5b8f2fccfc5b07c503bad20b7b3d761ec2b6352ca1dea5cebcf3
run #0: crashed: KASAN: use-after-free Write in ex_handler_refcount
run #1: crashed: KASAN: use-after-free Write in ex_handler_refcount
run #2: crashed: KASAN: use-after-free Read in l2cap_chan_close
run #3: crashed: KASAN: use-after-free Read in l2cap_chan_close
run #4: crashed: KASAN: use-after-free Read in l2cap_chan_close
run #5: crashed: KASAN: use-after-free Write in ex_handler_refcount
run #6: crashed: KASAN: use-after-free Read in l2cap_chan_close
run #7: crashed: KASAN: use-after-free Read in l2cap_chan_close
run #8: crashed: KASAN: use-after-free Write in ex_handler_refcount
run #9: OK
testing current HEAD bae31eef2a167ef160ab2703b6a2f5bbecd98d92
testing commit bae31eef2a167ef160ab2703b6a2f5bbecd98d92 with gcc (GCC) 8.1.0
kernel signature: 36b2b4c5216fd5eed5078acdb01c185fc5d14c5bb84f37b9aca0fa6c11ee7bd8
all runs: OK
# git bisect start bae31eef2a167ef160ab2703b6a2f5bbecd98d92 14b58326976de6ef3998eefec1dd7f8b38b97a75
Bisecting: 354 revisions left to test after this (roughly 9 steps)
[413092c085caf504d7e68ff308b57be1688984f2] USB: yurex: Fix bad gfp argument
testing commit 413092c085caf504d7e68ff308b57be1688984f2 with gcc (GCC) 8.1.0
kernel signature: fd3671052ed10965c6f7e60eaa87b5410a01dd34d37709019f6a0fb6d7c0b8a7
all runs: OK
# git bisect bad 413092c085caf504d7e68ff308b57be1688984f2
Bisecting: 176 revisions left to test after this (roughly 8 steps)
[a5b5d63d537341738b8cb3e93a4bf5387dc9119e] net: stmmac: dwmac1000: provide multicast filter fallback
testing commit a5b5d63d537341738b8cb3e93a4bf5387dc9119e with gcc (GCC) 8.1.0
kernel signature: 1da962efb76a6aae1648b9ddaf6f016d977a1c455b156503ac7f28aefcd4bdd5
all runs: OK
# git bisect bad a5b5d63d537341738b8cb3e93a4bf5387dc9119e
Bisecting: 88 revisions left to test after this (roughly 7 steps)
[6059d5a8c6217e843f69a38117800b9f26e0c08b] media: omap3isp: Add missed v4l2_ctrl_handler_free() for preview_init_entities()
testing commit 6059d5a8c6217e843f69a38117800b9f26e0c08b with gcc (GCC) 8.1.0
kernel signature: 3d71e815a8ef875148e6e36ddb342a590d1d53e1b6ae33e169b1c290b463d3b7
all runs: OK
# git bisect bad 6059d5a8c6217e843f69a38117800b9f26e0c08b
Bisecting: 43 revisions left to test after this (roughly 6 steps)
[2d5fdf1588074054c4a50213148cbcd35946a1c9] HID: input: Fix devices that return multiple bytes in battery report
testing commit 2d5fdf1588074054c4a50213148cbcd35946a1c9 with gcc (GCC) 8.1.0
kernel signature: e5adfc2918a3414ef17bab877b41f147e9e65627382c7874a9c0aedf00d71612
run #0: crashed: KASAN: use-after-free Write in ex_handler_refcount
run #1: crashed: KASAN: use-after-free Write in ex_handler_refcount
run #2: crashed: KASAN: use-after-free Read in l2cap_chan_close
run #3: crashed: KASAN: use-after-free Write in ex_handler_refcount
run #4: crashed: KASAN: use-after-free Write in ex_handler_refcount
run #5: crashed: KASAN: use-after-free Write in ex_handler_refcount
run #6: crashed: KASAN: use-after-free Write in ex_handler_refcount
run #7: crashed: KASAN: use-after-free Read in l2cap_chan_close
run #8: crashed: KASAN: use-after-free Read in l2cap_chan_close
run #9: crashed: KASAN: use-after-free Write in ex_handler_refcount
# git bisect good 2d5fdf1588074054c4a50213148cbcd35946a1c9
Bisecting: 21 revisions left to test after this (roughly 5 steps)
[970673cb2e0aaae710528babd1d2783175f4b884] arm64: dts: hisilicon: hikey: fixes to comply with adi, adv7533 DT binding
testing commit 970673cb2e0aaae710528babd1d2783175f4b884 with gcc (GCC) 8.1.0
kernel signature: e21527f769896a5bc0acb3f969585f97ee9c4c28b538b7f1bffd5cce3d3d97ab
all runs: OK
# git bisect bad 970673cb2e0aaae710528babd1d2783175f4b884
Bisecting: 10 revisions left to test after this (roughly 4 steps)
[1593a21976f59d832618517b64fe68bdb65eedb6] platform/x86: intel-hid: Fix return value check in check_acpi_dev()
testing commit 1593a21976f59d832618517b64fe68bdb65eedb6 with gcc (GCC) 8.1.0
kernel signature: 10467e1942b3dc963a0c8f8065e99eee52ec3fe35783148f119080e786f1b66d
run #0: crashed: KASAN: use-after-free Write in ex_handler_refcount
run #1: crashed: KASAN: use-after-free Read in l2cap_chan_close
run #2: crashed: KASAN: use-after-free Read in l2cap_chan_close
run #3: crashed: KASAN: use-after-free Write in ex_handler_refcount
run #4: crashed: KASAN: use-after-free Write in ex_handler_refcount
run #5: crashed: KASAN: use-after-free Read in l2cap_chan_close
run #6: crashed: KASAN: use-after-free Write in ex_handler_refcount
run #7: crashed: KASAN: use-after-free Read in l2cap_chan_close
run #8: crashed: KASAN: use-after-free Read in l2cap_chan_close
run #9: crashed: KASAN: use-after-free Write in ex_handler_refcount
# git bisect good 1593a21976f59d832618517b64fe68bdb65eedb6
Bisecting: 5 revisions left to test after this (roughly 3 steps)
[6fa182ef2356ebc0f331d724bf5b84a0a22bbb9a] drm/tilcdc: fix leak & null ref in panel_connector_get_modes
testing commit 6fa182ef2356ebc0f331d724bf5b84a0a22bbb9a with gcc (GCC) 8.1.0
kernel signature: cff5ee1c436ba45dd73efc0a13914450b7ce608a8889d4cba46555c2bc505a23
run #0: crashed: KASAN: use-after-free Read in l2cap_chan_close
run #1: crashed: KASAN: use-after-free Read in l2cap_chan_close
run #2: crashed: KASAN: use-after-free Write in ex_handler_refcount
run #3: crashed: KASAN: use-after-free Write in ex_handler_refcount
run #4: crashed: KASAN: use-after-free Read in l2cap_chan_close
run #5: crashed: KASAN: use-after-free Write in ex_handler_refcount
run #6: crashed: KASAN: use-after-free Write in ex_handler_refcount
run #7: crashed: KASAN: use-after-free Read in l2cap_chan_close
run #8: crashed: KASAN: use-after-free Write in ex_handler_refcount
run #9: crashed: KASAN: use-after-free Write in ex_handler_refcount
# git bisect good 6fa182ef2356ebc0f331d724bf5b84a0a22bbb9a
Bisecting: 2 revisions left to test after this (roughly 2 steps)
[dec0847921c5c9b1ad8fe9bd3fa4ef93f95860e2] drm/radeon: Fix reference count leaks caused by pm_runtime_get_sync
testing commit dec0847921c5c9b1ad8fe9bd3fa4ef93f95860e2 with gcc (GCC) 8.1.0
kernel signature: 0728ebffd1a5af29dd2cfb0df02b2275762c0a0449808e5054b04e0ce2b55668
all runs: OK
# git bisect bad dec0847921c5c9b1ad8fe9bd3fa4ef93f95860e2
Bisecting: 0 revisions left to test after this (roughly 1 step)
[ad372ce97bf08929af5b174d0329450de0021c32] fs/btrfs: Add cond_resched() for try_release_extent_mapping() stalls
testing commit ad372ce97bf08929af5b174d0329450de0021c32 with gcc (GCC) 8.1.0
kernel signature: 866f7ff8ca93cda04b68769181d8991414554a1c6709093473385ac1c73b0e4e
all runs: OK
# git bisect bad ad372ce97bf08929af5b174d0329450de0021c32
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[af7122cfbaeef4a854a242b43fa2fa5bb9e4eac9] Bluetooth: add a mutex lock to avoid UAF in do_enale_set
testing commit af7122cfbaeef4a854a242b43fa2fa5bb9e4eac9 with gcc (GCC) 8.1.0
kernel signature: 9ee0d2661697f74d35121323b966c7c4f8623875bf33a8b45b1c4891c7e9f16b
all runs: OK
# git bisect bad af7122cfbaeef4a854a242b43fa2fa5bb9e4eac9
af7122cfbaeef4a854a242b43fa2fa5bb9e4eac9 is the first bad commit
commit af7122cfbaeef4a854a242b43fa2fa5bb9e4eac9
Author: Lihong Kou
Date:   Tue Jun 23 20:28:41 2020 +0800

    Bluetooth: add a mutex lock to avoid UAF in do_enale_set

    [ Upstream commit f9c70bdc279b191da8d60777c627702c06e4a37d ]

    In the case we set or free the global value listen_chan in different
    threads, we can encounter the UAF problems because the method is not
    protected by any lock, add one to avoid this bug.

    BUG: KASAN: use-after-free in l2cap_chan_close+0x48/0x990 net/bluetooth/l2cap_core.c:730
    Read of size 8 at addr ffff888096950000 by task kworker/1:102/2868

    CPU: 1 PID: 2868 Comm: kworker/1:102 Not tainted 5.5.0-syzkaller #0
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
    Workqueue: events do_enable_set
    Call Trace:
     __dump_stack lib/dump_stack.c:77 [inline]
     dump_stack+0x1fb/0x318 lib/dump_stack.c:118
     print_address_description+0x74/0x5c0 mm/kasan/report.c:374
     __kasan_report+0x149/0x1c0 mm/kasan/report.c:506
     kasan_report+0x26/0x50 mm/kasan/common.c:641
     __asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:135
     l2cap_chan_close+0x48/0x990 net/bluetooth/l2cap_core.c:730
     do_enable_set+0x660/0x900 net/bluetooth/6lowpan.c:1074
     process_one_work+0x7f5/0x10f0 kernel/workqueue.c:2264
     worker_thread+0xbbc/0x1630 kernel/workqueue.c:2410
     kthread+0x332/0x350 kernel/kthread.c:255
     ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352

    Allocated by task 2870:
     save_stack mm/kasan/common.c:72 [inline]
     set_track mm/kasan/common.c:80 [inline]
     __kasan_kmalloc+0x118/0x1c0 mm/kasan/common.c:515
     kasan_kmalloc+0x9/0x10 mm/kasan/common.c:529
     kmem_cache_alloc_trace+0x221/0x2f0 mm/slab.c:3551
     kmalloc include/linux/slab.h:555 [inline]
     kzalloc include/linux/slab.h:669 [inline]
     l2cap_chan_create+0x50/0x320 net/bluetooth/l2cap_core.c:446
     chan_create net/bluetooth/6lowpan.c:640 [inline]
     bt_6lowpan_listen net/bluetooth/6lowpan.c:959 [inline]
     do_enable_set+0x6a4/0x900 net/bluetooth/6lowpan.c:1078
     process_one_work+0x7f5/0x10f0 kernel/workqueue.c:2264
     worker_thread+0xbbc/0x1630 kernel/workqueue.c:2410
     kthread+0x332/0x350 kernel/kthread.c:255
     ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352

    Freed by task 2870:
     save_stack mm/kasan/common.c:72 [inline]
     set_track mm/kasan/common.c:80 [inline]
     kasan_set_free_info mm/kasan/common.c:337 [inline]
     __kasan_slab_free+0x12e/0x1e0 mm/kasan/common.c:476
     kasan_slab_free+0xe/0x10 mm/kasan/common.c:485
     __cache_free mm/slab.c:3426 [inline]
     kfree+0x10d/0x220 mm/slab.c:3757
     l2cap_chan_destroy net/bluetooth/l2cap_core.c:484 [inline]
     kref_put include/linux/kref.h:65 [inline]
     l2cap_chan_put+0x170/0x190 net/bluetooth/l2cap_core.c:498
     do_enable_set+0x66c/0x900 net/bluetooth/6lowpan.c:1075
     process_one_work+0x7f5/0x10f0 kernel/workqueue.c:2264
     worker_thread+0xbbc/0x1630 kernel/workqueue.c:2410
     kthread+0x332/0x350 kernel/kthread.c:255
     ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352

    The buggy address belongs to the object at ffff888096950000
     which belongs to the cache kmalloc-2k of size 2048
    The buggy address is located 0 bytes inside of
     2048-byte region [ffff888096950000, ffff888096950800)
    The buggy address belongs to the page:
    page:ffffea00025a5400 refcount:1 mapcount:0 mapping:ffff8880aa400e00 index:0x0
    flags: 0xfffe0000000200(slab)
    raw: 00fffe0000000200 ffffea00027d1548 ffffea0002397808 ffff8880aa400e00
    raw: 0000000000000000 ffff888096950000 0000000100000001 0000000000000000
    page dumped because: kasan: bad access detected

    Memory state around the buggy address:
     ffff88809694ff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
     ffff88809694ff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    >ffff888096950000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                       ^
     ffff888096950080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
     ffff888096950100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
    ==================================================================

    Reported-by: syzbot+96414aa0033c363d8458@syzkaller.appspotmail.com
    Signed-off-by: Lihong Kou
    Signed-off-by: Marcel Holtmann
    Signed-off-by: Sasha Levin

 net/bluetooth/6lowpan.c | 5 +++++
 1 file changed, 5 insertions(+)

culprit signature: 9ee0d2661697f74d35121323b966c7c4f8623875bf33a8b45b1c4891c7e9f16b
parent signature: cff5ee1c436ba45dd73efc0a13914450b7ce608a8889d4cba46555c2bc505a23
revisions tested: 12, total time: 3h33m57.353558692s (build: 1h46m34.989655926s, test: 1h45m51.174049876s)
first good commit: af7122cfbaeef4a854a242b43fa2fa5bb9e4eac9 Bluetooth: add a mutex lock to avoid UAF in do_enale_set
recipients (to): ["koulihong@huawei.com" "marcel@holtmann.org" "sashal@kernel.org"]
recipients (cc): []