bisecting fixing commit since d18b78abc0c6e7d3119367c931c583e02d466495
building syzkaller on 6436ce4bcd8e2c7dcca0b171ac91f51e96d973f8
testing commit d18b78abc0c6e7d3119367c931c583e02d466495 with gcc (GCC) 8.4.1 20210217
kernel signature: 10d9cba71152f82fc4972e3cb2f7918f201c0a80859da6d4080ede5f95b8e732
run #0: crashed: WARNING: ODEBUG bug in bt_host_release
run #1: crashed: KASAN: use-after-free Read in __queue_work
run #2: crashed: KASAN: use-after-free Read in __queue_work
run #3: crashed: KASAN: use-after-free Read in __queue_work
run #4: crashed: WARNING: ODEBUG bug in bt_host_release
run #5: crashed: WARNING: ODEBUG bug in bt_host_release
run #6: crashed: WARNING: ODEBUG bug in bt_host_release
run #7: crashed: general protection fault in __queue_work
run #8: crashed: WARNING: ODEBUG bug in bt_host_release
run #9: OK
run #10: OK
run #11: OK
run #12: OK
run #13: OK
run #14: OK
run #15: OK
run #16: OK
run #17: OK
run #18: OK
run #19: OK
reproducer seems to be flaky
testing current HEAD 6b7b0056defc6eb5c87bbe4690ccda547b2891aa
testing commit 6b7b0056defc6eb5c87bbe4690ccda547b2891aa with gcc (GCC) 8.4.1 20210217
kernel signature: 4791ecb4b95cbdab4811a200de685ce5fdbfe79c5577182f57d74e22a8630e09
all runs: OK
# git bisect start 6b7b0056defc6eb5c87bbe4690ccda547b2891aa d18b78abc0c6e7d3119367c931c583e02d466495
Bisecting: 1905 revisions left to test after this (roughly 11 steps)
[7524b26f2c580127ad3f795b5084b63b07b10cd8] x86/kprobes: Restore BTF if the single-stepping is cancelled
testing commit 7524b26f2c580127ad3f795b5084b63b07b10cd8 with gcc (GCC) 8.4.1 20210217
kernel signature: 76594646e5e9b6428582dc3b6bb20e30f57dda4d0c112f97affd158b7ca8a26f
run #0: crashed: general protection fault in __queue_work
run #1: crashed: general protection fault in __queue_work
run #2: crashed: WARNING: ODEBUG bug in bt_host_release
run #3: crashed: general protection fault in __queue_work
run #4: crashed: KASAN: use-after-free Read in __queue_work
run #5: crashed: KASAN: use-after-free Read in __queue_work
run #6: crashed: general protection fault in __queue_work
run #7: crashed: general protection fault in __queue_work
run #8: crashed: WARNING: ODEBUG bug in bt_host_release
run #9: OK
run #10: OK
run #11: OK
run #12: OK
run #13: OK
run #14: OK
run #15: OK
run #16: OK
run #17: OK
run #18: OK
run #19: OK
# git bisect good 7524b26f2c580127ad3f795b5084b63b07b10cd8
Bisecting: 952 revisions left to test after this (roughly 10 steps)
[030194a5b292bb7613407668d85af0b987bb9839] Linux 4.19.180
testing commit 030194a5b292bb7613407668d85af0b987bb9839 with gcc (GCC) 8.4.1 20210217
kernel signature: e90e1d184fc73f7707f3eda392d4b719d042142f3907f098e76b9699a5ec2982
run #0: crashed: KASAN: use-after-free Read in __queue_work
run #1: crashed: general protection fault in __queue_work
run #2: crashed: general protection fault in __queue_work
run #3: crashed: WARNING: ODEBUG bug in bt_host_release
run #4: crashed: WARNING: ODEBUG bug in bt_host_release
run #5: crashed: general protection fault in __queue_work
run #6: crashed: KASAN: use-after-free Read in __queue_work
run #7: crashed: WARNING: ODEBUG bug in bt_host_release
run #8: OK
run #9: OK
run #10: OK
run #11: OK
run #12: OK
run #13: OK
run #14: OK
run #15: OK
run #16: OK
run #17: OK
run #18: OK
run #19: OK
# git bisect good 030194a5b292bb7613407668d85af0b987bb9839
Bisecting: 476 revisions left to test after this (roughly 9 steps)
[7642c940f11e4135471c3f1df484cea899060e87] platform/x86: thinkpad_acpi: Correct thermal sensor allocation
testing commit 7642c940f11e4135471c3f1df484cea899060e87 with gcc (GCC) 8.4.1 20210217
kernel signature: d80fea949bedec3cddab5ef21fbee0b9fbd96406385a310f4082afe51b3728df
run #0: crashed: general protection fault in __queue_work
run #1: crashed: general protection fault in __queue_work
run #2: crashed: general protection fault in __queue_work
run #3: crashed: general protection fault in __queue_work
run #4: crashed: general protection fault in __queue_work
run #5: crashed: KASAN: use-after-free Read in __queue_work
run #6: crashed: general protection fault in __queue_work
run #7: OK
run #8: OK
run #9: OK
run #10: OK
run #11: OK
run #12: OK
run #13: OK
run #14: OK
run #15: OK
run #16: OK
run #17: OK
run #18: OK
run #19: OK
# git bisect good 7642c940f11e4135471c3f1df484cea899060e87
Bisecting: 238 revisions left to test after this (roughly 8 steps)
[6af3de26ee2b42ff5104a0a0f048df82e37fbc82] vfio/mdev: Do not allow a mdev_type to have a NULL parent pointer
testing commit 6af3de26ee2b42ff5104a0a0f048df82e37fbc82 with gcc (GCC) 8.4.1 20210217
kernel signature: b2b947f15a8d9aeab8639f9fd1de42c289dc823d09c8f270c49bb3b259aa9b2d
all runs: OK
# git bisect bad 6af3de26ee2b42ff5104a0a0f048df82e37fbc82
Bisecting: 118 revisions left to test after this (roughly 7 steps)
[7cba7ebfd905cae6a50f548477a0e17ccd176ddf] dm space map common: fix division bug in sm_ll_find_free_block()
testing commit 7cba7ebfd905cae6a50f548477a0e17ccd176ddf with gcc (GCC) 8.4.1 20210217
kernel signature: 4487d352d01840c25068cc3c401bf3b89ea0d9ca5d7fd9642c3c51b4b9fd7876
run #0: crashed: general protection fault in __queue_work
run #1: crashed: WARNING: ODEBUG bug in bt_host_release
run #2: crashed: KASAN: use-after-free Read in __queue_work
run #3: crashed: KASAN: use-after-free Read in __queue_work
run #4: crashed: KASAN: use-after-free Read in __queue_work
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
run #10: OK
run #11: OK
run #12: OK
run #13: OK
run #14: OK
run #15: OK
run #16: OK
run #17: OK
run #18: OK
run #19: OK
# git bisect good 7cba7ebfd905cae6a50f548477a0e17ccd176ddf
Bisecting: 59 revisions left to test after this (roughly 6 steps)
[ba10c5d3399e630112a890fc3fbebbab58d81299] mtd: rawnand: qcom: Return actual error code instead of -ENODEV
testing commit ba10c5d3399e630112a890fc3fbebbab58d81299 with gcc (GCC) 8.4.1 20210217
kernel signature: fab1b4913623d45f64b6a29d48e2111ac6d30c783b604dcac59ec0a100a2f9ea
all runs: OK
# git bisect bad ba10c5d3399e630112a890fc3fbebbab58d81299
Bisecting: 29 revisions left to test after this (roughly 5 steps)
[26f11be3769670eec978727befb1755f36378bf0] cfg80211: scan: drop entry from hidden_list on overflow
testing commit 26f11be3769670eec978727befb1755f36378bf0 with gcc (GCC) 8.4.1 20210217
kernel signature: fd2e05b46e5411a233d3a80b8cd8be587498d7b115e8d235c00346646e7b8a8e
all runs: OK
# git bisect bad 26f11be3769670eec978727befb1755f36378bf0
Bisecting: 14 revisions left to test after this (roughly 4 steps)
[4eab768d0767a27a1cb03c93c204e0de7d9f648c] ASoC: samsung: tm2_wm5110: check of of_parse return value
testing commit 4eab768d0767a27a1cb03c93c204e0de7d9f648c with gcc (GCC) 8.4.1 20210217
kernel signature: 07b50784c9d7ccd76de78d265a0408246705b2eae3214312d62d7b12548c9879
all runs: OK
# git bisect bad 4eab768d0767a27a1cb03c93c204e0de7d9f648c
Bisecting: 6 revisions left to test after this (roughly 3 steps)
[04c85f758849657691dde9fce66d18eee7a9ae8f] modules: rename the licence field in struct symsearch to license
testing commit 04c85f758849657691dde9fce66d18eee7a9ae8f with gcc (GCC) 8.4.1 20210217
kernel signature: c06994361da50640e5d4a0b244027b11a826d44b0e48f4e3dd25a2f62599f91f
run #0: crashed: WARNING: ODEBUG bug in bt_host_release
run #1: crashed: KASAN: use-after-free Read in __queue_work
run #2: crashed: WARNING: ODEBUG bug in bt_host_release
run #3: crashed: WARNING: ODEBUG bug in bt_host_release
run #4: crashed: general protection fault in __queue_work
run #5: crashed: WARNING: ODEBUG bug in bt_host_release
run #6: crashed: KASAN: use-after-free Read in __queue_work
run #7: OK
run #8: OK
run #9: OK
run #10: OK
run #11: OK
run #12: OK
run #13: OK
run #14: OK
run #15: OK
run #16: OK
run #17: OK
run #18: OK
run #19: OK
# git bisect good 04c85f758849657691dde9fce66d18eee7a9ae8f
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[75e26178e26f910f7f26c79c2824b726eecf0dfb] Bluetooth: verify AMP hci_chan before amp_destroy
testing commit 75e26178e26f910f7f26c79c2824b726eecf0dfb with gcc (GCC) 8.4.1 20210217
kernel signature: cf4d94c5b51c0a669d682f668d3fdad5ac3332ae998b9bcf99c8740194737be0
run #0: crashed: general protection fault in __queue_work
run #1: crashed: WARNING: ODEBUG bug in bt_host_release
run #2: crashed: general protection fault in __queue_work
run #3: crashed: WARNING: ODEBUG bug in bt_host_release
run #4: crashed: WARNING: ODEBUG bug in bt_host_release
run #5: crashed: general protection fault in __queue_work
run #6: crashed: WARNING: ODEBUG bug in bt_host_release
run #7: crashed: KASAN: use-after-free Read in __queue_work
run #8: OK
run #9: OK
run #10: OK
run #11: OK
run #12: OK
run #13: OK
run #14: crashed: WARNING: ODEBUG bug in bt_host_release
run #15: OK
run #16: OK
run #17: OK
run #18: OK
run #19: OK
# git bisect good 75e26178e26f910f7f26c79c2824b726eecf0dfb
Bisecting: 1 revision left to test after this (roughly 1 step)
[35113c4c9fa7c970ff456982e381dc9e9594154a] bluetooth: eliminate the potential race condition when removing the HCI controller
testing commit 35113c4c9fa7c970ff456982e381dc9e9594154a with gcc (GCC) 8.4.1 20210217
kernel signature: bb94cd2cb7b20226e1afbda223e82c4ce1462f3345458049ba023a7515acc43d
all runs: OK
# git bisect bad 35113c4c9fa7c970ff456982e381dc9e9594154a
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[40fa36443db3ddb570e5e5f27c44d23d680f9d1b] hsr: use netdev_err() instead of WARN_ONCE()
testing commit 40fa36443db3ddb570e5e5f27c44d23d680f9d1b with gcc (GCC) 8.4.1 20210217
kernel signature: 75776cf4a10b4bdf1a3d1317a7d17a90577801f9c336c003dac5c9d601d2a825
run #0: crashed: WARNING: ODEBUG bug in bt_host_release
run #1: crashed: WARNING: ODEBUG bug in bt_host_release
run #2: crashed: general protection fault in __queue_work
run #3: crashed: WARNING: ODEBUG bug in bt_host_release
run #4: crashed: WARNING: ODEBUG bug in bt_host_release
run #5: crashed: KASAN: use-after-free Read in __queue_work
run #6: crashed: general protection fault in __queue_work
run #7: OK
run #8: OK
run #9: OK
run #10: OK
run #11: OK
run #12: OK
run #13: OK
run #14: OK
run #15: OK
run #16: OK
run #17: OK
run #18: OK
run #19: OK
# git bisect good 40fa36443db3ddb570e5e5f27c44d23d680f9d1b
35113c4c9fa7c970ff456982e381dc9e9594154a is the first bad commit
commit 35113c4c9fa7c970ff456982e381dc9e9594154a
Author: Lin Ma
Date:   Mon Apr 12 19:17:57 2021 +0800

    bluetooth: eliminate the potential race condition when removing the HCI controller

    commit e2cb6b891ad2b8caa9131e3be70f45243df82a80 upstream.

    There is a possible race condition vulnerability between issuing a HCI
    command and removing the cont.  Specifically, functions hci_req_sync()
    and hci_dev_do_close() can race each other like below:

    thread-A in hci_req_sync() | thread-B in hci_dev_do_close()
                               | hci_req_sync_lock(hdev);
    test_bit(HCI_UP, &hdev->flags); |
    ...                        | test_and_clear_bit(HCI_UP, &hdev->flags)
    hci_req_sync_lock(hdev);   |
                               |

    In this commit we alter the sequence in function hci_req_sync(). Hence,
    the thread-A cannot issue th.

    Signed-off-by: Lin Ma
    Cc: Marcel Holtmann
    Fixes: 7c6a329e4447 ("[Bluetooth] Fix regression from using default link policy")
    Signed-off-by: Greg Kroah-Hartman

 net/bluetooth/hci_request.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

culprit signature: bb94cd2cb7b20226e1afbda223e82c4ce1462f3345458049ba023a7515acc43d
parent signature: 75776cf4a10b4bdf1a3d1317a7d17a90577801f9c336c003dac5c9d601d2a825
Reproducer flagged being flaky
revisions tested: 14, total time: 4h35m36.883272464s (build: 2h26m17.912627445s, test: 2h7m54.146856034s)
first good commit: 35113c4c9fa7c970ff456982e381dc9e9594154a bluetooth: eliminate the potential race condition when removing the HCI controller
recipients (to): ["davem@davemloft.net" "gregkh@linuxfoundation.org" "johan.hedberg@gmail.com" "linma@zju.edu.cn" "linux-bluetooth@vger.kernel.org" "marcel@holtmann.org" "netdev@vger.kernel.org"]
recipients (cc): ["linux-kernel@vger.kernel.org"]
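The commit message above describes a check-then-lock race: hci_req_sync() tests HCI_UP before taking req_lock, so hci_dev_do_close() can clear the flag in between and the request then runs against a controller that is already torn down (the __queue_work use-after-free and ODEBUG reports in the log are the symptom). The following is an added user-space model of that interleaving, written for this page; it is not code from the kernel, from the commit, or from syzbot. It keeps the kernel's names (hci_dev, HCI_UP, hci_req_sync_lock, hci_dev_do_close) but the struct layout, the `cmds_after_close` counter and the `race` callback are assumptions made to force the exact schedule the commit diagram shows without real threads. The "before" function has the original check-then-lock order; the "after" function has the lock-then-check order the fix introduces.

```c
/* Added example: deterministic model of the hci_req_sync()/hci_dev_do_close()
 * race. Not kernel code; names mirror the kernel, the data layout is assumed. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

#define HCI_UP 4   /* bit number of the "controller is up" flag */

/* Minimal stand-in for struct hci_dev (assumed layout, only what the model needs). */
struct hci_dev {
    unsigned long flags;     /* HCI_UP is set while the controller is up */
    bool req_lock_held;      /* models hdev->req_lock */
    bool close_waiting;      /* a close that found req_lock held, parked until unlock */
    int cmds_after_close;    /* commands that reached an already-closed controller */
};

static bool test_bit(int nr, const unsigned long *addr)
{
    return (*addr >> nr) & 1UL;
}

static bool test_and_clear_bit(int nr, unsigned long *addr)
{
    bool old = test_bit(nr, addr);
    *addr &= ~(1UL << nr);
    return old;
}

/* Body of hci_dev_do_close() that runs under req_lock: clears HCI_UP and
 * tears the controller down. Only the flag change matters here. */
static void do_close_locked(struct hci_dev *hdev)
{
    test_and_clear_bit(HCI_UP, &hdev->flags);
}

static void hci_req_sync_lock(struct hci_dev *hdev)
{
    hdev->req_lock_held = true;
}

/* Unlock wakes a parked close first, as a mutex would wake its waiter, so a
 * close that blocked on req_lock runs before anyone else can take the lock. */
static void hci_req_sync_unlock(struct hci_dev *hdev)
{
    hdev->req_lock_held = false;
    if (hdev->close_waiting) {
        hdev->close_waiting = false;
        hci_req_sync_lock(hdev);
        do_close_locked(hdev);
        hci_req_sync_unlock(hdev);
    }
}

/* Thread-B: hci_dev_do_close() takes req_lock, clears HCI_UP, releases. If the
 * lock is held it would block, which this single-threaded model expresses as
 * parking the close until the holder unlocks. */
static void hci_dev_do_close(struct hci_dev *hdev)
{
    if (hdev->req_lock_held) {
        hdev->close_waiting = true;
        return;
    }
    hci_req_sync_lock(hdev);
    do_close_locked(hdev);
    hci_req_sync_unlock(hdev);
}

static void no_race(struct hci_dev *hdev) { (void)hdev; }

/* Stand-in for __hci_req_sync(): counts every command that reaches a
 * controller whose HCI_UP is already clear (the kernel would touch freed state). */
static int issue_request(struct hci_dev *hdev)
{
    if (!test_bit(HCI_UP, &hdev->flags))
        hdev->cmds_after_close++;
    return 0;
}

/* Before the fix: test HCI_UP, then lock. `race` runs in the window between
 * the two, which is exactly the schedule in the commit's diagram. */
static int hci_req_sync_before(struct hci_dev *hdev, void (*race)(struct hci_dev *))
{
    int ret;
    if (!test_bit(HCI_UP, &hdev->flags))
        return -ENETDOWN;
    race(hdev);
    hci_req_sync_lock(hdev);
    ret = issue_request(hdev);
    hci_req_sync_unlock(hdev);
    return ret;
}

/* After the fix: lock first, then test HCI_UP under the lock. The same
 * injection point now lies inside the critical section, so the close cannot
 * change the flag until this request has completed. */
static int hci_req_sync_after(struct hci_dev *hdev, void (*race)(struct hci_dev *))
{
    int ret;
    hci_req_sync_lock(hdev);
    race(hdev);
    if (test_bit(HCI_UP, &hdev->flags))
        ret = issue_request(hdev);
    else
        ret = -ENETDOWN;
    hci_req_sync_unlock(hdev);
    return ret;
}

struct outcome { int ret; int cmds_after_close; int up_after; };

/* Run one request on a fresh controller. close_first=false injects the close
 * mid-request (the race); close_first=true closes before the request is made. */
static struct outcome run_scenario(int (*req)(struct hci_dev *, void (*)(struct hci_dev *)),
                                   bool close_first)
{
    struct hci_dev hdev = { .flags = 1UL << HCI_UP };
    struct outcome o;
    if (close_first)
        hci_dev_do_close(&hdev);
    o.ret = req(&hdev, close_first ? no_race : hci_dev_do_close);
    o.cmds_after_close = hdev.cmds_after_close;
    o.up_after = test_bit(HCI_UP, &hdev.flags);
    return o;
}

int main(void)
{
    struct outcome b = run_scenario(hci_req_sync_before, false);
    struct outcome a = run_scenario(hci_req_sync_after, false);
    printf("before fix: ret=%d commands issued to closed controller=%d\n", b.ret, b.cmds_after_close);
    printf("after fix:  ret=%d commands issued to closed controller=%d\n", a.ret, a.cmds_after_close);
    return 0;
}
```

With the race injected, the check-then-lock version returns 0 and has issued one command to a controller whose HCI_UP is already clear; the lock-then-check version also returns 0 but the close is held off until the request finishes, so no command ever hits a closed controller, and a close that lands before the request is made yields -ENETDOWN in both orderings. The only difference between the two functions is the position of the test_bit() relative to hci_req_sync_lock(), which is what the 8-insertion, 4-deletion diffstat of the commit reflects.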