bisecting fixing commit since 811218eceeaa7618652e1b8d11caeff67ab42072
building syzkaller on a52ee10ae11c1342cfca60cf3957619bcf92bd1a
testing commit 811218eceeaa7618652e1b8d11caeff67ab42072
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: 452a30936639f7eb4c4b131127fe363ad8834aef425d46f108985b9be9603f67
run #0: crashed: general protection fault in __queue_work
run #1: crashed: KASAN: use-after-free Read in __queue_work
run #2: crashed: general protection fault in __queue_work
run #3: crashed: KASAN: use-after-free Read in __queue_work
run #4: crashed: WARNING: ODEBUG bug in bt_host_release
run #5: crashed: WARNING: ODEBUG bug in bt_host_release
run #6: crashed: KASAN: use-after-free Read in __queue_work
run #7: OK
run #8: OK
run #9: OK
run #10: OK
run #11: OK
run #12: OK
run #13: OK
run #14: OK
run #15: OK
run #16: OK
run #17: OK
run #18: OK
run #19: OK
reproducer seems to be flaky
testing current HEAD b172b44fcb1771e083aad806fa96f3f60e2ddfac
testing commit b172b44fcb1771e083aad806fa96f3f60e2ddfac
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: 21aa26f618e9e59649722c2051d74cafafbb484f11d2298715b2a4d8f59d1811
all runs: OK
# git bisect start b172b44fcb1771e083aad806fa96f3f60e2ddfac 811218eceeaa7618652e1b8d11caeff67ab42072
Bisecting: 1322 revisions left to test after this (roughly 10 steps)
[cb82148370e16bb33dabdac1771ce018e05e88d7] wl3501_cs: Fix out-of-bounds warnings in wl3501_mgmt_join
testing commit cb82148370e16bb33dabdac1771ce018e05e88d7
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: b4ab7504e3d707f50725678b940d09442c8bb7eeddcf851b5e8ae13b5cb624bf
all runs: basic kernel testing failed: unregister_netdevice: waiting for DEV to become free
# git bisect skip cb82148370e16bb33dabdac1771ce018e05e88d7
Bisecting: 1321 revisions left to test after this (roughly 10 steps)
[2708da3dbba9e05f7eb57bb79638194d08d3eb38] powerpc/iommu: Annotate nested lock for lockdep
testing commit 2708da3dbba9e05f7eb57bb79638194d08d3eb38
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: dd178d35c7dd64f9a2688ebb622e7c5ffcac751b09829443856923cc81a33a2f
all runs: basic kernel testing failed: unregister_netdevice: waiting for DEV to become free
# git bisect skip 2708da3dbba9e05f7eb57bb79638194d08d3eb38
Bisecting: 1321 revisions left to test after this (roughly 10 steps)
[01aef04e4861a99a956418bf1d8cfef94ce18243] ARM: 9066/1: ftrace: pause/unpause function graph tracer in cpu_suspend()
testing commit 01aef04e4861a99a956418bf1d8cfef94ce18243
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: edd41e8353c1941e5afd3f5062ac5c0949dc32b56cef8ef12ae32b15d9bf1ff8
all runs: basic kernel testing failed: unregister_netdevice: waiting for DEV to become free
# git bisect skip 01aef04e4861a99a956418bf1d8cfef94ce18243
Bisecting: 1321 revisions left to test after this (roughly 10 steps)
[5d9873e46c6d5a3c358341e40c373b79677f14e2] nvme-rdma: fix possible hang when failing to set io queues
testing commit 5d9873e46c6d5a3c358341e40c373b79677f14e2
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: 8dc6d3015288f90a896300fa87ee151e46eaa99693a028ead1011d9a2453c348
run #0: crashed: general protection fault in __queue_work
run #1: crashed: WARNING: ODEBUG bug in bt_host_release
run #2: crashed: WARNING: ODEBUG bug in bt_host_release
run #3: crashed: general protection fault in __queue_work
run #4: crashed: general protection fault in __queue_work
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
run #10: OK
run #11: OK
run #12: OK
run #13: OK
run #14: OK
run #15: OK
run #16: OK
run #17: OK
run #18: OK
run #19: OK
# git bisect good 5d9873e46c6d5a3c358341e40c373b79677f14e2
Bisecting: 990 revisions left to test after this (roughly 10 steps)
[50316635e644a0b9e62d3263fb4e8be2104605b6] wq: handle VM suspension in stall detection
testing commit 50316635e644a0b9e62d3263fb4e8be2104605b6
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: 6d4d57df810bee5a8a8c583e724a2ac943b09a1b58b1dac92fd4ef190210b845
all runs: crashed: BUG: sleeping function called from invalid context in lock_sock_nested
# git bisect good 50316635e644a0b9e62d3263fb4e8be2104605b6
Bisecting: 495 revisions left to test after this (roughly 9 steps)
[24493605bd1c9e56cb0229c8e006e3add2f0b706] clocksource/arm_arch_timer: Improve Allwinner A64 timer workaround
testing commit 24493605bd1c9e56cb0229c8e006e3add2f0b706
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: cf3351b262fd4802f4873303e769406e586b22bcdbd9889295f7bfe1fa24743a
all runs: crashed: BUG: sleeping function called from invalid context in lock_sock_nested
# git bisect good 24493605bd1c9e56cb0229c8e006e3add2f0b706
Bisecting: 247 revisions left to test after this (roughly 8 steps)
[0365fcac3aa14b54d535a9dbf073eebaaa8e0287] iio: dac: ds4422/ds4424 drop of_node check
testing commit 0365fcac3aa14b54d535a9dbf073eebaaa8e0287
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: 5b8f2b0fbf35d47f68de822174a7b6d95a90ad8b4f4cc2dbfa950bfa70f2fe3e
all runs: crashed: BUG: sleeping function called from invalid context in lock_sock_nested
# git bisect good 0365fcac3aa14b54d535a9dbf073eebaaa8e0287
Bisecting: 123 revisions left to test after this (roughly 7 steps)
[c15b387769446c37a892f958b169744dabf7ff23] bpf, selftests: Adjust few selftest outcomes wrt unreachable code
testing commit c15b387769446c37a892f958b169744dabf7ff23
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: d1de7a14a0d83e3acca5d6eb88fb6296ef148253805896d4cfc140bb0fdc56c1
all runs: OK
# git bisect bad c15b387769446c37a892f958b169744dabf7ff23
Bisecting: 61 revisions left to test after this (roughly 6 steps)
[93175d935d76f4a7220fe9111ba452bb5c512fa4] padata: add separate cpuhp node for CPUHP_PADATA_DEAD
testing commit 93175d935d76f4a7220fe9111ba452bb5c512fa4
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: 33368889c9863c4af1ce122a1a17750e12c6d30f9d0c06f068542edef8634ace
all runs: crashed: BUG: sleeping function called from invalid context in lock_sock_nested
# git bisect good 93175d935d76f4a7220fe9111ba452bb5c512fa4
Bisecting: 30 revisions left to test after this (roughly 5 steps)
[1071804cc89e984e0d2c966e890fd37f77a8e951] usb: gadget: f_hid: fixed NULL pointer dereference
testing commit 1071804cc89e984e0d2c966e890fd37f77a8e951
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: 64329646252ef99231c0cf388f609c359611c9277192e607998d5a9ef2d59d09
all runs: OK
# git bisect bad 1071804cc89e984e0d2c966e890fd37f77a8e951
Bisecting: 15 revisions left to test after this (roughly 4 steps)
[08882fba72a9be9446d744c60d6d418f547a0c96] net: ipv6: fix returned variable type in ip6_skb_dst_mtu
testing commit 08882fba72a9be9446d744c60d6d418f547a0c96
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: 36567a75c8a30dbf96109c279033d49f14b056518b064779bed656e260ca5b3c
all runs: crashed: BUG: sleeping function called from invalid context in lock_sock_nested
# git bisect good 08882fba72a9be9446d744c60d6d418f547a0c96
Bisecting: 7 revisions left to test after this (roughly 3 steps)
[08433a2b5b0d3975feac4c6b50b02e8c47b74948] USB: usbtmc: Fix RCU stall warning
testing commit 08433a2b5b0d3975feac4c6b50b02e8c47b74948
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: a0fed10eca464c07ef1c036ce97f6046b68fb98faa6fc18496652205ea89c5bc
all runs: OK
# git bisect bad 08433a2b5b0d3975feac4c6b50b02e8c47b74948
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[bfee67c40873f47b2b4c4c7ea56cc9170e18daad] net: fec: fix use-after-free in fec_drv_remove
testing commit bfee67c40873f47b2b4c4c7ea56cc9170e18daad
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: aa19a775bffcb016347e9e460b0b60bccdab90a5af1c3385fc27c9047bfec57a
all runs: crashed: BUG: sleeping function called from invalid context in lock_sock_nested
# git bisect good bfee67c40873f47b2b4c4c7ea56cc9170e18daad
Bisecting: 1 revision left to test after this (roughly 1 step)
[76ab02d9b861da0785176f0228340f22023902fa] blk-iolatency: error out if blk_get_queue() failed in iolatency_set_limit()
testing commit 76ab02d9b861da0785176f0228340f22023902fa
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: 8fd7ff97aa7f07b9263a156ed9d3af552f7e293a8d3b8c16c92e5370e7e6d2b2
all runs: crashed: BUG: sleeping function called from invalid context in lock_sock_nested
# git bisect good 76ab02d9b861da0785176f0228340f22023902fa
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[3719acc161d5c1ce09912cc1c9eddc2c5faa3c66] Bluetooth: defer cleanup of resources in hci_unregister_dev()
testing commit 3719acc161d5c1ce09912cc1c9eddc2c5faa3c66
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: 4d8fdbc893a9c00119ea5e5ce8b620e5289f16d53c5f89045a01f8fcc679e7e2
all runs: OK
# git bisect bad 3719acc161d5c1ce09912cc1c9eddc2c5faa3c66
3719acc161d5c1ce09912cc1c9eddc2c5faa3c66 is the first bad commit
commit 3719acc161d5c1ce09912cc1c9eddc2c5faa3c66
Author: Tetsuo Handa
Date:   Wed Aug 4 19:26:56 2021 +0900

    Bluetooth: defer cleanup of resources in hci_unregister_dev()

    [ Upstream commit e04480920d1eec9c061841399aa6f35b6f987d8b ]

    syzbot is hitting might_sleep() warning at hci_sock_dev_event() due to
    calling lock_sock() with rw spinlock held [1].

    It seems that history of this locking problem is a trial and error.

    Commit b40df5743ee8 ("[PATCH] bluetooth: fix socket locking in
    hci_sock_dev_event()") in 2.6.21-rc4 changed bh_lock_sock() to lock_sock()
    as an attempt to fix lockdep warning.

    Then, commit 4ce61d1c7a8e ("[BLUETOOTH]: Fix locking in
    hci_sock_dev_event().") in 2.6.22-rc2 changed lock_sock() to
    local_bh_disable() + bh_lock_sock_nested() as an attempt to fix the sleep
    in atomic context warning.

    Then, commit 4b5dd696f81b ("Bluetooth: Remove local_bh_disable() from
    hci_sock.c") in 3.3-rc1 removed local_bh_disable().

    Then, commit e305509e678b ("Bluetooth: use correct lock to prevent UAF of
    hdev object") in 5.13-rc5 again changed bh_lock_sock_nested() to
    lock_sock() as an attempt to fix CVE-2021-3573.

    This difficulty comes from current implementation that
    hci_sock_dev_event(HCI_DEV_UNREG) is responsible for dropping all
    references from sockets because hci_unregister_dev() immediately reclaims
    resources as soon as returning from hci_sock_dev_event(HCI_DEV_UNREG).

    But the history suggests that hci_sock_dev_event(HCI_DEV_UNREG) was not
    doing what it should do.

    Therefore, instead of trying to detach sockets from device, let's accept
    not detaching sockets from device at hci_sock_dev_event(HCI_DEV_UNREG),
    by moving actual cleanup of resources from hci_unregister_dev() to
    hci_cleanup_dev() which is called by bt_host_release() when all references
    to this unregistered device (which is a kobject) are gone.

    Since hci_sock_dev_event(HCI_DEV_UNREG) no longer resets
    hci_pi(sk)->hdev, we need to check whether this device was unregistered
    and return an error based on HCI_UNREGISTER flag. There might be subtle
    behavioral difference in "monitor the hdev" functionality; please report
    if you found something went wrong due to this patch.

    Link: https://syzkaller.appspot.com/bug?extid=a5df189917e79d5e59c9 [1]
    Reported-by: syzbot
    Suggested-by: Linus Torvalds
    Signed-off-by: Tetsuo Handa
    Fixes: e305509e678b ("Bluetooth: use correct lock to prevent UAF of hdev object")
    Acked-by: Luiz Augusto von Dentz
    Signed-off-by: Linus Torvalds
    Signed-off-by: Sasha Levin

 include/net/bluetooth/hci_core.h |  1 +
 net/bluetooth/hci_core.c         | 16 ++++++-------
 net/bluetooth/hci_sock.c         | 49 +++++++++++++++++++++++++++-------------
 net/bluetooth/hci_sysfs.c        |  3 +++
 4 files changed, 45 insertions(+), 24 deletions(-)

culprit signature: 4d8fdbc893a9c00119ea5e5ce8b620e5289f16d53c5f89045a01f8fcc679e7e2
parent signature: 8fd7ff97aa7f07b9263a156ed9d3af552f7e293a8d3b8c16c92e5370e7e6d2b2
Reproducer flagged being flaky
revisions tested: 17, total time: 4h44m51.962016543s (build: 2h56m2.121326917s, test: 1h47m15.829545701s)
first good commit: 3719acc161d5c1ce09912cc1c9eddc2c5faa3c66 Bluetooth: defer cleanup of resources in hci_unregister_dev()
recipients (to): ["luiz.von.dentz@intel.com" "penguin-kernel@i-love.sakura.ne.jp" "sashal@kernel.org" "torvalds@linux-foundation.org"]
recipients (cc): []