bisecting cause commit starting from f8788d86ab28f61f7b46eb6be375f8a726783636
building syzkaller on 59b57593586656c1d5be820aeed0e751087e6ac6
testing commit f8788d86ab28f61f7b46eb6be375f8a726783636 with gcc (GCC) 8.1.0
kernel signature: f9b2e04bd533483b3a03bddb2bef0f620a7951b6f4221abd806a213f5ec4e361
run #0: crashed: WARNING: locking bug in finish_task_switch
run #1: crashed: WARNING: locking bug in finish_task_switch
run #2: crashed: WARNING: locking bug in finish_task_switch
run #3: crashed: KASAN: use-after-free Write in hci_sock_bind
run #4: crashed: WARNING: locking bug in finish_task_switch
run #5: crashed: WARNING: locking bug in finish_task_switch
run #6: crashed: WARNING: locking bug in finish_task_switch
run #7: crashed: BUG: MAX_LOCKDEP_CHAIN_HLOCKS too low!
run #8: crashed: WARNING: locking bug in finish_task_switch
run #9: crashed: BUG: MAX_LOCKDEP_CHAIN_HLOCKS too low!
testing release v5.5
testing commit d5226fa6dbae0569ee43ecfc08bdcd6770fc4755 with gcc (GCC) 8.1.0
kernel signature: f7e44e16fba777543a1dc30e346697a729398da7560fd0a3f6be59a6bf70a69a
run #0: crashed: KASAN: use-after-free Write in hci_sock_bind
run #1: crashed: WARNING: locking bug in finish_task_switch
run #2: crashed: WARNING: locking bug in finish_task_switch
run #3: crashed: WARNING: locking bug in finish_task_switch
run #4: crashed: KASAN: use-after-free Write in hci_sock_bind
run #5: crashed: WARNING: locking bug in finish_task_switch
run #6: crashed: BUG: MAX_LOCKDEP_CHAIN_HLOCKS too low!
run #7: crashed: WARNING: locking bug in finish_task_switch
run #8: crashed: BUG: MAX_LOCKDEP_CHAIN_HLOCKS too low!
run #9: crashed: BUG: MAX_LOCKDEP_CHAIN_HLOCKS too low!
testing release v5.4
testing commit 219d54332a09e8d8741c1e1982f5eae56099de85 with gcc (GCC) 8.1.0
kernel signature: ea1de30d38030668ba678462106cf2087adcf861882813f7ee6a33415c464102
run #0: crashed: KASAN: use-after-free Write in hci_sock_bind
run #1: crashed: KASAN: use-after-free Write in hci_sock_bind
run #2: crashed: WARNING: locking bug in finish_task_switch
run #3: crashed: WARNING: locking bug in finish_task_switch
run #4: crashed: KASAN: use-after-free Write in hci_sock_bind
run #5: crashed: WARNING: locking bug in finish_task_switch
run #6: crashed: WARNING: locking bug in finish_task_switch
run #7: crashed: WARNING: locking bug in finish_task_switch
run #8: crashed: WARNING: locking bug in finish_task_switch
run #9: crashed: BUG: MAX_LOCKDEP_CHAIN_HLOCKS too low!
testing release v5.3
testing commit 4d856f72c10ecb060868ed10ff1b1453943fc6c8 with gcc (GCC) 8.1.0
kernel signature: 07e3636f6ad097c83dbc8cf2e40bc48bed55dfa50c13ca70c03dd8d5a05cab5f
all runs: crashed: KASAN: use-after-free Write in hci_sock_bind
testing release v5.2
testing commit 0ecfebd2b52404ae0c54a878c872bb93363ada36 with gcc (GCC) 8.1.0
kernel signature: 31b0b071f3e06d0c842576ed600736af8f5dc020af0147b38514b204cce1ffa1
run #0: crashed: general protection fault in kernfs_add_one
run #1: crashed: WARNING in kernfs_get
run #2: crashed: WARNING in kernfs_get
run #3: crashed: WARNING in kernfs_get
run #4: crashed: WARNING in kernfs_get
run #5: crashed: general protection fault in kernfs_add_one
run #6: crashed: WARNING in kernfs_get
run #7: crashed: general protection fault in kernfs_add_one
run #8: crashed: WARNING: locking bug in finish_task_switch
run #9: crashed: WARNING in kernfs_get
testing release v5.1
testing commit e93c9c99a629c61837d5a7fc2120cd2b6c70dbdd with gcc (GCC) 8.1.0
kernel signature: 0424eed91cc0a2216e3dcf05140c9670c5351038ff00f128d6242d47bd20ee6e
run #0: crashed: WARNING in kernfs_get
run #1: crashed: KASAN: use-after-free Write in hci_sock_bind
run #2: crashed: WARNING in kernfs_get
run #3: crashed: WARNING in kernfs_get
run #4: crashed: WARNING in kernfs_get
run #5: crashed: WARNING: locking bug in finish_task_switch
run #6: crashed: WARNING in kernfs_get
run #7: crashed: KASAN: use-after-free Write in hci_sock_bind
run #8: crashed: WARNING: locking bug in finish_task_switch
run #9: crashed: WARNING: locking bug in finish_task_switch
testing release v5.0
testing commit 1c163f4c7b3f621efff9b28a47abb36f7378d783 with gcc (GCC) 8.1.0
kernel signature: 382e04ec6b47cc02d4285a8f2ffcb202ad7f4e778421d293e6737d8936b709a1
run #0: crashed: KASAN: use-after-free Read in put_device
run #1: crashed: WARNING in kernfs_get
run #2: crashed: KASAN: use-after-free Write in hci_sock_bind
run #3: crashed: WARNING in kernfs_get
run #4: crashed: WARNING in kernfs_get
run #5: crashed: KASAN: use-after-free Read in put_device
run #6: crashed: WARNING in kernfs_get
run #7: crashed: KASAN: use-after-free Write in hci_sock_bind
run #8: crashed: WARNING in kernfs_get
run #9: crashed: WARNING in kernfs_get
testing release v4.20
testing commit 8fe28cb58bcb235034b64cbbb7550a8a43fd88be with gcc (GCC) 8.1.0
kernel signature: 65498dfc57abd7428012c8b2f4036116b625e2a34f3fa320b9ae0e5e9225fabd
run #0: crashed: KASAN: use-after-free Write in hci_sock_bind
run #1: crashed: WARNING in kernfs_get
run #2: crashed: KASAN: use-after-free Write in hci_sock_bind
run #3: crashed: WARNING in kernfs_get
run #4: crashed: KASAN: use-after-free Read in hci_dev_do_close
run #5: crashed: WARNING in kernfs_get
run #6: crashed: WARNING in kernfs_get
run #7: crashed: WARNING in kernfs_get
run #8: crashed: WARNING in kernfs_get
run #9: crashed: WARNING in kernfs_get
testing release v4.19
testing commit 84df9525b0c27f3ebc2ebb1864fa62a97fdedb7d with gcc (GCC) 8.1.0
kernel signature: da6c34313451becc9b1ebae2fb9c64a149b3618b82de2b58ad168a87a8551c82
run #0: crashed: WARNING in rfkill_unregister
run #1: crashed: WARNING in kernfs_get
run #2: crashed: KASAN: use-after-free Write in hci_sock_bind
run #3: crashed: general protection fault in kernfs_add_one
run #4: crashed: KASAN: use-after-free Write in hci_sock_bind
run #5: crashed: KASAN: use-after-free Read in put_device
run #6: crashed: general protection fault in kernfs_add_one
run #7: crashed: WARNING in kernfs_get
run #8: crashed: WARNING in hci_unregister_dev
run #9: crashed: KASAN: use-after-free Read in put_device
testing release v4.18
testing commit 94710cac0ef4ee177a63b5227664b38c95bbf703 with gcc (GCC) 8.1.0
kernel signature: 7054fe47bcb463db6b204b3e0fd94e3fb18f3debdde5966d8e52c597c68b11f6
run #0: crashed: KASAN: use-after-free Read in put_device
run #1: crashed: KASAN: use-after-free Write in hci_sock_bind
run #2: crashed: KASAN: use-after-free Write in hci_sock_bind
run #3: crashed: KASAN: use-after-free Read in put_device
run #4: crashed: KASAN: use-after-free Read in put_device
run #5: crashed: KASAN: use-after-free Write in hci_sock_bind
run #6: crashed: KASAN: use-after-free Read in hci_dev_do_close
run #7: crashed: KASAN: use-after-free Read in put_device
run #8: crashed: KASAN: use-after-free Read in put_device
run #9: crashed: KASAN: use-after-free Read in put_device
testing release v4.17
testing commit 29dcea88779c856c7dc92040a0c01233263101d4 with gcc (GCC) 8.1.0
kernel signature: b2e4116d0159620e7e3d27d0e03718cefc553e48688282eb5077c8189e2e57c9
run #0: crashed: KASAN: use-after-free Read in hci_dev_do_close
run #1: crashed: KASAN: use-after-free Write in hci_sock_bind
run #2: crashed: KASAN: use-after-free Write in hci_sock_bind
run #3: crashed: KASAN: use-after-free Write in hci_sock_bind
run #4: crashed: KASAN: use-after-free Read in put_device
run #5: crashed: KASAN: use-after-free Write in hci_sock_bind
run #6: crashed: KASAN: use-after-free Write in hci_sock_bind
run #7: crashed: KASAN: use-after-free Write in hci_sock_bind
run #8: crashed: KASAN: use-after-free Read in put_device
run #9: crashed: KASAN: use-after-free Write in hci_sock_bind
testing release v4.16
testing commit 0adb32858b0bddf4ada5f364a84ed60b196dbcda with gcc (GCC) 8.1.0
kernel signature: 54e9df1d6fd4c38bd87cc2d0936e86849cce2c4a1c16a772f43c43512bb5bc04
all runs: crashed: KASAN: use-after-free Read in put_device
testing release v4.15
testing commit d8a5b80568a9cb66810e75b182018e9edb68e8ff with gcc (GCC) 8.1.0
kernel signature: 29c988d8f8d145aa40a2a8726e5629296e6f77f0c92b59954bd9e79e9df7e1fe
run #0: crashed: KASAN: use-after-free Read in put_device
run #1: crashed: KASAN: use-after-free Read in hci_dev_do_close
run #2: crashed: KASAN: use-after-free Read in put_device
run #3: crashed: KASAN: use-after-free Read in hci_dev_do_close
run #4: crashed: KASAN: use-after-free Read in put_device
run #5: crashed: KASAN: use-after-free Read in put_device
run #6: crashed: KASAN: use-after-free Read in put_device
run #7: crashed: KASAN: use-after-free Read in put_device
run #8: crashed: KASAN: use-after-free Read in put_device
run #9: crashed: KASAN: use-after-free Read in put_device
testing release v4.14
testing commit bebc6082da0a9f5d47a1ea2edc099bf671058bd4 with gcc (GCC) 8.1.0
kernel signature: 33579a7e90f2a7da5f277987579f73609980a7a61cfd2bcfe4e645b859326022
all runs: crashed: KASAN: use-after-free Read in put_device
testing release v4.13
testing commit 569dbb88e80deb68974ef6fdd6a13edb9d686261 with gcc (GCC) 8.1.0
kernel signature: 2314914c9b3615ed05ec5de046a117faec5aac304559fb5d0fa1a1fd834da33e
all runs: crashed: KASAN: use-after-free Read in put_device
testing release v4.12
testing commit 6f7da290413ba713f0cdd9ff1a2a9bb129ef4f6c with gcc (GCC) 8.1.0
kernel signature: b50a84a81cb0f35156dae5f054d4ed6590f5af9c2bddd845fbe09fdff6b1b160
all runs: crashed: BUG: sleeping function called from invalid context in tap_get_minor
testing release v4.11
testing commit a351e9b9fc24e982ec2f0e76379a49826036da12 with gcc (GCC) 7.3.0
kernel signature: b8479714fc243d1e1b96396b36642133f993d71fdd4317deefcedce48733f274
all runs: crashed: BUG: sleeping function called from invalid context in tap_get_minor
testing release v4.10
testing commit c470abd4fde40ea6a0846a2beab642a578c0b8cd with gcc (GCC) 5.5.0
kernel signature: e6d3f7efaf84d60cc85f5c5c9567fc98a33a533bbc6acc9a63452316b2801078
all runs: crashed: KASAN: use-after-free Read in put_device
testing release v4.9
testing commit 69973b830859bc6529a7a0468ba0d80ee5117826 with gcc (GCC) 5.5.0
kernel signature: 9978e2b46cb1c1645ccbb60bd28c2fdc469faecbb9e73d89a873ec2f756c5597
all runs: OK
# git bisect start c470abd4fde40ea6a0846a2beab642a578c0b8cd 69973b830859bc6529a7a0468ba0d80ee5117826
Bisecting: 7099 revisions left to test after this (roughly 13 steps)
[f4000cd99750065d5177555c0a805c97174d1b9f] Merge tag 'arm64-upstream' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux
testing commit f4000cd99750065d5177555c0a805c97174d1b9f with gcc (GCC) 5.5.0
kernel signature: f3b11a8f08d9256e2275a748b42076a21d2e8f7b5623b3539a1bb020c637dc43
all runs: boot failed: can't ssh into the instance
# git bisect skip f4000cd99750065d5177555c0a805c97174d1b9f
Bisecting: 7099 revisions left to test after this (roughly 13 steps)
[ab1effc09519f3bb4b84dd6d8276cedf07b17a1b] staging: ks7010: Add blank line after declarations
testing commit ab1effc09519f3bb4b84dd6d8276cedf07b17a1b with gcc (GCC) 5.5.0
kernel signature: 6c89b20f29e2c2457941c4460507a9f9d59f2cb2e3f0a112f1700a17b37ba9ee
all runs: OK
# git bisect good ab1effc09519f3bb4b84dd6d8276cedf07b17a1b
Bisecting: 7022 revisions left to test after this (roughly 13 steps)
[09cb6464fe5e7fcd5177911429badd139c4481b7] Merge tag 'for-f2fs-4.10' of git://git.kernel.org/pub/scm/linux/kernel/git/jaegeuk/f2fs
testing commit 09cb6464fe5e7fcd5177911429badd139c4481b7 with gcc (GCC) 5.5.0
kernel signature: a9243f320b6337996cfbfa57c8ae456deee1fe7843873830cbe3eb1c68fc18a4
all runs: boot failed: can't ssh into the instance
# git bisect skip 09cb6464fe5e7fcd5177911429badd139c4481b7
Bisecting: 7022 revisions left to test after this (roughly 13 steps)
[68226b4dfa9b2e064e2f9e792bf7469f465054c7] [media] dvb-tc90522: Rename a jump label in tc90522_probe()
testing commit 68226b4dfa9b2e064e2f9e792bf7469f465054c7 with gcc (GCC) 5.5.0
kernel signature: 558afd353d9f45b8e41cbc0ecb12c1f0b5a3a4bbf48261754f165f863690129f
all runs: OK
# git bisect good 68226b4dfa9b2e064e2f9e792bf7469f465054c7
Bisecting: 6886 revisions left to test after this (roughly 13 steps)
[d03502684b65492339d70f11aa8ed6df3961a3bf] s390/zcrypt: add missing memory clobber to ap_qci inline assembly
testing commit d03502684b65492339d70f11aa8ed6df3961a3bf with gcc (GCC) 5.5.0
kernel signature: 577e9a81447ccb2dd2af7287b3105898f67ea6cabb6ddb6008db69d1a3eda9f3
all runs: boot failed: can't ssh into the instance
# git bisect skip d03502684b65492339d70f11aa8ed6df3961a3bf
Bisecting: 6886 revisions left to test after this (roughly 13 steps)
[a149e7c7ce812561f0fdc7a86ddc42f294e5eb3e] ipv6: sr: add support for SRH injection through setsockopt
testing commit a149e7c7ce812561f0fdc7a86ddc42f294e5eb3e with gcc (GCC) 5.5.0
kernel signature: e99b04a96eeedb6c733fad0964bb630e4888767e74f0186bf93aa86b0d244a8f
all runs: OK
# git bisect good a149e7c7ce812561f0fdc7a86ddc42f294e5eb3e
Bisecting: 6483 revisions left to test after this (roughly 13 steps)
[a829a8445f09036404060f4d6489cb13433f4304] Merge tag 'scsi-misc' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi
testing commit a829a8445f09036404060f4d6489cb13433f4304 with gcc (GCC) 5.5.0
kernel signature: 8fd3d2e5ac7d3c25b2b64cf52d3f5c9566568e0d42296b68684681a1c7b9b3d6
run #0: basic kernel testing failed: failed to copy test binary to VM: timedout ["scp" "-P" "22" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "BatchMode=yes" "-o" "IdentitiesOnly=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "-i" "/syzkaller/jobs/linux/workdir/image/key" "/syzkaller/jobs/linux/gopath/src/github.com/google/syzkaller/bin/linux_amd64/syz-fuzzer" "root@10.128.0.225:./syz-fuzzer"]
Warning: Permanently added '10.128.0.225' (ECDSA) to the list of known hosts.
run #1: boot failed: can't ssh into the instance
run #2: boot failed: can't ssh into the instance
run #3: boot failed: can't ssh into the instance
run #4: boot failed: can't ssh into the instance
run #5: boot failed: can't ssh into the instance
run #6: boot failed: can't ssh into the instance
run #7: boot failed: can't ssh into the instance
run #8: boot failed: can't ssh into the instance
run #9: boot failed: can't ssh into the instance
# git bisect skip a829a8445f09036404060f4d6489cb13433f4304
Bisecting: 6483 revisions left to test after this (roughly 13 steps)
[9004fda59577d439564d44d6d1db52d262fe3f99] Merge branch 'irq-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
testing commit 9004fda59577d439564d44d6d1db52d262fe3f99 with gcc (GCC) 5.5.0
kernel signature: 9ae7a630b43bfca954818a3643e86baca21aa11d48bc7499b4285033b6642366
all runs: OK
# git bisect good 9004fda59577d439564d44d6d1db52d262fe3f99
Bisecting: 1048 revisions left to test after this (roughly 10 steps)
[93f955aad4bacee5acebad141d1a03cd51f27b4e] tipc: fix nametbl_lock soft lockup at node/link events
testing commit 93f955aad4bacee5acebad141d1a03cd51f27b4e with gcc (GCC) 5.5.0
kernel signature: 5591e96762dbf423150a99ef83ef012475ac41d374518d8172108914af001f16
all runs: OK
# git bisect good 93f955aad4bacee5acebad141d1a03cd51f27b4e
Bisecting: 516 revisions left to test after this (roughly 9 steps)
[1b1bc42c1692e9b62756323c675a44cb1a1f9dbd] Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
testing commit 1b1bc42c1692e9b62756323c675a44cb1a1f9dbd with gcc (GCC) 5.5.0
kernel signature: 16c7de56488f58b23395628da17b26a670471a5ae866990eb58a50315fefbba9
all runs: OK
# git bisect good 1b1bc42c1692e9b62756323c675a44cb1a1f9dbd
Bisecting: 260 revisions left to test after this (roughly 8 steps)
[b6789123bccba8b5feb9901ed2e8c3c39181979d] mm: fix KPF_SWAPCACHE in /proc/kpageflags
testing commit b6789123bccba8b5feb9901ed2e8c3c39181979d with gcc (GCC) 5.5.0
kernel signature: 8071d9e3de8df47351bc66a7389ee5b02964469a1c86dd6de3006ec9c5c751ab
all runs: OK
# git bisect good b6789123bccba8b5feb9901ed2e8c3c39181979d
Bisecting: 120 revisions left to test after this (roughly 7 steps)
[1ee18329fae936089c6c599250ae92482ff2b81f] Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
testing commit 1ee18329fae936089c6c599250ae92482ff2b81f with gcc (GCC) 5.5.0
kernel signature: 10fedea3cecce27813b687a0d1c88b38cadaf1f1ce2f0b59f3edd29d355965c0
all runs: OK
# git bisect good 1ee18329fae936089c6c599250ae92482ff2b81f
Bisecting: 53 revisions left to test after this (roughly 6 steps)
[3c7a9f32f9392c9dfce24f33bdc6799852903e27] Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
testing commit 3c7a9f32f9392c9dfce24f33bdc6799852903e27 with gcc (GCC) 5.5.0
kernel signature: dc1b9d24878244e1d095197f9989beb7a7846949126f9cf092ed81041aab0a6b
all runs: OK
# git bisect good 3c7a9f32f9392c9dfce24f33bdc6799852903e27
Bisecting: 26 revisions left to test after this (roughly 5 steps)
[2fe1e8a7b2f4dcac3fcb07ff06b0ae7396201fd6] Merge tag 'powerpc-4.10-5' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux
testing commit 2fe1e8a7b2f4dcac3fcb07ff06b0ae7396201fd6 with gcc (GCC) 5.5.0
kernel signature: d756944f769dbc9cff274577a1e8016e3d5e8c2f90f38f89298fc3dc0e8c2026
all runs: OK
# git bisect good 2fe1e8a7b2f4dcac3fcb07ff06b0ae7396201fd6
Bisecting: 12 revisions left to test after this (roughly 4 steps)
[244ff16fb4717708491fa1b3b2a68f9074742d71] Merge branch 'locking-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
testing commit 244ff16fb4717708491fa1b3b2a68f9074742d71 with gcc (GCC) 5.5.0
kernel signature: 36f48227845af6a55a8a9d743882555d8cc90b74b98b8cfd1a4ac76ddab45e3a
all runs: OK
# git bisect good 244ff16fb4717708491fa1b3b2a68f9074742d71
Bisecting: 7 revisions left to test after this (roughly 3 steps)
[b92ce305fcbc8d85d1732fecf17c823c760868bd] Merge branch 'fixes' of git://git.armlinux.org.uk/~rmk/linux-arm
testing commit b92ce305fcbc8d85d1732fecf17c823c760868bd with gcc (GCC) 5.5.0
kernel signature: 90314568ac49c3e9ca86d6bf8bdec74a2d53ed351027c95c8870a09c54f1a904
all runs: OK
# git bisect good b92ce305fcbc8d85d1732fecf17c823c760868bd
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[2763f92f858f7c4c3198335c0542726eaed07ba3] Merge tag 'fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc
testing commit 2763f92f858f7c4c3198335c0542726eaed07ba3 with gcc (GCC) 5.5.0
kernel signature: 151295bde3782ba155242c8d0063484b26fdb7ed7d22e57ede462d0434fff239
all runs: OK
# git bisect good 2763f92f858f7c4c3198335c0542726eaed07ba3
Bisecting: 1 revision left to test after this (roughly 1 step)
[fd3fc0b4d7305fa7246622dcc0dec69c42443f45] scsi: don't BUG_ON() empty DMA transfers
testing commit fd3fc0b4d7305fa7246622dcc0dec69c42443f45 with gcc (GCC) 5.5.0
kernel signature: 8d05464cd437a4fb19595d8db5ba69d55d9598c1413ba923db34c423a563e9d1
all runs: OK
# git bisect good fd3fc0b4d7305fa7246622dcc0dec69c42443f45
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[137d01df511b3afe1f05499aea05f3bafc0fb221] Fix missing sanity check in /dev/sg
testing commit 137d01df511b3afe1f05499aea05f3bafc0fb221 with gcc (GCC) 5.5.0
kernel signature: 90e61aff61a1642a7af73979939aeebf0ebeb03a4dd36c9c92777dd51a024099
all runs: OK
# git bisect good 137d01df511b3afe1f05499aea05f3bafc0fb221
c470abd4fde40ea6a0846a2beab642a578c0b8cd is the first bad commit
commit c470abd4fde40ea6a0846a2beab642a578c0b8cd
Author: Linus Torvalds
Date:   Sun Feb 19 14:34:00 2017 -0800

    Linux 4.10

 Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

culprit signature: e6d3f7efaf84d60cc85f5c5c9567fc98a33a533bbc6acc9a63452316b2801078
parent signature: 90e61aff61a1642a7af73979939aeebf0ebeb03a4dd36c9c92777dd51a024099
revisions tested: 38, total time: 8h4m13.960535244s (build: 3h6m47.595197988s, test: 4h54m6.86361829s)
first bad commit: c470abd4fde40ea6a0846a2beab642a578c0b8cd Linux 4.10
cc: ["linux-kbuild@vger.kernel.org" "linux-kernel@vger.kernel.org" "mmarek@suse.com" "torvalds@linux-foundation.org"]
crash: KASAN: use-after-free Read in put_device
Bluetooth: Can't register HCI device
Bluetooth: Can't register HCI device
Bluetooth: Can't register HCI device
Bluetooth: Can't register HCI device
==================================================================
BUG: KASAN: use-after-free in kobject_put+0x8d/0xa0 lib/kobject.c:687 at addr ffff880129b515a4
Bluetooth: Can't register HCI device
Bluetooth: Can't register HCI device
Read of size 1 by task syz-executor.4/29383
Bluetooth: Can't register HCI device
CPU: 1 PID: 29383 Comm: syz-executor.4 Not tainted 4.10.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:15 [inline]
 dump_stack+0xe6/0x120 lib/dump_stack.c:51
Bluetooth: Can't register HCI device
 kasan_object_err+0x1c/0x70 mm/kasan/report.c:162
 print_address_description mm/kasan/report.c:200 [inline]
 kasan_report_error mm/kasan/report.c:289 [inline]
 kasan_report.part.2+0x1c9/0x480 mm/kasan/report.c:311
 kasan_report mm/kasan/report.c:329 [inline]
 __asan_report_load1_noabort+0x29/0x30 mm/kasan/report.c:329
 kobject_put+0x8d/0xa0 lib/kobject.c:687
 put_device+0x12/0x20 drivers/base/core.c:1801
 hci_free_dev+0x10/0x20 net/bluetooth/hci_core.c:3016
 vhci_release+0x73/0xe0 drivers/bluetooth/hci_vhci.c:355
 __fput+0x25c/0x730 fs/file_table.c:208
 ____fput+0x9/0x10 fs/file_table.c:244
 task_work_run+0xd9/0x150 kernel/task_work.c:116
 tracehook_notify_resume include/linux/tracehook.h:191 [inline]
 exit_to_usermode_loop+0x15a/0x1a0 arch/x86/entry/common.c:160
 prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline]
 syscall_return_slowpath+0x251/0x2d0 arch/x86/entry/common.c:259
 entry_SYSCALL_64_fastpath+0xc4/0xc6
RIP: 0033:0x415fe1
RSP: 002b:00007ffd886d0c30 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 0000000000000004 RCX: 0000000000415fe1
RDX: 0000001b2ca20000 RSI: 0000000000000000 RDI: 0000000000000003
RBP: 0000000000000001 R08: 00ffffffffffffff R09: 00ffffffffffffff
R10: 00007ffd886d0d10 R11: 0000000000000293 R12: 000000000076bf20
R13: 0000000000770418 R14: 0000000000049032 R15: 000000000076bf2c
Object at ffff880129b504c0, in cache kmalloc-8192 size: 8192
Allocated:
PID = 29386
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x46/0xd0 mm/kasan/kasan.c:502
 set_track mm/kasan/kasan.c:514 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:605
 kmem_cache_alloc_trace+0x142/0x800 mm/slab.c:3626
 kmalloc include/linux/slab.h:490 [inline]
 kzalloc include/linux/slab.h:636 [inline]
 hci_alloc_dev+0x41/0x1b50 net/bluetooth/hci_core.c:2929
 __vhci_create_device+0xf5/0x500 drivers/bluetooth/hci_vhci.c:114
 vhci_create_device drivers/bluetooth/hci_vhci.c:163 [inline]
 vhci_get_user drivers/bluetooth/hci_vhci.c:219 [inline]
 vhci_write+0x27d/0x3c0 drivers/bluetooth/hci_vhci.c:299
 new_sync_write fs/read_write.c:499 [inline]
 __vfs_write+0x303/0x740 fs/read_write.c:512
 vfs_write+0x156/0x4e0 fs/read_write.c:560
 SYSC_write fs/read_write.c:607 [inline]
 SyS_write+0xcb/0x1a0 fs/read_write.c:599
 entry_SYSCALL_64_fastpath+0x23/0xc6
Freed:
PID = 29383
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x46/0xd0 mm/kasan/kasan.c:502
 set_track mm/kasan/kasan.c:514 [inline]
 kasan_slab_free+0x70/0xb0 mm/kasan/kasan.c:578
 __cache_free mm/slab.c:3502 [inline]
 kfree+0xcf/0x2c0 mm/slab.c:3819
 bt_host_release+0x10/0x20 net/bluetooth/hci_sysfs.c:85
 device_release+0x71/0x1e0 drivers/base/core.c:813
 kobject_cleanup lib/kobject.c:645 [inline]
 kobject_release+0xc1/0x160 lib/kobject.c:674
 kref_sub include/linux/kref.h:73 [inline]
 kref_put include/linux/kref.h:98 [inline]
 kobject_put+0x4d/0xa0 lib/kobject.c:691
 put_device+0x12/0x20 drivers/base/core.c:1801
 hci_dev_put include/net/bluetooth/hci_core.h:992 [inline]
 hci_unregister_dev+0x5c7/0x790 net/bluetooth/hci_core.c:3187
 vhci_release+0x6b/0xe0 drivers/bluetooth/hci_vhci.c:354
 __fput+0x25c/0x730 fs/file_table.c:208
 ____fput+0x9/0x10 fs/file_table.c:244
 task_work_run+0xd9/0x150 kernel/task_work.c:116
 tracehook_notify_resume include/linux/tracehook.h:191 [inline]
 exit_to_usermode_loop+0x15a/0x1a0 arch/x86/entry/common.c:160
 prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline]
 syscall_return_slowpath+0x251/0x2d0 arch/x86/entry/common.c:259
 entry_SYSCALL_64_fastpath+0xc4/0xc6
Memory state around the buggy address:
 ffff880129b51480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff880129b51500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff880129b51580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                               ^
 ffff880129b51600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff880129b51680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================