bisecting fixing commit since 0c88e405c97ed1828443b67891e6d4bb6e56cd4e
building syzkaller on 486f93ef445f733b35d844f33ba9edeb8423f5fa
testing commit 0c88e405c97ed1828443b67891e6d4bb6e56cd4e
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: 6e06ce2c8b01618799be4c52da60553597c610235526956e7bf335b148bf605c
run #0: crashed: BUG: corrupted list in kobject_add_internal
run #1: crashed: BUG: corrupted list in kobject_add_internal
run #2: crashed: BUG: corrupted list in kobject_add_internal
run #3: crashed: BUG: corrupted list in kobject_add_internal
run #4: crashed: BUG: corrupted list in kobject_add_internal
run #5: crashed: BUG: corrupted list in kobject_add_internal
run #6: crashed: BUG: corrupted list in kobject_add_internal
run #7: crashed: BUG: corrupted list in kobject_add_internal
run #8: crashed: BUG: corrupted list in kobject_add_internal
run #9: crashed: BUG: corrupted list in kobject_add_internal
run #10: crashed: BUG: corrupted list in kobject_add_internal
run #11: crashed: BUG: corrupted list in kobject_add_internal
run #12: crashed: BUG: corrupted list in sysfs_warn_dup
run #13: crashed: BUG: corrupted list in kobject_add_internal
run #14: crashed: BUG: corrupted list in kobject_add_internal
run #15: crashed: BUG: corrupted list in kobject_add_internal
run #16: crashed: BUG: corrupted list in kobject_add_internal
run #17: crashed: BUG: corrupted list in kobject_add_internal
run #18: crashed: BUG: corrupted list in kobject_add_internal
run #19: crashed: BUG: corrupted list in kobject_add_internal
testing current HEAD 2950c9c5e0df6bd34af45a5168bbee345e95eae2
testing commit 2950c9c5e0df6bd34af45a5168bbee345e95eae2
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: df2870e3ede13e2098e5e7989aa7e9ec41f6fecd3c1763b8b21a359cd18b3d66
run #0: crashed: BUG: corrupted list in klist_dec_and_del
run #1: crashed: kernel panic: Fatal exception
run #2: crashed: BUG: corrupted list in klist_dec_and_del
run #3: basic kernel testing failed: failed to copy test binary to VM: timedout ["scp" "-P" "22" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "BatchMode=yes" "-o" "IdentitiesOnly=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "/tmp/syz-executor576099539" "root@10.128.0.251:./syz-executor576099539"]
run #4: basic kernel testing failed: failed to copy test binary to VM: timedout ["scp" "-P" "22" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "BatchMode=yes" "-o" "IdentitiesOnly=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "/tmp/syz-executor169031805" "root@10.128.0.82:./syz-executor169031805"]
Warning: Permanently added '10.128.0.82' (ECDSA) to the list of known hosts.
run #5: basic kernel testing failed: failed to copy test binary to VM: timedout ["scp" "-P" "22" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "BatchMode=yes" "-o" "IdentitiesOnly=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "/tmp/syz-executor875062712" "root@10.128.1.122:./syz-executor875062712"]
Warning: Permanently added '10.128.1.122' (ECDSA) to the list of known hosts.
run #6: basic kernel testing failed: failed to copy test binary to VM: timedout ["scp" "-P" "22" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "BatchMode=yes" "-o" "IdentitiesOnly=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "/tmp/syz-executor925568951" "root@10.128.0.97:./syz-executor925568951"]
Warning: Permanently added '10.128.0.97' (ECDSA) to the list of known hosts.
run #7: basic kernel testing failed: failed to copy test binary to VM: timedout ["scp" "-P" "22" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "BatchMode=yes" "-o" "IdentitiesOnly=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "/tmp/syz-executor046755754" "root@10.128.0.146:./syz-executor046755754"]
Warning: Permanently added '10.128.0.146' (ECDSA) to the list of known hosts.
run #8: basic kernel testing failed: failed to copy test binary to VM: timedout ["scp" "-P" "22" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "BatchMode=yes" "-o" "IdentitiesOnly=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "/tmp/syz-executor327927553" "root@10.128.0.73:./syz-executor327927553"]
run #9: basic kernel testing failed: failed to copy test binary to VM: timedout ["scp" "-P" "22" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "BatchMode=yes" "-o" "IdentitiesOnly=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "/tmp/syz-executor558288603" "root@10.128.10.5:./syz-executor558288603"]
revisions tested: 2, total time: 37m19.018772104s (build: 23m6.607578013s, test: 13m29.797073363s)
the crash still happens on HEAD
commit msg: Linux 4.19.207
crash: BUG: corrupted list in klist_dec_and_del
kernel BUG at lib/list_debug.c:53!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 17878 Comm: syz-executor.3 Not tainted 4.19.207-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:__list_del_entry_valid.cold.1+0x48/0x4a lib/list_debug.c:51
Code: 27 50 88 e8 a0 fb f7 ff 0f 0b 48 89 de 48 c7 c7 60 28 50 88 e8 8f fb f7 ff 0f 0b 48 89 de 48 c7 c7 00 28 50 88 e8 7e fb f7 ff <0f> 0b 41 83 c5 01 b8 ff ff 37 00 44 89 2d bc 38 35 04 48 c1 e0 2a
RSP: 0018:ffff888096f67638 EFLAGS: 00010282
RAX: 0000000000000054 RBX: ffff8880a9bf4ee0 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff885024a0 RDI: ffffffff8bad9720
RBP: ffff888096f67650 R08: ffffed1017464ea9 R09: ffffed1017464ea8
R10: ffffed1017464ea8 R11: ffff8880ba327547 R12: ffff8880a1bfc0a0
R13: ffff8880a1bfc0a0 R14: 0000000000000001 R15: ffff888091fec840
FS: 0000000003464400(0000) GS:ffff8880ba300000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000034646d0 CR3: 000000009c824000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 __list_del_entry include/linux/list.h:117 [inline]
 list_del include/linux/list.h:125 [inline]
 klist_release lib/klist.c:190 [inline]
 kref_put include/linux/kref.h:70 [inline]
 klist_dec_and_del+0x69/0x450 lib/klist.c:207
 klist_put+0x6c/0x110 lib/klist.c:218
 klist_del+0xe/0x10 lib/klist.c:231
 device_del+0x15c/0xa60 drivers/base/core.c:2321
 hci_conn_del_sysfs+0xba/0x150 net/bluetooth/hci_sysfs.c:78
 hci_conn_cleanup+0x1ff/0x4e0 net/bluetooth/hci_conn.c:128
 hci_conn_del+0x22c/0x6b0 net/bluetooth/hci_conn.c:611
 hci_conn_hash_flush+0x171/0x230 net/bluetooth/hci_conn.c:1513
 hci_dev_do_close+0x5dc/0xf10 net/bluetooth/hci_core.c:1687
 hci_unregister_dev+0x12f/0x400 net/bluetooth/hci_core.c:3288
 vhci_release+0x6b/0xe0 drivers/bluetooth/hci_vhci.c:354
 __fput+0x249/0x7f0 fs/file_table.c:278
 ____fput+0x9/0x10 fs/file_table.c:309
 task_work_run+0x108/0x180 kernel/task_work.c:113
 exit_task_work include/linux/task_work.h:22 [inline]
 do_exit+0xa6a/0x2d90 kernel/exit.c:870
 do_group_exit+0xf8/0x2c0 kernel/exit.c:967
 get_signal+0x30b/0x1970 kernel/signal.c:2589
 do_signal+0x87/0x1870 arch/x86/kernel/signal.c:799
 exit_to_usermode_loop+0x159/0x1e0 arch/x86/entry/common.c:163
 prepare_exit_to_usermode arch/x86/entry/common.c:198 [inline]
 syscall_return_slowpath+0x31a/0x3b0 arch/x86/entry/common.c:271
 ret_from_fork+0x15/0x30 arch/x86/entry/entry_64.S:407
RIP: 0033:0x463e7b
Code: ed 0f 85 60 01 00 00 64 4c 8b 0c 25 10 00 00 00 45 31 c0 4d 8d 91 d0 02 00 00 31 d2 31 f6 bf 11 00 20 01 b8 38 00 00 00 0f 05 <48> 3d 00 f0 ff ff 0f 87 89 00 00 00 41 89 c5 85 c0 0f 85 90 00 00
RSP: 002b:00007ffc985d9ec0 EFLAGS: 00000246 ORIG_RAX: 0000000000000038
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000463e7b
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000001200011
RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000003464400
R10: 00000000034646d0 R11: 0000000000000246 R12: 0000000000000001
R13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000001
Modules linked in:
Bluetooth: hci0: Ignoring connect complete event for existing connection
---[ end trace 51a974c03e05af4a ]---
Bluetooth: hci0: Ignoring connect complete event for existing connection
RIP: 0010:__list_del_entry_valid.cold.1+0x48/0x4a lib/list_debug.c:51
Bluetooth: hci1: Ignoring connect complete event for existing connection
Code: 27 50 88 e8 a0 fb f7 ff 0f 0b 48 89 de 48 c7 c7 60 28 50 88 e8 8f fb f7 ff 0f 0b 48 89 de 48 c7 c7 00 28 50 88 e8 7e fb f7 ff <0f> 0b 41 83 c5 01 b8 ff ff 37 00 44 89 2d bc 38 35 04 48 c1 e0 2a
Bluetooth: hci1: Ignoring connect complete event for existing connection
RSP: 0018:ffff888096f67638 EFLAGS: 00010282
RAX: 0000000000000054 RBX: ffff8880a9bf4ee0 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff885024a0 RDI: ffffffff8bad9720
RBP: ffff888096f67650 R08: ffffed1017464ea9 R09: ffffed1017464ea8
R10: ffffed1017464ea8 R11: ffff8880ba327547 R12: ffff8880a1bfc0a0
R13: ffff8880a1bfc0a0 R14: 0000000000000001 R15: ffff888091fec840
FS: 0000000003464400(0000) GS:ffff8880ba300000(0000) knlGS:0000000000000000
list_del corruption. prev->next should be ffff8880aae03ba0, but was ffff8880a9b505f8
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
------------[ cut here ]------------
CR2: 00000000034646d0 CR3: 000000000986d000 CR4: 00000000001406e0
kernel BUG at lib/list_debug.c:53!
invalid opcode: 0000 [#2] PREEMPT SMP KASAN
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
CPU: 0 PID: 17873 Comm: syz-executor.5 Tainted: G D 4.19.207-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:__list_del_entry_valid.cold.1+0x48/0x4a lib/list_debug.c:51
Code: 27 50 88 e8 a0 fb f7 ff 0f 0b 48 89 de 48 c7 c7 60 28 50 88 e8 8f fb f7 ff 0f 0b 48 89 de 48 c7 c7 00 28 50 88 e8 7e fb f7 ff <0f> 0b 41 83 c5 01 b8 ff ff 37 00 44 89 2d bc 38 35 04 48 c1 e0 2a
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
RSP: 0018:ffff8880b07b7628 EFLAGS: 00010282
RAX: 0000000000000054 RBX: ffff8880aae03ba0 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff885024a0 RDI: ffffffff8bad9720
RBP: ffff8880b07b7640 R08: ffffed1017444ea9 R09: ffffed1017444ea8
R10: ffffed1017444ea8 R11: ffff8880ba227547 R12: ffff8880aae03ce0
R13: ffff8880aae03ce0 R14: 0000000000000001 R15: ffff8880aa992500
FS: 0000000002c19400(0000) GS:ffff8880ba200000(0000) knlGS:0000000000000000
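Added example, not part of the syzbot output above: a small Python parser for the syzkaller bisection log format shown on this page. It groups the per-run outcomes under each `testing commit` record and separates genuine kernel crashes from infrastructure failures such as the scp timeouts in runs #3 to #9 of the HEAD test, so that a commit whose runs never managed to deliver the test binary is reported as untested rather than as fixed. The sample input is a constructed subset of the log above; the `OK` outcome for a non-crashing run is an assumption about syzkaller's output and does not appear on this page.

```python
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample: a subset of the syzbot bisection log on this page,
# one record per line, with the scp argument lists shortened.
SAMPLE_LOG = """\
bisecting fixing commit since 0c88e405c97ed1828443b67891e6d4bb6e56cd4e
testing commit 0c88e405c97ed1828443b67891e6d4bb6e56cd4e
compiler: gcc version 8.4.1 20210217 (GCC)
run #0: crashed: BUG: corrupted list in kobject_add_internal
run #1: crashed: BUG: corrupted list in sysfs_warn_dup
testing current HEAD 2950c9c5e0df6bd34af45a5168bbee345e95eae2
testing commit 2950c9c5e0df6bd34af45a5168bbee345e95eae2
run #0: crashed: BUG: corrupted list in klist_dec_and_del
run #1: crashed: kernel panic: Fatal exception
run #2: basic kernel testing failed: failed to copy test binary to VM: timedout ["scp" "-P" "22"]
Warning: Permanently added '10.128.0.82' (ECDSA) to the list of known hosts.
run #3: basic kernel testing failed: failed to copy test binary to VM: timedout ["scp" "-P" "22"]
revisions tested: 2, total time: 37m19.018772104s (build: 23m6.607578013s, test: 13m29.797073363s)
the crash still happens on HEAD
"""

COMMIT_RE = re.compile(r"^testing commit ([0-9a-f]{40})$")
RUN_RE = re.compile(r"^run #(\d+): (.*)$")
CRASH_PREFIX = "crashed: "
INFRA_PREFIX = "basic kernel testing failed"


@dataclass
class CommitResult:
    commit: str
    crashes: Counter = field(default_factory=Counter)   # crash title -> count
    infra_failures: int = 0                              # VM/ssh/scp problems
    other: list = field(default_factory=list)            # e.g. "OK" (assumed)

    @property
    def runs(self) -> int:
        return sum(self.crashes.values()) + self.infra_failures + len(self.other)

    def verdict(self) -> str:
        # One genuine crash is enough: the bug is present at this commit.
        if self.crashes:
            return "crashes"
        # No crash but no run actually executed either: the commit is
        # untested. Counting it as fixed would misattribute the fixing commit.
        if self.infra_failures and not self.other:
            return "untested"
        return "no crash"


def parse_bisect_log(text: str) -> list[CommitResult]:
    """Group 'run #N:' outcomes under the preceding 'testing commit' record."""
    results: list[CommitResult] = []
    current: CommitResult | None = None
    for line in text.splitlines():
        m = COMMIT_RE.match(line)
        if m:
            current = CommitResult(m.group(1))
            results.append(current)
            continue
        m = RUN_RE.match(line)
        if not m or current is None:
            continue  # ssh warnings, compiler/signature lines, summary lines
        outcome = m.group(2)
        if outcome.startswith(CRASH_PREFIX):
            current.crashes[outcome[len(CRASH_PREFIX):]] += 1
        elif outcome.startswith(INFRA_PREFIX):
            current.infra_failures += 1
        else:
            current.other.append(outcome)
    return results


def still_crashes_on_head(text: str) -> bool:
    """True if syzkaller's own summary says the crash reproduces on HEAD."""
    return any(l.strip() == "the crash still happens on HEAD" for l in text.splitlines())


def summarize(results: list[CommitResult]) -> list[tuple[str, str, int, int]]:
    """(short commit, verdict, runs, infra failures) per tested commit."""
    return [(r.commit[:12], r.verdict(), r.runs, r.infra_failures) for r in results]


if __name__ == "__main__":
    parsed = parse_bisect_log(SAMPLE_LOG)
    for row in summarize(parsed):
        print("%s  %-9s runs=%d infra_failures=%d" % row)
    for r in parsed:
        for title, n in r.crashes.most_common():
            print("  %s: %dx %s" % (r.commit[:12], n, title))
    print("still crashes on HEAD:", still_crashes_on_head(SAMPLE_LOG))
```

The distinction the `verdict()` method draws is the one that matters when reading a fix bisection: on this page the HEAD test crashed three times before the VMs stopped accepting the test binary, so the "still happens on HEAD" conclusion rests on those three runs, and seven runs that never executed the reproducer carry no evidence either way.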