bisecting fixing commit since 54b4fa6d39551639cb10664f6ac78b01993a1d7e
building syzkaller on 831e9a81a60573f12c44f35c7b04072f41854bdf
testing commit 54b4fa6d39551639cb10664f6ac78b01993a1d7e with gcc (GCC) 8.4.1 20210217
kernel signature: c65eb7e449f477468e204bf77d83566d2d7c33220c073b53308641504a9de2d6
all runs: crashed: KASAN: use-after-free Write in hci_sock_bind
testing current HEAD eb575cd5d7f60241d016fdd13a9e86d962093c9b
testing commit eb575cd5d7f60241d016fdd13a9e86d962093c9b with gcc (GCC) 8.4.1 20210217
kernel signature: 7fc1b8da6ebf94ed4ec8738dbb360197f9f67f15240606b2012339c7c2349324
all runs: crashed: BUG: sleeping function called from invalid context in lock_sock_nested
revisions tested: 2, total time: 25m54.102718978s (build: 16m56.747646996s, test: 8m30.94213768s)
the crash still happens on HEAD
commit msg: Linux 4.19.195
crash: BUG: sleeping function called from invalid context in lock_sock_nested

batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3d) already exists on: batadv_slave_0
batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3d) already exists on: batadv_slave_0
batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3d) already exists on: batadv_slave_0
BUG: sleeping function called from invalid context at net/core/sock.c:2863
batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
in_atomic(): 1, irqs_disabled(): 0, pid: 7164, name: syz-executor.5
batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3d) already exists on: batadv_slave_0
1 lock held by syz-executor.5/7164:
 #0: 00000000527471c0 (hci_sk_list.lock){++++}, at: hci_sock_dev_event+0x33e/0x540 net/bluetooth/hci_sock.c:756
Preemption disabled at:
[] hci_sock_dev_event+0x33e/0x540 net/bluetooth/hci_sock.c:756
CPU: 0 PID: 7164 Comm: syz-executor.5 Not tainted 4.19.195-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x123/0x171 lib/dump_stack.c:118
 ___might_sleep.cold.87+0x1bb/0x1f4 kernel/sched/core.c:6192
 __might_sleep+0x95/0x190 kernel/sched/core.c:6145
 lock_sock_nested+0x24/0x100 net/core/sock.c:2863
 lock_sock include/net/sock.h:1510 [inline]
 hci_sock_dev_event+0x3a3/0x540 net/bluetooth/hci_sock.c:758
 hci_unregister_dev+0x207/0x7a0 net/bluetooth/hci_core.c:3292
 vhci_release+0x6b/0xe0 drivers/bluetooth/hci_vhci.c:354
 __fput+0x249/0x7f0 fs/file_table.c:278
batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
 ____fput+0x9/0x10 fs/file_table.c:309
 task_work_run+0x108/0x180 kernel/task_work.c:113
 tracehook_notify_resume include/linux/tracehook.h:193 [inline]
 exit_to_usermode_loop+0x1a9/0x200 arch/x86/entry/common.c:167
 prepare_exit_to_usermode arch/x86/entry/common.c:198 [inline]
 syscall_return_slowpath arch/x86/entry/common.c:271 [inline]
 do_syscall_64+0x413/0x4e0 arch/x86/entry/common.c:296
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x41741b
Code: 0f 05 48 3d 00 f0 ff ff 77 45 c3 0f 1f 40 00 48 83 ec 18 89 7c 24 0c e8 63 fc ff ff 8b 7c 24 0c 41 89 c0 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 35 44 89 c7 89 44 24 0c e8 a1 fc ff ff 8b 44
RSP: 002b:00007fff0910df60 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 0000000000000001 RCX: 000000000041741b
batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3d) already exists on: batadv_slave_0
RDX: 0000000000000000 RSI: 00000000005402a8 RDI: 0000000000000003
RBP: 0000000000000004 R08: 0000000000000000 R09: 0000001b2be20070
batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
R10: 00007fff0910e030 R11: 0000000000000293 R12: 00000000000003e8
R13: 000000000053bf00 R14: 000000000053bf0c R15: 000000000053bf00
IPv6: ADDRCONF(NETDEV_UP): batadv_slave_0: link is not ready
batman_adv: batadv0: Interface activated: batadv_slave_0
IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3e) already exists on: batadv_slave_1
batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3e) already exists on: batadv_slave_1
batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3e) already exists on: batadv_slave_1
batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3e) already exists on: batadv_slave_1
batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3e) already exists on: batadv_slave_1
batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
IPv6: ADDRCONF(NETDEV_UP): batadv_slave_1: link is not ready
batman_adv: batadv0: Interface activated: batadv_slave_1
IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
BUG: sleeping function called from invalid context at net/core/sock.c:2863
in_atomic(): 1, irqs_disabled(): 0, pid: 7403, name: syz-executor.2
1 lock held by syz-executor.2/7403:
 #0: 00000000527471c0 (hci_sk_list.lock){++++}, at: hci_sock_dev_event+0x33e/0x540 net/bluetooth/hci_sock.c:756
Preemption disabled at:
[] hci_sock_dev_event+0x33e/0x540 net/bluetooth/hci_sock.c:756
CPU: 0 PID: 7403 Comm: syz-executor.2 Tainted: G W 4.19.195-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x123/0x171 lib/dump_stack.c:118
 ___might_sleep.cold.87+0x1bb/0x1f4 kernel/sched/core.c:6192
 __might_sleep+0x95/0x190 kernel/sched/core.c:6145
 lock_sock_nested+0x24/0x100 net/core/sock.c:2863
 lock_sock include/net/sock.h:1510 [inline]
 hci_sock_dev_event+0x3a3/0x540 net/bluetooth/hci_sock.c:758
 hci_unregister_dev+0x207/0x7a0 net/bluetooth/hci_core.c:3292
 vhci_release+0x6b/0xe0 drivers/bluetooth/hci_vhci.c:354
 __fput+0x249/0x7f0 fs/file_table.c:278
 ____fput+0x9/0x10 fs/file_table.c:309
 task_work_run+0x108/0x180 kernel/task_work.c:113
 tracehook_notify_resume include/linux/tracehook.h:193 [inline]
 exit_to_usermode_loop+0x1a9/0x200 arch/x86/entry/common.c:167
 prepare_exit_to_usermode arch/x86/entry/common.c:198 [inline]
 syscall_return_slowpath arch/x86/entry/common.c:271 [inline]
 do_syscall_64+0x413/0x4e0 arch/x86/entry/common.c:296
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x41741b
Code: 0f 05 48 3d 00 f0 ff ff 77 45 c3 0f 1f 40 00 48 83 ec 18 89 7c 24 0c e8 63 fc ff ff 8b 7c 24 0c 41 89 c0 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 35 44 89 c7 89 44 24 0c e8 a1 fc ff ff 8b 44
RSP: 002b:00007ffe62ba61f0 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 0000000000000001 RCX: 000000000041741b
RDX: 0000000000000000 RSI: 00000000005402a8 RDI: 0000000000000003
RBP: 0000000000000004 R08: 0000000000000000 R09: 0000001b33820070
R10: 00007ffe62ba62c0 R11: 0000000000000293 R12: 00000000000003e8
R13: 000000000053bf00 R14: 000000000053bf0c R15: 000000000053bf00
BUG: sleeping function called from invalid context at net/core/sock.c:2863
in_atomic(): 1, irqs_disabled(): 0, pid: 7994, name: syz-executor.0
1 lock held by syz-executor.0/7994:
 #0: 00000000527471c0 (hci_sk_list.lock){++++}, at: hci_sock_dev_event+0x33e/0x540 net/bluetooth/hci_sock.c:756
Preemption disabled at:
[] hci_sock_dev_event+0x33e/0x540 net/bluetooth/hci_sock.c:756
CPU: 0 PID: 7994 Comm: syz-executor.0 Tainted: G W 4.19.195-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x123/0x171 lib/dump_stack.c:118
 ___might_sleep.cold.87+0x1bb/0x1f4 kernel/sched/core.c:6192
 __might_sleep+0x95/0x190 kernel/sched/core.c:6145
 lock_sock_nested+0x24/0x100 net/core/sock.c:2863
 lock_sock include/net/sock.h:1510 [inline]
 hci_sock_dev_event+0x3a3/0x540 net/bluetooth/hci_sock.c:758
 hci_unregister_dev+0x207/0x7a0 net/bluetooth/hci_core.c:3292
 vhci_release+0x6b/0xe0 drivers/bluetooth/hci_vhci.c:354
 __fput+0x249/0x7f0 fs/file_table.c:278
 ____fput+0x9/0x10 fs/file_table.c:309
 task_work_run+0x108/0x180 kernel/task_work.c:113
 tracehook_notify_resume include/linux/tracehook.h:193 [inline]
 exit_to_usermode_loop+0x1a9/0x200 arch/x86/entry/common.c:167
 prepare_exit_to_usermode arch/x86/entry/common.c:198 [inline]
 syscall_return_slowpath arch/x86/entry/common.c:271 [inline]
 do_syscall_64+0x413/0x4e0 arch/x86/entry/common.c:296
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x41741b
Code: 0f 05 48 3d 00 f0 ff ff 77 45 c3 0f 1f 40 00 48 83 ec 18 89 7c 24 0c e8 63 fc ff ff 8b 7c 24 0c 41 89 c0 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 35 44 89 c7 89 44 24 0c e8 a1 fc ff ff 8b 44
RSP: 002b:00007fff1e1f00c0 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 000000000041741b
RDX: 00000000000f4240 RSI: 00000000005402a8 RDI: 0000000000000003
RBP: 0000000000000004 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000538070 R11: 0000000000000293 R12: 00000000005402a8
R13: 000000000053bf00 R14: 00007fff1e1f01c0 R15: 000000000053bf00
BUG: scheduling while atomic: syz-executor.1/8129/0x00000002
1 lock held by syz-executor.1/8129:
 #0: 00000000527471c0 (hci_sk_list.lock){++++}, at: hci_sock_dev_event+0x33e/0x540 net/bluetooth/hci_sock.c:756
Modules linked in:
Preemption disabled at:
[] hci_sock_dev_event+0x33e/0x540 net/bluetooth/hci_sock.c:756
CPU: 1 PID: 8129 Comm: syz-executor.1 Tainted: G W 4.19.195-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x123/0x171 lib/dump_stack.c:118
 __schedule_bug.cold.89+0x7c/0x8d kernel/sched/core.c:3319
 schedule_debug kernel/sched/core.c:3334 [inline]
 __schedule+0x13e0/0x1d40 kernel/sched/core.c:3439
 schedule+0x7f/0x1b0 kernel/sched/core.c:3561
 __lock_sock+0x129/0x200 net/core/sock.c:2320
 lock_sock_nested+0xda/0x100 net/core/sock.c:2866
 lock_sock include/net/sock.h:1510 [inline]
 hci_sock_dev_event+0x3a3/0x540 net/bluetooth/hci_sock.c:758
 hci_unregister_dev+0x207/0x7a0 net/bluetooth/hci_core.c:3292
 vhci_release+0x6b/0xe0 drivers/bluetooth/hci_vhci.c:354
 __fput+0x249/0x7f0 fs/file_table.c:278
 ____fput+0x9/0x10 fs/file_table.c:309
 task_work_run+0x108/0x180 kernel/task_work.c:113
 tracehook_notify_resume include/linux/tracehook.h:193 [inline]
 exit_to_usermode_loop+0x1a9/0x200 arch/x86/entry/common.c:167
 prepare_exit_to_usermode arch/x86/entry/common.c:198 [inline]
 syscall_return_slowpath arch/x86/entry/common.c:271 [inline]
 do_syscall_64+0x413/0x4e0 arch/x86/entry/common.c:296
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x41741b
Code: 0f 05 48 3d 00 f0 ff ff 77 45 c3 0f 1f 40 00 48 83 ec 18 89 7c 24 0c e8 63 fc ff ff 8b 7c 24 0c 41 89 c0 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 35 44 89 c7 89 44 24 0c e8 a1 fc ff ff 8b 44
RSP: 002b:00007ffe3b60d880 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 0000000000000001 RCX: 000000000041741b
RDX: 0000000000000000 RSI: 00000000005402a8 RDI: 0000000000000003
RBP: 0000000000000004 R08: 0000000000000000 R09: 0000001b2c320070
R10: 00007ffe3b60d950 R11: 0000000000000293 R12: 00000000000003e8
R13: 000000000053bf00 R14: 000000000053bf0c R15: 000000000053bf00