bisecting fixing commit since 5631c5e0eb9035d92ceb20fcd9cdb7779a3f5cc7
building syzkaller on ff51e5229e0ee846d2fd687cb0dbca13de758c66
testing commit 5631c5e0eb9035d92ceb20fcd9cdb7779a3f5cc7 with gcc (GCC) 8.4.1 20210217
kernel signature: 5caf404d0e3e1e3d795e3dd32c2dd6e7fc0be5be7d59f34197c41da40bcaa465
run #0: crashed: KASAN: use-after-free Write in hci_conn_del
run #1: crashed: KASAN: use-after-free Write in hci_conn_del
run #2: crashed: KASAN: slab-out-of-bounds Write in hci_conn_del
run #3: crashed: KASAN: use-after-free Write in hci_conn_del
run #4: crashed: KASAN: slab-out-of-bounds Write in hci_conn_del
run #5: crashed: KASAN: use-after-free Write in hci_conn_del
run #6: crashed: KASAN: use-after-free Write in hci_conn_del
run #7: crashed: KASAN: slab-out-of-bounds Write in hci_conn_del
run #8: crashed: KASAN: use-after-free Write in hci_conn_del
run #9: crashed: KASAN: use-after-free Read in sco_chan_del
run #10: crashed: KASAN: use-after-free Write in hci_conn_del
run #11: crashed: KASAN: use-after-free Write in hci_conn_del
run #12: crashed: KASAN: use-after-free Write in hci_conn_del
run #13: crashed: KASAN: use-after-free Read in __queue_work
run #14: crashed: WARNING: ODEBUG bug in hci_conn_del
run #15: crashed: WARNING: ODEBUG bug in hci_conn_del
run #16: crashed: WARNING in __queue_work
run #17: OK
run #18: OK
run #19: OK
testing current HEAD e73f0f0ee7541171d89f2e2491130c7771ba58d3
testing commit e73f0f0ee7541171d89f2e2491130c7771ba58d3 with gcc (GCC) 10.2.1 20210217
kernel signature: 56f6ad465ba97d865cead15e047111ed669cba832eab3e00db65bc2fd1496ee0
run #0: crashed: KASAN: use-after-free Read in __queue_work
run #1: crashed: KASAN: use-after-free Write in hci_conn_del
run #2: crashed: KASAN: use-after-free Write in hci_conn_del
run #3: crashed: KASAN: use-after-free Write in hci_conn_del
run #4: crashed: KASAN: use-after-free Write in hci_conn_del
run #5: crashed: KASAN: use-after-free Write in hci_conn_del
run #6: crashed: KASAN: slab-out-of-bounds Write in hci_conn_del
run #7: crashed: KASAN: use-after-free Write in hci_conn_del
run #8: crashed: WARNING in __queue_work
run #9: OK
revisions tested: 2, total time: 30m36.659915467s (build: 12m28.001103311s, test: 17m16.983633704s)
the crash still happens on HEAD
commit msg: Linux 5.14-rc1
crash: WARNING in __queue_work
------------[ cut here ]------------
WARNING: CPU: 1 PID: 11547 at kernel/workqueue.c:1419 current_wq_worker kernel/workqueue_internal.h:67 [inline]
WARNING: CPU: 1 PID: 11547 at kernel/workqueue.c:1419 is_chained_work kernel/workqueue.c:1358 [inline]
WARNING: CPU: 1 PID: 11547 at kernel/workqueue.c:1419 __queue_work+0x88b/0xc30 kernel/workqueue.c:1419
Modules linked in:
CPU: 1 PID: 11547 Comm: syz-executor.4 Not tainted 5.14.0-rc1-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:__queue_work+0x88b/0xc30 kernel/workqueue.c:1419
Code: ff df 48 89 fa 48 c1 ea 03 0f b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 09 84 d2 74 05 e8 3c f3 60 00 41 f6 45 2c 20 75 2c <0f> 0b 48 83 c4 50 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 0b e9 ef fb
RSP: 0018:ffffc9000315faf0 EFLAGS: 00010046
RAX: 0000000000000007 RBX: ffff888133a59800 RCX: 0000000000000001
RDX: 0000000000000000 RSI: ffff888133a59800 RDI: ffff88813911226c
RBP: ffff88810e41e130 R08: 1ffff11021c83c30 R09: ffff88810e41e137
R10: ffffed1021c83c26 R11: ffff8881037dd550 R12: 0000000000000040
R13: ffff888139112240 R14: 0000000000000000 R15: 0000000000000001
FS: 00007f342ed20700(0000) GS:ffff8881f6500000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000530198 CR3: 0000000126475000 CR4: 0000000000350ee0
Call Trace:
 queue_delayed_work_on+0x113/0x150 kernel/workqueue.c:1681
 queue_delayed_work include/linux/workqueue.h:522 [inline]
 hci_conn_drop include/net/bluetooth/hci_core.h:1187 [inline]
 hci_conn_drop include/net/bluetooth/hci_core.h:1157 [inline]
 sco_chan_del+0x19c/0x3c0 net/bluetooth/sco.c:149
 sco_sock_close net/bluetooth/sco.c:448 [inline]
 sco_sock_release+0x5e/0x240 net/bluetooth/sco.c:1064
 __sock_release+0xbb/0x270 net/socket.c:647
 sock_close+0xf/0x20 net/socket.c:1293
 __fput+0x209/0x870 fs/file_table.c:280
 task_work_run+0xc0/0x160 kernel/task_work.c:164
 get_signal+0x14af/0x1b70 kernel/signal.c:2581
 arch_do_signal_or_restart+0x2a9/0x1d10 arch/x86/kernel/signal.c:865
 handle_signal_work kernel/entry/common.c:148 [inline]
 exit_to_user_mode_loop kernel/entry/common.c:172 [inline]
 exit_to_user_mode_prepare+0x20e/0x280 kernel/entry/common.c:209
 __syscall_exit_to_user_mode_work kernel/entry/common.c:291 [inline]
 syscall_exit_to_user_mode+0x40/0x70 kernel/entry/common.c:302
 do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x464909
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f342ed20188 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
RAX: fffffffffffffffc RBX: 000000000055bfa0 RCX: 0000000000464909
RDX: 0000000000000008 RSI: 0000000020000140 RDI: 0000000000000006
RBP: 00000000004ae620 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000055bfa0
R13: 00007fff8effda0f R14: 00007f342ed20300 R15: 0000000000022000
irq event stamp: 260
hardirqs last enabled at (259): [] __cancel_work kernel/workqueue.c:3235 [inline]
hardirqs last enabled at (259): [] cancel_delayed_work+0x24d/0x360 kernel/workqueue.c:3257
hardirqs last disabled at (260): [] queue_delayed_work_on+0xbc/0x150 kernel/workqueue.c:1678
softirqs last enabled at (256): [] lock_sock_nested+0x81/0xf0 net/core/sock.c:3104
softirqs last disabled at (254): [] spin_lock_bh include/linux/spinlock.h:359 [inline]
softirqs last disabled at (254): [] lock_sock_nested+0x39/0xf0 net/core/sock.c:3101
---[ end trace 68112764d62751d0 ]---