bisecting cause commit starting from d12d7e1cfe38e0c36d28c7a9fbbc436ad0d17c14 building syzkaller on af01ee7dda3c1b644f43230ae466b6dc7ceb97c3 testing commit d12d7e1cfe38e0c36d28c7a9fbbc436ad0d17c14 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: b29174628a95eeda3971265ccfd04ad8afda34c961f52a8b70ab54b3a5f92116 run #0: crashed: possible deadlock in sco_conn_del run #1: crashed: possible deadlock in sco_conn_del run #2: crashed: possible deadlock in sco_conn_del run #3: crashed: possible deadlock in sco_conn_del run #4: crashed: possible deadlock in sco_conn_del run #5: crashed: possible deadlock in sco_conn_del run #6: crashed: possible deadlock in sco_conn_del run #7: crashed: possible deadlock in sco_conn_del run #8: crashed: possible deadlock in sco_conn_del run #9: crashed: possible deadlock in sco_conn_del run #10: crashed: possible deadlock in sco_conn_del run #11: crashed: possible deadlock in sco_conn_del run #12: crashed: possible deadlock in sco_conn_del run #13: crashed: possible deadlock in sco_conn_del run #14: crashed: possible deadlock in sco_conn_del run #15: crashed: possible deadlock in sco_conn_del run #16: crashed: possible deadlock in sco_conn_del run #17: crashed: possible deadlock in sco_conn_del run #18: OK run #19: OK testing release v5.17 testing commit f443e374ae131c168a065ea1748feac6b2e76613 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: e118cb2f9b8708bd8f74fd5531a5feccd71d9fd0fe305966c4c21c29388727a8 all runs: OK # git bisect start d12d7e1cfe38e0c36d28c7a9fbbc436ad0d17c14 f443e374ae131c168a065ea1748feac6b2e76613 Bisecting: 8482 revisions left to test after this (roughly 13 steps) [b14ffae378aa1db993e62b01392e70d1e585fb23] Merge tag 'drm-next-2022-03-24' of git://anongit.freedesktop.org/drm/drm testing commit b14ffae378aa1db993e62b01392e70d1e585fb23 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 442c1c2430412eb5bad629deb8e45fa54d6cb046333458ec7b63453a0669d4f2 all runs: OK # git bisect good b14ffae378aa1db993e62b01392e70d1e585fb23 Bisecting: 4226 revisions left to test after this (roughly 12 steps) [74164d284b2909de0ba13518cc063e9ea9334749] Merge tag 'pwm/for-5.18-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/thierry.reding/linux-pwm testing commit 74164d284b2909de0ba13518cc063e9ea9334749 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: d85ed284b82f15e2bc3b0ec9df231ac37521b245cfe23751fd7d625f70d3dca0 all runs: OK # git bisect good 74164d284b2909de0ba13518cc063e9ea9334749 Bisecting: 2032 revisions left to test after this (roughly 11 steps) [87d91a94661c320823fb7baebf14408444de49b6] Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next.git testing commit 87d91a94661c320823fb7baebf14408444de49b6 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 762bd907e6bbe017495db21347314fdb373a206f577891b088363bc88c4aed8b all runs: OK # git bisect good 87d91a94661c320823fb7baebf14408444de49b6 Bisecting: 1018 revisions left to test after this (roughly 10 steps) [52cc792efae1e59551bf8eabf7e2ead993c19ac9] Merge branch 'pcmcia-next' of git://git.kernel.org/pub/scm/linux/kernel/git/brodo/linux.git testing commit 52cc792efae1e59551bf8eabf7e2ead993c19ac9 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 4a814b22c7bf0bc3628f231dcd2041b65c945ab6bb3406345eb538c431690eca run #0: crashed: possible deadlock in sco_conn_del run #1: crashed: possible deadlock in sco_conn_del run #2: crashed: possible deadlock in sco_conn_del run #3: crashed: possible deadlock in sco_conn_del run #4: crashed: possible deadlock in sco_conn_del run #5: crashed: possible deadlock in sco_conn_del run #6: crashed: possible deadlock in sco_conn_del run #7: crashed: possible deadlock in sco_conn_del run #8: crashed: possible deadlock in sco_conn_del run #9: OK # git bisect bad 52cc792efae1e59551bf8eabf7e2ead993c19ac9 Bisecting: 455 revisions left to test after this (roughly 9 steps) [6e45a53f370bf5eec5c2cafbab54ac7aa39130db] Merge branch 'drm-next' of https://gitlab.freedesktop.org/agd5f/linux testing commit 6e45a53f370bf5eec5c2cafbab54ac7aa39130db compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: e977fe4b0e80bb5712d59065d6e8a274b69eabbe8b2b4dd1bd259dce13bf4835 all runs: crashed: possible deadlock in sco_conn_del # git bisect bad 6e45a53f370bf5eec5c2cafbab54ac7aa39130db Bisecting: 278 revisions left to test after this (roughly 8 steps) [3870b54e0684a17ac95ae7ec8fffbcb6357731ea] drm/vc4: kms: Improve logging testing commit 3870b54e0684a17ac95ae7ec8fffbcb6357731ea compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: ef57a79024fe967c1eabb000ab8ca4fd22b09fd2a3703ecd50019059589c84c3 all runs: OK # git bisect good 3870b54e0684a17ac95ae7ec8fffbcb6357731ea Bisecting: 138 revisions left to test after this (roughly 7 steps) [342cd657764d4f5ea4de7281576fb0f26b06951a] Merge branch 'mtd/next' of git://git.kernel.org/pub/scm/linux/kernel/git/mtd/linux.git testing commit 342cd657764d4f5ea4de7281576fb0f26b06951a compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: f6c8ec5532667c987085da4afc96bc28d1a4a2a5f4797093829402d260865ee6 all runs: crashed: possible deadlock in sco_conn_del # git bisect bad 342cd657764d4f5ea4de7281576fb0f26b06951a Bisecting: 66 revisions left to test after this (roughly 6 steps) [ebc7a4962765ad789b678c5445ee8b749662fb5f] Merge ath-next from git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/ath.git testing commit ebc7a4962765ad789b678c5445ee8b749662fb5f compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 7ddf20cff31850001aa5c7d8147102bb9047e3d50bfc636e33ce223ea4d8c85a all runs: OK # git bisect good ebc7a4962765ad789b678c5445ee8b749662fb5f Bisecting: 32 revisions left to test after this (roughly 5 steps) [43ffc7321ed6ce13e5424fa687576f4442c25f9d] Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next.git testing commit 43ffc7321ed6ce13e5424fa687576f4442c25f9d compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 908a8257023bc6377ef5267b5907d1dbf591ff45ef54fb4eb2fa79134efb36d7 run #0: crashed: possible deadlock in sco_conn_del run #1: crashed: possible deadlock in sco_conn_del run #2: crashed: possible deadlock in sco_conn_del run #3: crashed: possible deadlock in sco_conn_del run #4: crashed: possible deadlock in sco_conn_del run #5: crashed: possible deadlock in sco_conn_del run #6: crashed: possible deadlock in sco_conn_del run #7: crashed: possible deadlock in sco_conn_del run #8: OK run #9: OK # git bisect bad 43ffc7321ed6ce13e5424fa687576f4442c25f9d Bisecting: 16 revisions left to test after this (roughly 4 steps) [2451da081a343e079d9f5a7b063fcdf0bc439aa8] net/mlx5: Unify device IPsec capabilities check testing commit 2451da081a343e079d9f5a7b063fcdf0bc439aa8 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 1958b9dfc8c35f6585c60e138c2c69e95df44b8de11ca405b973cd561f0ca5c0 all runs: OK # git bisect good 2451da081a343e079d9f5a7b063fcdf0bc439aa8 Bisecting: 8 revisions left to test after this (roughly 3 steps) [fa5cd0fd5bdf940e392ff5a83238034cb6abe605] Bluetooth: Print broken quirks testing commit fa5cd0fd5bdf940e392ff5a83238034cb6abe605 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 6e73e882dd476f5263d277770d81e73f1d17a34416e12efdc74bf53af742f40d all runs: crashed: possible deadlock in sco_conn_del # git bisect bad fa5cd0fd5bdf940e392ff5a83238034cb6abe605 Bisecting: 3 revisions left to test after this (roughly 2 steps) [9d5632f179b1d419cdf236cabcd2b92c66f2c698] Bluetooth: Keep MGMT pending queue ordered FIFO testing commit 9d5632f179b1d419cdf236cabcd2b92c66f2c698 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 16fe7a5df08afba3636a97e1ac7c861e57608503f8d384ef98887054003ff465 run #0: basic kernel testing failed: BUG: program execution failed: executor NUM: exit status NUM run #1: crashed: possible deadlock in sco_conn_del run #2: crashed: possible deadlock in sco_conn_del run #3: crashed: possible deadlock in sco_conn_del run #4: crashed: possible deadlock in sco_conn_del run #5: crashed: possible deadlock in sco_conn_del run #6: crashed: possible deadlock in sco_conn_del run #7: crashed: possible deadlock in sco_conn_del run #8: OK run #9: OK # git bisect bad 9d5632f179b1d419cdf236cabcd2b92c66f2c698 Bisecting: 1 revision left to test after this (roughly 1 step) [252e3dbcae50e9776b6ff3427e3e7decc7b61030] Bluetooth: mt7921s: Fix the incorrect pointer check testing commit 252e3dbcae50e9776b6ff3427e3e7decc7b61030 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 1c8d1e1b2d930121b566c1ea9b2de5351a8c63b1907584fe7ce51ea8277a2402 all runs: OK # git bisect good 252e3dbcae50e9776b6ff3427e3e7decc7b61030 Bisecting: 0 revisions left to test after this (roughly 0 steps) [92b8aa6d18f7a9ae36a0f71d31742aeef201207a] Bluetooth: fix dangling sco_conn and use-after-free in sco_sock_timeout testing commit 92b8aa6d18f7a9ae36a0f71d31742aeef201207a compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 115f58e84534e273f97e2d367fbd4c5f7139018b3ea5fb40bcfde9986454ec92 run #0: crashed: possible deadlock in sco_conn_del run #1: crashed: possible deadlock in sco_conn_del run #2: crashed: possible deadlock in sco_conn_del run #3: crashed: possible deadlock in sco_conn_del run #4: crashed: possible deadlock in sco_conn_del run #5: crashed: possible deadlock in sco_conn_del run #6: crashed: possible deadlock in sco_conn_del run #7: crashed: possible deadlock in sco_conn_del run #8: crashed: possible deadlock in sco_conn_del run #9: OK # git bisect bad 92b8aa6d18f7a9ae36a0f71d31742aeef201207a 92b8aa6d18f7a9ae36a0f71d31742aeef201207a is the first bad commit commit 92b8aa6d18f7a9ae36a0f71d31742aeef201207a Author: Ying Hsu Date: Sat Mar 26 07:09:28 2022 +0000 Bluetooth: fix dangling sco_conn and use-after-free in sco_sock_timeout Connecting the same socket twice consecutively in sco_sock_connect() could lead to a race condition where two sco_conn objects are created but only one is associated with the socket. If the socket is closed before the SCO connection is established, the timer associated with the dangling sco_conn object won't be canceled. As the sock object is being freed, the use-after-free problem happens when the timer callback function sco_sock_timeout() accesses the socket. Here's the call trace: dump_stack+0x107/0x163 ? refcount_inc+0x1c/ print_address_description.constprop.0+0x1c/0x47e ? refcount_inc+0x1c/0x7b kasan_report+0x13a/0x173 ? refcount_inc+0x1c/0x7b check_memory_region+0x132/0x139 refcount_inc+0x1c/0x7b sco_sock_timeout+0xb2/0x1ba process_one_work+0x739/0xbd1 ? cancel_delayed_work+0x13f/0x13f ? __raw_spin_lock_init+0xf0/0xf0 ? to_kthread+0x59/0x85 worker_thread+0x593/0x70e kthread+0x346/0x35a ? drain_workqueue+0x31a/0x31a ? kthread_bind+0x4b/0x4b ret_from_fork+0x1f/0x30 Link: https://syzkaller.appspot.com/bug?extid=2bef95d3ab4daa10155b Reported-by: syzbot+2bef95d3ab4daa10155b@syzkaller.appspotmail.com Fixes: e1dee2c1de2b ("Bluetooth: fix repeated calls to sco_sock_kill") Signed-off-by: Ying Hsu Reviewed-by: Joseph Hwang Signed-off-by: Marcel Holtmann net/bluetooth/sco.c | 21 +++++++++++++-------- 1 file changed, 13 insertions(+), 8 deletions(-) culprit signature: 115f58e84534e273f97e2d367fbd4c5f7139018b3ea5fb40bcfde9986454ec92 parent signature: 1c8d1e1b2d930121b566c1ea9b2de5351a8c63b1907584fe7ce51ea8277a2402 revisions tested: 16, total time: 2h56m48.58748421s (build: 1h38m21.761292517s, test: 1h16m51.11328239s) first bad commit: 92b8aa6d18f7a9ae36a0f71d31742aeef201207a Bluetooth: fix dangling sco_conn and use-after-free in sco_sock_timeout recipients (to): ["josephsih@chromium.org" "marcel@holtmann.org" "yinghsu@chromium.org"] recipients (cc): [] crash: possible deadlock in sco_conn_del ====================================================== WARNING: possible circular locking dependency detected 5.18.0-rc1-syzkaller #0 Not tainted ------------------------------------------------------ syz-executor539/4084 is trying to acquire lock: ffff8880219db130 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}, at: lock_sock include/net/sock.h:1682 [inline] ffff8880219db130 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}, at: sco_conn_del+0xd4/0x210 net/bluetooth/sco.c:197 but task is already holding lock: ffffffff8c68dee8 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_disconn_cfm include/net/bluetooth/hci_core.h:1576 [inline] ffffffff8c68dee8 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_conn_hash_flush+0xb9/0x210 net/bluetooth/hci_conn.c:1458 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #2 (hci_cb_list_lock){+.+.}-{3:3}: __mutex_lock_common kernel/locking/mutex.c:600 [inline] __mutex_lock+0x12f/0x12f0 kernel/locking/mutex.c:733 hci_connect_cfm include/net/bluetooth/hci_core.h:1561 [inline] hci_remote_features_evt+0x4eb/0x860 net/bluetooth/hci_event.c:3736 hci_event_func net/bluetooth/hci_event.c:6890 [inline] hci_event_packet+0x609/0xcf0 net/bluetooth/hci_event.c:6939 hci_rx_work+0x3e4/0xba0 net/bluetooth/hci_core.c:3819 process_one_work+0x865/0x13d0 kernel/workqueue.c:2289 worker_thread+0x598/0xec0 kernel/workqueue.c:2436 kthread+0x299/0x340 kernel/kthread.c:376 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:298 -> #1 (&hdev->lock){+.+.}-{3:3}: __mutex_lock_common kernel/locking/mutex.c:600 [inline] __mutex_lock+0x12f/0x12f0 kernel/locking/mutex.c:733 sco_sock_connect+0x16a/0x8f0 net/bluetooth/sco.c:593 __sys_connect+0xf5/0x120 net/socket.c:1917 __do_sys_connect net/socket.c:1927 [inline] __se_sys_connect net/socket.c:1924 [inline] __x64_sys_connect+0x6a/0xb0 net/socket.c:1924 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae -> #0 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}: check_prev_add kernel/locking/lockdep.c:3065 [inline] check_prevs_add kernel/locking/lockdep.c:3188 [inline] validate_chain kernel/locking/lockdep.c:3803 [inline] __lock_acquire+0x2a44/0x5660 kernel/locking/lockdep.c:5029 lock_acquire kernel/locking/lockdep.c:5641 [inline] lock_acquire+0x1ab/0x510 kernel/locking/lockdep.c:5606 lock_sock_nested+0x2b/0xd0 net/core/sock.c:3312 lock_sock include/net/sock.h:1682 [inline] sco_conn_del+0xd4/0x210 net/bluetooth/sco.c:197 hci_disconn_cfm include/net/bluetooth/hci_core.h:1579 [inline] hci_conn_hash_flush+0xfb/0x210 net/bluetooth/hci_conn.c:1458 hci_dev_close_sync+0x462/0xef0 net/bluetooth/hci_sync.c:4121 hci_dev_do_close+0x23/0x60 net/bluetooth/hci_core.c:553 hci_rfkill_set_block+0x111/0x140 net/bluetooth/hci_core.c:935 rfkill_set_block+0x191/0x440 net/rfkill/core.c:345 rfkill_fop_write+0x233/0x470 net/rfkill/core.c:1286 vfs_write+0x1b7/0x8f0 fs/read_write.c:589 ksys_write+0x16b/0x1c0 fs/read_write.c:644 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae other info that might help us debug this: Chain exists of: sk_lock-AF_BLUETOOTH-BTPROTO_SCO --> &hdev->lock --> hci_cb_list_lock Possible unsafe locking scenario: CPU0 CPU1 ---- ---- lock(hci_cb_list_lock); lock(&hdev->lock); lock(hci_cb_list_lock); lock(sk_lock-AF_BLUETOOTH-BTPROTO_SCO); *** DEADLOCK *** 4 locks held by syz-executor539/4084: #0: ffffffff8c858928 (rfkill_global_mutex){+.+.}-{3:3}, at: rfkill_fop_write+0x119/0x470 net/rfkill/core.c:1278 #1: ffff88807e135048 (&hdev->req_lock){+.+.}-{3:3}, at: hci_dev_do_close+0x1b/0x60 net/bluetooth/hci_core.c:551 #2: ffff88807e134078 (&hdev->lock){+.+.}-{3:3}, at: hci_dev_close_sync+0x1f0/0xef0 net/bluetooth/hci_sync.c:4108 #3: ffffffff8c68dee8 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_disconn_cfm include/net/bluetooth/hci_core.h:1576 [inline] #3: ffffffff8c68dee8 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_conn_hash_flush+0xb9/0x210 net/bluetooth/hci_conn.c:1458 stack backtrace: CPU: 0 PID: 4084 Comm: syz-executor539 Not tainted 5.18.0-rc1-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x57/0x7d lib/dump_stack.c:106 check_noncircular+0x25f/0x2e0 kernel/locking/lockdep.c:2145 check_prev_add kernel/locking/lockdep.c:3065 [inline] check_prevs_add kernel/locking/lockdep.c:3188 [inline] validate_chain kernel/locking/lockdep.c:3803 [inline] __lock_acquire+0x2a44/0x5660 kernel/locking/lockdep.c:5029 lock_acquire kernel/locking/lockdep.c:5641 [inline] lock_acquire+0x1ab/0x510 kernel/locking/lockdep.c:5606 lock_sock_nested+0x2b/0xd0 net/core/sock.c:3312 lock_sock include/net/sock.h:1682 [inline] sco_conn_del+0xd4/0x210 net/bluetooth/sco.c:197 hci_disconn_cfm include/net/bluetooth/hci_core.h:1579 [inline] hci_conn_hash_flush+0xfb/0x210 net/bluetooth/hci_conn.c:1458 hci_dev_close_sync+0x462/0xef0 net/bluetooth/hci_sync.c:4121 hci_dev_do_close+0x23/0x60 net/bluetooth/hci_core.c:553 hci_rfkill_set_block+0x111/0x140 net/bluetooth/hci_core.c:935 rfkill_set_block+0x191/0x440 net/rfkill/core.c:345 rfkill_fop_write+0x233/0x470 net/rfkill/core.c:1286 vfs_write+0x1b7/0x8f0 fs/read_write.c:589 ksys_write+0x16b/0x1c0 fs/read_write.c:644 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7fc27cdae609 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 d1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fc27c55d2f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 00007fc27ce374c0 RCX: 00007fc27cdae609 RDX: 0000000000000008 RSI: 0000000020000080 RDI: 0000000000000003 RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffe70663b1e R13: 00007ffe70663b1f R14: 00007fc27ce374c8 R15: 0000000000022000