bisecting fixing commit since c076c79e03c6094e578df5d210fde808b3ad32e6
building syzkaller on cb436c69d9bcb0330518a48559649c9436ed5e7a
testing commit c076c79e03c6094e578df5d210fde808b3ad32e6 with gcc (GCC) 8.1.0
kernel signature: cba2b962b1568f5d85a4fa420dfbaea04fc14d1018d0694556604011ee6e282a
run #0: crashed: KASAN: use-after-free Read in l2cap_chan_close
run #1: crashed: KASAN: use-after-free Read in l2cap_chan_close
run #2: crashed: KASAN: use-after-free Read in l2cap_chan_close
run #3: crashed: KASAN: use-after-free Read in l2cap_chan_close
run #4: crashed: KASAN: use-after-free Read in l2cap_chan_close
run #5: crashed: KASAN: use-after-free Read in l2cap_chan_close
run #6: crashed: KASAN: use-after-free Read in l2cap_chan_close
run #7: crashed: KASAN: use-after-free Read in l2cap_chan_close
run #8: crashed: KASAN: use-after-free Read in l2cap_chan_close
run #9: crashed: KASAN: use-after-free Write in ex_handler_refcount
testing current HEAD c37da90efff5f183bea6ae4c2af33571f61fe317
testing commit c37da90efff5f183bea6ae4c2af33571f61fe317 with gcc (GCC) 8.1.0
kernel signature: 1762fc3904fd1470d26a3e3ab0725ded82963ede84d59194012009b8e5f42c91
all runs: OK
# git bisect start c37da90efff5f183bea6ae4c2af33571f61fe317 c076c79e03c6094e578df5d210fde808b3ad32e6
Bisecting: 256 revisions left to test after this (roughly 8 steps)
[706695d477fb16a5920098535380ee39337e7ea8] driver core: Avoid binding drivers to dead devices
testing commit 706695d477fb16a5920098535380ee39337e7ea8 with gcc (GCC) 8.1.0
kernel signature: d600128db696f5d1c725ee5b8d464db247c2b92a72ef39675a2c835382c4a0e4
all runs: OK
# git bisect bad 706695d477fb16a5920098535380ee39337e7ea8
Bisecting: 128 revisions left to test after this (roughly 7 steps)
[7106f943302247ed9fcde84afdca06cbe9e19dce] ipvs: allow connection reuse for unconfirmed conntrack
testing commit 7106f943302247ed9fcde84afdca06cbe9e19dce with gcc (GCC) 8.1.0
kernel signature: 00f5aeae96adadf3b24a99c8b94e6366506f50bccc96cee33bfb05eb91a20540
all runs: OK
# git bisect bad 7106f943302247ed9fcde84afdca06cbe9e19dce
Bisecting: 63 revisions left to test after this (roughly 6 steps)
[ecf6e2538009f1756cfd2d191905611077ddb23f] arm64: dts: rockchip: fix rk3399-puma vcc5v0-host gpio
testing commit ecf6e2538009f1756cfd2d191905611077ddb23f with gcc (GCC) 8.1.0
kernel signature: d083cdec4696b6e6b2466de1b3bc152ad116ca6d964e1440c01a4b9b4eb87804
run #0: crashed: KASAN: use-after-free Read in l2cap_chan_close
run #1: crashed: KASAN: use-after-free Write in ex_handler_refcount
run #2: crashed: KASAN: use-after-free Write in ex_handler_refcount
run #3: crashed: KASAN: use-after-free Write in ex_handler_refcount
run #4: crashed: KASAN: use-after-free Read in l2cap_chan_close
run #5: crashed: KASAN: use-after-free Read in l2cap_chan_close
run #6: crashed: KASAN: use-after-free Write in ex_handler_refcount
run #7: crashed: KASAN: use-after-free Read in l2cap_chan_close
run #8: crashed: KASAN: use-after-free Read in l2cap_chan_close
run #9: crashed: KASAN: use-after-free Write in ex_handler_refcount
# git bisect good ecf6e2538009f1756cfd2d191905611077ddb23f
Bisecting: 31 revisions left to test after this (roughly 5 steps)
[2b8064de21e82b2d643f55849ab903b8f252ea7f] drm/radeon: disable AGP by default
testing commit 2b8064de21e82b2d643f55849ab903b8f252ea7f with gcc (GCC) 8.1.0
kernel signature: 949dae0abf3e714c7c3e872a2ea3ae8a4f530ad88bfe6d8c6487b3f001e7779c
all runs: OK
# git bisect bad 2b8064de21e82b2d643f55849ab903b8f252ea7f
Bisecting: 15 revisions left to test after this (roughly 4 steps)
[c4579cda1929584ae50c20e673c1991068397739] ARM: socfpga: PM: add missing put_device() call in socfpga_setup_ocram_self_refresh()
testing commit c4579cda1929584ae50c20e673c1991068397739 with gcc (GCC) 8.1.0
kernel signature: c94ad3ca43a59bf90ca3acd0213366366191b340418f926eddac500d9cd9102a
run #0: crashed: KASAN: use-after-free Write in ex_handler_refcount
run #1: crashed: KASAN: use-after-free Read in l2cap_chan_close
run #2: crashed: KASAN: use-after-free Write in ex_handler_refcount
run #3: crashed: KASAN: use-after-free Write in ex_handler_refcount
run #4: crashed: KASAN: use-after-free Write in ex_handler_refcount
run #5: crashed: KASAN: use-after-free Write in ex_handler_refcount
run #6: crashed: KASAN: use-after-free Write in ex_handler_refcount
run #7: crashed: KASAN: use-after-free Read in l2cap_chan_close
run #8: crashed: KASAN: use-after-free Write in ex_handler_refcount
run #9: crashed: KASAN: use-after-free Write in ex_handler_refcount
# git bisect good c4579cda1929584ae50c20e673c1991068397739
Bisecting: 7 revisions left to test after this (roughly 3 steps)
[98d7ab74d3346aebc3c14e012023267af4b4edda] crypto: aesni - Fix build with LLVM_IAS=1
testing commit 98d7ab74d3346aebc3c14e012023267af4b4edda with gcc (GCC) 8.1.0
kernel signature: 85c6b72b4d28938e5ccea9aec51ea6ae78d8c7b14c529b1f6748b82e7c5c49fc
all runs: OK
# git bisect bad 98d7ab74d3346aebc3c14e012023267af4b4edda
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[f73b59725d73ad239a5670e85b8765ec23099f0d] loop: be paranoid on exit and prevent new additions / removals
testing commit f73b59725d73ad239a5670e85b8765ec23099f0d with gcc (GCC) 8.1.0
kernel signature: 9ebde2f276be73307374f9e44ccf0e0cf06fc37e475201cd71e593fdaff33400
all runs: OK
# git bisect bad f73b59725d73ad239a5670e85b8765ec23099f0d
Bisecting: 1 revision left to test after this (roughly 1 step)
[fe104ad82e51fc70636f060a6d805be75ce47004] soc: qcom: rpmh-rsc: Set suppress_bind_attrs flag
testing commit fe104ad82e51fc70636f060a6d805be75ce47004 with gcc (GCC) 8.1.0
kernel signature: 7efec6d1bf99147d3d18d3fefe207551059555aae4bba778cdecba22a0775164
run #0: crashed: KASAN: use-after-free Write in ex_handler_refcount
run #1: crashed: KASAN: use-after-free Write in ex_handler_refcount
run #2: crashed: KASAN: use-after-free Write in ex_handler_refcount
run #3: crashed: KASAN: use-after-free Read in l2cap_chan_close
run #4: crashed: KASAN: use-after-free Write in ex_handler_refcount
run #5: crashed: KASAN: use-after-free Write in ex_handler_refcount
run #6: crashed: KASAN: use-after-free Write in ex_handler_refcount
run #7: crashed: KASAN: use-after-free Write in ex_handler_refcount
run #8: crashed: KASAN: use-after-free Read in l2cap_chan_close
run #9: crashed: KASAN: use-after-free Write in ex_handler_refcount
# git bisect good fe104ad82e51fc70636f060a6d805be75ce47004
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[29e1dfcd5150097f32f34891c85a50d9ead19df3] Bluetooth: add a mutex lock to avoid UAF in do_enale_set
testing commit 29e1dfcd5150097f32f34891c85a50d9ead19df3 with gcc (GCC) 8.1.0
kernel signature: db062728c7fb88db4bb5bdeda4739c78cbe92d42cafb00b98865c029140b7f85
all runs: OK
# git bisect bad 29e1dfcd5150097f32f34891c85a50d9ead19df3
29e1dfcd5150097f32f34891c85a50d9ead19df3 is the first bad commit
commit 29e1dfcd5150097f32f34891c85a50d9ead19df3
Author: Lihong Kou
Date:   Tue Jun 23 20:28:41 2020 +0800

    Bluetooth: add a mutex lock to avoid UAF in do_enale_set

    [ Upstream commit f9c70bdc279b191da8d60777c627702c06e4a37d ]

    In the case we set or free the global value listen_chan in different
    threads, we can encounter the UAF problems because the method is not
    protected by any lock, add one to avoid this bug.

    BUG: KASAN: use-after-free in l2cap_chan_close+0x48/0x990 net/bluetooth/l2cap_core.c:730
    Read of size 8 at addr ffff888096950000 by task kworker/1:102/2868

    CPU: 1 PID: 2868 Comm: kworker/1:102 Not tainted 5.5.0-syzkaller #0
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
    Workqueue: events do_enable_set
    Call Trace:
     __dump_stack lib/dump_stack.c:77 [inline]
     dump_stack+0x1fb/0x318 lib/dump_stack.c:118
     print_address_description+0x74/0x5c0 mm/kasan/report.c:374
     __kasan_report+0x149/0x1c0 mm/kasan/report.c:506
     kasan_report+0x26/0x50 mm/kasan/common.c:641
     __asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:135
     l2cap_chan_close+0x48/0x990 net/bluetooth/l2cap_core.c:730
     do_enable_set+0x660/0x900 net/bluetooth/6lowpan.c:1074
     process_one_work+0x7f5/0x10f0 kernel/workqueue.c:2264
     worker_thread+0xbbc/0x1630 kernel/workqueue.c:2410
     kthread+0x332/0x350 kernel/kthread.c:255
     ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352

    Allocated by task 2870:
     save_stack mm/kasan/common.c:72 [inline]
     set_track mm/kasan/common.c:80 [inline]
     __kasan_kmalloc+0x118/0x1c0 mm/kasan/common.c:515
     kasan_kmalloc+0x9/0x10 mm/kasan/common.c:529
     kmem_cache_alloc_trace+0x221/0x2f0 mm/slab.c:3551
     kmalloc include/linux/slab.h:555 [inline]
     kzalloc include/linux/slab.h:669 [inline]
     l2cap_chan_create+0x50/0x320 net/bluetooth/l2cap_core.c:446
     chan_create net/bluetooth/6lowpan.c:640 [inline]
     bt_6lowpan_listen net/bluetooth/6lowpan.c:959 [inline]
     do_enable_set+0x6a4/0x900 net/bluetooth/6lowpan.c:1078
     process_one_work+0x7f5/0x10f0 kernel/workqueue.c:2264
     worker_thread+0xbbc/0x1630 kernel/workqueue.c:2410
     kthread+0x332/0x350 kernel/kthread.c:255
     ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352

    Freed by task 2870:
     save_stack mm/kasan/common.c:72 [inline]
     set_track mm/kasan/common.c:80 [inline]
     kasan_set_free_info mm/kasan/common.c:337 [inline]
     __kasan_slab_free+0x12e/0x1e0 mm/kasan/common.c:476
     kasan_slab_free+0xe/0x10 mm/kasan/common.c:485
     __cache_free mm/slab.c:3426 [inline]
     kfree+0x10d/0x220 mm/slab.c:3757
     l2cap_chan_destroy net/bluetooth/l2cap_core.c:484 [inline]
     kref_put include/linux/kref.h:65 [inline]
     l2cap_chan_put+0x170/0x190 net/bluetooth/l2cap_core.c:498
     do_enable_set+0x66c/0x900 net/bluetooth/6lowpan.c:1075
     process_one_work+0x7f5/0x10f0 kernel/workqueue.c:2264
     worker_thread+0xbbc/0x1630 kernel/workqueue.c:2410
     kthread+0x332/0x350 kernel/kthread.c:255
     ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352

    The buggy address belongs to the object at ffff888096950000
     which belongs to the cache kmalloc-2k of size 2048
    The buggy address is located 0 bytes inside of
     2048-byte region [ffff888096950000, ffff888096950800)
    The buggy address belongs to the page:
    page:ffffea00025a5400 refcount:1 mapcount:0 mapping:ffff8880aa400e00 index:0x0
    flags: 0xfffe0000000200(slab)
    raw: 00fffe0000000200 ffffea00027d1548 ffffea0002397808 ffff8880aa400e00
    raw: 0000000000000000 ffff888096950000 0000000100000001 0000000000000000
    page dumped because: kasan: bad access detected

    Memory state around the buggy address:
     ffff88809694ff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
     ffff88809694ff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    >ffff888096950000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                       ^
     ffff888096950080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
     ffff888096950100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
    ==================================================================

    Reported-by: syzbot+96414aa0033c363d8458@syzkaller.appspotmail.com
    Signed-off-by: Lihong Kou
    Signed-off-by: Marcel Holtmann
    Signed-off-by: Sasha Levin

 net/bluetooth/6lowpan.c | 5 +++++
 1 file changed, 5 insertions(+)

culprit signature: db062728c7fb88db4bb5bdeda4739c78cbe92d42cafb00b98865c029140b7f85
parent signature: 7efec6d1bf99147d3d18d3fefe207551059555aae4bba778cdecba22a0775164
revisions tested: 11, total time: 3h29m57.505832222s (build: 1h59m36.148428953s, test: 1h28m15.357344935s)
first good commit: 29e1dfcd5150097f32f34891c85a50d9ead19df3 Bluetooth: add a mutex lock to avoid UAF in do_enale_set
recipients (to): ["koulihong@huawei.com" "marcel@holtmann.org" "sashal@kernel.org"]
recipients (cc): []