bisecting fixing commit since cb95712138ec5e480db5160b41172bbc6f6494cc
building syzkaller on cef5ae6814696260ff58c538a1b6044af90c5979
testing commit cb95712138ec5e480db5160b41172bbc6f6494cc with gcc (GCC) 8.4.1 20210217
kernel signature: 9b18ca80919f5801857d441e22eb090b0b0b8a9a34d95381668c75c616aa0623
run #0: crashed: KASAN: use-after-free Read in lock_sock_nested
run #1: crashed: KASAN: slab-out-of-bounds Read in lock_sock_nested
run #2: crashed: KASAN: use-after-free Read in lock_sock_nested
run #3: crashed: KASAN: use-after-free Read in lock_sock_nested
run #4: crashed: KASAN: use-after-free Read in lock_sock_nested
run #5: crashed: KASAN: use-after-free Read in lock_sock_nested
run #6: crashed: KASAN: use-after-free Read in lock_sock_nested
run #7: crashed: KASAN: use-after-free Read in lock_sock_nested
run #8: crashed: KASAN: use-after-free Read in lock_sock_nested
run #9: crashed: INFO: trying to register non-static key in l2cap_sock_teardown_cb
run #10: crashed: KASAN: use-after-free Read in lock_sock_nested
run #11: crashed: KASAN: use-after-free Read in lock_sock_nested
run #12: crashed: KASAN: use-after-free Read in lock_sock_nested
run #13: crashed: KASAN: use-after-free Read in lock_sock_nested
run #14: crashed: KASAN: use-after-free Read in lock_sock_nested
run #15: crashed: KASAN: use-after-free Read in lock_sock_nested
run #16: crashed: KASAN: slab-out-of-bounds Read in lock_sock_nested
run #17: crashed: INFO: trying to register non-static key in l2cap_sock_teardown_cb
run #18: crashed: KASAN: use-after-free Read in lock_sock_nested
run #19: crashed: KASAN: use-after-free Read in lock_sock_nested
testing current HEAD d434405aaab7d0ebc516b68a8fc4100922d7f5ef
testing commit d434405aaab7d0ebc516b68a8fc4100922d7f5ef with gcc (GCC) 10.2.1 20210217
kernel signature: 9daba37f8eacfa4f9a17ccd3a0e2ddc9dcb4b1df9ed759c831fbfcd2056ef379
run #0: crashed: KASAN: slab-out-of-bounds Read in lock_sock_nested
run #1: crashed: KASAN: use-after-free Read in lock_sock_nested
run #2: crashed: KASAN: use-after-free Read in lock_sock_nested
run #3: crashed: KASAN: slab-out-of-bounds Read in lock_sock_nested
run #4: crashed: INFO: trying to register non-static key in l2cap_sock_teardown_cb
run #5: crashed: WARNING: locking bug in l2cap_sock_teardown_cb
run #6: crashed: KASAN: use-after-free Read in lock_sock_nested
run #7: crashed: WARNING: locking bug in l2cap_sock_teardown_cb
run #8: crashed: KASAN: use-after-free Read in lock_sock_nested
run #9: crashed: KASAN: use-after-free Read in lock_sock_nested
revisions tested: 2, total time: 22m0.675298542s (build: 13m6.718968778s, test: 8m0.131603559s)
the crash still happens on HEAD
commit msg: Linux 5.12-rc7
crash: KASAN: use-after-free Read in lock_sock_nested

==================================================================
BUG: KASAN: use-after-free in __lock_acquire+0x3ad2/0x5050 kernel/locking/lockdep.c:4771
Read of size 8 at addr ffff88812255b0a0 by task kworker/1:0/19

CPU: 1 PID: 19 Comm: kworker/1:0 Not tainted 5.12.0-rc7-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events l2cap_chan_timeout
Call Trace:
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack+0x10c/0x14b lib/dump_stack.c:120
 print_address_description.constprop.0.cold+0x5b/0x2c6 mm/kasan/report.c:232
 __kasan_report mm/kasan/report.c:399 [inline]
 kasan_report.cold+0x7c/0xd8 mm/kasan/report.c:416
 __lock_acquire+0x3ad2/0x5050 kernel/locking/lockdep.c:4771
 lock_acquire kernel/locking/lockdep.c:5511 [inline]
 lock_acquire+0x212/0x850 kernel/locking/lockdep.c:5476
 __raw_spin_lock_bh include/linux/spinlock_api_smp.h:135 [inline]
 _raw_spin_lock_bh+0x2f/0x40 kernel/locking/spinlock.c:175
 spin_lock_bh include/linux/spinlock.h:359 [inline]
 lock_sock_nested+0x39/0xf0 net/core/sock.c:3057
 l2cap_sock_teardown_cb+0x83/0x3a0 net/bluetooth/l2cap_sock.c:1520
 l2cap_chan_del+0x96/0x1010 net/bluetooth/l2cap_core.c:618
 l2cap_chan_close+0xe2/0x9d0 net/bluetooth/l2cap_core.c:823
 l2cap_chan_timeout+0x122/0x3a0 net/bluetooth/l2cap_core.c:436
 process_one_work+0x84c/0x13b0 kernel/workqueue.c:2275
 worker_thread+0x598/0xf80 kernel/workqueue.c:2421
 kthread+0x36f/0x450 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294

The buggy address belongs to the page:
page:00000000500375c4 refcount:0 mapcount:-128 mapping:0000000000000000 index:0x0 pfn:0x12255b
flags: 0x17ffe0000000000()
raw: 017ffe0000000000 ffffea000468fb08 ffffea00046e6588 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffff7f 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88812255af80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88812255b000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff88812255b080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                               ^
 ffff88812255b100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff88812255b180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================

------------[ cut here ]------------
refcount_t: underflow; use-after-free.
WARNING: CPU: 1 PID: 19 at lib/refcount.c:28 refcount_warn_saturate+0x12b/0x140 lib/refcount.c:28
Modules linked in:
CPU: 1 PID: 19 Comm: kworker/1:0 Tainted: G B 5.12.0-rc7-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events l2cap_chan_timeout
RIP: 0010:refcount_warn_saturate+0x12b/0x140 lib/refcount.c:28
Code: ad ee 03 0f 0b e9 53 ff ff ff 48 89 df e8 9d e3 4a fe e9 23 ff ff ff 48 c7 c7 c0 5b 12 88 c6 05 d1 3c e3 06 01 e8 8a ad ee 03 <0f> 0b e9 2c ff ff ff 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 41
RSP: 0018:ffffc9000015fcd0 EFLAGS: 00010282
RAX: 0000000000000000 RBX: ffff88812255b080 RCX: 0000000000000000
RDX: 0000000000000001 RSI: ffffffff88129540 RDI: fffff5200002bf8c
RBP: 0000000000000003 R08: 0000000000000001 R09: ffff8881f65310e7
R10: ffffed103eca621c R11: 0000000063666572 R12: ffff88811bfca000
R13: ffff88811bfca4b8 R14: ffffffff88887560 R15: 0000000000000001
FS:  0000000000000000(0000) GS:ffff8881f6500000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f0040658008 CR3: 000000011c8c4002 CR4: 00000000001706e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 l2cap_chan_timeout+0x171/0x3a0 net/bluetooth/l2cap_core.c:438
 process_one_work+0x84c/0x13b0 kernel/workqueue.c:2275
 worker_thread+0x598/0xf80 kernel/workqueue.c:2421
 kthread+0x36f/0x450 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294
irq event stamp: 293152
hardirqs last enabled at (293151): [] __cancel_work kernel/workqueue.c:3234 [inline]
hardirqs last enabled at (293151): [] cancel_delayed_work+0x24d/0x360 kernel/workqueue.c:3256
hardirqs last disabled at (293150): [] try_to_grab_pending kernel/workqueue.c:1241 [inline]
hardirqs last disabled at (293150): [] __cancel_work kernel/workqueue.c:3227 [inline]
hardirqs last disabled at (293150): [] cancel_delayed_work+0x2ba/0x360 kernel/workqueue.c:3256
softirqs last enabled at (293136): [] spin_unlock_bh include/linux/spinlock.h:399 [inline]
softirqs last enabled at (293136): [] nsim_dev_trap_report drivers/net/netdevsim/dev.c:585 [inline]
softirqs last enabled at (293136): [] nsim_dev_trap_report_work+0x7fc/0xb40 drivers/net/netdevsim/dev.c:611
softirqs last disabled at (293152): [] spin_lock_bh include/linux/spinlock.h:359 [inline]
softirqs last disabled at (293152): [] lock_sock_nested+0x39/0xf0 net/core/sock.c:3057
---[ end trace 78476454faf61814 ]---