ci starts bisection 2023-05-16 06:14:03.446621657 +0000 UTC m=+33586.143899166 bisecting fixing commit since c9c3395d5e3dcc6daee66c6908354d47bf98cb0c building syzkaller on bcdf85f8bd3fccff5bc9507a589c4847d9b35405 ensuring issue is reproducible on original commit c9c3395d5e3dcc6daee66c6908354d47bf98cb0c testing commit c9c3395d5e3dcc6daee66c6908354d47bf98cb0c gcc compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 472e716c8675d75bfc4362084ab99ac214a7356e62ee7effacce6ff3a5fe8cb2 run #0: crashed: possible deadlock in sco_conn_del run #1: crashed: possible deadlock in sco_conn_del run #2: crashed: possible deadlock in sco_conn_del run #3: crashed: possible deadlock in sco_conn_del run #4: crashed: possible deadlock in sco_conn_del run #5: crashed: possible deadlock in sco_conn_del run #6: crashed: possible deadlock in sco_conn_del run #7: crashed: possible deadlock in sco_conn_del run #8: crashed: possible deadlock in sco_conn_del run #9: crashed: possible deadlock in sco_conn_del run #10: crashed: possible deadlock in sco_conn_del run #11: crashed: possible deadlock in sco_conn_del run #12: crashed: INFO: rcu detected stall in corrupted run #13: crashed: INFO: rcu detected stall in corrupted run #14: crashed: INFO: rcu detected stall in corrupted run #15: crashed: INFO: rcu detected stall in corrupted run #16: crashed: INFO: rcu detected stall in corrupted run #17: crashed: INFO: rcu detected stall in corrupted run #18: crashed: INFO: rcu detected stall in corrupted run #19: crashed: INFO: rcu detected stall in corrupted testing current HEAD f1fcbaa18b28dec10281551dfe6ed3a3ed80e3d6 testing commit f1fcbaa18b28dec10281551dfe6ed3a3ed80e3d6 gcc compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: c86e7c898ed40a6761cf4ff535310c6940ff2af974819a7f95cbf7e223741c58 all runs: crashed: KASAN: slab-use-after-free Read in hci_conn_hash_flush crash still not fixed/happens on the oldest tested release revisions tested: 2, total time: 53m59.424862467s (build: 46m2.161311924s, test: 7m14.396724146s) crash still not fixed on HEAD or HEAD had kernel test errors commit msg: Linux 6.4-rc2 crash: KASAN: slab-use-after-free Read in hci_conn_hash_flush ================================================================== BUG: KASAN: slab-use-after-free in hci_conn_hash_flush+0x1f7/0x220 net/bluetooth/hci_conn.c:2470 Read of size 8 at addr ffff888079184000 by task syz-executor.1/5527 CPU: 1 PID: 5527 Comm: syz-executor.1 Not tainted 6.4.0-rc2-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/28/2023 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x64/0xb0 lib/dump_stack.c:106 print_address_description.constprop.0+0x2c/0x3c0 mm/kasan/report.c:351 print_report mm/kasan/report.c:462 [inline] kasan_report+0x11c/0x130 mm/kasan/report.c:572 hci_conn_hash_flush+0x1f7/0x220 net/bluetooth/hci_conn.c:2470 hci_dev_close_sync+0x4e1/0xfa0 net/bluetooth/hci_sync.c:4941 hci_dev_do_close+0x27/0x60 net/bluetooth/hci_core.c:554 hci_rfkill_set_block+0x110/0x140 net/bluetooth/hci_core.c:956 rfkill_set_block+0x191/0x440 net/rfkill/core.c:345 rfkill_fop_write+0x237/0x480 net/rfkill/core.c:1286 vfs_write+0x205/0xd10 fs/read_write.c:582 ksys_write+0x16f/0x1c0 fs/read_write.c:637 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd RIP: 0033:0x7f469d48c0f9 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f469e123168 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 00007f469d5ac050 RCX: 00007f469d48c0f9 RDX: 0000000000000008 RSI: 0000000020000080 RDI: 0000000000000003 RBP: 00007f469d4e7ae9 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007ffc3137db7f R14: 00007f469e123300 R15: 0000000000022000 Allocated by task 5524: kasan_save_stack+0x22/0x40 mm/kasan/common.c:45 kasan_set_track+0x25/0x30 mm/kasan/common.c:52 ____kasan_kmalloc mm/kasan/common.c:374 [inline] ____kasan_kmalloc mm/kasan/common.c:333 [inline] __kasan_kmalloc+0xa3/0xb0 mm/kasan/common.c:383 kmalloc include/linux/slab.h:559 [inline] kzalloc include/linux/slab.h:680 [inline] hci_conn_add+0xae/0x14c0 net/bluetooth/hci_conn.c:986 hci_connect_sco+0x2f2/0xd10 net/bluetooth/hci_conn.c:1663 sco_connect net/bluetooth/sco.c:264 [inline] sco_sock_connect+0x28b/0x990 net/bluetooth/sco.c:610 __sys_connect+0xf9/0x130 net/socket.c:2020 __do_sys_connect net/socket.c:2030 [inline] __se_sys_connect net/socket.c:2027 [inline] __x64_sys_connect+0x6e/0xb0 net/socket.c:2027 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd Freed by task 5527: kasan_save_stack+0x22/0x40 mm/kasan/common.c:45 kasan_set_track+0x25/0x30 mm/kasan/common.c:52 kasan_save_free_info+0x2b/0x40 mm/kasan/generic.c:521 ____kasan_slab_free mm/kasan/common.c:236 [inline] ____kasan_slab_free+0x13b/0x1a0 mm/kasan/common.c:200 kasan_slab_free include/linux/kasan.h:162 [inline] __cache_free mm/slab.c:3389 [inline] __do_kmem_cache_free mm/slab.c:3576 [inline] __kmem_cache_free+0xcd/0x2c0 mm/slab.c:3583 device_release+0x97/0x200 drivers/base/core.c:2484 kobject_cleanup lib/kobject.c:683 [inline] kobject_release lib/kobject.c:714 [inline] kref_put include/linux/kref.h:65 [inline] kobject_put+0x13d/0x3e0 lib/kobject.c:731 hci_conn_del+0x177/0x810 net/bluetooth/hci_conn.c:1162 hci_conn_unlink+0x2fa/0x3f0 net/bluetooth/hci_conn.c:1087 hci_conn_hash_flush+0x160/0x220 net/bluetooth/hci_conn.c:2479 hci_dev_close_sync+0x4e1/0xfa0 net/bluetooth/hci_sync.c:4941 hci_dev_do_close+0x27/0x60 net/bluetooth/hci_core.c:554 hci_rfkill_set_block+0x110/0x140 net/bluetooth/hci_core.c:956 rfkill_set_block+0x191/0x440 net/rfkill/core.c:345 rfkill_fop_write+0x237/0x480 net/rfkill/core.c:1286 vfs_write+0x205/0xd10 fs/read_write.c:582 ksys_write+0x16f/0x1c0 fs/read_write.c:637 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd The buggy address belongs to the object at ffff888079184000 which belongs to the cache kmalloc-4k of size 4096 The buggy address is located 0 bytes inside of freed 4096-byte region [ffff888079184000, ffff888079185000) The buggy address belongs to the physical page: page:ffffea0001e46100 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x79184 head:ffffea0001e46100 order:1 entire_mapcount:0 nr_pages_mapped:0 pincount:0 flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff) page_type: 0x1() raw: 00fff00000010200 ffff888011440900 ffffea0000ac3990 ffffea000074a610 raw: 0000000000000000 ffff888079184000 0000000100000001 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 1, migratetype Unmovable, gfp_mask 0x342040(__GFP_IO|__GFP_NOWARN|__GFP_COMP|__GFP_HARDWALL|__GFP_THISNODE), pid 5296, tgid 5296 (dhcpcd-run-hook), ts 71660915744, free_ts 71621932487 prep_new_page mm/page_alloc.c:1738 [inline] get_page_from_freelist+0xf41/0x2c00 mm/page_alloc.c:3502 __alloc_pages+0x1cb/0x4a0 mm/page_alloc.c:4768 __alloc_pages_node include/linux/gfp.h:237 [inline] kmem_getpages mm/slab.c:1360 [inline] cache_grow_begin+0x9b/0x3b0 mm/slab.c:2569 cache_alloc_refill+0x27f/0x380 mm/slab.c:2942 ____cache_alloc mm/slab.c:3018 [inline] ____cache_alloc mm/slab.c:3001 [inline] __do_cache_alloc mm/slab.c:3201 [inline] slab_alloc_node mm/slab.c:3249 [inline] __kmem_cache_alloc_node+0x360/0x3f0 mm/slab.c:3540 kmalloc_trace+0x26/0xe0 mm/slab_common.c:1057 kmalloc include/linux/slab.h:559 [inline] kzalloc include/linux/slab.h:680 [inline] tomoyo_dump_page+0x49a/0x600 security/tomoyo/domain.c:906 tomoyo_environ security/tomoyo/domain.c:637 [inline] tomoyo_find_next_domain+0xa79/0x1d00 security/tomoyo/domain.c:879 tomoyo_bprm_check_security security/tomoyo/tomoyo.c:101 [inline] tomoyo_bprm_check_security+0x110/0x1a0 security/tomoyo/tomoyo.c:91 security_bprm_check+0x38/0x80 security/security.c:1102 search_binary_handler fs/exec.c:1725 [inline] exec_binprm fs/exec.c:1779 [inline] bprm_execve fs/exec.c:1854 [inline] bprm_execve+0x5e8/0x14f0 fs/exec.c:1810 do_execveat_common+0x602/0x800 fs/exec.c:1962 do_execve fs/exec.c:2036 [inline] __do_sys_execve fs/exec.c:2112 [inline] __se_sys_execve fs/exec.c:2107 [inline] __x64_sys_execve+0x8e/0xc0 fs/exec.c:2107 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd page last free stack trace: reset_page_owner include/linux/page_owner.h:24 [inline] free_pages_prepare mm/page_alloc.c:1302 [inline] free_unref_page_prepare+0x629/0xca0 mm/page_alloc.c:2564 free_unref_page+0x33/0x370 mm/page_alloc.c:2659 slab_destroy mm/slab.c:1612 [inline] slabs_destroy+0x85/0xc0 mm/slab.c:1632 cache_flusharray mm/slab.c:3360 [inline] ___cache_free+0x2ae/0x3d0 mm/slab.c:3423 qlink_free mm/kasan/quarantine.c:166 [inline] qlist_free_all+0x4f/0x1a0 mm/kasan/quarantine.c:185 kasan_quarantine_reduce+0x195/0x220 mm/kasan/quarantine.c:292 __kasan_slab_alloc+0x63/0x90 mm/kasan/common.c:305 kasan_slab_alloc include/linux/kasan.h:186 [inline] slab_post_alloc_hook mm/slab.h:711 [inline] slab_alloc_node mm/slab.c:3256 [inline] __kmem_cache_alloc_node+0x1fc/0x3f0 mm/slab.c:3540 kmalloc_trace+0x26/0xe0 mm/slab_common.c:1057 kmalloc include/linux/slab.h:559 [inline] kzalloc include/linux/slab.h:680 [inline] tomoyo_environ security/tomoyo/domain.c:633 [inline] tomoyo_find_next_domain+0xa1f/0x1d00 security/tomoyo/domain.c:879 tomoyo_bprm_check_security security/tomoyo/tomoyo.c:101 [inline] tomoyo_bprm_check_security+0x110/0x1a0 security/tomoyo/tomoyo.c:91 security_bprm_check+0x38/0x80 security/security.c:1102 search_binary_handler fs/exec.c:1725 [inline] exec_binprm fs/exec.c:1779 [inline] bprm_execve fs/exec.c:1854 [inline] bprm_execve+0x5e8/0x14f0 fs/exec.c:1810 do_execveat_common+0x602/0x800 fs/exec.c:1962 do_execve fs/exec.c:2036 [inline] __do_sys_execve fs/exec.c:2112 [inline] __se_sys_execve fs/exec.c:2107 [inline] __x64_sys_execve+0x8e/0xc0 fs/exec.c:2107 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80 Memory state around the buggy address: ffff888079183f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff888079183f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff888079184000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff888079184080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888079184100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ==================================================================