bisecting cause commit starting from eca94432934fe5f141d084f2e36ee2c0e614cc04 building syzkaller on 55565fa0377f97cf09bfab365707e08b0156c11b testing commit eca94432934fe5f141d084f2e36ee2c0e614cc04 with gcc (GCC) 8.1.0 all runs: crashed: BUG: MAX_LOCKDEP_CHAIN_HLOCKS too low! testing release v5.1 testing commit e93c9c99a629c61837d5a7fc2120cd2b6c70dbdd with gcc (GCC) 8.1.0 run #0: crashed: KASAN: use-after-free Read in hci_cmd_timeout run #1: crashed: KASAN: use-after-free Read in hci_cmd_timeout run #2: crashed: BUG: MAX_LOCKDEP_CHAIN_HLOCKS too low! run #3: crashed: BUG: MAX_LOCKDEP_CHAIN_HLOCKS too low! run #4: crashed: BUG: MAX_LOCKDEP_CHAIN_HLOCKS too low! run #5: crashed: BUG: MAX_LOCKDEP_CHAIN_HLOCKS too low! run #6: crashed: BUG: MAX_LOCKDEP_CHAIN_HLOCKS too low! run #7: crashed: BUG: MAX_LOCKDEP_CHAIN_HLOCKS too low! run #8: crashed: BUG: MAX_LOCKDEP_CHAIN_HLOCKS too low! run #9: crashed: BUG: MAX_LOCKDEP_CHAIN_HLOCKS too low! testing release v5.0 testing commit 1c163f4c7b3f621efff9b28a47abb36f7378d783 with gcc (GCC) 8.1.0 run #0: crashed: KASAN: use-after-free Read in hci_cmd_timeout run #1: OK run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK testing release v4.20 testing commit 8fe28cb58bcb235034b64cbbb7550a8a43fd88be with gcc (GCC) 8.1.0 all runs: OK # git bisect start v5.0 v4.20 Bisecting: 7011 revisions left to test after this (roughly 13 steps) [af7ddd8a627c62a835524b3f5b471edbbbcce025] Merge tag 'dma-mapping-4.21' of git://git.infradead.org/users/hch/dma-mapping testing commit af7ddd8a627c62a835524b3f5b471edbbbcce025 with gcc (GCC) 8.1.0 all runs: OK # git bisect good af7ddd8a627c62a835524b3f5b471edbbbcce025 Bisecting: 3532 revisions left to test after this (roughly 12 steps) [c9bef4a651769927445900564781a9c99fdf6258] Merge tag 'pinctrl-v4.21-1' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl testing commit c9bef4a651769927445900564781a9c99fdf6258 with gcc (GCC) 8.1.0 run #0: crashed: KASAN: use-after-free Read in hci_cmd_timeout run #1: crashed: KASAN: use-after-free Read in hci_cmd_timeout run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: crashed: KASAN: use-after-free Read in hci_cmd_timeout run #9: OK # git bisect bad c9bef4a651769927445900564781a9c99fdf6258 Bisecting: 1583 revisions left to test after this (roughly 11 steps) [02061181d3a9ccfe15ef6bc15fa56283acc47620] Merge tag 'staging-4.21-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging testing commit 02061181d3a9ccfe15ef6bc15fa56283acc47620 with gcc (GCC) 8.1.0 run #0: crashed: KASAN: use-after-free Read in hci_cmd_timeout run #1: crashed: KASAN: use-after-free Read in hci_cmd_timeout run #2: crashed: KASAN: use-after-free Read in hci_cmd_timeout run #3: crashed: KASAN: use-after-free Read in hci_cmd_timeout run #4: crashed: KASAN: use-after-free Read in hci_cmd_timeout run #5: crashed: KASAN: use-after-free Read in hci_cmd_timeout run #6: OK run #7: OK run #8: OK run #9: OK # git bisect bad 02061181d3a9ccfe15ef6bc15fa56283acc47620 Bisecting: 925 revisions left to test after this (roughly 10 steps) [24dc83635ffe3c93d8122099a83ee228c9b7e4f7] Merge tag 'gpio-v4.21-1' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-gpio testing commit 24dc83635ffe3c93d8122099a83ee228c9b7e4f7 with gcc (GCC) 8.1.0 run #0: crashed: KASAN: use-after-free Read in hci_cmd_timeout run #1: crashed: KASAN: use-after-free Read in hci_cmd_timeout run #2: crashed: KASAN: use-after-free Read in hci_cmd_timeout run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect bad 24dc83635ffe3c93d8122099a83ee228c9b7e4f7 Bisecting: 489 revisions left to test after this (roughly 9 steps) [4ed7bdc1eb4c82cf4bfdf6a94dd36fd695f6f387] Merge tag 'for-4.21/dm-changes' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm testing commit 4ed7bdc1eb4c82cf4bfdf6a94dd36fd695f6f387 with gcc (GCC) 8.1.0 run #0: crashed: KASAN: use-after-free Read in hci_cmd_timeout run #1: OK run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect bad 4ed7bdc1eb4c82cf4bfdf6a94dd36fd695f6f387 Bisecting: 239 revisions left to test after this (roughly 8 steps) [1e46731efd9c9322cb4699f845c739d2ea68555c] scsi: smartpqi: check for null device pointers testing commit 1e46731efd9c9322cb4699f845c739d2ea68555c with gcc (GCC) 8.1.0 run #0: crashed: KASAN: use-after-free Read in hci_cmd_timeout run #1: crashed: KASAN: use-after-free Read in hci_cmd_timeout run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect bad 1e46731efd9c9322cb4699f845c739d2ea68555c Bisecting: 119 revisions left to test after this (roughly 7 steps) [cdd3ff87f10813e42ef6573a1c92a91a9fc24709] scsi: qedi: Add packet filter in light L2 Rx path. testing commit cdd3ff87f10813e42ef6573a1c92a91a9fc24709 with gcc (GCC) 8.1.0 run #0: crashed: KASAN: use-after-free Read in hci_cmd_timeout run #1: OK run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect bad cdd3ff87f10813e42ef6573a1c92a91a9fc24709 Bisecting: 59 revisions left to test after this (roughly 6 steps) [e4db40e7a1a2cd6af3b6d5f8f3fba15533872398] scsi: hisi_sas: use dma_set_mask_and_coherent testing commit e4db40e7a1a2cd6af3b6d5f8f3fba15533872398 with gcc (GCC) 8.1.0 run #0: crashed: KASAN: use-after-free Read in hci_cmd_timeout run #1: crashed: KASAN: use-after-free Read in hci_cmd_timeout run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect bad e4db40e7a1a2cd6af3b6d5f8f3fba15533872398 Bisecting: 29 revisions left to test after this (roughly 5 steps) [c47b6f2d54d40c053f6a15d52489eb9e1a319da2] scsi: megaraid_sas: Update driver version testing commit c47b6f2d54d40c053f6a15d52489eb9e1a319da2 with gcc (GCC) 8.1.0 run #0: crashed: KASAN: use-after-free Read in hci_cmd_timeout run #1: crashed: KASAN: use-after-free Read in hci_cmd_timeout run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect bad c47b6f2d54d40c053f6a15d52489eb9e1a319da2 Bisecting: 14 revisions left to test after this (roughly 4 steps) [de93b40d98ead27ee2f7f7df93fdd4914a6c8d8d] scsi: megaraid_sas: Add check for reset adapter bit testing commit de93b40d98ead27ee2f7f7df93fdd4914a6c8d8d with gcc (GCC) 8.1.0 run #0: crashed: KASAN: use-after-free Read in hci_cmd_timeout run #1: crashed: KASAN: use-after-free Read in hci_cmd_timeout run #2: crashed: KASAN: use-after-free Read in hci_cmd_timeout run #3: OK run #4: OK run #5: OK run #6: OK run #7: crashed: KASAN: use-after-free Read in hci_cmd_timeout run #8: OK run #9: OK # git bisect bad de93b40d98ead27ee2f7f7df93fdd4914a6c8d8d Bisecting: 6 revisions left to test after this (roughly 3 steps) [9029a72500b95578a35877a43473b82cb0386c53] scsi: mpt3sas: Fix Sync cache command failure during driver unload testing commit 9029a72500b95578a35877a43473b82cb0386c53 with gcc (GCC) 8.1.0 run #0: crashed: KASAN: use-after-free Read in hci_cmd_timeout run #1: crashed: KASAN: use-after-free Read in hci_cmd_timeout run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect bad 9029a72500b95578a35877a43473b82cb0386c53 Bisecting: 3 revisions left to test after this (roughly 2 steps) [02abcbc25a06cdbb93bd60ceeb062b8445dae0ff] scsi: mpt3sas: Added new #define variable IOC_OPERATIONAL_WAIT_COUNT testing commit 02abcbc25a06cdbb93bd60ceeb062b8445dae0ff with gcc (GCC) 8.1.0 run #0: crashed: KASAN: use-after-free Read in hci_cmd_timeout run #1: OK run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect bad 02abcbc25a06cdbb93bd60ceeb062b8445dae0ff Bisecting: 0 revisions left to test after this (roughly 1 step) [6c2938f7bfd937280f71973600b1bed615d997b5] scsi: mpt3sas: Add support for Aero controllers testing commit 6c2938f7bfd937280f71973600b1bed615d997b5 with gcc (GCC) 8.1.0 run #0: crashed: KASAN: use-after-free Read in hci_cmd_timeout run #1: crashed: KASAN: use-after-free Read in hci_cmd_timeout run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect bad 6c2938f7bfd937280f71973600b1bed615d997b5 Bisecting: 0 revisions left to test after this (roughly 0 steps) [ff92b9dd9268507e23fc10cc4341626cef50367c] scsi: mpt3sas: Update MPI headers to support Aero controllers testing commit ff92b9dd9268507e23fc10cc4341626cef50367c with gcc (GCC) 8.1.0 run #0: crashed: KASAN: use-after-free Read in hci_cmd_timeout run #1: basic kernel testing failed: failed to copy test binary to VM: failed to run ["scp" "-P" "22" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "BatchMode=yes" "-o" "IdentitiesOnly=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "-i" "/syzkaller/jobs/linux/workdir/image/key" "/tmp/syz-executor327092180" "root@10.128.15.194:./syz-executor327092180"]: exit status 1 ssh: connect to host 10.128.15.194 port 22: Connection timed out lost connection run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect bad ff92b9dd9268507e23fc10cc4341626cef50367c ff92b9dd9268507e23fc10cc4341626cef50367c is the first bad commit commit ff92b9dd9268507e23fc10cc4341626cef50367c Author: Suganath Prabu Date: Thu Oct 25 19:33:40 2018 +0530 scsi: mpt3sas: Update MPI headers to support Aero controllers Updating MPI headers to the latest version 2.6.7 to add support to the driver to detect the new 3816 and 3916 chip based controllers. Separate out firmware image data from mpi2_ioc.h to new file mpi2_image.h Signed-off-by: Suganath Prabu Signed-off-by: Martin K. Petersen :040000 040000 8e7cfa3fe9b72618a1040429591921ee57cc3559 9d3c997a4e9f5ae6c1115aab4829136e450136fa M drivers revisions tested: 18, total time: 5h13m26.55917871s (build: 1h38m53.098107531s, test: 3h28m55.303075133s) first bad commit: ff92b9dd9268507e23fc10cc4341626cef50367c scsi: mpt3sas: Update MPI headers to support Aero controllers cc: ["chaitra.basappa@broadcom.com" "jejb@linux.vnet.ibm.com" "linux-kernel@vger.kernel.org" "linux-scsi@vger.kernel.org" "martin.petersen@oracle.com" "mpt-fusionlinux.pdl@broadcom.com" "sathya.prakash@broadcom.com" "suganath-prabu.subramani@broadcom.com"] crash: KASAN: use-after-free Read in hci_cmd_timeout Bluetooth: hci1: Entering manufacturer mode failed (-110) Bluetooth: hci1: command 0xfc11 tx timeout Bluetooth: hci3: Entering manufacturer mode failed (-110) Bluetooth: hci4: Entering manufacturer mode failed (-110) ================================================================== BUG: KASAN: use-after-free in hci_cmd_timeout+0x1b4/0x1d0 net/bluetooth/hci_core.c:2574 Read of size 2 at addr ffff880090873a08 by task kworker/0:0/5 CPU: 0 PID: 5 Comm: kworker/0:0 Not tainted 4.20.0-rc1+ #1 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Workqueue: events hci_cmd_timeout Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x16b/0x224 lib/dump_stack.c:113 print_address_description.cold.7+0x9/0x1ff mm/kasan/report.c:256 kasan_report_error mm/kasan/report.c:354 [inline] kasan_report.cold.8+0x242/0x309 mm/kasan/report.c:412 __asan_report_load_n_noabort+0xf/0x20 mm/kasan/report.c:443 hci_cmd_timeout+0x1b4/0x1d0 net/bluetooth/hci_core.c:2574 process_one_work+0x830/0x1670 kernel/workqueue.c:2153 worker_thread+0x85/0xb60 kernel/workqueue.c:2296 kthread+0x324/0x3e0 kernel/kthread.c:246 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352 Allocated by task 7220: save_stack+0x43/0xd0 mm/kasan/kasan.c:448 set_track mm/kasan/kasan.c:460 [inline] kasan_kmalloc+0xc7/0xe0 mm/kasan/kasan.c:553 __do_kmalloc_node mm/slab.c:3684 [inline] __kmalloc_node_track_caller+0x50/0x70 mm/slab.c:3698 __kmalloc_reserve.isra.40+0x2c/0xc0 net/core/skbuff.c:137 __alloc_skb+0xd7/0x580 net/core/skbuff.c:205 kobject: 'rfkill127' (00000000bf9eedec): kobject_cleanup, parent (null) alloc_skb include/linux/skbuff.h:997 [inline] bt_skb_alloc include/net/bluetooth/bluetooth.h:339 [inline] hci_prepare_cmd+0x2c/0x200 net/bluetooth/hci_request.c:287 hci_req_add_ev+0x7f/0x1f0 net/bluetooth/hci_request.c:321 __hci_cmd_sync_ev+0xf8/0x1a0 net/bluetooth/hci_request.c:133 __hci_cmd_sync+0x12/0x20 net/bluetooth/hci_request.c:182 btintel_enter_mfg+0x29/0x70 drivers/bluetooth/btintel.c:82 ag6xx_setup+0x112/0x7c0 drivers/bluetooth/hci_ag6xx.c:180 hci_uart_setup+0x19c/0x3a0 drivers/bluetooth/hci_ldisc.c:418 hci_dev_do_open+0x5a6/0x1360 net/bluetooth/hci_core.c:1423 hci_power_on+0xe2/0x410 net/bluetooth/hci_core.c:2130 process_one_work+0x830/0x1670 kernel/workqueue.c:2153 worker_thread+0x85/0xb60 kernel/workqueue.c:2296 kthread+0x324/0x3e0 kernel/kthread.c:246 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352 Freed by task 7220: save_stack+0x43/0xd0 mm/kasan/kasan.c:448 set_track mm/kasan/kasan.c:460 [inline] __kasan_slab_free+0x102/0x150 mm/kasan/kasan.c:521 kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528 __cache_free mm/slab.c:3498 [inline] kfree+0xcf/0x220 mm/slab.c:3817 skb_free_head+0x74/0x90 net/core/skbuff.c:550 skb_release_data+0x43c/0x5b0 net/core/skbuff.c:570 skb_release_all+0x3d/0x50 net/core/skbuff.c:627 __kfree_skb net/core/skbuff.c:641 [inline] kfree_skb+0x97/0x270 net/core/skbuff.c:659 hci_dev_do_open+0x46c/0x1360 net/bluetooth/hci_core.c:1509 hci_power_on+0xe2/0x410 net/bluetooth/hci_core.c:2130 process_one_work+0x830/0x1670 kernel/workqueue.c:2153 worker_thread+0x85/0xb60 kernel/workqueue.c:2296 kthread+0x324/0x3e0 kernel/kthread.c:246 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352 The buggy address belongs to the object at ffff880090873a00 which belongs to the cache kmalloc-512 of size 512 The buggy address is located 8 bytes inside of 512-byte region [ffff880090873a00, ffff880090873c00) The buggy address belongs to the page: page:ffffea0002421cc0 count:1 mapcount:0 mapping:ffff88012c364940 index:0x0 flags: 0x1fffc0000000200(slab) raw: 01fffc0000000200 ffffea0002554848 ffffea00023d4a48 ffff88012c364940 raw: 0000000000000000 ffff880090873000 0000000100000006 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff880090873900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff880090873980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff880090873a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff880090873a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff880090873b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ==================================================================