bisecting fixing commit since 961f830af0658ef5ef8a7708786d634a6115f16b
building syzkaller on 01975a06cb1a7b426ae17985374f2fff3ec38b62
testing commit 961f830af0658ef5ef8a7708786d634a6115f16b
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: 6a09493918fffad8bca021b1dc4f1e0a3b7af1d1da4badee97d347ea94faee08
all runs: crashed: KASAN: use-after-free Read in hci_chan_del
testing current HEAD addba38e7c3bc19036a05c83bcce7878dc644d87
testing commit addba38e7c3bc19036a05c83bcce7878dc644d87
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: 79aec7a5cafdb2d6217095f49dc777824f2fa8cdb8f0a2e0c9caf5a05b573ff3
all runs: OK
# git bisect start addba38e7c3bc19036a05c83bcce7878dc644d87 961f830af0658ef5ef8a7708786d634a6115f16b
Bisecting: 2583 revisions left to test after this (roughly 11 steps)
[5305246aac12dc1de8d4cb5d5e2b4f29dda7ec49] HID: Ignore battery for Elan touchscreen on ASUS UX550
testing commit 5305246aac12dc1de8d4cb5d5e2b4f29dda7ec49
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: 70d3cc049a0c3ae178736dfc896483dc32c2b6e791a25448706c10cc18ccd0a4
all runs: crashed: KASAN: use-after-free Read in hci_chan_del
# git bisect good 5305246aac12dc1de8d4cb5d5e2b4f29dda7ec49
Bisecting: 1291 revisions left to test after this (roughly 10 steps)
[609a2d6557e8a6d5dbb6bfcfc5b42185526a0c0b] x86/kprobes: Fix to check non boostable prefixes correctly
testing commit 609a2d6557e8a6d5dbb6bfcfc5b42185526a0c0b
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: 7d6a264ad0a98b7d00f6f0c4bc4cdaee9830dbe9fab057d52947eb1db2fe7d3b
all runs: OK
# git bisect bad 609a2d6557e8a6d5dbb6bfcfc5b42185526a0c0b
Bisecting: 645 revisions left to test after this (roughly 9 steps)
[36b16052dcca7594c5dffb12106b68261e82e91e] ALSA: hda: Avoid spurious unsol event handling during S3/S4
testing commit 36b16052dcca7594c5dffb12106b68261e82e91e
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: b3f5fd5c243c28b3325d848a28c470cf492b9b0e4c3af46b206e7cc6ccefd1f7
all runs: crashed: KASAN: use-after-free Read in hci_chan_del
# git bisect good 36b16052dcca7594c5dffb12106b68261e82e91e
Bisecting: 322 revisions left to test after this (roughly 8 steps)
[22e025c1733b330ecdc49f23365f914f6d39ac12] net: ieee802154: fix nl802154 del llsec devkey
testing commit 22e025c1733b330ecdc49f23365f914f6d39ac12
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: d6e26131011a37d12dde57990273378127c056d778c2cab9cba66eee72c6908f
all runs: crashed: KASAN: use-after-free Read in hci_chan_del
# git bisect good 22e025c1733b330ecdc49f23365f914f6d39ac12
Bisecting: 161 revisions left to test after this (roughly 7 steps)
[b41b026fee47105dec2f1515043296ae1f1f5ae5] amdgpu: avoid incorrect %hu format string
testing commit b41b026fee47105dec2f1515043296ae1f1f5ae5
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: a64b15daf242ffd40a63053a89122afb6a68b11da376bc75dd447630419a1e8f
all runs: crashed: KASAN: use-after-free Read in hci_chan_del
# git bisect good b41b026fee47105dec2f1515043296ae1f1f5ae5
Bisecting: 80 revisions left to test after this (roughly 6 steps)
[76e8de3a5c64a0101c335c4e13607be3e86b8129] ALSA: hda/realtek: Re-order ALC882 Sony quirk table entries
testing commit 76e8de3a5c64a0101c335c4e13607be3e86b8129
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: eec9d0eee7c30dc4b31805e2f7db9496d9d8153389e19ce2e5900203534677bc
all runs: OK
# git bisect bad 76e8de3a5c64a0101c335c4e13607be3e86b8129
Bisecting: 40 revisions left to test after this (roughly 5 steps)
[27876060e2995440cb61a06c341d1592098f29c0] usb: gadget: Fix double free of device descriptor pointers
testing commit 27876060e2995440cb61a06c341d1592098f29c0
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: 9fd694ece8c82208190bf45a2a468d56a7611f5cedd9793a0ed9654556e2fe17
all runs: crashed: KASAN: use-after-free Read in hci_chan_del
# git bisect good 27876060e2995440cb61a06c341d1592098f29c0
Bisecting: 20 revisions left to test after this (roughly 4 steps)
[40fa36443db3ddb570e5e5f27c44d23d680f9d1b] hsr: use netdev_err() instead of WARN_ONCE()
testing commit 40fa36443db3ddb570e5e5f27c44d23d680f9d1b
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: 75776cf4a10b4bdf1a3d1317a7d17a90577801f9c336c003dac5c9d601d2a825
run #0: crashed: WARNING: ODEBUG bug in netdev_freemem
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
reproducer seems to be flaky
# git bisect good 40fa36443db3ddb570e5e5f27c44d23d680f9d1b
Bisecting: 10 revisions left to test after this (roughly 3 steps)
[0bd7540ac19018cbb4ce1b02d07c9d0f1c155430] misc: vmw_vmci: explicitly initialize vmci_datagram payload
testing commit 0bd7540ac19018cbb4ce1b02d07c9d0f1c155430
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: 07b50784c9d7ccd76de78d265a0408246705b2eae3214312d62d7b12548c9879
all runs: OK
# git bisect bad 0bd7540ac19018cbb4ce1b02d07c9d0f1c155430
Bisecting: 4 revisions left to test after this (roughly 2 steps)
[7bbbf337c585687999fe638659c727dc611c707d] MIPS: pci-rt2880: fix slot 0 configuration
testing commit 7bbbf337c585687999fe638659c727dc611c707d
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: 07b50784c9d7ccd76de78d265a0408246705b2eae3214312d62d7b12548c9879
all runs: OK
# git bisect bad 7bbbf337c585687999fe638659c727dc611c707d
Bisecting: 2 revisions left to test after this (roughly 1 step)
[48fba458fe54cc2a980a05c13e6c19b8b2cfb610] net/nfc: fix use-after-free llcp_sock_bind/connect
testing commit 48fba458fe54cc2a980a05c13e6c19b8b2cfb610
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: 07b50784c9d7ccd76de78d265a0408246705b2eae3214312d62d7b12548c9879
all runs: OK
# git bisect bad 48fba458fe54cc2a980a05c13e6c19b8b2cfb610
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[35113c4c9fa7c970ff456982e381dc9e9594154a] bluetooth: eliminate the potential race condition when removing the HCI controller
testing commit 35113c4c9fa7c970ff456982e381dc9e9594154a
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: bb94cd2cb7b20226e1afbda223e82c4ce1462f3345458049ba023a7515acc43d
all runs: OK
# git bisect bad 35113c4c9fa7c970ff456982e381dc9e9594154a
35113c4c9fa7c970ff456982e381dc9e9594154a is the first bad commit
commit 35113c4c9fa7c970ff456982e381dc9e9594154a
Author: Lin Ma
Date:   Mon Apr 12 19:17:57 2021 +0800

    bluetooth: eliminate the potential race condition when removing the HCI controller

    commit e2cb6b891ad2b8caa9131e3be70f45243df82a80 upstream.

    There is a possible race condition vulnerability between issuing a HCI command and removing the cont.
    Specifically, functions hci_req_sync() and hci_dev_do_close() can race each other like below:

    thread-A in hci_req_sync()        | thread-B in hci_dev_do_close()
                                      | hci_req_sync_lock(hdev);
    test_bit(HCI_UP, &hdev->flags);   |
    ...                               |
                                      | test_and_clear_bit(HCI_UP, &hdev->flags)
    hci_req_sync_lock(hdev);          |
                                      |

    In this commit we alter the sequence in function hci_req_sync(). Hence, the thread-A cannot issue th.

    Signed-off-by: Lin Ma
    Cc: Marcel Holtmann
    Fixes: 7c6a329e4447 ("[Bluetooth] Fix regression from using default link policy")
    Signed-off-by: Greg Kroah-Hartman

 net/bluetooth/hci_request.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

culprit signature: bb94cd2cb7b20226e1afbda223e82c4ce1462f3345458049ba023a7515acc43d
parent signature: 75776cf4a10b4bdf1a3d1317a7d17a90577801f9c336c003dac5c9d601d2a825
Reproducer flagged being flaky
revisions tested: 14, total time: 4h7m38.600469337s (build: 2h30m36.113480908s, test: 1h35m11.35847071s)
first good commit: 35113c4c9fa7c970ff456982e381dc9e9594154a bluetooth: eliminate the potential race condition when removing the HCI controller
recipients (to): ["davem@davemloft.net" "gregkh@linuxfoundation.org" "johan.hedberg@gmail.com" "linma@zju.edu.cn" "linux-bluetooth@vger.kernel.org" "marcel@holtmann.org" "netdev@vger.kernel.org"]
recipients (cc): ["linux-kernel@vger.kernel.org"]