bisecting fixing commit since 73b7a6047971aa6ce4a70fc4901964d14f077171
building syzkaller on 2c1f2513486f21d26b1942ce77ffc782677fbf4e
testing commit 73b7a6047971aa6ce4a70fc4901964d14f077171
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: d8f9d74d017e4ce14fe68328d7e84480996b7bdecf720ff03ef85de321fad746
all runs: crashed: KASAN: use-after-free Read in lock_sock_nested
testing current HEAD 72a2ff567fc38a3648507c5386a383007400bb3a
testing commit 72a2ff567fc38a3648507c5386a383007400bb3a
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: a9ae939f1c0345bb2158d55ff55e13de7cc0afe79a6671a7c95fb104ae08d2e1
all runs: OK
# git bisect start 72a2ff567fc38a3648507c5386a383007400bb3a 73b7a6047971aa6ce4a70fc4901964d14f077171
Bisecting: 38406 revisions left to test after this (roughly 15 steps)
[dbe69e43372212527abf48609aba7fc39a6daa27] Merge tag 'net-next-5.14' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next
testing commit dbe69e43372212527abf48609aba7fc39a6daa27
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 6dd18c6ce67b8511156cbdac2a6d4c1e1c7278406da65f5de99c4838187c60b8
all runs: crashed: KASAN: use-after-free Read in lock_sock_nested
# git bisect good dbe69e43372212527abf48609aba7fc39a6daa27
Bisecting: 19145 revisions left to test after this (roughly 14 steps)
[a9c9a6f741cdaa2fa9ba24a790db8d07295761e3] Merge tag 'scsi-misc' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi
testing commit a9c9a6f741cdaa2fa9ba24a790db8d07295761e3
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 69c5689a50becfdfe1201479dfa24686678ff77545836430ddf6743d5bb1349e
all runs: crashed: KASAN: use-after-free Read in lock_sock_nested
# git bisect good a9c9a6f741cdaa2fa9ba24a790db8d07295761e3
Bisecting: 9552 revisions left to test after this (roughly 13 steps)
[d7e0a795bf37a13554c80cfc5ba97abedf53f391] Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm
testing commit d7e0a795bf37a13554c80cfc5ba97abedf53f391
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 16c9b3847d85dc91fc84a85b0db5f02491d3677ccce48aed754b0c1e2df7b41a
all runs: OK
# git bisect bad d7e0a795bf37a13554c80cfc5ba97abedf53f391
Bisecting: 4775 revisions left to test after this (roughly 12 steps)
[49f8275c7d9247cf1dd4440fc8162f784252c849] Merge tag 'folio-5.16' of git://git.infradead.org/users/willy/pagecache
testing commit 49f8275c7d9247cf1dd4440fc8162f784252c849
compiler: gcc (GCC) 10.2.1 20210217
./include/linux/page-flags.h:806:29: error: macro "PAGEFLAG_FALSE" requires 2 arguments, but only 1 given
./include/linux/page-flags.h:807:32: error: macro "TESTSCFLAG_FALSE" requires 2 arguments, but only 1 given
./include/linux/page-flags.h:806:1: error: unknown type name 'PAGEFLAG_FALSE'
./include/linux/page-flags.h:807:18: error: expected ';' before 'static'
# git bisect skip 49f8275c7d9247cf1dd4440fc8162f784252c849
Bisecting: 4775 revisions left to test after this (roughly 12 steps)
[6f38e1158bba17c5e45236ac7eedb0a6cbbc2ded] perf cs-etm: Refactor initialisation of kernel start address
testing commit 6f38e1158bba17c5e45236ac7eedb0a6cbbc2ded
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: fdefd56a0b6a050250704082fe58f0de5ab8014d32e5b675b3df196d2cb0355f
all runs: crashed: KASAN: use-after-free Read in lock_sock_nested
# git bisect good 6f38e1158bba17c5e45236ac7eedb0a6cbbc2ded
Bisecting: 4775 revisions left to test after this (roughly 12 steps)
[f0ab00174eb7574732737fc0734d4b406aed6231] PCI: Make saved capability state private to core
testing commit f0ab00174eb7574732737fc0734d4b406aed6231
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 924394898a32c8f6cd6c24c2128399237afe37148c01a8373565a5ae1fb31422
all runs: crashed: KASAN: use-after-free Read in lock_sock_nested
# git bisect good f0ab00174eb7574732737fc0734d4b406aed6231
Bisecting: 4775 revisions left to test after this (roughly 12 steps)
[0fcfe2247e75070361af2b6845030cada92cdbf8] powerpc/powernv/pci: Add MSI domains
testing commit 0fcfe2247e75070361af2b6845030cada92cdbf8
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 39ecd8c9a3e525e436123fc7ad6b118d1c439a271133a022a9314dbe78d841bb
all runs: crashed: KASAN: use-after-free Read in lock_sock_nested
# git bisect good 0fcfe2247e75070361af2b6845030cada92cdbf8
Bisecting: 4775 revisions left to test after this (roughly 12 steps)
[b6707e770d832da586a4b42d4d45b3a91d5f98c2] media: allegro: lookup VCU settings
testing commit b6707e770d832da586a4b42d4d45b3a91d5f98c2
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: a1941efa51126ac72074a19696fbeaa646022e56b40d07ebcec7187574ab160a
all runs: crashed: KASAN: use-after-free Read in lock_sock_nested
# git bisect good b6707e770d832da586a4b42d4d45b3a91d5f98c2
Bisecting: 2878 revisions left to test after this (roughly 12 steps)
[d54f486035fd89f14845a7f34a97a3f5da4e70f2] Merge tag 'hwmon-for-v5.16' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging
testing commit d54f486035fd89f14845a7f34a97a3f5da4e70f2
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 4605534c5707beaad2824ac9c06078207f797dbd5118b66fc1553750e2c2c351
all runs: crashed: KASAN: use-after-free Read in lock_sock_nested
# git bisect good d54f486035fd89f14845a7f34a97a3f5da4e70f2
Bisecting: 1517 revisions left to test after this (roughly 11 steps)
[24f7cf9b851ee9c395225481308af4ab5065e20a] Merge tag 'mac80211-next-for-net-next-2021-10-21' of git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211-next
testing commit 24f7cf9b851ee9c395225481308af4ab5065e20a
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 9fd7de10ac6f1a7650918e00d2a273bb9773337d84f33422eb8dca16f8a97315
all runs: OK
# git bisect bad 24f7cf9b851ee9c395225481308af4ab5065e20a
Bisecting: 646 revisions left to test after this (roughly 9 steps)
[d0f1c248b4ff71cada1b9e4ed61a1992cd94c3df] Merge tag 'for-net-next-2021-10-01' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next
testing commit d0f1c248b4ff71cada1b9e4ed61a1992cd94c3df
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 6af9175623e285913d12c7e3418af53c2fa9c8fad7dc18a813c9f8bba9884a83
all runs: OK
# git bisect bad d0f1c248b4ff71cada1b9e4ed61a1992cd94c3df
Bisecting: 356 revisions left to test after this (roughly 9 steps)
[fc13d8c03773e48cd775aecdbd281b1cbad87ac2] net: bcmgenet: pull mac_config from adjust_link
testing commit fc13d8c03773e48cd775aecdbd281b1cbad87ac2
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: c52c230a4edde027ff3c1da86c6df4f3531884ff5d79b730e31be3c031446fc6
all runs: basic kernel testing failed: WARNING in devlink_nl_region_notify
# git bisect skip fc13d8c03773e48cd775aecdbd281b1cbad87ac2
Bisecting: 356 revisions left to test after this (roughly 9 steps)
[98576013bf2831d7208e598043889db8c2d3665c] net/mlx5: DR, Add missing string for action type SAMPLER
testing commit 98576013bf2831d7208e598043889db8c2d3665c
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: e2e46e81de23021797aa948dcb5d5ceef577471cb6a0f5d399617df9adcb6824
all runs: crashed: KASAN: use-after-free Read in lock_sock_nested
# git bisect good 98576013bf2831d7208e598043889db8c2d3665c
Bisecting: 139 revisions left to test after this (roughly 7 steps)
[434ef35095d6d9da013d4d8f3777ffd99cce699a] selftests: net: mscc: ocelot: add a test for egress VLAN modification
testing commit 434ef35095d6d9da013d4d8f3777ffd99cce699a
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 58d915f28b787f6a0b10bdbd40011aa109f607faf3d1d71f2558838ca6c1ce47
all runs: crashed: KASAN: use-after-free Read in lock_sock_nested
# git bisect good 434ef35095d6d9da013d4d8f3777ffd99cce699a
Bisecting: 69 revisions left to test after this (roughly 6 steps)
[5e8fba848eaadb7394ffe88c0b2508ff2e2c9832] Merge branch 'mlx4-const-dev_addr'
testing commit 5e8fba848eaadb7394ffe88c0b2508ff2e2c9832
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 20bc9b91856e1bfe31357e1f348efc0b6b33eafe37099ade0395427652997706
run #0: crashed: KASAN: use-after-free Read in lock_sock_nested
run #1: crashed: KASAN: use-after-free Read in lock_sock_nested
run #2: crashed: KASAN: use-after-free Read in lock_sock_nested
run #3: crashed: KASAN: use-after-free Read in lock_sock_nested
run #4: crashed: KASAN: use-after-free Read in lock_sock_nested
run #5: crashed: KASAN: use-after-free Read in lock_sock_nested
run #6: crashed: KASAN: slab-out-of-bounds Read in lock_sock_nested
run #7: crashed: KASAN: use-after-free Read in lock_sock_nested
run #8: crashed: KASAN: use-after-free Read in lock_sock_nested
run #9: crashed: KASAN: use-after-free Read in lock_sock_nested
# git bisect good 5e8fba848eaadb7394ffe88c0b2508ff2e2c9832
Bisecting: 34 revisions left to test after this (roughly 5 steps)
[8bba13b1d08d42e2e8308924fa5c1551a7b2b011] Bluetooth: btintel: Fix incorrect out of memory check
testing commit 8bba13b1d08d42e2e8308924fa5c1551a7b2b011
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 9cc603685982007c2fafa2d2339050e0ab4ec39bebfba64b86974ea173a8aad7
all runs: OK
# git bisect bad 8bba13b1d08d42e2e8308924fa5c1551a7b2b011
Bisecting: 16 revisions left to test after this (roughly 4 steps)
[15957cab9db009c10925994b59a64410a707c17e] Bluetooth: btusb: Add support for IMC Networks Mediatek Chip(MT7921)
testing commit 15957cab9db009c10925994b59a64410a707c17e
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: c36a4c025b540db1707ca66f06d140a64b4b25318b25e31e9b15698df7cb793b
all runs: OK
# git bisect bad 15957cab9db009c10925994b59a64410a707c17e
Bisecting: 8 revisions left to test after this (roughly 3 steps)
[1eeaa1ae79d84df025eaca363fdce3f397313647] Bluetooth: Fix enabling advertising for central role
testing commit 1eeaa1ae79d84df025eaca363fdce3f397313647
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 20a15c19b25c3af78836c866a63349e09efffd5f1ec0bf69667c78d0976e4c9e
run #0: crashed: KASAN: use-after-free Read in lock_sock_nested
run #1: crashed: KASAN: slab-out-of-bounds Read in lock_sock_nested
run #2: crashed: KASAN: use-after-free Read in lock_sock_nested
run #3: crashed: KASAN: use-after-free Read in lock_sock_nested
run #4: crashed: KASAN: use-after-free Read in lock_sock_nested
run #5: crashed: KASAN: use-after-free Read in lock_sock_nested
run #6: crashed: KASAN: use-after-free Read in lock_sock_nested
run #7: crashed: KASAN: use-after-free Read in lock_sock_nested
run #8: crashed: KASAN: use-after-free Read in lock_sock_nested
run #9: crashed: KASAN: use-after-free Read in lock_sock_nested
# git bisect good 1eeaa1ae79d84df025eaca363fdce3f397313647
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[1bff51ea59a9afb67d2dd78518ab0582a54a472c] Bluetooth: fix use-after-free error in lock_sock_nested()
testing commit 1bff51ea59a9afb67d2dd78518ab0582a54a472c
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 79f2c074799641b2f0cc8fcf996c5291190afc0ead7652a85554f3d41de28830
all runs: OK
# git bisect bad 1bff51ea59a9afb67d2dd78518ab0582a54a472c
Bisecting: 1 revision left to test after this (roughly 1 step)
[15a91f918597da9a1c11a913cee8e37f3ca5dd3c] Bluetooth: btintel: Fix boot address
testing commit 15a91f918597da9a1c11a913cee8e37f3ca5dd3c
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 616c09b9f0bb9f69b5f7912156762c377e496b3376abd7d507bdefb8a55cf605
all runs: crashed: KASAN: use-after-free Read in lock_sock_nested
# git bisect good 15a91f918597da9a1c11a913cee8e37f3ca5dd3c
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[35191a0fe986bacf69bd842de81119dca7970f11] Bluetooth: btintel: Read boot address irrespective of controller mode
testing commit 35191a0fe986bacf69bd842de81119dca7970f11
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: c33d85626647af4ea7a549b0518dd00a30d6033ca32886cf8804b0f4b9e5bffe
all runs: crashed: KASAN: use-after-free Read in lock_sock_nested
# git bisect good 35191a0fe986bacf69bd842de81119dca7970f11
1bff51ea59a9afb67d2dd78518ab0582a54a472c is the first bad commit
commit 1bff51ea59a9afb67d2dd78518ab0582a54a472c
Author: Wang ShaoBo
Date:   Tue Aug 31 17:35:37 2021 -0700

    Bluetooth: fix use-after-free error in lock_sock_nested()

    use-after-free error in lock_sock_nested is reported:

    [ 179.140137][ T3731] =====================================================
    [ 179.142675][ T3731] BUG: KMSAN: use-after-free in lock_sock_nested+0x280/0x2c0
    [ 179.145494][ T3731] CPU: 4 PID: 3731 Comm: kworker/4:2 Not tainted 5.12.0-rc6+ #54
    [ 179.148432][ T3731] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
    [ 179.151806][ T3731] Workqueue: events l2cap_chan_timeout
    [ 179.152730][ T3731] Call Trace:
    [ 179.153301][ T3731]  dump_stack+0x24c/0x2e0
    [ 179.154063][ T3731]  kmsan_report+0xfb/0x1e0
    [ 179.154855][ T3731]  __msan_warning+0x5c/0xa0
    [ 179.155579][ T3731]  lock_sock_nested+0x280/0x2c0
    [ 179.156436][ T3731]  ? kmsan_get_metadata+0x116/0x180
    [ 179.157257][ T3731]  l2cap_sock_teardown_cb+0xb8/0x890
    [ 179.158154][ T3731]  ? __msan_metadata_ptr_for_load_8+0x10/0x20
    [ 179.159141][ T3731]  ? kmsan_get_metadata+0x116/0x180
    [ 179.159994][ T3731]  ? kmsan_get_shadow_origin_ptr+0x84/0xb0
    [ 179.160959][ T3731]  ? l2cap_sock_recv_cb+0x420/0x420
    [ 179.161834][ T3731]  l2cap_chan_del+0x3e1/0x1d50
    [ 179.162608][ T3731]  ? kmsan_get_metadata+0x116/0x180
    [ 179.163435][ T3731]  ? kmsan_get_shadow_origin_ptr+0x84/0xb0
    [ 179.164406][ T3731]  l2cap_chan_close+0xeea/0x1050
    [ 179.165189][ T3731]  ? kmsan_internal_unpoison_shadow+0x42/0x70
    [ 179.166180][ T3731]  l2cap_chan_timeout+0x1da/0x590
    [ 179.167066][ T3731]  ? __msan_metadata_ptr_for_load_8+0x10/0x20
    [ 179.168023][ T3731]  ? l2cap_chan_create+0x560/0x560
    [ 179.168818][ T3731]  process_one_work+0x121d/0x1ff0
    [ 179.169598][ T3731]  worker_thread+0x121b/0x2370
    [ 179.170346][ T3731]  kthread+0x4ef/0x610
    [ 179.171010][ T3731]  ? process_one_work+0x1ff0/0x1ff0
    [ 179.171828][ T3731]  ? kthread_blkcg+0x110/0x110
    [ 179.172587][ T3731]  ret_from_fork+0x1f/0x30
    [ 179.173348][ T3731]
    [ 179.173752][ T3731] Uninit was created at:
    [ 179.174409][ T3731]  kmsan_internal_poison_shadow+0x5c/0xf0
    [ 179.175373][ T3731]  kmsan_slab_free+0x76/0xc0
    [ 179.176060][ T3731]  kfree+0x3a5/0x1180
    [ 179.176664][ T3731]  __sk_destruct+0x8af/0xb80
    [ 179.177375][ T3731]  __sk_free+0x812/0x8c0
    [ 179.178032][ T3731]  sk_free+0x97/0x130
    [ 179.178686][ T3731]  l2cap_sock_release+0x3d5/0x4d0
    [ 179.179457][ T3731]  sock_close+0x150/0x450
    [ 179.180117][ T3731]  __fput+0x6bd/0xf00
    [ 179.180787][ T3731]  ____fput+0x37/0x40
    [ 179.181481][ T3731]  task_work_run+0x140/0x280
    [ 179.182219][ T3731]  do_exit+0xe51/0x3e60
    [ 179.182930][ T3731]  do_group_exit+0x20e/0x450
    [ 179.183656][ T3731]  get_signal+0x2dfb/0x38f0
    [ 179.184344][ T3731]  arch_do_signal_or_restart+0xaa/0xe10
    [ 179.185266][ T3731]  exit_to_user_mode_prepare+0x2d2/0x560
    [ 179.186136][ T3731]  syscall_exit_to_user_mode+0x35/0x60
    [ 179.186984][ T3731]  do_syscall_64+0xc5/0x140
    [ 179.187681][ T3731]  entry_SYSCALL_64_after_hwframe+0x44/0xae
    [ 179.188604][ T3731] =====================================================

    In our case, there are two threads, A and B:

    Context: Thread A:                      Context: Thread B:
    l2cap_chan_timeout()                    __se_sys_shutdown()
      l2cap_chan_close()                      l2cap_sock_shutdown()
        l2cap_chan_del()                        l2cap_chan_close()
          l2cap_sock_teardown_cb()                l2cap_sock_teardown_cb()

    Once l2cap_sock_teardown_cb() has executed, this sock will be marked as
    SOCK_ZAPPED, and can be treated as killable in l2cap_sock_kill() if
    sock_orphan() has executed; at this time we close the sock through
    sock_close(), which ends up calling l2cap_sock_kill(), like Thread C:

    Context: Thread C:
    sock_close()
      l2cap_sock_release()
        sock_orphan()
        l2cap_sock_kill()  # free sock if refcnt is 1

    If C completed, once A or B reaches l2cap_sock_teardown_cb() again, the
    use-after-free happens.

    We should set chan->data to NULL if the sock is destructed, to tell
    l2cap_sock_teardown_cb() that the teardown operation is not allowed, and
    we should also avoid killing an already killed socket in
    l2cap_sock_close_cb().

    Signed-off-by: Wang ShaoBo
    Signed-off-by: Luiz Augusto von Dentz
    Signed-off-by: Marcel Holtmann

 net/bluetooth/l2cap_sock.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

culprit signature: 79f2c074799641b2f0cc8fcf996c5291190afc0ead7652a85554f3d41de28830
parent signature: c33d85626647af4ea7a549b0518dd00a30d6033ca32886cf8804b0f4b9e5bffe
revisions tested: 22, total time: 4h20m50.506750163s (build: 2h0m27.983114246s, test: 2h17m45.174624517s)
first good commit: 1bff51ea59a9afb67d2dd78518ab0582a54a472c Bluetooth: fix use-after-free error in lock_sock_nested()
recipients (to): ["bobo.shaobowang@huawei.com" "luiz.von.dentz@intel.com" "marcel@holtmann.org"]
recipients (cc): []