ci starts bisection 2023-06-16 11:02:47.804046482 +0000 UTC m=+22951.766885852
bisecting fixing commit since e4cf7c25bae5c3b5089a3c23a897f450149caef2
building syzkaller on ab32d50881df9f96f2af301aadca62ad00b7e099
ensuring issue is reproducible on original commit e4cf7c25bae5c3b5089a3c23a897f450149caef2
testing commit e4cf7c25bae5c3b5089a3c23a897f450149caef2 gcc
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 17b4d15b6c708f0b48296d2c68da277ce5cb48729ec6dcef033b721a169910a5
run #0: crashed: possible deadlock in sco_conn_del
run #1: crashed: possible deadlock in sco_conn_del
run #2: crashed: possible deadlock in sco_conn_del
run #3: crashed: possible deadlock in sco_conn_del
run #4: crashed: possible deadlock in sco_conn_del
run #5: crashed: possible deadlock in sco_conn_del
run #6: crashed: possible deadlock in sco_conn_del
run #7: crashed: possible deadlock in sco_conn_del
run #8: crashed: possible deadlock in sco_conn_del
run #9: crashed: possible deadlock in sco_conn_del
run #10: crashed: possible deadlock in sco_conn_del
run #11: crashed: possible deadlock in sco_conn_del
run #12: crashed: possible deadlock in sco_conn_del
run #13: crashed: INFO: rcu detected stall in corrupted
run #14: crashed: INFO: rcu detected stall in corrupted
run #15: crashed: INFO: rcu detected stall in corrupted
run #16: crashed: INFO: rcu detected stall in corrupted
run #17: crashed: INFO: rcu detected stall in corrupted
run #18: crashed: INFO: rcu detected stall in corrupted
run #19: crashed: INFO: rcu detected stall in corrupted
testing current HEAD 40f71e7cd3c6ac04293556ab0504a372393838ff
testing commit 40f71e7cd3c6ac04293556ab0504a372393838ff gcc
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 28f44a1d1bed5e38831dea54c906ff30e80450a84792a3b08558c4ec7dd596bf
all runs: OK
too many neither good nor bad results, skipping this commit
# git bisect start 40f71e7cd3c6ac04293556ab0504a372393838ff e4cf7c25bae5c3b5089a3c23a897f450149caef2
Bisecting: 16738 revisions left to test after this (roughly 14 steps)
[9578a10d4a2b4bcbbebefb4156c16c82ee725b3a] Merge tag 'drm-misc-next-2023-03-23' of git://anongit.freedesktop.org/drm/drm-misc into drm-next
testing commit 9578a10d4a2b4bcbbebefb4156c16c82ee725b3a gcc
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 7ea046314300e1fe7139b65e62174af34424b1ce7e234025e6e7dad2385299c3
all runs: crashed: possible deadlock in sco_conn_del
# git bisect good 9578a10d4a2b4bcbbebefb4156c16c82ee725b3a
Bisecting: 7767 revisions left to test after this (roughly 13 steps)
[6e98b09da931a00bf4e0477d0fa52748bf28fcce] Merge tag 'net-next-6.4' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next
testing commit 6e98b09da931a00bf4e0477d0fa52748bf28fcce gcc
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 5ae100a16a5c3d4b62091a814e522fb7deb4c65c8651964bc71312d9699ca5a1
all runs: crashed: KASAN: slab-use-after-free Read in hci_conn_hash_flush
# git bisect good 6e98b09da931a00bf4e0477d0fa52748bf28fcce
Bisecting: 3887 revisions left to test after this (roughly 12 steps)
[d55571c0084465f1f7e1e29f22bd910d366a6e1d] Merge tag 'kbuild-v6.4' of git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild
testing commit d55571c0084465f1f7e1e29f22bd910d366a6e1d gcc
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: fabf75f06342cc1b4e57be27ee70015098ad740041520057e9deb8d74ea07541
all runs: crashed: KASAN: slab-use-after-free Read in hci_conn_hash_flush
# git bisect good d55571c0084465f1f7e1e29f22bd910d366a6e1d
Bisecting: 1816 revisions left to test after this (roughly 11 steps)
[f085df1be60abf670315c11036261cfaec16b2eb] Merge tag 'perf-tools-for-v6.4-3-2023-05-06' of git://git.kernel.org/pub/scm/linux/kernel/git/acme/linux
testing commit f085df1be60abf670315c11036261cfaec16b2eb gcc
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 0befcdf8d94b71eba986a4d7ef1f6f51a8af70b6dc801c20234e7cd34b7ed775
all runs: crashed: KASAN: slab-use-after-free Read in hci_conn_hash_flush
# git bisect good f085df1be60abf670315c11036261cfaec16b2eb
Bisecting: 907 revisions left to test after this (roughly 10 steps)
[4e893b5aa4ac2c8a56a40d18fe87e9d2295e5dcf] Merge tag 'for-linus-6.4-rc4-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip
testing commit 4e893b5aa4ac2c8a56a40d18fe87e9d2295e5dcf gcc
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: aeae4b504faffe472156545d5d07b116a7fc17e6db61b914b992f4a35d28289d
all runs: OK
too many neither good nor bad results, skipping this commit
# git bisect bad 4e893b5aa4ac2c8a56a40d18fe87e9d2295e5dcf
Bisecting: 457 revisions left to test after this (roughly 9 steps)
[a59487458824184abf568721fe7d1beb1e0d099e] Merge tag 'ceph-for-6.4-rc3' of https://github.com/ceph/ceph-client
testing commit a59487458824184abf568721fe7d1beb1e0d099e gcc
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 6014388006c1cff0e7cf381ffc5dbc298b610feb66d1720b58f9e9e5bcd82e83
all runs: crashed: KASAN: slab-use-after-free Read in hci_conn_hash_flush
# git bisect good a59487458824184abf568721fe7d1beb1e0d099e
Bisecting: 231 revisions left to test after this (roughly 8 steps)
[029c77f89a15e0e2f209ac5be9ec1d9672b8b09a] Merge tag 'sound-6.4-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound
testing commit 029c77f89a15e0e2f209ac5be9ec1d9672b8b09a gcc
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 4af1e2fca7d1ecd846ee89f4011882995adf1a07c860173e06e34d565371346c
all runs: crashed: KASAN: slab-use-after-free Read in hci_conn_hash_flush
# git bisect good 029c77f89a15e0e2f209ac5be9ec1d9672b8b09a
Bisecting: 118 revisions left to test after this (roughly 7 steps)
[9828ed3f695a138f7add89fa2a186ababceb8006] module: error out early on concurrent load of the same module file
testing commit 9828ed3f695a138f7add89fa2a186ababceb8006 gcc
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 44acb93634d9f59f264d5eddc4510f62704a78296bfd96bde4ea148677a5f8a4
all runs: OK
too many neither good nor bad results, skipping this commit
# git bisect bad 9828ed3f695a138f7add89fa2a186ababceb8006
Bisecting: 60 revisions left to test after this (roughly 6 steps)
[878ecb0897f4737a4c9401f3523fd49589025671] ipv6: Fix out-of-bounds access in ipv6_find_tlv()
testing commit 878ecb0897f4737a4c9401f3523fd49589025671 gcc
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 2a39a4258064585ba38a7b81ed8337329473e4d3e2fb7bf9d3f123da6fa8239f
all runs: OK
too many neither good nor bad results, skipping this commit
# git bisect bad 878ecb0897f4737a4c9401f3523fd49589025671
Bisecting: 25 revisions left to test after this (roughly 5 steps)
[640bf95b2c7c2981fb471acdafbd3e0458f8390d] 3c589_cs: Fix an error handling path in tc589_probe()
testing commit 640bf95b2c7c2981fb471acdafbd3e0458f8390d gcc
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 2927ea4dab2f699ce17917bb8c14517771c9df3f3c19fad87405379dcee8eb92
all runs: OK
too many neither good nor bad results, skipping this commit
# git bisect bad 640bf95b2c7c2981fb471acdafbd3e0458f8390d
Bisecting: 12 revisions left to test after this (roughly 4 steps)
[cfcb942863f6fce9266e1957a021e6c7295dee42] sfc: fix devlink info error handling
testing commit cfcb942863f6fce9266e1957a021e6c7295dee42 gcc
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: f04565319535d40680d640ab95b04e2f9693a4cbe3170ef4918914658b053fc1
all runs: crashed: KASAN: slab-use-after-free Read in hci_conn_hash_flush
# git bisect good cfcb942863f6fce9266e1957a021e6c7295dee42
Bisecting: 6 revisions left to test after this (roughly 3 steps)
[a2ac591cb4d83e1f2d4b4adb3c14b2c79764650a] Bluetooth: Fix UAF in hci_conn_hash_flush again
testing commit a2ac591cb4d83e1f2d4b4adb3c14b2c79764650a gcc
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: dffbbaaca16465a25f48c40e527e2696d5094042880553270d3cacaf09ce8918
all runs: OK
too many neither good nor bad results, skipping this commit
# git bisect bad a2ac591cb4d83e1f2d4b4adb3c14b2c79764650a
Bisecting: 2 revisions left to test after this (roughly 2 steps)
[9025944fddfed5966c8f102f1fe921ab3aee2c12] net: fec: add dma_wmb to ensure correct descriptor values
testing commit 9025944fddfed5966c8f102f1fe921ab3aee2c12 gcc
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: d8898c811e9680323707783ced50823a5377144a1228ff887f0d7b7877f626a6
all runs: crashed: KASAN: slab-use-after-free Read in hci_conn_hash_flush
# git bisect good 9025944fddfed5966c8f102f1fe921ab3aee2c12
Bisecting: 0 revisions left to test after this (roughly 1 step)
[2910431ab0e500dfc5df12299bb15eef0f30b43e] Bluetooth: Refcnt drop must be placed last in hci_conn_unlink
testing commit 2910431ab0e500dfc5df12299bb15eef0f30b43e gcc
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: b5319bb1fb30e87bf678022b5fac6713ff110366025baab2d74ed996877676e0
all runs: crashed: KASAN: slab-use-after-free Read in hci_conn_hash_flush
# git bisect good 2910431ab0e500dfc5df12299bb15eef0f30b43e
a2ac591cb4d83e1f2d4b4adb3c14b2c79764650a is the first bad commit
commit a2ac591cb4d83e1f2d4b4adb3c14b2c79764650a
Author: Ruihan Li
Date:   Wed May 3 21:39:36 2023 +0800

    Bluetooth: Fix UAF in hci_conn_hash_flush again

    Commit 06149746e720 ("Bluetooth: hci_conn: Add support for linking
    multiple hcon") reintroduced a previously fixed bug [1] ("KASAN:
    slab-use-after-free Read in hci_conn_hash_flush"). This bug was
    originally fixed by commit 5dc7d23e167e ("Bluetooth: hci_conn: Fix
    possible UAF").

    The hci_conn_unlink function was added to avoid invalidating the link
    traversal caused by successive hci_conn_del operations releasing extra
    connections. However, currently hci_conn_unlink itself also releases
    extra connections, resulting in the reintroduced bug.

    This patch follows a more robust solution for cleaning up all
    connections, by repeatedly removing the first connection until there
    are none left. This approach does not rely on the inner workings of
    hci_conn_del and ensures proper cleanup of all connections.

    Meanwhile, we need to make sure that hci_conn_del never fails. Indeed
    it doesn't, as it now always returns zero. To make this a bit clearer,
    this patch also changes its return type to void.

    Reported-by: syzbot+8bb72f86fc823817bc5d@syzkaller.appspotmail.com
    Closes: https://lore.kernel.org/linux-bluetooth/000000000000aa920505f60d25ad@google.com/
    Fixes: 06149746e720 ("Bluetooth: hci_conn: Add support for linking multiple hcon")
    Signed-off-by: Ruihan Li
    Co-developed-by: Luiz Augusto von Dentz
    Signed-off-by: Luiz Augusto von Dentz

 include/net/bluetooth/hci_core.h |  2 +-
 net/bluetooth/hci_conn.c         | 33 ++++++++++++++++++++++-----------
 2 files changed, 23 insertions(+), 12 deletions(-)

culprit signature: dffbbaaca16465a25f48c40e527e2696d5094042880553270d3cacaf09ce8918
parent signature: b5319bb1fb30e87bf678022b5fac6713ff110366025baab2d74ed996877676e0
revisions tested: 16, total time: 4h6m1.60516089s (build: 2h21m8.808023096s, test: 1h41m7.166502228s)
first good commit: a2ac591cb4d83e1f2d4b4adb3c14b2c79764650a Bluetooth: Fix UAF in hci_conn_hash_flush again
recipients (to): ["lrh2000@pku.edu.cn" "luiz.von.dentz@intel.com"]
recipients (cc): []