bisecting fixing commit since c70672d8d316ebd46ea447effadfe57ab7a30a50
building syzkaller on abf9ba4fc75d9b29af15625d44dcfc1360fad3b7
testing commit c70672d8d316ebd46ea447effadfe57ab7a30a50
compiler: gcc (GCC) 8.4.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 47d57663290040bfd76ce3b50a8cc77662709bcbb881cc2589b9c227ef90dee6
run #0: crashed: KASAN: null-ptr-deref Write in l2cap_chan_put
run #1: crashed: KASAN: use-after-free Read in lock_sock_nested
run #2: crashed: KASAN: null-ptr-deref Write in l2cap_chan_put
run #3: crashed: KASAN: use-after-free Read in lock_sock_nested
run #4: crashed: KASAN: null-ptr-deref Write in l2cap_chan_put
run #5: crashed: KASAN: use-after-free Read in lock_sock_nested
run #6: crashed: KASAN: null-ptr-deref Write in l2cap_chan_put
run #7: crashed: KASAN: null-ptr-deref Write in l2cap_chan_put
run #8: crashed: KASAN: use-after-free Read in lock_sock_nested
run #9: crashed: KASAN: use-after-free Read in lock_sock_nested
run #10: crashed: KASAN: use-after-free Read in lock_sock_nested
run #11: crashed: WARNING: locking bug in l2cap_sock_teardown_cb
run #12: crashed: KASAN: null-ptr-deref Write in l2cap_chan_put
run #13: crashed: KASAN: use-after-free Read in lock_sock_nested
run #14: crashed: KASAN: use-after-free Read in lock_sock_nested
run #15: crashed: KASAN: null-ptr-deref Write in l2cap_chan_put
run #16: crashed: KASAN: use-after-free Read in lock_sock_nested
run #17: crashed: KASAN: slab-out-of-bounds Read in lock_sock_nested
run #18: crashed: KASAN: null-ptr-deref Write in l2cap_chan_put
run #19: crashed: KASAN: use-after-free Read in lock_sock_nested
testing current HEAD a4849f6000e29235a2707f22e39da6b897bb9543
testing commit a4849f6000e29235a2707f22e39da6b897bb9543
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: ade582d7267deaeaa9dacbc2986ce4a30338d2ae3e6727e42a50662d81ff8f92
all runs: OK
# git bisect start a4849f6000e29235a2707f22e39da6b897bb9543 c70672d8d316ebd46ea447effadfe57ab7a30a50
Bisecting: 53680 revisions left to test after this (roughly 16 steps)
[68a32ba14177d4a21c4a9a941cf1d7aea86d436f] Merge tag 'drm-next-2021-04-28' of git://anongit.freedesktop.org/drm/drm
testing commit 68a32ba14177d4a21c4a9a941cf1d7aea86d436f
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 8545aa45c26d6a688071635c684499f569058ba0f478c0e02c91fd296c4bf15e
run #0: crashed: KASAN: use-after-free Read in lock_sock_nested
run #1: crashed: KASAN: null-ptr-deref Write in l2cap_chan_put
run #2: crashed: KASAN: use-after-free Read in lock_sock_nested
run #3: crashed: KASAN: null-ptr-deref Write in l2cap_chan_put
run #4: crashed: KASAN: use-after-free Read in lock_sock_nested
run #5: crashed: KASAN: null-ptr-deref Write in l2cap_chan_put
run #6: crashed: KASAN: null-ptr-deref Write in l2cap_chan_put
run #7: crashed: INFO: trying to register non-static key in l2cap_sock_teardown_cb
run #8: crashed: KASAN: use-after-free Read in lock_sock_nested
run #9: crashed: KASAN: null-ptr-deref Write in l2cap_chan_put
# git bisect good 68a32ba14177d4a21c4a9a941cf1d7aea86d436f
Bisecting: 26846 revisions left to test after this (roughly 15 steps)
[a8729efbbb847f6ea9b06e73491ec8ddb560465e] Merge tag 'asoc-v5.15' of https://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound into for-linus
testing commit a8729efbbb847f6ea9b06e73491ec8ddb560465e
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: af9560cc1494fdfa9738398b7d0bd16ad3fd28c075d4067c48b676986e5ae087
run #0: crashed: KASAN: null-ptr-deref Write in l2cap_chan_put
run #1: crashed: KASAN: use-after-free Read in lock_sock_nested
run #2: crashed: KASAN: null-ptr-deref Write in l2cap_chan_put
run #3: crashed: KASAN: null-ptr-deref Write in l2cap_chan_put
run #4: crashed: KASAN: null-ptr-deref Write in l2cap_chan_put
run #5: crashed: KASAN: null-ptr-deref Write in l2cap_chan_put
run #6: crashed: KASAN: null-ptr-deref Write in l2cap_chan_put
run #7: crashed: KASAN: null-ptr-deref Write in l2cap_chan_put
run #8: crashed: KASAN: null-ptr-deref Write in l2cap_chan_put
run #9: crashed: KASAN: null-ptr-deref Write in l2cap_chan_put
# git bisect good a8729efbbb847f6ea9b06e73491ec8ddb560465e
Bisecting: 13433 revisions left to test after this (roughly 14 steps)
[e15f5972b8031f9069f41e24adff63bd34463b3a] Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
testing commit e15f5972b8031f9069f41e24adff63bd34463b3a
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: e86c59a68533d9626422096495b8920be91c23af01481044833e66a5fda0587f
all runs: OK
# git bisect bad e15f5972b8031f9069f41e24adff63bd34463b3a
Bisecting: 6690 revisions left to test after this (roughly 13 steps)
[866147b8fa59530812fc769027a94468d89401e7] Merge tag 'drivers-5.15' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc
testing commit 866147b8fa59530812fc769027a94468d89401e7
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 78ca582876b0741c45abb4d543f50b5c4999604be732027e6b1149fc3b168cf5
all runs: crashed: KASAN: use-after-free Read in lock_sock_nested
# git bisect good 866147b8fa59530812fc769027a94468d89401e7
Bisecting: 3374 revisions left to test after this (roughly 12 steps)
[cc09ee80c3b18ae1a897a30a17fe710b2b2f620a] Merge tag 'mm-slub-5.15-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/vbabka/linux
testing commit cc09ee80c3b18ae1a897a30a17fe710b2b2f620a
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: e5d16edbd00c0bdbd67bab8f016aabe068b196e9163b7244ea023516c4cb347d
run #0: crashed: KASAN: use-after-free Read in lock_sock_nested
run #1: crashed: KASAN: use-after-free Read in lock_sock_nested
run #2: crashed: KASAN: use-after-free Read in lock_sock_nested
run #3: crashed: KASAN: use-after-free Read in lock_sock_nested
run #4: crashed: WARNING: locking bug in l2cap_sock_teardown_cb
run #5: crashed: KASAN: use-after-free Read in lock_sock_nested
run #6: crashed: KASAN: use-after-free Read in lock_sock_nested
run #7: crashed: KASAN: use-after-free Read in lock_sock_nested
run #8: crashed: KASAN: use-after-free Read in lock_sock_nested
run #9: crashed: KASAN: use-after-free Read in lock_sock_nested
# git bisect good cc09ee80c3b18ae1a897a30a17fe710b2b2f620a
Bisecting: 1692 revisions left to test after this (roughly 11 steps)
[b05173028cc52384be42dcf81abdb4133caccfa5] Merge branch 'snmp-optimizations'
testing commit b05173028cc52384be42dcf81abdb4133caccfa5
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: b1c6eb969ee084d66dec2c7ccd2ec296930973eed288d6a6af2946c7ade6f5a0
run #0: crashed: KASAN: use-after-free Read in lock_sock_nested
run #1: crashed: INFO: trying to register non-static key in l2cap_sock_teardown_cb
run #2: crashed: KASAN: use-after-free Read in lock_sock_nested
run #3: crashed: KASAN: use-after-free Read in lock_sock_nested
run #4: crashed: KASAN: use-after-free Read in lock_sock_nested
run #5: crashed: WARNING: locking bug in l2cap_sock_teardown_cb
run #6: crashed: KASAN: use-after-free Read in lock_sock_nested
run #7: crashed: KASAN: use-after-free Read in lock_sock_nested
run #8: crashed: KASAN: use-after-free Read in lock_sock_nested
run #9: crashed: WARNING: locking bug in l2cap_sock_teardown_cb
# git bisect good b05173028cc52384be42dcf81abdb4133caccfa5
Bisecting: 846 revisions left to test after this (roughly 10 steps)
[49f885b2d97093451410e7279aa29d81e094e108] net: dsa: tag_ocelot_8021q: break circular dependency with ocelot switch lib
testing commit 49f885b2d97093451410e7279aa29d81e094e108
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 729ba40886209387dce31e6bd63cf93a93c23d580b22fecfdeba3e2c0fe396ea
run #0: crashed: KASAN: use-after-free Read in lock_sock_nested
run #1: crashed: KASAN: use-after-free Read in lock_sock_nested
run #2: crashed: KASAN: use-after-free Read in lock_sock_nested
run #3: crashed: INFO: trying to register non-static key in l2cap_sock_teardown_cb
run #4: crashed: KASAN: use-after-free Read in lock_sock_nested
run #5: crashed: KASAN: use-after-free Read in lock_sock_nested
run #6: crashed: KASAN: use-after-free Read in lock_sock_nested
run #7: crashed: KASAN: use-after-free Read in lock_sock_nested
run #8: crashed: KASAN: use-after-free Read in lock_sock_nested
run #9: crashed: KASAN: use-after-free Read in lock_sock_nested
# git bisect good 49f885b2d97093451410e7279aa29d81e094e108
Bisecting: 417 revisions left to test after this (roughly 9 steps)
[44cc24b04bed578e32a4334cacf95799335b3274] Merge tag 'wireless-drivers-next-2021-10-07' of git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/wireless-drivers-next
testing commit 44cc24b04bed578e32a4334cacf95799335b3274
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 3a955e9c3c7bccb00c449c3142a0723a106e41bb6c7921fb74e6a58ca61323f1
all runs: OK
# git bisect bad 44cc24b04bed578e32a4334cacf95799335b3274
Bisecting: 213 revisions left to test after this (roughly 8 steps)
[95bf387e3569e079dc621028e7c1c55ef01b0ed7] Merge tag 'mlx5-updates-2021-10-04' of git://git.kernel.org/pub/scm/linux/kernel/git/saeed/linux
testing commit 95bf387e3569e079dc621028e7c1c55ef01b0ed7
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: d091ecc8abb19582d2fc39e79b8f64c43d4a4e54e62cec2038ee29b1c81cb8c7
run #0: crashed: KASAN: use-after-free Read in lock_sock_nested
run #1: crashed: KASAN: use-after-free Read in lock_sock_nested
run #2: crashed: KASAN: use-after-free Read in lock_sock_nested
run #3: crashed: KASAN: use-after-free Read in lock_sock_nested
run #4: crashed: KASAN: slab-out-of-bounds Read in lock_sock_nested
run #5: crashed: KASAN: use-after-free Read in lock_sock_nested
run #6: crashed: KASAN: use-after-free Read in lock_sock_nested
run #7: crashed: KASAN: use-after-free Read in lock_sock_nested
run #8: crashed: KASAN: use-after-free Read in lock_sock_nested
run #9: crashed: KASAN: use-after-free Read in lock_sock_nested
# git bisect good 95bf387e3569e079dc621028e7c1c55ef01b0ed7
Bisecting: 106 revisions left to test after this (roughly 7 steps)
[b8eeac565b162b6a00423a5d9ed2d1284342bdfd] ethernet: use device_get_ethdev_address()
testing commit b8eeac565b162b6a00423a5d9ed2d1284342bdfd
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 3a955e9c3c7bccb00c449c3142a0723a106e41bb6c7921fb74e6a58ca61323f1
all runs: OK
# git bisect bad b8eeac565b162b6a00423a5d9ed2d1284342bdfd
Bisecting: 53 revisions left to test after this (roughly 6 steps)
[34af56e8ad3a628de108cb5221c44ebffa001f97] Bluetooth: hci_qca: enable Qualcomm WCN399x for AOSP extension
testing commit 34af56e8ad3a628de108cb5221c44ebffa001f97
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 4abeb401d72205d8baad7d26788b621421f1a5eb803c1143b68b4de97cc49ec1
all runs: OK
# git bisect bad 34af56e8ad3a628de108cb5221c44ebffa001f97
Bisecting: 26 revisions left to test after this (roughly 5 steps)
[f6873401a60865702069fb2e3f67671fff9c082c] Bluetooth: Allow setting of codec for HFP offload use case
testing commit f6873401a60865702069fb2e3f67671fff9c082c
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 17e9e11118ca46741d89cc0ef59ec8fff3eae6a8b6415792b942f0972c6b507c
all runs: OK
# git bisect bad f6873401a60865702069fb2e3f67671fff9c082c
Bisecting: 12 revisions left to test after this (roughly 4 steps)
[35191a0fe986bacf69bd842de81119dca7970f11] Bluetooth: btintel: Read boot address irrespective of controller mode
testing commit 35191a0fe986bacf69bd842de81119dca7970f11
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 38adc734b734a0639b99ea7d1fe3372686b22078cb7e7fc92dc10d3f39ccf1ab
all runs: crashed: KASAN: use-after-free Read in lock_sock_nested
# git bisect good 35191a0fe986bacf69bd842de81119dca7970f11
Bisecting: 6 revisions left to test after this (roughly 3 steps)
[f4712fa993f688d0a48e0c28728fcdeb88c1ea58] Bluetooth: call sock_hold earlier in sco_conn_del
testing commit f4712fa993f688d0a48e0c28728fcdeb88c1ea58
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: a91cf477fe280c8e5635740bc571854da1c8077fef7f185d451ce3f34445829e
all runs: OK
# git bisect bad f4712fa993f688d0a48e0c28728fcdeb88c1ea58
Bisecting: 2 revisions left to test after this (roughly 2 steps)
[09a19d6dd974c677669eff44a9044f65d7be359d] Bluetooth: btusb: Add protocol for MediaTek bluetooth devices(MT7922)
testing commit 09a19d6dd974c677669eff44a9044f65d7be359d
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 4dbb1c80f4188cad430554c98f206621400c92aa15f321181bea98a5b1fdc000
all runs: OK
# git bisect bad 09a19d6dd974c677669eff44a9044f65d7be359d
Bisecting: 0 revisions left to test after this (roughly 1 step)
[5a87679ffd4436474cf9de1a7df9406906fdf148] Bluetooth: btusb: Support public address configuration for MediaTek Chip.
testing commit 5a87679ffd4436474cf9de1a7df9406906fdf148
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: bc443c869c2e660a817f2c47aa0c1203e1a7376926cf3725d05548313dc42679
all runs: OK
# git bisect bad 5a87679ffd4436474cf9de1a7df9406906fdf148
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[1bff51ea59a9afb67d2dd78518ab0582a54a472c] Bluetooth: fix use-after-free error in lock_sock_nested()
testing commit 1bff51ea59a9afb67d2dd78518ab0582a54a472c
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 20eef7dc9ee83084b249c6dead46430c1f474dfa6dd06c185c8a89642a202df6
all runs: OK
# git bisect bad 1bff51ea59a9afb67d2dd78518ab0582a54a472c
1bff51ea59a9afb67d2dd78518ab0582a54a472c is the first bad commit
commit 1bff51ea59a9afb67d2dd78518ab0582a54a472c
Author: Wang ShaoBo
Date:   Tue Aug 31 17:35:37 2021 -0700

    Bluetooth: fix use-after-free error in lock_sock_nested()

    use-after-free error in lock_sock_nested is reported:

    [  179.140137][ T3731] =====================================================
    [  179.142675][ T3731] BUG: KMSAN: use-after-free in lock_sock_nested+0x280/0x2c0
    [  179.145494][ T3731] CPU: 4 PID: 3731 Comm: kworker/4:2 Not tainted 5.12.0-rc6+ #54
    [  179.148432][ T3731] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
    [  179.151806][ T3731] Workqueue: events l2cap_chan_timeout
    [  179.152730][ T3731] Call Trace:
    [  179.153301][ T3731]  dump_stack+0x24c/0x2e0
    [  179.154063][ T3731]  kmsan_report+0xfb/0x1e0
    [  179.154855][ T3731]  __msan_warning+0x5c/0xa0
    [  179.155579][ T3731]  lock_sock_nested+0x280/0x2c0
    [  179.156436][ T3731]  ? kmsan_get_metadata+0x116/0x180
    [  179.157257][ T3731]  l2cap_sock_teardown_cb+0xb8/0x890
    [  179.158154][ T3731]  ? __msan_metadata_ptr_for_load_8+0x10/0x20
    [  179.159141][ T3731]  ? kmsan_get_metadata+0x116/0x180
    [  179.159994][ T3731]  ? kmsan_get_shadow_origin_ptr+0x84/0xb0
    [  179.160959][ T3731]  ? l2cap_sock_recv_cb+0x420/0x420
    [  179.161834][ T3731]  l2cap_chan_del+0x3e1/0x1d50
    [  179.162608][ T3731]  ? kmsan_get_metadata+0x116/0x180
    [  179.163435][ T3731]  ? kmsan_get_shadow_origin_ptr+0x84/0xb0
    [  179.164406][ T3731]  l2cap_chan_close+0xeea/0x1050
    [  179.165189][ T3731]  ? kmsan_internal_unpoison_shadow+0x42/0x70
    [  179.166180][ T3731]  l2cap_chan_timeout+0x1da/0x590
    [  179.167066][ T3731]  ? __msan_metadata_ptr_for_load_8+0x10/0x20
    [  179.168023][ T3731]  ? l2cap_chan_create+0x560/0x560
    [  179.168818][ T3731]  process_one_work+0x121d/0x1ff0
    [  179.169598][ T3731]  worker_thread+0x121b/0x2370
    [  179.170346][ T3731]  kthread+0x4ef/0x610
    [  179.171010][ T3731]  ? process_one_work+0x1ff0/0x1ff0
    [  179.171828][ T3731]  ? kthread_blkcg+0x110/0x110
    [  179.172587][ T3731]  ret_from_fork+0x1f/0x30
    [  179.173348][ T3731]
    [  179.173752][ T3731] Uninit was created at:
    [  179.174409][ T3731]  kmsan_internal_poison_shadow+0x5c/0xf0
    [  179.175373][ T3731]  kmsan_slab_free+0x76/0xc0
    [  179.176060][ T3731]  kfree+0x3a5/0x1180
    [  179.176664][ T3731]  __sk_destruct+0x8af/0xb80
    [  179.177375][ T3731]  __sk_free+0x812/0x8c0
    [  179.178032][ T3731]  sk_free+0x97/0x130
    [  179.178686][ T3731]  l2cap_sock_release+0x3d5/0x4d0
    [  179.179457][ T3731]  sock_close+0x150/0x450
    [  179.180117][ T3731]  __fput+0x6bd/0xf00
    [  179.180787][ T3731]  ____fput+0x37/0x40
    [  179.181481][ T3731]  task_work_run+0x140/0x280
    [  179.182219][ T3731]  do_exit+0xe51/0x3e60
    [  179.182930][ T3731]  do_group_exit+0x20e/0x450
    [  179.183656][ T3731]  get_signal+0x2dfb/0x38f0
    [  179.184344][ T3731]  arch_do_signal_or_restart+0xaa/0xe10
    [  179.185266][ T3731]  exit_to_user_mode_prepare+0x2d2/0x560
    [  179.186136][ T3731]  syscall_exit_to_user_mode+0x35/0x60
    [  179.186984][ T3731]  do_syscall_64+0xc5/0x140
    [  179.187681][ T3731]  entry_SYSCALL_64_after_hwframe+0x44/0xae
    [  179.188604][ T3731] =====================================================

    In our case, there are two Thread A and B:

    Context: Thread A:                  Context: Thread B:
    l2cap_chan_timeout()                __se_sys_shutdown()
      l2cap_chan_close()                  l2cap_sock_shutdown()
        l2cap_chan_del()                    l2cap_chan_close()
          l2cap_sock_teardown_cb()            l2cap_sock_teardown_cb()

    Once l2cap_sock_teardown_cb() executed, this sock will be marked as
    SOCK_ZAPPED, and can be treated as killable in l2cap_sock_kill() if
    sock_orphan() has executed, at this time we close sock through
    sock_close() which end to call l2cap_sock_kill() like Thread C:

    Context: Thread C:
    sock_close()
      l2cap_sock_release()
        sock_orphan()
        l2cap_sock_kill()  #free sock if refcnt is 1

    If C completed, Once A or B reaches l2cap_sock_teardown_cb() again,
    use-after-free happened.

    We should set chan->data to NULL if sock is destructed, for telling
    teardown operation is not allowed in l2cap_sock_teardown_cb(), and also
    we should avoid killing an already killed socket in l2cap_sock_close_cb().

    Signed-off-by: Wang ShaoBo
    Signed-off-by: Luiz Augusto von Dentz
    Signed-off-by: Marcel Holtmann

 net/bluetooth/l2cap_sock.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
culprit signature: 20eef7dc9ee83084b249c6dead46430c1f474dfa6dd06c185c8a89642a202df6
parent signature: 38adc734b734a0639b99ea7d1fe3372686b22078cb7e7fc92dc10d3f39ccf1ab
revisions tested: 19, total time: 3h58m21.185726888s (build: 1h54m48.643014062s, test: 2h0m50.618868946s)
first good commit: 1bff51ea59a9afb67d2dd78518ab0582a54a472c Bluetooth: fix use-after-free error in lock_sock_nested()
recipients (to): ["bobo.shaobowang@huawei.com" "luiz.von.dentz@intel.com" "marcel@holtmann.org"]
recipients (cc): []