bisecting fixing commit since 54b4fa6d39551639cb10664f6ac78b01993a1d7e
building syzkaller on 831e9a81a60573f12c44f35c7b04072f41854bdf
testing commit 54b4fa6d39551639cb10664f6ac78b01993a1d7e
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: 4cdb0b294cad3f56c643a10c8828a4f264f38eb03de8142feb51d39d762c68c9
all runs: crashed: KASAN: use-after-free Write in hci_sock_bind
testing current HEAD 4938296e03bd227e5020d63d418956fe52baf97c
testing commit 4938296e03bd227e5020d63d418956fe52baf97c
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: 8fc3bfdf20aa54c1c844535d86fe220dec4e294912f692311250a2bdcf221bfd
all runs: crashed: BUG: sleeping function called from invalid context in lock_sock_nested
revisions tested: 2, total time: 30m51.655893333s (build: 22m35.380941279s, test: 7m33.797187977s)
the crash still happens on HEAD
commit msg: Linux 4.19.198
crash: BUG: sleeping function called from invalid context in lock_sock_nested

batman_adv: batadv0: Interface activated: batadv_slave_0
batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3e) already exists on: batadv_slave_1
batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
BUG: sleeping function called from invalid context at net/core/sock.c:2863
in_atomic(): 1, irqs_disabled(): 0, pid: 7098, name: syz-executor.2
batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3e) already exists on: batadv_slave_1
1 lock held by syz-executor.2/7098:
 #0: 00000000cb64a177 (hci_sk_list.lock){++++}, at: hci_sock_dev_event+0x33e/0x540 net/bluetooth/hci_sock.c:756
Preemption disabled at:
[] hci_sock_dev_event+0x33e/0x540 net/bluetooth/hci_sock.c:756
CPU: 1 PID: 7098 Comm: syz-executor.2 Not tainted 4.19.198-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x123/0x171 lib/dump_stack.c:118
 ___might_sleep.cold.87+0x1bb/0x1f4 kernel/sched/core.c:6192
 __might_sleep+0x95/0x190 kernel/sched/core.c:6145
 lock_sock_nested+0x24/0x100 net/core/sock.c:2863
 lock_sock include/net/sock.h:1510 [inline]
 hci_sock_dev_event+0x3a3/0x540 net/bluetooth/hci_sock.c:758
 hci_unregister_dev+0x207/0x7a0 net/bluetooth/hci_core.c:3292
 vhci_release+0x6b/0xe0 drivers/bluetooth/hci_vhci.c:354
 __fput+0x249/0x7f0 fs/file_table.c:278
 ____fput+0x9/0x10 fs/file_table.c:309
 task_work_run+0x108/0x180 kernel/task_work.c:113
 tracehook_notify_resume include/linux/tracehook.h:193 [inline]
 exit_to_usermode_loop+0x1a9/0x200 arch/x86/entry/common.c:167
 prepare_exit_to_usermode arch/x86/entry/common.c:198 [inline]
 syscall_return_slowpath arch/x86/entry/common.c:271 [inline]
 do_syscall_64+0x413/0x4e0 arch/x86/entry/common.c:296
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x41741b
Code: 0f 05 48 3d 00 f0 ff ff 77 45 c3 0f 1f 40 00 48 83 ec 18 89 7c 24 0c e8 63 fc ff ff 8b 7c 24 0c 41 89 c0 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 35 44 89 c7 89 44 24 0c e8 a1 fc ff ff 8b 44
RSP: 002b:00007fffe4c29a70 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 0000000000000001 RCX: 000000000041741b
RDX: 0000000000000000 RSI: 00000000005402a8 RDI: 0000000000000003
RBP: 0000000000000004 R08: 0000000000000000 R09: 0000001b31720070
R10: 00007fffe4c29b40 R11: 0000000000000293 R12: 00000000000003e8
R13: 000000000053bf00 R14: 000000000053bf0c R15: 000000000053bf00
batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3e) already exists on: batadv_slave_1
batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
IPv6: ADDRCONF(NETDEV_UP): batadv_slave_1: link is not ready
batman_adv: batadv0: Interface activated: batadv_slave_1
batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3d) already exists on: batadv_slave_0
batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3d) already exists on: batadv_slave_0
batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3d) already exists on: batadv_slave_0
batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3d) already exists on: batadv_slave_0
batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3d) already exists on: batadv_slave_0
batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
IPv6: ADDRCONF(NETDEV_UP): batadv_slave_0: link is not ready
batman_adv: batadv0: Interface activated: batadv_slave_0
batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3e) already exists on: batadv_slave_1
batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3e) already exists on: batadv_slave_1
batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3e) already exists on: batadv_slave_1
batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3e) already exists on: batadv_slave_1
batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
IPv6: ADDRCONF(NETDEV_UP): batadv_slave_1: link is not ready
batman_adv: batadv0: Interface activated: batadv_slave_1
IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3e) already exists on: batadv_slave_1
batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3e) already exists on: batadv_slave_1
batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3e) already exists on: batadv_slave_1
batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3e) already exists on: batadv_slave_1
batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3e) already exists on: batadv_slave_1
batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
IPv6: ADDRCONF(NETDEV_UP): batadv_slave_1: link is not ready
batman_adv: batadv0: Interface activated: batadv_slave_1
IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
BUG: sleeping function called from invalid context at net/core/sock.c:2863
in_atomic(): 1, irqs_disabled(): 0, pid: 7267, name: syz-executor.1
1 lock held by syz-executor.1/7267:
 #0: 00000000cb64a177 (hci_sk_list.lock){++++}, at: hci_sock_dev_event+0x33e/0x540 net/bluetooth/hci_sock.c:756
Preemption disabled at:
[] hci_sock_dev_event+0x33e/0x540 net/bluetooth/hci_sock.c:756
CPU: 1 PID: 7267 Comm: syz-executor.1 Tainted: G W 4.19.198-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x123/0x171 lib/dump_stack.c:118
 ___might_sleep.cold.87+0x1bb/0x1f4 kernel/sched/core.c:6192
 __might_sleep+0x95/0x190 kernel/sched/core.c:6145
 lock_sock_nested+0x24/0x100 net/core/sock.c:2863
 lock_sock include/net/sock.h:1510 [inline]
 hci_sock_dev_event+0x3a3/0x540 net/bluetooth/hci_sock.c:758
 hci_unregister_dev+0x207/0x7a0 net/bluetooth/hci_core.c:3292
 vhci_release+0x6b/0xe0 drivers/bluetooth/hci_vhci.c:354
 __fput+0x249/0x7f0 fs/file_table.c:278
 ____fput+0x9/0x10 fs/file_table.c:309
 task_work_run+0x108/0x180 kernel/task_work.c:113
 tracehook_notify_resume include/linux/tracehook.h:193 [inline]
 exit_to_usermode_loop+0x1a9/0x200 arch/x86/entry/common.c:167
 prepare_exit_to_usermode arch/x86/entry/common.c:198 [inline]
 syscall_return_slowpath arch/x86/entry/common.c:271 [inline]
 do_syscall_64+0x413/0x4e0 arch/x86/entry/common.c:296
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x41741b
Code: 0f 05 48 3d 00 f0 ff ff 77 45 c3 0f 1f 40 00 48 83 ec 18 89 7c 24 0c e8 63 fc ff ff 8b 7c 24 0c 41 89 c0 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 35 44 89 c7 89 44 24 0c e8 a1 fc ff ff 8b 44
RSP: 002b:00007fff8b80fc70 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 0000000000000001 RCX: 000000000041741b
RDX: 0000000000000000 RSI: 00000000005402a8 RDI: 0000000000000003
RBP: 0000000000000004 R08: 0000000000000000 R09: 0000001b31320070
R10: 00007fff8b80fd40 R11: 0000000000000293 R12: 00000000000003e8
R13: 000000000053bf00 R14: 000000000053bf0c R15: 000000000053bf00
BUG: sleeping function called from invalid context at net/core/sock.c:2863
in_atomic(): 1, irqs_disabled(): 0, pid: 7863, name: syz-executor.2
1 lock held by syz-executor.2/7863:
 #0: 00000000cb64a177 (hci_sk_list.lock){++++}, at: hci_sock_dev_event+0x33e/0x540 net/bluetooth/hci_sock.c:756
Preemption disabled at:
[] hci_sock_dev_event+0x33e/0x540 net/bluetooth/hci_sock.c:756
CPU: 1 PID: 7863 Comm: syz-executor.2 Tainted: G W 4.19.198-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x123/0x171 lib/dump_stack.c:118
 ___might_sleep.cold.87+0x1bb/0x1f4 kernel/sched/core.c:6192
 __might_sleep+0x95/0x190 kernel/sched/core.c:6145
 lock_sock_nested+0x24/0x100 net/core/sock.c:2863
 lock_sock include/net/sock.h:1510 [inline]
 hci_sock_dev_event+0x3a3/0x540 net/bluetooth/hci_sock.c:758
 hci_unregister_dev+0x207/0x7a0 net/bluetooth/hci_core.c:3292
 vhci_release+0x6b/0xe0 drivers/bluetooth/hci_vhci.c:354
 __fput+0x249/0x7f0 fs/file_table.c:278
 ____fput+0x9/0x10 fs/file_table.c:309
 task_work_run+0x108/0x180 kernel/task_work.c:113
 tracehook_notify_resume include/linux/tracehook.h:193 [inline]
 exit_to_usermode_loop+0x1a9/0x200 arch/x86/entry/common.c:167
 prepare_exit_to_usermode arch/x86/entry/common.c:198 [inline]
 syscall_return_slowpath arch/x86/entry/common.c:271 [inline]
 do_syscall_64+0x413/0x4e0 arch/x86/entry/common.c:296
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x41741b
Code: 0f 05 48 3d 00 f0 ff ff 77 45 c3 0f 1f 40 00 48 83 ec 18 89 7c 24 0c e8 63 fc ff ff 8b 7c 24 0c 41 89 c0 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 35 44 89 c7 89 44 24 0c e8 a1 fc ff ff 8b 44
RSP: 002b:00007fffe4c29a70 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 000000000041741b
RDX: 00000000000f4240 RSI: 00000000005402a8 RDI: 0000000000000003
RBP: 0000000000000004 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000538070 R11: 0000000000000293 R12: 00000000005402a8
R13: 000000000053bf00 R14: 00007fffe4c29b70 R15: 000000000053bf00
BUG: scheduling while atomic: syz-executor.1/8398/0x00000002
1 lock held by syz-executor.1/8398:
 #0: 00000000cb64a177 (hci_sk_list.lock){++++}, at: hci_sock_dev_event+0x33e/0x540 net/bluetooth/hci_sock.c:756
Modules linked in:
Preemption disabled at:
[] hci_sock_dev_event+0x33e/0x540 net/bluetooth/hci_sock.c:756
CPU: 0 PID: 8398 Comm: syz-executor.1 Tainted: G W 4.19.198-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x123/0x171 lib/dump_stack.c:118
 __schedule_bug.cold.89+0x7c/0x8d kernel/sched/core.c:3319
 schedule_debug kernel/sched/core.c:3334 [inline]
 __schedule+0x13e0/0x1d40 kernel/sched/core.c:3439
 schedule+0x7f/0x1b0 kernel/sched/core.c:3561
 __lock_sock+0x129/0x200 net/core/sock.c:2320
 lock_sock_nested+0xda/0x100 net/core/sock.c:2866
 lock_sock include/net/sock.h:1510 [inline]
 hci_sock_dev_event+0x3a3/0x540 net/bluetooth/hci_sock.c:758
 hci_unregister_dev+0x207/0x7a0 net/bluetooth/hci_core.c:3292
 vhci_release+0x6b/0xe0 drivers/bluetooth/hci_vhci.c:354
 __fput+0x249/0x7f0 fs/file_table.c:278
 ____fput+0x9/0x10 fs/file_table.c:309
 task_work_run+0x108/0x180 kernel/task_work.c:113
 tracehook_notify_resume include/linux/tracehook.h:193 [inline]
 exit_to_usermode_loop+0x1a9/0x200 arch/x86/entry/common.c:167
 prepare_exit_to_usermode arch/x86/entry/common.c:198 [inline]
 syscall_return_slowpath arch/x86/entry/common.c:271 [inline]
 do_syscall_64+0x413/0x4e0 arch/x86/entry/common.c:296
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x41741b
Code: 0f 05 48 3d 00 f0 ff ff 77 45 c3 0f 1f 40 00 48 83 ec 18 89 7c 24 0c e8 63 fc ff ff 8b 7c 24 0c 41 89 c0 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 35 44 89 c7 89 44 24 0c e8 a1 fc ff ff 8b 44
RSP: 002b:00007fff8b80fc70 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 000000000041741b
RDX: 00000000000f4240 RSI: 00000000005402a8 RDI: 0000000000000003
RBP: 0000000000000004 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000538070 R11: 0000000000000293 R12: 00000000005402a8
R13: 000000000053bf00 R14: 00007fff8b80fd70 R15: 000000000053bf00