bisecting fixing commit since 97a8651cadce7c2b7c4d8f108b392eff31fe2c08
building syzkaller on 77e2b66864e69c17416614228723a1ebd3581ddc
testing commit 97a8651cadce7c2b7c4d8f108b392eff31fe2c08 with gcc (GCC) 8.4.1 20210217
kernel signature: 00fa9651ea480a2c547cf260f8ecbefd872f5968490f61d9f79ee4496935c703
all runs: crashed: KASAN: use-after-free Read in nfc_llcp_sock_unlink
testing current HEAD eb575cd5d7f60241d016fdd13a9e86d962093c9b
testing commit eb575cd5d7f60241d016fdd13a9e86d962093c9b with gcc (GCC) 8.4.1 20210217
kernel signature: db4dae1df12b32090d336f4d74dfa0166976f49778971efb445d1e10e7773cc3
all runs: OK
# git bisect start eb575cd5d7f60241d016fdd13a9e86d962093c9b 97a8651cadce7c2b7c4d8f108b392eff31fe2c08
Bisecting: 365 revisions left to test after this (roughly 9 steps)
[cd9e673501592f0bd8f5dfc5a1f90ffc5e38bf46] drm/radeon: Avoid power table parsing memory leaks
testing commit cd9e673501592f0bd8f5dfc5a1f90ffc5e38bf46 with gcc (GCC) 8.4.1 20210217
kernel signature: 7e88bf7f4030e5155260d1231de64dff661a764a623fb0ad20a5d06577c3bbe5
all runs: basic kernel testing failed: unregister_netdevice: waiting for DEV to become free
# git bisect skip cd9e673501592f0bd8f5dfc5a1f90ffc5e38bf46
Bisecting: 365 revisions left to test after this (roughly 9 steps)
[691062feb4ed8303be75ab07c5c1e09311bd8c80] PCI: Release OF node in pci_scan_device()'s error path
testing commit 691062feb4ed8303be75ab07c5c1e09311bd8c80 with gcc (GCC) 8.4.1 20210217
kernel signature: b1336b533968b56e17e717dcbc14133d8e4f497d61eea2e91e84a103e3cde29e
all runs: basic kernel testing failed: unregister_netdevice: waiting for DEV to become free
# git bisect skip 691062feb4ed8303be75ab07c5c1e09311bd8c80
Bisecting: 365 revisions left to test after this (roughly 9 steps)
[21bc01d55245654cecc85d8b11ad779ebaf0b90b] usb: gadget: pch_udc: Replace cpu_to_le32() by lower_32_bits()
testing commit 21bc01d55245654cecc85d8b11ad779ebaf0b90b with gcc (GCC) 8.4.1 20210217
kernel signature: 22302b2dd0b70509f9416917c55cf4f652cec5f5b2a62648ae45e9d750244b97
all runs: OK
# git bisect bad 21bc01d55245654cecc85d8b11ad779ebaf0b90b
Bisecting: 95 revisions left to test after this (roughly 7 steps)
[44149b3e106e4c632d4c5b80650580f823f72c45] arm64/vdso: Discard .note.gnu.property sections in vDSO
testing commit 44149b3e106e4c632d4c5b80650580f823f72c45 with gcc (GCC) 8.4.1 20210217
kernel signature: 43c534d21ff5a8be472cfd544c560cb820724498854a7bc651387f2aeb2c9065
all runs: crashed: KASAN: use-after-free Read in nfc_llcp_sock_unlink
# git bisect good 44149b3e106e4c632d4c5b80650580f823f72c45
Bisecting: 47 revisions left to test after this (roughly 6 steps)
[48fba458fe54cc2a980a05c13e6c19b8b2cfb610] net/nfc: fix use-after-free llcp_sock_bind/connect
testing commit 48fba458fe54cc2a980a05c13e6c19b8b2cfb610 with gcc (GCC) 8.4.1 20210217
kernel signature: ba77e3678f05b3937bd4b20f014d28f7ef6daa5ce1fb477e81fae9dc6ce49014
all runs: OK
# git bisect bad 48fba458fe54cc2a980a05c13e6c19b8b2cfb610
Bisecting: 23 revisions left to test after this (roughly 5 steps)
[cd89f79be5d553c78202f686e8e4caa5fbe94e98] media: dvbdev: Fix memory leak in dvb_media_device_free()
testing commit cd89f79be5d553c78202f686e8e4caa5fbe94e98 with gcc (GCC) 8.4.1 20210217
kernel signature: 6ac7755dea0a8128c3b292652cbb9092735bdf3231a91ddd54787bdcc80ea010
all runs: crashed: KASAN: use-after-free Read in nfc_llcp_sock_unlink
# git bisect good cd89f79be5d553c78202f686e8e4caa5fbe94e98
Bisecting: 11 revisions left to test after this (roughly 4 steps)
[772b9f59657665af3b68d24d12b9d172d31f0dfb] dm rq: fix double free of blk_mq_tag_set in dev remove after table load fails
testing commit 772b9f59657665af3b68d24d12b9d172d31f0dfb with gcc (GCC) 8.4.1 20210217
kernel signature: 530927e5d2d95d2d485294325d4d0aebca7e25a8bc406017324338f9f753b273
all runs: crashed: KASAN: use-after-free Read in nfc_llcp_sock_unlink
# git bisect good 772b9f59657665af3b68d24d12b9d172d31f0dfb
Bisecting: 5 revisions left to test after this (roughly 3 steps)
[04c85f758849657691dde9fce66d18eee7a9ae8f] modules: rename the licence field in struct symsearch to license
testing commit 04c85f758849657691dde9fce66d18eee7a9ae8f with gcc (GCC) 8.4.1 20210217
kernel signature: 589230720a3b1cfda6ae5578b42236ef6550875f9cad8d0e6d0ea42b0e2b2f77
all runs: crashed: KASAN: use-after-free Read in nfc_llcp_sock_unlink
# git bisect good 04c85f758849657691dde9fce66d18eee7a9ae8f
Bisecting: 2 revisions left to test after this (roughly 2 steps)
[75e26178e26f910f7f26c79c2824b726eecf0dfb] Bluetooth: verify AMP hci_chan before amp_destroy
testing commit 75e26178e26f910f7f26c79c2824b726eecf0dfb with gcc (GCC) 8.4.1 20210217
kernel signature: 88408709f568f77dc2775b646f8b2e4bc10576772ed904ba15a27d6135a834de
all runs: crashed: KASAN: use-after-free Read in nfc_llcp_sock_unlink
# git bisect good 75e26178e26f910f7f26c79c2824b726eecf0dfb
Bisecting: 0 revisions left to test after this (roughly 1 step)
[35113c4c9fa7c970ff456982e381dc9e9594154a] bluetooth: eliminate the potential race condition when removing the HCI controller
testing commit 35113c4c9fa7c970ff456982e381dc9e9594154a with gcc (GCC) 8.4.1 20210217
kernel signature: 387195dff4d8f1298e471ec3a5fd256c4bcc06cab0d448bdb35c0118f862e6d3
all runs: crashed: KASAN: use-after-free Read in nfc_llcp_sock_unlink
# git bisect good 35113c4c9fa7c970ff456982e381dc9e9594154a
48fba458fe54cc2a980a05c13e6c19b8b2cfb610 is the first bad commit
commit 48fba458fe54cc2a980a05c13e6c19b8b2cfb610
Author: Or Cohen
Date:   Tue May 4 10:16:46 2021 +0300

    net/nfc: fix use-after-free llcp_sock_bind/connect

    commit c61760e6940dd4039a7f5e84a6afc9cdbf4d82b6 upstream.

    Commits 8a4cd82d ("nfc: fix refcount leak in llcp_sock_connect()")
    and c33b1cc62 ("nfc: fix refcount leak in llcp_sock_bind()") fixed
    a refcount leak bug in bind/connect but introduced a use-after-free
    if the same local is assigned to 2 different sockets.
    This can be triggered by the following simple program:

        #include <string.h>
        #include <unistd.h>
        #include <sys/socket.h>
        #include <linux/nfc.h>

        struct sockaddr_nfc_llcp addr;
        int sock1 = socket( AF_NFC, SOCK_STREAM, NFC_SOCKPROTO_LLCP );
        int sock2 = socket( AF_NFC, SOCK_STREAM, NFC_SOCKPROTO_LLCP );
        memset( &addr, 0, sizeof(struct sockaddr_nfc_llcp) );
        addr.sa_family = AF_NFC;
        addr.nfc_protocol = NFC_PROTO_NFC_DEP;
        /* bind both sockets to the same address, so both get the same local */
        bind( sock1, (struct sockaddr*) &addr, sizeof(struct sockaddr_nfc_llcp) );
        bind( sock2, (struct sockaddr*) &addr, sizeof(struct sockaddr_nfc_llcp) );
        close(sock1);
        close(sock2);

    Fix this by assigning NULL to llcp_sock->local after calling
    nfc_llcp_local_put.

    This addresses CVE-2021-23134.

    Reported-by: Or Cohen
    Reported-by: Nadav Markus
    Fixes: c33b1cc62 ("nfc: fix refcount leak in llcp_sock_bind()")
    Signed-off-by: Or Cohen
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

 net/nfc/llcp_sock.c | 4 ++++
 1 file changed, 4 insertions(+)

culprit signature: ba77e3678f05b3937bd4b20f014d28f7ef6daa5ce1fb477e81fae9dc6ce49014
parent signature: 387195dff4d8f1298e471ec3a5fd256c4bcc06cab0d448bdb35c0118f862e6d3
revisions tested: 12, total time: 3h0m10.627834539s (build: 2h4m8.397397556s, test: 54m42.414450646s)
first good commit: 48fba458fe54cc2a980a05c13e6c19b8b2cfb610 net/nfc: fix use-after-free llcp_sock_bind/connect
recipients (to): ["davem@davemloft.net" "gregkh@linuxfoundation.org" "orcohen@paloaltonetworks.com"]
recipients (cc): []