bisecting fixing commit since 3207316b3beec7e38e5dbe2f463df0cec71e0b97
building syzkaller on 79264ae39c1ef4b4875ab67d6f0c8c3e75aa6a34
testing commit 3207316b3beec7e38e5dbe2f463df0cec71e0b97
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: 43d034266a9a7393713c8e1b045d5dda9d64c7cac85381248c6d5cea47c242ca
run #0: crashed: inconsistent lock state in sco_sock_timeout
run #1: crashed: inconsistent lock state in sco_conn_del
run #2: crashed: inconsistent lock state in sco_sock_timeout
run #3: crashed: inconsistent lock state in sco_sock_timeout
run #4: crashed: inconsistent lock state in sco_sock_timeout
run #5: crashed: inconsistent lock state in sco_sock_timeout
run #6: crashed: inconsistent lock state in sco_conn_del
run #7: crashed: inconsistent lock state in sco_conn_del
run #8: crashed: inconsistent lock state in sco_sock_timeout
run #9: crashed: inconsistent lock state in sco_conn_del
run #10: crashed: inconsistent lock state in sco_sock_timeout
run #11: crashed: inconsistent lock state in sco_sock_timeout
run #12: crashed: inconsistent lock state in sco_conn_del
run #13: crashed: inconsistent lock state in sco_conn_del
run #14: crashed: inconsistent lock state in sco_conn_del
run #15: crashed: inconsistent lock state in sco_conn_del
run #16: crashed: inconsistent lock state in sco_conn_del
run #17: crashed: inconsistent lock state in sco_conn_del
run #18: crashed: inconsistent lock state in sco_conn_del
run #19: OK
testing current HEAD e34184f53363f6bb873c2fe0ce1a08ed7d16e94a
testing commit e34184f53363f6bb873c2fe0ce1a08ed7d16e94a
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: 8c36db103dfdd4c18ba9e6dd17005e4a9935664e70d7fe57f9997932f060fe51
all runs: OK
# git bisect start e34184f53363f6bb873c2fe0ce1a08ed7d16e94a 3207316b3beec7e38e5dbe2f463df0cec71e0b97
Bisecting: 1696 revisions left to test after this (roughly 11 steps)
[a3dd6095f1a66fd05fe79c96fb9f7a3a13d0ca03] nvme: do not try to reconfigure APST when the controller is not live
testing commit a3dd6095f1a66fd05fe79c96fb9f7a3a13d0ca03
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: 97407896bdc29193102332c32cd854a3f7d42c0a4a0d1bea0476855adc493cb4
all runs: basic kernel testing failed: unregister_netdevice: waiting for DEV to become free
# git bisect skip a3dd6095f1a66fd05fe79c96fb9f7a3a13d0ca03
Bisecting: 1696 revisions left to test after this (roughly 11 steps)
[adf3709eac4e6c8db6107620bc2542940d6e7a74] ia64: fix ia64_syscall_get_set_arguments() for break-based syscalls
testing commit adf3709eac4e6c8db6107620bc2542940d6e7a74
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: f94411a052b610a2e535a0d8ab3a462371071694697a8d6361b8c5bfb0ecfddd
run #0: crashed: inconsistent lock state in sco_sock_timeout
run #1: crashed: inconsistent lock state in sco_conn_del
run #2: crashed: inconsistent lock state in sco_conn_del
run #3: crashed: inconsistent lock state in sco_conn_del
run #4: crashed: inconsistent lock state in sco_conn_del
run #5: crashed: inconsistent lock state in sco_conn_del
run #6: crashed: inconsistent lock state in sco_conn_del
run #7: crashed: inconsistent lock state in sco_conn_del
run #8: crashed: inconsistent lock state in sco_conn_del
run #9: OK
# git bisect good adf3709eac4e6c8db6107620bc2542940d6e7a74
Bisecting: 1185 revisions left to test after this (roughly 10 steps)
[651c8f620e140910fb204052bb0b886bcd8a04ee] rsi: fix AP mode with WPA failure due to encrypted EAPOL
testing commit 651c8f620e140910fb204052bb0b886bcd8a04ee
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: 0847896cc9c923b1aa5bd6320e106b55b4f1b5894cb11d8e1a5d46d20f5afc31
run #0: crashed: inconsistent lock state in sco_sock_timeout
run #1: crashed: inconsistent lock state in sco_sock_timeout
run #2: crashed: inconsistent lock state in sco_sock_timeout
run #3: crashed: inconsistent lock state in sco_sock_timeout
run #4: crashed: inconsistent lock state in sco_sock_timeout
run #5: crashed: inconsistent lock state in sco_conn_del
run #6: crashed: inconsistent lock state in sco_conn_del
run #7: crashed: inconsistent lock state in sco_conn_del
run #8: crashed: inconsistent lock state in sco_conn_del
run #9: crashed: inconsistent lock state in sco_conn_del
# git bisect good 651c8f620e140910fb204052bb0b886bcd8a04ee
Bisecting: 592 revisions left to test after this (roughly 9 steps)
[1071804cc89e984e0d2c966e890fd37f77a8e951] usb: gadget: f_hid: fixed NULL pointer dereference
testing commit 1071804cc89e984e0d2c966e890fd37f77a8e951
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: 64329646252ef99231c0cf388f609c359611c9277192e607998d5a9ef2d59d09
run #0: crashed: inconsistent lock state in sco_sock_timeout
run #1: crashed: inconsistent lock state in sco_sock_timeout
run #2: crashed: inconsistent lock state in sco_sock_timeout
run #3: crashed: inconsistent lock state in sco_conn_del
run #4: crashed: inconsistent lock state in sco_conn_del
run #5: crashed: inconsistent lock state in sco_conn_del
run #6: crashed: inconsistent lock state in sco_conn_del
run #7: crashed: inconsistent lock state in sco_conn_del
run #8: crashed: inconsistent lock state in sco_conn_del
run #9: OK
# git bisect good 1071804cc89e984e0d2c966e890fd37f77a8e951
Bisecting: 295 revisions left to test after this (roughly 8 steps)
[79d15fc5646f79e769b90957370a84c0ba981c85] arm64: head: avoid over-mapping in map_memory
testing commit 79d15fc5646f79e769b90957370a84c0ba981c85
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: 9ea9e9dcd68bc47898a50e3736173969da4190642b6d28b45fdc4f5e293c15a8
run #0: crashed: inconsistent lock state in sco_sock_timeout
run #1: crashed: inconsistent lock state in sco_sock_timeout
run #2: crashed: inconsistent lock state in sco_sock_timeout
run #3: crashed: inconsistent lock state in sco_conn_del
run #4: crashed: inconsistent lock state in sco_sock_timeout
run #5: crashed: inconsistent lock state in sco_conn_del
run #6: crashed: inconsistent lock state in sco_conn_del
run #7: crashed: inconsistent lock state in sco_conn_del
run #8: crashed: inconsistent lock state in sco_conn_del
run #9: OK
# git bisect good 79d15fc5646f79e769b90957370a84c0ba981c85
Bisecting: 147 revisions left to test after this (roughly 7 steps)
[7c113506163a1ec6157927428eddd80038d2916e] fq_codel: reject silly quantum parameters
testing commit 7c113506163a1ec6157927428eddd80038d2916e
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: e03e13855118ecc0716df7699489d15ad1082b78c45773f4c71789768f6afb04
all runs: OK
# git bisect bad 7c113506163a1ec6157927428eddd80038d2916e
Bisecting: 73 revisions left to test after this (roughly 6 steps)
[563db83b10ec3dbd66fdd44bcb3f80f0fc6689f2] gpu: drm: amd: amdgpu: amdgpu_i2c: fix possible uninitialized-variable access in amdgpu_i2c_router_select_ddc_port()
testing commit 563db83b10ec3dbd66fdd44bcb3f80f0fc6689f2
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: 75fe79d6b936b9461047228ffd591bda4425ef908af504fda8fa32c912b7d902
all runs: OK
# git bisect bad 563db83b10ec3dbd66fdd44bcb3f80f0fc6689f2
Bisecting: 36 revisions left to test after this (roughly 5 steps)
[51fae54d5ad9d8e9222580f2cdb04a8474f6520b] netlink: Deal with ESRCH error in nlmsg_notify()
testing commit 51fae54d5ad9d8e9222580f2cdb04a8474f6520b
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: c85e454d4f9fb65aaf8433d2b070640d329bf16307cce8b0c8a024dbfff07682
run #0: crashed: inconsistent lock state in sco_sock_timeout
run #1: crashed: inconsistent lock state in sco_conn_del
run #2: crashed: inconsistent lock state in sco_sock_timeout
run #3: crashed: inconsistent lock state in sco_sock_timeout
run #4: crashed: inconsistent lock state in sco_conn_del
run #5: crashed: inconsistent lock state in sco_sock_timeout
run #6: crashed: inconsistent lock state in sco_conn_del
run #7: crashed: inconsistent lock state in sco_conn_del
run #8: crashed: inconsistent lock state in sco_conn_del
run #9: OK
# git bisect good 51fae54d5ad9d8e9222580f2cdb04a8474f6520b
Bisecting: 17 revisions left to test after this (roughly 4 steps)
[546c8bc6d0d509db71557df2f3dd04dee0973c26] hvsi: don't panic on tty_register_driver failure
testing commit 546c8bc6d0d509db71557df2f3dd04dee0973c26
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: 5a7aaa38787b5fdc20c55037bcf8d9ff589f437a21b2ec207dbb00d2fa0dfed1
run #0: crashed: inconsistent lock state in sco_sock_timeout
run #1: crashed: inconsistent lock state in sco_sock_timeout
run #2: crashed: inconsistent lock state in sco_sock_timeout
run #3: crashed: inconsistent lock state in sco_sock_timeout
run #4: crashed: inconsistent lock state in sco_sock_timeout
run #5: crashed: inconsistent lock state in sco_conn_del
run #6: crashed: inconsistent lock state in sco_conn_del
run #7: crashed: inconsistent lock state in sco_conn_del
run #8: crashed: inconsistent lock state in sco_conn_del
run #9: crashed: inconsistent lock state in sco_conn_del
# git bisect good 546c8bc6d0d509db71557df2f3dd04dee0973c26
Bisecting: 8 revisions left to test after this (roughly 3 steps)
[4c0307b0607e5af0a5c1525085d95069770fadcd] media: imx258: Limit the max analogue gain to 480
testing commit 4c0307b0607e5af0a5c1525085d95069770fadcd
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: 23fea43cd34c6300040069b17fa49b419bd2ee7b02abe27d40da606aa77ac035
run #0: crashed: inconsistent lock state in sco_sock_timeout
run #1: crashed: inconsistent lock state in sco_sock_timeout
run #2: crashed: inconsistent lock state in sco_sock_timeout
run #3: crashed: inconsistent lock state in sco_conn_del
run #4: crashed: inconsistent lock state in sco_sock_timeout
run #5: crashed: inconsistent lock state in sco_conn_del
run #6: crashed: inconsistent lock state in sco_conn_del
run #7: crashed: inconsistent lock state in sco_conn_del
run #8: crashed: inconsistent lock state in sco_conn_del
run #9: OK
# git bisect good 4c0307b0607e5af0a5c1525085d95069770fadcd
Bisecting: 4 revisions left to test after this (roughly 2 steps)
[0214e26442be85a054a1af8bb66db094ba26bc00] ARM: dts: imx53-ppd: Fix ACHC entry
testing commit 0214e26442be85a054a1af8bb66db094ba26bc00
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: dda5bbbc72040875528f3a712aa01bfa8653e1d187b14eae7e5565f965178cd3
run #0: crashed: inconsistent lock state in sco_sock_timeout
run #1: crashed: inconsistent lock state in sco_sock_timeout
run #2: crashed: inconsistent lock state in sco_conn_del
run #3: crashed: inconsistent lock state in sco_conn_del
run #4: crashed: inconsistent lock state in sco_conn_del
run #5: crashed: inconsistent lock state in sco_conn_del
run #6: crashed: inconsistent lock state in sco_conn_del
run #7: crashed: inconsistent lock state in sco_conn_del
run #8: OK
run #9: OK
# git bisect good 0214e26442be85a054a1af8bb66db094ba26bc00
Bisecting: 1 revision left to test after this (roughly 1 step)
[48669c81a65628ef234cbdd91b9395952c7c27fe] Bluetooth: schedule SCO timeouts with delayed_work
testing commit 48669c81a65628ef234cbdd91b9395952c7c27fe
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: 85c3d1f231dd3ce1eba643f4544d8c8ee872d21c537e5daa03d32f4347687040
run #0: basic kernel testing failed: failed to copy test binary to VM: failed to run ["scp" "-P" "22" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "BatchMode=yes" "-o" "IdentitiesOnly=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "/tmp/syz-executor339114963" "root@10.128.10.25:./syz-executor339114963"]: exit status 1
Connection timed out during banner exchange
Connection to 10.128.10.25 port 22 timed out
lost connection
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect bad 48669c81a65628ef234cbdd91b9395952c7c27fe
Bisecting: 0 revisions left to test after this (roughly 1 step)
[aca58859ee7254f195745d98f33192a008427835] net: ethernet: stmmac: Do not use unreachable() in ipq806x_gmac_probe()
testing commit aca58859ee7254f195745d98f33192a008427835
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: dda5bbbc72040875528f3a712aa01bfa8653e1d187b14eae7e5565f965178cd3
run #0: crashed: inconsistent lock state in sco_sock_timeout
run #1: crashed: inconsistent lock state in sco_sock_timeout
run #2: crashed: inconsistent lock state in sco_conn_del
run #3: crashed: inconsistent lock state in sco_conn_del
run #4: crashed: inconsistent lock state in sco_conn_del
run #5: crashed: inconsistent lock state in sco_conn_del
run #6: crashed: inconsistent lock state in sco_conn_del
run #7: crashed: inconsistent lock state in sco_sock_timeout
run #8: crashed: inconsistent lock state in sco_conn_del
run #9: crashed: inconsistent lock state in sco_conn_del
# git bisect good aca58859ee7254f195745d98f33192a008427835
48669c81a65628ef234cbdd91b9395952c7c27fe is the first bad commit
commit 48669c81a65628ef234cbdd91b9395952c7c27fe
Author: Desmond Cheong Zhi Xi
Date:   Tue Aug 10 12:14:05 2021 +0800

    Bluetooth: schedule SCO timeouts with delayed_work

    [ Upstream commit ba316be1b6a00db7126ed9a39f9bee434a508043 ]

    struct sock.sk_timer should be used as a sock cleanup timer. However,
    SCO uses it to implement sock timeouts.

    This causes issues because struct sock.sk_timer's callback is run in
    an IRQ context, and the timer callback function sco_sock_timeout takes
    a spin lock on the socket. However, other functions such as
    sco_conn_del and sco_conn_ready take the spin lock with interrupts
    enabled.

    This inconsistent {SOFTIRQ-ON-W} -> {IN-SOFTIRQ-W} lock usage could
    lead to deadlocks as reported by Syzbot [1]:
           CPU0
           ----
      lock(slock-AF_BLUETOOTH-BTPROTO_SCO);
      lock(slock-AF_BLUETOOTH-BTPROTO_SCO);

    To fix this, we use delayed work to implement SCO sock timeouts
    instead. This allows us to avoid taking the spin lock on the socket in
    an IRQ context, and corrects the misuse of struct sock.sk_timer.

    As a note, cancel_delayed_work is used instead of
    cancel_delayed_work_sync in sco_sock_set_timer and
    sco_sock_clear_timer to avoid a deadlock. In the future, the call to
    bh_lock_sock inside sco_sock_timeout should be changed to lock_sock to
    synchronize with other functions using lock_sock. However, since
    sco_sock_set_timer and sco_sock_clear_timer are sometimes called under
    the locked socket (in sco_connect and __sco_sock_close),
    cancel_delayed_work_sync might cause them to sleep until an
    sco_sock_timeout that has started finishes running. But
    sco_sock_timeout would also sleep until it can grab the lock_sock.

    Using cancel_delayed_work is fine because sco_sock_timeout does not
    change from run to run, hence there is no functional difference
    between:
    1. waiting for a timeout to finish running before scheduling another
    timeout
    2. scheduling another timeout while a timeout is running.

    Link: https://syzkaller.appspot.com/bug?id=9089d89de0502e120f234ca0fc8a703f7368b31e [1]
    Reported-by: syzbot+2f6d7c28bb4bf7e82060@syzkaller.appspotmail.com
    Tested-by: syzbot+2f6d7c28bb4bf7e82060@syzkaller.appspotmail.com
    Signed-off-by: Desmond Cheong Zhi Xi
    Signed-off-by: Luiz Augusto von Dentz
    Signed-off-by: Sasha Levin

 net/bluetooth/sco.c | 35 +++++++++++++++++++++++++++++------
 1 file changed, 29 insertions(+), 6 deletions(-)

culprit signature: 85c3d1f231dd3ce1eba643f4544d8c8ee872d21c537e5daa03d32f4347687040
parent signature: dda5bbbc72040875528f3a712aa01bfa8653e1d187b14eae7e5565f965178cd3
revisions tested: 15, total time: 5h21m59.75032876s (build: 2h40m37.63694416s, test: 2h39m13.201141139s)
first good commit: 48669c81a65628ef234cbdd91b9395952c7c27fe Bluetooth: schedule SCO timeouts with delayed_work
recipients (to): ["desmondcheongzx@gmail.com" "luiz.von.dentz@intel.com" "sashal@kernel.org" "syzbot+2f6d7c28bb4bf7e82060@syzkaller.appspotmail.com"]
recipients (cc): []