bisecting fixing commit since 5631c5e0eb9035d92ceb20fcd9cdb7779a3f5cc7
building syzkaller on ff51e5229e0ee846d2fd687cb0dbca13de758c66
testing commit 5631c5e0eb9035d92ceb20fcd9cdb7779a3f5cc7 with gcc (GCC) 8.4.1 20210217
kernel signature: 5caf404d0e3e1e3d795e3dd32c2dd6e7fc0be5be7d59f34197c41da40bcaa465
run #0: crashed: KASAN: slab-out-of-bounds Write in hci_conn_del
run #1: crashed: KASAN: use-after-free Write in hci_conn_del
run #2: crashed: KASAN: use-after-free Write in hci_conn_del
run #3: crashed: KASAN: use-after-free Write in hci_conn_del
run #4: crashed: KASAN: use-after-free Read in __queue_work
run #5: crashed: KASAN: use-after-free Write in hci_conn_del
run #6: crashed: KASAN: use-after-free Write in hci_conn_del
run #7: crashed: KASAN: use-after-free Write in hci_conn_del
run #8: crashed: KASAN: use-after-free Write in hci_conn_del
run #9: crashed: WARNING: ODEBUG bug in hci_conn_del
run #10: crashed: KASAN: use-after-free Write in hci_conn_del
run #11: crashed: KASAN: use-after-free Read in __queue_work
run #12: crashed: KASAN: slab-out-of-bounds Write in hci_conn_del
run #13: crashed: KASAN: use-after-free Read in __queue_work
run #14: crashed: KASAN: use-after-free Write in hci_conn_del
run #15: crashed: KASAN: use-after-free Read in __queue_work
run #16: crashed: KASAN: use-after-free Write in hci_conn_del
run #17: OK
run #18: OK
run #19: OK
testing current HEAD d434405aaab7d0ebc516b68a8fc4100922d7f5ef
testing commit d434405aaab7d0ebc516b68a8fc4100922d7f5ef with gcc (GCC) 10.2.1 20210217
kernel signature: 9daba37f8eacfa4f9a17ccd3a0e2ddc9dcb4b1df9ed759c831fbfcd2056ef379
run #0: crashed: KASAN: use-after-free Write in hci_conn_del
run #1: crashed: KASAN: use-after-free Write in hci_conn_del
run #2: crashed: KASAN: use-after-free Write in hci_conn_del
run #3: crashed: KASAN: use-after-free Write in hci_conn_del
run #4: crashed: KASAN: use-after-free Write in hci_conn_del
run #5: crashed: KASAN: use-after-free Write in hci_conn_del
run #6: crashed: KASAN: use-after-free Write in hci_conn_del
run #7: crashed: KASAN: use-after-free Read in __queue_work
run #8: crashed: KASAN: use-after-free Write in hci_conn_del
run #9: OK
revisions tested: 2, total time: 30m56.919898338s (build: 12m56.193121586s, test: 17m7.085841037s)
the crash still happens on HEAD
commit msg: Linux 5.12-rc7
crash: KASAN: use-after-free Write in hci_conn_del
==================================================================
BUG: KASAN: use-after-free in hci_conn_del+0x578/0x5c0 net/bluetooth/hci_conn.c:663
Write of size 8 at addr ffff888118646928 by task syz-executor.5/5702

CPU: 0 PID: 5702 Comm: syz-executor.5 Not tainted 5.12.0-rc7-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack+0x10c/0x14b lib/dump_stack.c:120
 print_address_description.constprop.0.cold+0x5b/0x2c6 mm/kasan/report.c:232
 __kasan_report mm/kasan/report.c:399 [inline]
 kasan_report.cold+0x7c/0xd8 mm/kasan/report.c:416
 hci_conn_del+0x578/0x5c0 net/bluetooth/hci_conn.c:663
 hci_conn_hash_flush+0x153/0x1e0 net/bluetooth/hci_conn.c:1599
 hci_dev_do_close+0x4c8/0xe50 net/bluetooth/hci_core.c:1778
 hci_unregister_dev+0x20d/0xe60 net/bluetooth/hci_core.c:3989
 vhci_release+0x62/0xd0 drivers/bluetooth/hci_vhci.c:340
 __fput+0x209/0x870 fs/file_table.c:280
 task_work_run+0xc0/0x160 kernel/task_work.c:140
 exit_task_work include/linux/task_work.h:30 [inline]
 do_exit+0xac8/0x25b0 kernel/exit.c:825
 do_group_exit+0xe7/0x290 kernel/exit.c:922
 __do_sys_exit_group kernel/exit.c:933 [inline]
 __se_sys_exit_group kernel/exit.c:931 [inline]
 __x64_sys_exit_group+0x35/0x40 kernel/exit.c:931
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x464909
Code: Unable to access opcode bytes at RIP 0x4648df.
RSP: 002b:00007ffea6578578 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 000000000000023b RCX: 0000000000464909
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000043
RBP: 00000000004ae1ea R08: 000000000000000b R09: 0000000000055d3c
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000055da7 R14: 0000000000055d3c R15: 000000000000000e

Allocated by task 9291:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38
 kasan_set_track mm/kasan/common.c:46 [inline]
 set_alloc_info mm/kasan/common.c:427 [inline]
 ____kasan_kmalloc mm/kasan/common.c:506 [inline]
 __kasan_kmalloc+0x78/0x90 mm/kasan/common.c:515
 kasan_kmalloc include/linux/kasan.h:233 [inline]
 kmem_cache_alloc_trace+0x203/0x400 mm/slab.c:3570
 kmalloc include/linux/slab.h:554 [inline]
 kzalloc include/linux/slab.h:684 [inline]
 kobject_uevent_env+0x1bd/0xf50 lib/kobject_uevent.c:523
 netdev_queue_add_kobject net/core/net-sysfs.c:1652 [inline]
 netdev_queue_update_kobjects+0x28f/0x340 net/core/net-sysfs.c:1686
 register_queue_kobjects net/core/net-sysfs.c:1747 [inline]
 netdev_register_kobject+0x2a0/0x350 net/core/net-sysfs.c:1990
 register_netdevice+0xa77/0x1190 net/core/dev.c:10208
 bond_newlink drivers/net/bonding/bond_netlink.c:458 [inline]
 bond_newlink+0x25/0x60 drivers/net/bonding/bond_netlink.c:448
 __rtnl_newlink+0xcc8/0x1360 net/core/rtnetlink.c:3443
 rtnl_newlink+0x5a/0x90 net/core/rtnetlink.c:3491
 rtnetlink_rcv_msg+0x32f/0x860 net/core/rtnetlink.c:5553
 netlink_rcv_skb+0x118/0x370 net/netlink/af_netlink.c:2502
 netlink_unicast_kernel net/netlink/af_netlink.c:1312 [inline]
 netlink_unicast+0x42e/0x700 net/netlink/af_netlink.c:1338
 netlink_sendmsg+0x70e/0xbe0 net/netlink/af_netlink.c:1927
 sock_sendmsg_nosec net/socket.c:654 [inline]
 sock_sendmsg+0xab/0xe0 net/socket.c:674
 __sys_sendto+0x1a4/0x270 net/socket.c:1977
 __do_sys_sendto net/socket.c:1989 [inline]
 __se_sys_sendto net/socket.c:1985 [inline]
 __x64_sys_sendto+0xd8/0x1b0 net/socket.c:1985
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xae

Freed by task 9371:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38
 kasan_set_track+0x1c/0x30 mm/kasan/common.c:46
 kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:357
 ____kasan_slab_free mm/kasan/common.c:360 [inline]
 ____kasan_slab_free mm/kasan/common.c:325 [inline]
 __kasan_slab_free+0xac/0xe0 mm/kasan/common.c:367
 kasan_slab_free include/linux/kasan.h:199 [inline]
 __cache_free mm/slab.c:3440 [inline]
 kfree+0x10f/0x2d0 mm/slab.c:3796
 call_usermodehelper_freeinfo kernel/umh.c:44 [inline]
 umh_complete+0x4c/0x60 kernel/umh.c:59
 call_usermodehelper_exec_async+0x428/0x500 kernel/umh.c:120
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294

The buggy address belongs to the object at ffff888118646000
 which belongs to the cache kmalloc-4k of size 4096
The buggy address is located 2344 bytes inside of
 4096-byte region [ffff888118646000, ffff888118647000)
The buggy address belongs to the page:
page:00000000d8c653f8 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x118646
head:00000000d8c653f8 order:1 compound_mapcount:0
flags: 0x17ffe0000010200(slab|head)
raw: 017ffe0000010200 ffffea0004b70a08 ffffea0004636688 ffff888100040900
raw: 0000000000000000 ffff888118646000 0000000100000001 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff888118646800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888118646880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888118646900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                 ^
 ffff888118646980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888118646a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
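The helper below is an added triage example, not part of syzbot's output or of the kernel. It pulls the facts a triager reads first out of the KASAN report above (bug class, faulting access, slab cache, offset within the object, the decoded shadow byte, and the first non-allocator frame of the alloc and free stacks) and tallies the per-commit run outcomes from the bisection log. The two sample strings are excerpts constructed from the text on this page; the regular expressions are assumptions about the report layout rather than an official grammar, and the shadow-byte table is the generic KASAN encoding (0xfb freed slab object, 0xfc slab redzone, 0xfe page redzone, 0xff free page, 0x00 fully accessible, 0x01..0x07 partially accessible).

```python
# Added example, not syzbot or kernel code. Samples are excerpts constructed from
# the report on this page; the parsing rules are assumptions about its layout.
import re

BISECT_LOG = """\
testing commit 5631c5e0eb9035d92ceb20fcd9cdb7779a3f5cc7 with gcc (GCC) 8.4.1 20210217
run #0: crashed: KASAN: slab-out-of-bounds Write in hci_conn_del
run #1: crashed: KASAN: use-after-free Write in hci_conn_del
run #2: crashed: KASAN: use-after-free Read in __queue_work
run #3: OK
testing commit d434405aaab7d0ebc516b68a8fc4100922d7f5ef with gcc (GCC) 10.2.1 20210217
run #0: crashed: KASAN: use-after-free Write in hci_conn_del
run #1: OK
"""

KASAN_REPORT = """\
BUG: KASAN: use-after-free in hci_conn_del+0x578/0x5c0 net/bluetooth/hci_conn.c:663
Write of size 8 at addr ffff888118646928 by task syz-executor.5/5702
Allocated by task 9291:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38
 kzalloc include/linux/slab.h:684 [inline]
 kobject_uevent_env+0x1bd/0xf50 lib/kobject_uevent.c:523
Freed by task 9371:
 kfree+0x10f/0x2d0 mm/slab.c:3796
 call_usermodehelper_freeinfo kernel/umh.c:44 [inline]
 umh_complete+0x4c/0x60 kernel/umh.c:59
The buggy address belongs to the object at ffff888118646000
 which belongs to the cache kmalloc-4k of size 4096
The buggy address is located 2344 bytes inside of
 4096-byte region [ffff888118646000, ffff888118647000)
Memory state around the buggy address:
>ffff888118646900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
"""

BUG_RE = re.compile(r"BUG: KASAN: (?P<type>[\w-]+) in (?P<func>\w+)\+0x[0-9a-f]+/0x[0-9a-f]+ (?P<loc>\S+)")
ACCESS_RE = re.compile(r"(?P<kind>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+) by task (?P<task>\S+)")
OBJECT_RE = re.compile(r"object at (?P<base>[0-9a-f]+)\s+which belongs to the cache (?P<cache>\S+) of size (?P<size>\d+)")
INSIDE_RE = re.compile(r"located (?P<off>\d+) bytes inside of")
STACK_RE = re.compile(r"^(Allocated|Freed) by task (\d+):\n((?: .*\n)+)", re.M)
SHADOW_RE = re.compile(r"^>(?P<row>[0-9a-f]{16}): (?P<bytes>(?:[0-9a-f]{2} ?){16})", re.M)
RUN_RE = re.compile(r"^run #\d+: (OK|crashed: (.*))$")
COMMIT_RE = re.compile(r"^testing commit ([0-9a-f]{40})")

# Generic-KASAN shadow encodings (subset); one shadow byte covers 8 bytes of memory.
SHADOW_MEANING = {0x00: "accessible", 0xfb: "freed slab object (KASAN_KMALLOC_FREE)",
                  0xfc: "slab redzone (KASAN_KMALLOC_REDZONE)", 0xfe: "page redzone", 0xff: "free page"}
# Allocator and instrumentation frames that sit above the frame a triager cares about.
SKIP = ("kasan_", "__kasan", "____kasan", "set_alloc_info", "kmem_cache_", "kmalloc", "kzalloc", "kfree", "__cache_free")

def first_origin_frame(frames):
    """First frame of an alloc/free stack that is not allocator or KASAN plumbing."""
    for line in frames.splitlines():
        func = line.strip().split("+")[0].split(" ")[0]
        if not func.startswith(SKIP):
            return func
    return None

def shadow_for(text, addr):
    """Decode the shadow byte covering addr from the '>' row of the memory-state dump."""
    for m in SHADOW_RE.finditer(text):
        row = int(m["row"], 16)
        if row <= addr < row + 16 * 8:
            byte = int(m["bytes"].split()[(addr - row) // 8], 16)
            return byte, SHADOW_MEANING.get(byte, "partially accessible" if 1 <= byte <= 7 else "other")
    return None

def parse_report(text):
    """Pull the facts a triager reads first out of a KASAN slab report."""
    bug, acc, obj = BUG_RE.search(text), ACCESS_RE.search(text), OBJECT_RE.search(text)
    if not (bug and acc and obj):
        raise ValueError("not a KASAN slab report")
    addr, base, size = int(acc["addr"], 16), int(obj["base"], 16), int(obj["size"])
    reported = INSIDE_RE.search(text)
    info = {
        "bug": bug["type"], "func": bug["func"], "loc": bug["loc"], "task": acc["task"],
        "access": acc["kind"], "access_size": int(acc["size"]), "cache": obj["cache"],
        "object_size": size, "offset": addr - base, "shadow": shadow_for(text, addr),
        # Cross-check our arithmetic against the offset the kernel printed.
        "offset_matches_report": reported is not None and int(reported["off"]) == addr - base,
    }
    for which, task, frames in STACK_RE.findall(text):
        info[which.lower()] = {"task": int(task), "origin": first_origin_frame(frames)}
    return info

def tally_runs(log):
    """Per tested commit: OK vs crashed run counts and the distinct crash titles seen."""
    result, current = {}, None
    for line in log.splitlines():
        if c := COMMIT_RE.match(line):
            current = result.setdefault(c.group(1)[:12], {"ok": 0, "crashed": 0, "titles": set()})
        elif (r := RUN_RE.match(line)) and current is not None:
            current["ok" if r.group(1) == "OK" else "crashed"] += 1
            if r.group(2):
                current["titles"].add(r.group(2))
    return result

if __name__ == "__main__":
    print(parse_report(KASAN_REPORT))
    print(tally_runs(BISECT_LOG))
```

Two things the parsed output makes visible that are easy to miss in the raw report. First, the alloc and free stacks KASAN prints describe the most recent occupant of that slab slot, which here is a uevent environment buffer allocated under kobject_uevent_env and released by umh_complete, nothing in net/bluetooth; that pattern indicates the object hci_conn_del was writing into had already been freed and its slot handed out again, so the stacks show who reused the memory rather than who freed the hci_conn. Second, the first commit crashed in 17 of 20 runs and the HEAD build in 9 of 10, with the crash title varying between a write in hci_conn_del, a read in __queue_work and an ODEBUG warning; the OK runs show the race is probabilistic, so a handful of clean runs on a candidate fix is not evidence that it is fixed.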