bisecting fixing commit since daefdc9eb24bfa11ab77a4b2a9c3923f1051fe0b
building syzkaller on 5050311712ecf43945d306df4653fc28da89fb43
testing commit daefdc9eb24bfa11ab77a4b2a9c3923f1051fe0b
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: 9cfa952b6729cd3c9f5f0c2c7de3cf5ebb64f7ec9c64ef0fb2bdfdb2135e4979
all runs: crashed: possible deadlock in __sock_release
testing current HEAD e23d55af0e1fca9be5c99f0c37d48b289f4d6489
testing commit e23d55af0e1fca9be5c99f0c37d48b289f4d6489
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: bb276b4ddb68f3e49fe182c5f9dd38f39d0d103dc7f8f44105381a3889704ca6
all runs: OK
# git bisect start e23d55af0e1fca9be5c99f0c37d48b289f4d6489 daefdc9eb24bfa11ab77a4b2a9c3923f1051fe0b
Bisecting: 1669 revisions left to test after this (roughly 11 steps)
[a7f1721684628b8ae6015bca9a176046ee6f30cc] mac80211: clear sta->fast_rx when STA removed from 4-addr VLAN
testing commit a7f1721684628b8ae6015bca9a176046ee6f30cc
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: b13771ad1962c7edf06afa65ffe43b5d5bddb317780717b0179a610839f585ec
all runs: crashed: possible deadlock in __sock_release
# git bisect good a7f1721684628b8ae6015bca9a176046ee6f30cc
Bisecting: 834 revisions left to test after this (roughly 10 steps)
[0f359bbf2ed7f40871773cb92ea6f7b22f5c746c] PCI: Add ACS quirk for Broadcom BCM57414 NIC
testing commit 0f359bbf2ed7f40871773cb92ea6f7b22f5c746c
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: 5a912e08fe0f91ced39590b96e20a4a790436544d4d12ef6affb9294b2e3820b
all runs: crashed: possible deadlock in __sock_release
# git bisect good 0f359bbf2ed7f40871773cb92ea6f7b22f5c746c
Bisecting: 417 revisions left to test after this (roughly 9 steps)
[b2936c01a51cf344e2b17cbd66ded8b809976667] s390/sclp_vt220: fix console name to match device
testing commit b2936c01a51cf344e2b17cbd66ded8b809976667
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: 6fd8781a7ddc489e53e17e1c76964375b252e4da87b33b6332d48182d01a2603
run #0: OK
run #1: crashed: BUG: sleeping function called from invalid context in lock_sock_nested
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
reproducer seems to be flaky
# git bisect good b2936c01a51cf344e2b17cbd66ded8b809976667
Bisecting: 208 revisions left to test after this (roughly 8 steps)
[f9dd1e4e9d39e799fbe2be9ac7e6b43a9567ff8c] net/802/mrp: fix memleak in mrp_request_join()
testing commit f9dd1e4e9d39e799fbe2be9ac7e6b43a9567ff8c
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: b2b3654ababc66cc09b00e93e5cc2b52e61116f59049df36608de999109e7d5b
run #0: OK
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
run #10: OK
run #11: crashed: BUG: sleeping function called from invalid context in lock_sock_nested
run #12: OK
run #13: OK
run #14: crashed: BUG: sleeping function called from invalid context in lock_sock_nested
run #15: OK
run #16: OK
run #17: OK
run #18: OK
run #19: OK
# git bisect good f9dd1e4e9d39e799fbe2be9ac7e6b43a9567ff8c
Bisecting: 104 revisions left to test after this (roughly 7 steps)
[683b47d0ebb10ba0d272604b09686e023d10d40c] spi: meson-spicc: fix memory leak in meson_spicc_remove
testing commit 683b47d0ebb10ba0d272604b09686e023d10d40c
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: c9d4aee494db57c3e36c60efe8038d22a6b5d1301e35e81b6251f5e4c27e3374
all runs: OK
# git bisect bad 683b47d0ebb10ba0d272604b09686e023d10d40c
Bisecting: 51 revisions left to test after this (roughly 6 steps)
[608ba4af66a0b3c0bc15885ee14264abd099ae4e] Revert "Bluetooth: Shutdown controller after workqueues are flushed or cancelled"
testing commit 608ba4af66a0b3c0bc15885ee14264abd099ae4e
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: f469171ed0e70b3c52bb566a697fa0eb98681936ef1109bc3759ae4fea8b00cf
run #0: OK
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: crashed: BUG: sleeping function called from invalid context in lock_sock_nested
run #9: OK
run #10: crashed: BUG: sleeping function called from invalid context in lock_sock_nested
run #11: OK
run #12: OK
run #13: crashed: BUG: sleeping function called from invalid context in lock_sock_nested
run #14: OK
run #15: OK
run #16: OK
run #17: OK
run #18: OK
run #19: OK
# git bisect good 608ba4af66a0b3c0bc15885ee14264abd099ae4e
Bisecting: 25 revisions left to test after this (roughly 5 steps)
[76ab02d9b861da0785176f0228340f22023902fa] blk-iolatency: error out if blk_get_queue() failed in iolatency_set_limit()
testing commit 76ab02d9b861da0785176f0228340f22023902fa
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: 8fd7ff97aa7f07b9263a156ed9d3af552f7e293a8d3b8c16c92e5370e7e6d2b2
run #0: OK
run #1: OK
run #2: OK
run #3: OK
run #4: crashed: BUG: sleeping function called from invalid context in lock_sock_nested
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
run #10: OK
run #11: OK
run #12: OK
run #13: OK
run #14: OK
run #15: OK
run #16: OK
run #17: OK
run #18: OK
run #19: OK
# git bisect good 76ab02d9b861da0785176f0228340f22023902fa
Bisecting: 12 revisions left to test after this (roughly 4 steps)
[2ee3c5f196b0f8144d213700879fec840a2576e2] scripts/tracing: fix the bug that can't parse raw_trace_func
testing commit 2ee3c5f196b0f8144d213700879fec840a2576e2
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: 89ce722585abb70124330ada46f08e4af7e41cfbe5e4b9ab73534613f14af1b2
all runs: OK
# git bisect bad 2ee3c5f196b0f8144d213700879fec840a2576e2
Bisecting: 6 revisions left to test after this (roughly 3 steps)
[ce699ac03ec0e41347363e1cf0924669f5449e34] firmware_loader: use -ETIMEDOUT instead of -EAGAIN in fw_load_sysfs_fallback
testing commit ce699ac03ec0e41347363e1cf0924669f5449e34
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: c0e3039a40889c9ce0acdf683822a0751f65c389bfa0766b58d34234f5f4e09f
all runs: OK
# git bisect bad ce699ac03ec0e41347363e1cf0924669f5449e34
Bisecting: 2 revisions left to test after this (roughly 2 steps)
[67a377163fea67e9140e0ac67fb3d85ab5ced613] USB: serial: option: add Telit FD980 composition 0x1056
testing commit 67a377163fea67e9140e0ac67fb3d85ab5ced613
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: c0ba1321682757525f02e672bc263d2e662412336c7e2895d19bfbd7e434856f
all runs: OK
# git bisect bad 67a377163fea67e9140e0ac67fb3d85ab5ced613
Bisecting: 0 revisions left to test after this (roughly 1 step)
[08433a2b5b0d3975feac4c6b50b02e8c47b74948] USB: usbtmc: Fix RCU stall warning
testing commit 08433a2b5b0d3975feac4c6b50b02e8c47b74948
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: a0fed10eca464c07ef1c036ce97f6046b68fb98faa6fc18496652205ea89c5bc
all runs: OK
# git bisect bad 08433a2b5b0d3975feac4c6b50b02e8c47b74948
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[3719acc161d5c1ce09912cc1c9eddc2c5faa3c66] Bluetooth: defer cleanup of resources in hci_unregister_dev()
testing commit 3719acc161d5c1ce09912cc1c9eddc2c5faa3c66
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: 4d8fdbc893a9c00119ea5e5ce8b620e5289f16d53c5f89045a01f8fcc679e7e2
all runs: OK
# git bisect bad 3719acc161d5c1ce09912cc1c9eddc2c5faa3c66
3719acc161d5c1ce09912cc1c9eddc2c5faa3c66 is the first bad commit
commit 3719acc161d5c1ce09912cc1c9eddc2c5faa3c66
Author: Tetsuo Handa
Date:   Wed Aug 4 19:26:56 2021 +0900

    Bluetooth: defer cleanup of resources in hci_unregister_dev()

    [ Upstream commit e04480920d1eec9c061841399aa6f35b6f987d8b ]

    syzbot is hitting might_sleep() warning at hci_sock_dev_event() due to
    calling lock_sock() with rw spinlock held [1].

    It seems that history of this locking problem is a trial and error.

    Commit b40df5743ee8 ("[PATCH] bluetooth: fix socket locking in
    hci_sock_dev_event()") in 2.6.21-rc4 changed bh_lock_sock() to
    lock_sock() as an attempt to fix lockdep warning.

    Then, commit 4ce61d1c7a8e ("[BLUETOOTH]: Fix locking in
    hci_sock_dev_event().") in 2.6.22-rc2 changed lock_sock() to
    local_bh_disable() + bh_lock_sock_nested() as an attempt to fix the
    sleep in atomic context warning.

    Then, commit 4b5dd696f81b ("Bluetooth: Remove local_bh_disable() from
    hci_sock.c") in 3.3-rc1 removed local_bh_disable().

    Then, commit e305509e678b ("Bluetooth: use correct lock to prevent UAF
    of hdev object") in 5.13-rc5 again changed bh_lock_sock_nested() to
    lock_sock() as an attempt to fix CVE-2021-3573.

    This difficulty comes from current implementation that
    hci_sock_dev_event(HCI_DEV_UNREG) is responsible for dropping all
    references from sockets because hci_unregister_dev() immediately
    reclaims resources as soon as returning from
    hci_sock_dev_event(HCI_DEV_UNREG).

    But the history suggests that hci_sock_dev_event(HCI_DEV_UNREG) was
    not doing what it should do.

    Therefore, instead of trying to detach sockets from device, let's
    accept not detaching sockets from device at
    hci_sock_dev_event(HCI_DEV_UNREG), by moving actual cleanup of
    resources from hci_unregister_dev() to hci_cleanup_dev() which is
    called by bt_host_release() when all references to this unregistered
    device (which is a kobject) are gone.

    Since hci_sock_dev_event(HCI_DEV_UNREG) no longer resets
    hci_pi(sk)->hdev, we need to check whether this device was
    unregistered and return an error based on HCI_UNREGISTER flag.

    There might be subtle behavioral difference in "monitor the hdev"
    functionality; please report if you found something went wrong due to
    this patch.

    Link: https://syzkaller.appspot.com/bug?extid=a5df189917e79d5e59c9 [1]
    Reported-by: syzbot
    Suggested-by: Linus Torvalds
    Signed-off-by: Tetsuo Handa
    Fixes: e305509e678b ("Bluetooth: use correct lock to prevent UAF of hdev object")
    Acked-by: Luiz Augusto von Dentz
    Signed-off-by: Linus Torvalds
    Signed-off-by: Sasha Levin

 include/net/bluetooth/hci_core.h |  1 +
 net/bluetooth/hci_core.c         | 16 ++++++-------
 net/bluetooth/hci_sock.c         | 49 +++++++++++++++++++++++++++-------------
 net/bluetooth/hci_sysfs.c        |  3 +++
 4 files changed, 45 insertions(+), 24 deletions(-)

culprit signature: 4d8fdbc893a9c00119ea5e5ce8b620e5289f16d53c5f89045a01f8fcc679e7e2
parent signature: 8fd7ff97aa7f07b9263a156ed9d3af552f7e293a8d3b8c16c92e5370e7e6d2b2
Reproducer flagged being flaky
revisions tested: 14, total time: 4h7m22.023680278s (build: 2h15m4.313348873s, test: 1h50m50.756760111s)
first good commit: 3719acc161d5c1ce09912cc1c9eddc2c5faa3c66 Bluetooth: defer cleanup of resources in hci_unregister_dev()
recipients (to): ["luiz.von.dentz@intel.com" "penguin-kernel@i-love.sakura.ne.jp" "sashal@kernel.org" "torvalds@linux-foundation.org"]
recipients (cc): []