bisecting fixing commit since 5631c5e0eb9035d92ceb20fcd9cdb7779a3f5cc7 building syzkaller on ff51e5229e0ee846d2fd687cb0dbca13de758c66 testing commit 5631c5e0eb9035d92ceb20fcd9cdb7779a3f5cc7 with gcc (GCC) 8.4.1 20210217 kernel signature: 5caf404d0e3e1e3d795e3dd32c2dd6e7fc0be5be7d59f34197c41da40bcaa465 run #0: crashed: KASAN: slab-out-of-bounds Write in hci_conn_del run #1: crashed: KASAN: use-after-free Write in hci_conn_del run #2: crashed: KASAN: use-after-free Write in hci_conn_del run #3: crashed: KASAN: use-after-free Write in hci_conn_del run #4: crashed: KASAN: use-after-free Write in hci_conn_del run #5: crashed: KASAN: use-after-free Write in hci_conn_del run #6: crashed: KASAN: use-after-free Write in hci_conn_del run #7: crashed: KASAN: use-after-free Write in hci_conn_del run #8: crashed: KASAN: use-after-free Write in hci_conn_del run #9: crashed: KASAN: use-after-free Write in hci_conn_del run #10: crashed: KASAN: use-after-free Write in hci_conn_del run #11: crashed: KASAN: use-after-free Write in hci_conn_del run #12: crashed: KASAN: use-after-free Write in hci_conn_del run #13: crashed: KASAN: use-after-free Write in hci_conn_del run #14: crashed: KASAN: use-after-free Write in hci_conn_del run #15: crashed: WARNING in __queue_work run #16: OK run #17: OK run #18: OK run #19: OK testing current HEAD ad347abe4a9876b1f65f408ab467137e88f77eb4 testing commit ad347abe4a9876b1f65f408ab467137e88f77eb4 with gcc (GCC) 10.2.1 20210217 kernel signature: 789cf6cbd7a9c17e10703cbf6f9335e8f2e7193b1663aa5d72aa68e3e56f88e9 run #0: crashed: KASAN: use-after-free Write in hci_conn_del run #1: crashed: BUG: sleeping function called from invalid context in lock_sock_nested run #2: crashed: KASAN: use-after-free Write in hci_conn_del run #3: crashed: KASAN: use-after-free Write in hci_conn_del run #4: crashed: KASAN: use-after-free Write in hci_conn_del run #5: crashed: KASAN: use-after-free Write in hci_conn_del run #6: crashed: KASAN: use-after-free Write in hci_conn_del run #7: crashed: KASAN: use-after-free Write in hci_conn_del run #8: crashed: KASAN: slab-out-of-bounds Write in hci_conn_del run #9: OK revisions tested: 2, total time: 30m14.444167504s (build: 12m0.160621222s, test: 17m24.685561795s) the crash still happens on HEAD commit msg: Merge tag 'trace-v5.13-rc5-2' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace crash: KASAN: slab-out-of-bounds Write in hci_conn_del ================================================================== BUG: KASAN: slab-out-of-bounds in hci_conn_del+0x578/0x5c0 net/bluetooth/hci_conn.c:663 Write of size 8 at addr ffff88810a9da928 by task syz-executor.4/6122 CPU: 1 PID: 6122 Comm: syz-executor.4 Not tainted 5.13.0-rc5-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:79 [inline] dump_stack+0x10c/0x14b lib/dump_stack.c:120 print_address_description.constprop.0.cold+0x5b/0x2c6 mm/kasan/report.c:233 __kasan_report mm/kasan/report.c:419 [inline] kasan_report.cold+0x7c/0xd8 mm/kasan/report.c:436 hci_conn_del+0x578/0x5c0 net/bluetooth/hci_conn.c:663 hci_conn_hash_flush+0x153/0x1e0 net/bluetooth/hci_conn.c:1609 hci_dev_do_close+0x4c8/0xe50 net/bluetooth/hci_core.c:1785 hci_unregister_dev+0x20d/0xe60 net/bluetooth/hci_core.c:3999 vhci_release+0x62/0xd0 drivers/bluetooth/hci_vhci.c:340 __fput+0x209/0x870 fs/file_table.c:280 task_work_run+0xc0/0x160 kernel/task_work.c:164 exit_task_work include/linux/task_work.h:32 [inline] do_exit+0xac8/0x25b0 kernel/exit.c:826 do_group_exit+0xe7/0x290 kernel/exit.c:923 __do_sys_exit_group kernel/exit.c:934 [inline] __se_sys_exit_group kernel/exit.c:932 [inline] __x64_sys_exit_group+0x35/0x40 kernel/exit.c:932 do_syscall_64+0x3a/0xb0 arch/x86/entry/common.c:47 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x464909 Code: Unable to access opcode bytes at RIP 0x4648df. RSP: 002b:00007ffc45a62658 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 RAX: ffffffffffffffda RBX: 0000000000000dbc RCX: 0000000000464909 RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000043 RBP: 00000000004ae1ea R08: 000000000000000b R09: 000000000003bf8e R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 000000000003bfc9 R14: 000000000003bf8e R15: 000000000000000e Allocated by task 11106: kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38 kasan_set_track mm/kasan/common.c:46 [inline] set_alloc_info mm/kasan/common.c:428 [inline] __kasan_slab_alloc+0x5f/0x80 mm/kasan/common.c:461 kasan_slab_alloc include/linux/kasan.h:236 [inline] slab_post_alloc_hook mm/slab.h:524 [inline] slab_alloc mm/slab.c:3323 [inline] kmem_cache_alloc+0x27f/0x500 mm/slab.c:3507 getname_flags.part.0+0x4a/0x440 fs/namei.c:138 do_sys_openat2+0xd2/0x360 fs/open.c:1181 do_sys_open fs/open.c:1203 [inline] __do_sys_openat fs/open.c:1219 [inline] __se_sys_openat fs/open.c:1214 [inline] __x64_sys_openat+0x11b/0x1d0 fs/open.c:1214 do_syscall_64+0x3a/0xb0 arch/x86/entry/common.c:47 entry_SYSCALL_64_after_hwframe+0x44/0xae Freed by task 11106: kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38 kasan_set_track+0x1c/0x30 mm/kasan/common.c:46 kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:357 ____kasan_slab_free mm/kasan/common.c:360 [inline] ____kasan_slab_free mm/kasan/common.c:325 [inline] __kasan_slab_free+0xb2/0xe0 mm/kasan/common.c:368 kasan_slab_free include/linux/kasan.h:212 [inline] __cache_free mm/slab.c:3445 [inline] kmem_cache_free.part.0+0x75/0x200 mm/slab.c:3740 do_sys_openat2+0x106/0x360 fs/open.c:1196 do_sys_open fs/open.c:1203 [inline] __do_sys_openat fs/open.c:1219 [inline] __se_sys_openat fs/open.c:1214 [inline] __x64_sys_openat+0x11b/0x1d0 fs/open.c:1214 do_syscall_64+0x3a/0xb0 arch/x86/entry/common.c:47 entry_SYSCALL_64_after_hwframe+0x44/0xae The buggy address belongs to the object at ffff88810a9dac80 which belongs to the cache names_cache of size 4096 The buggy address is located 856 bytes to the left of 4096-byte region [ffff88810a9dac80, ffff88810a9dbc80) The buggy address belongs to the page: page:000000001ed1d91f refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10a9da head:000000001ed1d91f order:1 compound_mapcount:0 flags: 0x17ffe0000010200(slab|head|node=0|zone=2|lastcpupid=0x3fff) raw: 017ffe0000010200 ffffea00045fa308 ffffea00046b7688 ffff8881002a8a00 raw: 0000000000000000 ffff88810a9dac80 0000000100000001 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff88810a9da800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff88810a9da880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff88810a9da900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ^ ffff88810a9da980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff88810a9daa00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ==================================================================