bisecting fixing commit since c076c79e03c6094e578df5d210fde808b3ad32e6
building syzkaller on 4ca1c0ea446d2c09b1fb49a85ae645e3754f1058
testing commit c076c79e03c6094e578df5d210fde808b3ad32e6 with gcc (GCC) 8.1.0
kernel signature: c5a473f8ca50ff93a479a8766d751ce76026b013196f2eb70be7abe730d2d438
run #0: crashed: KASAN: use-after-free Read in l2cap_chan_close
run #1: crashed: KASAN: use-after-free Read in l2cap_chan_close
run #2: crashed: KASAN: use-after-free Write in ex_handler_refcount
run #3: crashed: KASAN: use-after-free Write in ex_handler_refcount
run #4: crashed: KASAN: use-after-free Write in ex_handler_refcount
run #5: crashed: KASAN: use-after-free Write in ex_handler_refcount
run #6: crashed: KASAN: use-after-free Read in l2cap_chan_close
run #7: crashed: KASAN: use-after-free Write in ex_handler_refcount
run #8: crashed: KASAN: use-after-free Read in l2cap_chan_close
run #9: crashed: KASAN: use-after-free Write in ex_handler_refcount
testing current HEAD b09c34517e1ac4018e3bb75ed5c8610a8a1f486b
testing commit b09c34517e1ac4018e3bb75ed5c8610a8a1f486b with gcc (GCC) 8.1.0
kernel signature: 7188c2dfb815b7908a4d5adb1a14b947414cc51ac3c58a4d34d9bfe88da637b2
all runs: OK
# git bisect start b09c34517e1ac4018e3bb75ed5c8610a8a1f486b c076c79e03c6094e578df5d210fde808b3ad32e6
Bisecting: 511 revisions left to test after this (roughly 9 steps)
[dc828b79feea72cfbc34fd6104a8386bade6fd78] tpm: Unify the mismatching TPM space buffer sizes
testing commit dc828b79feea72cfbc34fd6104a8386bade6fd78 with gcc (GCC) 8.1.0
kernel signature: 5e4a03751259e8454422dd7858ec41209dfdf5515c809751135f55d05fdaed33
all runs: OK
# git bisect bad dc828b79feea72cfbc34fd6104a8386bade6fd78
Bisecting: 255 revisions left to test after this (roughly 8 steps)
[2a72c283319c2be9b4667630d8d0c98b59371930] bcache: fix overflow in offset_to_stripe()
testing commit 2a72c283319c2be9b4667630d8d0c98b59371930 with gcc (GCC) 8.1.0
kernel signature: 88f512bdd4a94ba7ff06397b16221c09f505e600d7d96d288c60e6c1e57fba96
all runs: OK
# git bisect bad 2a72c283319c2be9b4667630d8d0c98b59371930
Bisecting: 127 revisions left to test after this (roughly 7 steps)
[fdac85326f40c7ba6ae2b9e4a2c710f26b708ab8] scsi: eesox: Fix different dev_id between request_irq() and free_irq()
testing commit fdac85326f40c7ba6ae2b9e4a2c710f26b708ab8 with gcc (GCC) 8.1.0
kernel signature: f472672ba9ee7486898f87634ae033a3b4f454141910187bbc2d0b6ac065fc5d
all runs: OK
# git bisect bad fdac85326f40c7ba6ae2b9e4a2c710f26b708ab8
Bisecting: 63 revisions left to test after this (roughly 6 steps)
[3fe4f18eebb473481371287ba202cefceaa9a3c9] arm64: dts: rockchip: fix rk3368-lion gmac reset gpio
testing commit 3fe4f18eebb473481371287ba202cefceaa9a3c9 with gcc (GCC) 8.1.0
kernel signature: d5eaf556b44ecc8e2768ca6c07b3d33f0db0fdb258c6fce573a88fc225cb94f3
run #0: crashed: KASAN: use-after-free Read in l2cap_chan_close
run #1: crashed: KASAN: use-after-free Read in l2cap_chan_close
run #2: crashed: KASAN: use-after-free Write in ex_handler_refcount
run #3: crashed: KASAN: use-after-free Read in l2cap_chan_close
run #4: crashed: KASAN: use-after-free Read in l2cap_chan_close
run #5: crashed: KASAN: use-after-free Read in l2cap_chan_close
run #6: crashed: KASAN: use-after-free Read in l2cap_chan_close
run #7: crashed: KASAN: use-after-free Write in ex_handler_refcount
run #8: crashed: KASAN: use-after-free Write in ex_handler_refcount
run #9: crashed: KASAN: use-after-free Read in l2cap_chan_close
# git bisect good 3fe4f18eebb473481371287ba202cefceaa9a3c9
Bisecting: 31 revisions left to test after this (roughly 5 steps)
[1bed3b87449484134f45f4c263a5e61aa5b9653d] drm/debugfs: fix plain echo to connector "force" attribute
testing commit 1bed3b87449484134f45f4c263a5e61aa5b9653d with gcc (GCC) 8.1.0
kernel signature: f7b63122cf5be43392ba8d01979f4937eb787bc71998fa20260a91ee991cc63f
all runs: OK
# git bisect bad 1bed3b87449484134f45f4c263a5e61aa5b9653d
Bisecting: 15 revisions left to test after this (roughly 4 steps)
[3fcd97daf6e4606d9bc36fb420bcebcf9b38df49] spi: lantiq: fix: Rx overflow error in full duplex mode
testing commit 3fcd97daf6e4606d9bc36fb420bcebcf9b38df49 with gcc (GCC) 8.1.0
kernel signature: 3d6446085ae80c591a6812c5ef381e8eda97e5946c0eac1411c74fbc7e87d788
run #0: crashed: KASAN: use-after-free Write in ex_handler_refcount
run #1: crashed: KASAN: use-after-free Write in ex_handler_refcount
run #2: crashed: KASAN: use-after-free Read in l2cap_chan_close
run #3: crashed: KASAN: use-after-free Read in l2cap_chan_close
run #4: crashed: KASAN: use-after-free Write in ex_handler_refcount
run #5: crashed: KASAN: use-after-free Read in l2cap_chan_close
run #6: crashed: KASAN: use-after-free Read in l2cap_chan_close
run #7: crashed: KASAN: use-after-free Read in l2cap_chan_close
run #8: crashed: KASAN: use-after-free Read in l2cap_chan_close
run #9: crashed: KASAN: use-after-free Write in ex_handler_refcount
# git bisect good 3fcd97daf6e4606d9bc36fb420bcebcf9b38df49
Bisecting: 7 revisions left to test after this (roughly 3 steps)
[4a4776ef5b229f95848b774c46ce555405ff2d46] drm/radeon: Fix reference count leaks caused by pm_runtime_get_sync
testing commit 4a4776ef5b229f95848b774c46ce555405ff2d46 with gcc (GCC) 8.1.0
kernel signature: b6c12ee02d59e810d59c7e023f7a6bfbc58abba9b0ca1dabfb56d3a9e91395e4
all runs: OK
# git bisect bad 4a4776ef5b229f95848b774c46ce555405ff2d46
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[29e1dfcd5150097f32f34891c85a50d9ead19df3] Bluetooth: add a mutex lock to avoid UAF in do_enale_set
testing commit 29e1dfcd5150097f32f34891c85a50d9ead19df3 with gcc (GCC) 8.1.0
kernel signature: 64b0e3854f07f1dbded0796cb58ef469dee44a1abdfac2ec1384a9dd8b6212a4
all runs: OK
# git bisect bad 29e1dfcd5150097f32f34891c85a50d9ead19df3
Bisecting: 1 revision left to test after this (roughly 1 step)
[1e3a04cb7f4efcdb2afe594217bb1a4ecebdd224] drm/tilcdc: fix leak & null ref in panel_connector_get_modes
testing commit 1e3a04cb7f4efcdb2afe594217bb1a4ecebdd224 with gcc (GCC) 8.1.0
kernel signature: 7bab2358fa30e04954a0b82beb1118eea74949a8385f3219f9c7cd9f51099f63
run #0: crashed: KASAN: use-after-free Read in l2cap_chan_close
run #1: crashed: KASAN: use-after-free Read in l2cap_chan_close
run #2: crashed: KASAN: use-after-free Read in l2cap_chan_close
run #3: crashed: KASAN: use-after-free Write in ex_handler_refcount
run #4: crashed: KASAN: use-after-free Write in ex_handler_refcount
run #5: crashed: KASAN: use-after-free Write in ex_handler_refcount
run #6: crashed: KASAN: use-after-free Read in l2cap_chan_close
run #7: crashed: KASAN: use-after-free Read in l2cap_chan_close
run #8: crashed: KASAN: use-after-free Read in l2cap_chan_close
run #9: crashed: KASAN: use-after-free Read in l2cap_chan_close
# git bisect good 1e3a04cb7f4efcdb2afe594217bb1a4ecebdd224
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[fe104ad82e51fc70636f060a6d805be75ce47004] soc: qcom: rpmh-rsc: Set suppress_bind_attrs flag
testing commit fe104ad82e51fc70636f060a6d805be75ce47004 with gcc (GCC) 8.1.0
kernel signature: dbc88cb6b1860028c4fd59284e466ba0259d73879e8a910199e6ccfc205b4957
run #0: crashed: KASAN: use-after-free Write in ex_handler_refcount
run #1: crashed: KASAN: use-after-free Read in l2cap_chan_close
run #2: crashed: KASAN: use-after-free Read in l2cap_chan_close
run #3: crashed: KASAN: use-after-free Read in l2cap_chan_close
run #4: crashed: KASAN: use-after-free Write in ex_handler_refcount
run #5: crashed: KASAN: use-after-free Write in ex_handler_refcount
run #6: crashed: KASAN: use-after-free Read in l2cap_chan_close
run #7: crashed: KASAN: use-after-free Read in l2cap_chan_close
run #8: crashed: KASAN: use-after-free Write in ex_handler_refcount
run #9: crashed: KASAN: use-after-free Read in l2cap_chan_close
# git bisect good fe104ad82e51fc70636f060a6d805be75ce47004
29e1dfcd5150097f32f34891c85a50d9ead19df3 is the first bad commit
commit 29e1dfcd5150097f32f34891c85a50d9ead19df3
Author: Lihong Kou
Date:   Tue Jun 23 20:28:41 2020 +0800

    Bluetooth: add a mutex lock to avoid UAF in do_enale_set

    [ Upstream commit f9c70bdc279b191da8d60777c627702c06e4a37d ]

    In the case we set or free the global value listen_chan in different
    threads, we can encounter the UAF problems because the method is not
    protected by any lock; add one to avoid this bug.

    BUG: KASAN: use-after-free in l2cap_chan_close+0x48/0x990 net/bluetooth/l2cap_core.c:730
    Read of size 8 at addr ffff888096950000 by task kworker/1:102/2868

    CPU: 1 PID: 2868 Comm: kworker/1:102 Not tainted 5.5.0-syzkaller #0
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
    Workqueue: events do_enable_set
    Call Trace:
     __dump_stack lib/dump_stack.c:77 [inline]
     dump_stack+0x1fb/0x318 lib/dump_stack.c:118
     print_address_description+0x74/0x5c0 mm/kasan/report.c:374
     __kasan_report+0x149/0x1c0 mm/kasan/report.c:506
     kasan_report+0x26/0x50 mm/kasan/common.c:641
     __asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:135
     l2cap_chan_close+0x48/0x990 net/bluetooth/l2cap_core.c:730
     do_enable_set+0x660/0x900 net/bluetooth/6lowpan.c:1074
     process_one_work+0x7f5/0x10f0 kernel/workqueue.c:2264
     worker_thread+0xbbc/0x1630 kernel/workqueue.c:2410
     kthread+0x332/0x350 kernel/kthread.c:255
     ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352

    Allocated by task 2870:
     save_stack mm/kasan/common.c:72 [inline]
     set_track mm/kasan/common.c:80 [inline]
     __kasan_kmalloc+0x118/0x1c0 mm/kasan/common.c:515
     kasan_kmalloc+0x9/0x10 mm/kasan/common.c:529
     kmem_cache_alloc_trace+0x221/0x2f0 mm/slab.c:3551
     kmalloc include/linux/slab.h:555 [inline]
     kzalloc include/linux/slab.h:669 [inline]
     l2cap_chan_create+0x50/0x320 net/bluetooth/l2cap_core.c:446
     chan_create net/bluetooth/6lowpan.c:640 [inline]
     bt_6lowpan_listen net/bluetooth/6lowpan.c:959 [inline]
     do_enable_set+0x6a4/0x900 net/bluetooth/6lowpan.c:1078
     process_one_work+0x7f5/0x10f0 kernel/workqueue.c:2264
     worker_thread+0xbbc/0x1630 kernel/workqueue.c:2410
     kthread+0x332/0x350 kernel/kthread.c:255
     ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352

    Freed by task 2870:
     save_stack mm/kasan/common.c:72 [inline]
     set_track mm/kasan/common.c:80 [inline]
     kasan_set_free_info mm/kasan/common.c:337 [inline]
     __kasan_slab_free+0x12e/0x1e0 mm/kasan/common.c:476
     kasan_slab_free+0xe/0x10 mm/kasan/common.c:485
     __cache_free mm/slab.c:3426 [inline]
     kfree+0x10d/0x220 mm/slab.c:3757
     l2cap_chan_destroy net/bluetooth/l2cap_core.c:484 [inline]
     kref_put include/linux/kref.h:65 [inline]
     l2cap_chan_put+0x170/0x190 net/bluetooth/l2cap_core.c:498
     do_enable_set+0x66c/0x900 net/bluetooth/6lowpan.c:1075
     process_one_work+0x7f5/0x10f0 kernel/workqueue.c:2264
     worker_thread+0xbbc/0x1630 kernel/workqueue.c:2410
     kthread+0x332/0x350 kernel/kthread.c:255
     ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352

    The buggy address belongs to the object at ffff888096950000
     which belongs to the cache kmalloc-2k of size 2048
    The buggy address is located 0 bytes inside of
     2048-byte region [ffff888096950000, ffff888096950800)
    The buggy address belongs to the page:
    page:ffffea00025a5400 refcount:1 mapcount:0 mapping:ffff8880aa400e00 index:0x0
    flags: 0xfffe0000000200(slab)
    raw: 00fffe0000000200 ffffea00027d1548 ffffea0002397808 ffff8880aa400e00
    raw: 0000000000000000 ffff888096950000 0000000100000001 0000000000000000
    page dumped because: kasan: bad access detected

    Memory state around the buggy address:
     ffff88809694ff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
     ffff88809694ff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    >ffff888096950000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                       ^
     ffff888096950080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
     ffff888096950100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
    ==================================================================

    Reported-by: syzbot+96414aa0033c363d8458@syzkaller.appspotmail.com
    Signed-off-by: Lihong Kou
    Signed-off-by: Marcel Holtmann
    Signed-off-by: Sasha Levin

 net/bluetooth/6lowpan.c | 5 +++++
 1 file changed, 5 insertions(+)

culprit signature: 64b0e3854f07f1dbded0796cb58ef469dee44a1abdfac2ec1384a9dd8b6212a4
parent signature: dbc88cb6b1860028c4fd59284e466ba0259d73879e8a910199e6ccfc205b4957
revisions tested: 12, total time: 3h22m1.917914599s (build: 1h49m49.978934515s, test: 1h30m43.076398101s)
first good commit: 29e1dfcd5150097f32f34891c85a50d9ead19df3 Bluetooth: add a mutex lock to avoid UAF in do_enale_set
recipients (to): ["koulihong@huawei.com" "marcel@holtmann.org" "sashal@kernel.org"]
recipients (cc): []
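The race the bisected commit message describes, reduced to a user-space model. This is an added example, not the kernel's code and not part of the syzbot log: struct chan, chan_create(), chan_close(), chan_put(), do_enable_set_unlocked() and do_enable_set_locked() are assumed stand-ins for l2cap_chan, l2cap_chan_create(), l2cap_chan_close(), l2cap_chan_put() and the two shapes of do_enable_set() around the fix. The unlocked variant mirrors the pre-fix flow (check listen_chan, close it, put it, install a new one) and is left unserialized to show the window between the check and the put that two workqueue items can both fall into; the harness exercises only the locked variant under several threads, since racing the unlocked one is exactly the double free the report shows.

```c
#include <pthread.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Toy stand-in for struct l2cap_chan (assumed names, not the kernel's). */
struct chan {
    int refs;   /* kref-style count; on reaching 0 the chan is freed */
    int state;  /* what chan_close() touches: the UAF read in the report */
};

/* The global the upstream fix protects, and the mutex the fix adds. */
static struct chan *listen_chan;
static pthread_mutex_t set_lock = PTHREAD_MUTEX_INITIALIZER;

/* Bookkeeping so the harness can prove every channel is released once. */
static long chans_created, chans_destroyed;

static struct chan *chan_create(void)
{
    struct chan *c = calloc(1, sizeof *c);
    if (!c)
        abort();
    c->refs = 1;
    c->state = 1;               /* "listening" */
    chans_created++;
    return c;
}

static void chan_close(struct chan *c)
{
    c->state = 0;               /* touches c: a UAF if c was already put */
}

static void chan_put(struct chan *c)
{
    if (--c->refs == 0) {
        chans_destroyed++;
        free(c);
    }
}

/*
 * Shape of do_enable_set() before the fix. Two work items running this
 * concurrently can both load the same non-NULL listen_chan: the first puts
 * (frees) it, the second then calls chan_close() and chan_put() on freed
 * memory, which is the l2cap_chan_close use-after-free the bisection chased.
 */
static void do_enable_set_unlocked(bool enable)
{
    if (listen_chan) {
        chan_close(listen_chan);
        chan_put(listen_chan);
    }
    listen_chan = enable ? chan_create() : NULL;
}

/* Shape after the fix: the whole check/close/put/replace sequence runs
 * under one mutex, so no work item can observe a half-updated listen_chan. */
static void do_enable_set_locked(bool enable)
{
    pthread_mutex_lock(&set_lock);
    do_enable_set_unlocked(enable);
    pthread_mutex_unlock(&set_lock);
}

struct worker_arg {
    int iters;
};

static void *worker(void *p)
{
    const struct worker_arg *arg = p;
    for (int i = 0; i < arg->iters; i++)
        do_enable_set_locked(i & 1);    /* alternate disable/enable */
    return NULL;
}

/*
 * Hammer the locked variant from several threads (the pattern that crashed
 * the unlocked one under syzkaller), then disable once more. Returns true
 * when every channel created was destroyed exactly once and nothing dangles.
 */
bool run_locked_race(int nthreads, int iters)
{
    pthread_t *th = calloc((size_t)nthreads, sizeof *th);
    struct worker_arg arg = { .iters = iters };
    if (!th)
        return false;

    chans_created = chans_destroyed = 0;
    for (int i = 0; i < nthreads; i++)
        if (pthread_create(&th[i], NULL, worker, &arg) != 0)
            abort();
    for (int i = 0; i < nthreads; i++)
        pthread_join(th[i], NULL);
    free(th);

    do_enable_set_locked(false);        /* tear down whatever still listens */
    return listen_chan == NULL && chans_created > 0 &&
           chans_created == chans_destroyed;
}

int main(void)
{
    bool ok = run_locked_race(4, 20000);
    printf("locked do_enable_set: %s (%ld created, %ld destroyed)\n",
           ok ? "no leak, no dangling chan" : "FAILED",
           chans_created, chans_destroyed);
    return ok ? 0 : 1;
}
```

Build with -pthread. The point of the model is that the mutex has to cover the whole read-modify-write of listen_chan, not just the put: locking only around chan_put() would still let a second worker close a channel the first one is about to free.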