bisecting cause commit starting from 5a4cee98ea757e1a2a1354b497afdf8fafc30a20 building syzkaller on 9a4781d43abfb86fe8521cb6fb084519e237454c testing commit 5a4cee98ea757e1a2a1354b497afdf8fafc30a20 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: de07cb9d3150272e50257f2386901e1402f9f283d0d02a9aef740735a69e1e8f all runs: crashed: general protection fault in hci_release_dev testing release v5.13 testing commit 62fb9874f5da54fdb243003b386128037319b219 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: 1cb5111c0f95c1fc7e3896d55db5b53fbce5858f143c657e735c92f7019c7d10 all runs: OK # git bisect start 5a4cee98ea757e1a2a1354b497afdf8fafc30a20 62fb9874f5da54fdb243003b386128037319b219 Bisecting: 9494 revisions left to test after this (roughly 13 steps) [f92a322a63517a798f2da57d56b483a6ae8f45a1] Merge branch 'work.d_path' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs testing commit f92a322a63517a798f2da57d56b483a6ae8f45a1 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: 584044267d22e036ffc71989df7dd3715c89a0d6b2e0e92537cb7c458bd05e4d run #0: boot failed: kernel panic: VFS: Unable to mount root fs on unknown-block(0,0) run #1: boot failed: kernel panic: VFS: Unable to mount root fs on unknown-block(0,0) run #2: boot failed: possible deadlock in get_page_from_freelist run #3: boot failed: kernel panic: VFS: Unable to mount root fs on unknown-block(0,0) run #4: boot failed: BUG: sleeping function called from invalid context in stack_depot_save run #5: boot failed: kernel panic: VFS: Unable to mount root fs on unknown-block(0,0) run #6: boot failed: kernel panic: VFS: Unable to mount root fs on unknown-block(0,0) run #7: boot failed: kernel panic: VFS: Unable to mount root fs on unknown-block(0,0) run #8: boot failed: kernel panic: VFS: Unable to mount root fs on unknown-block(0,0) run #9: boot failed: kernel panic: VFS: Unable to mount root fs on unknown-block(0,0) # git bisect skip f92a322a63517a798f2da57d56b483a6ae8f45a1 Bisecting: 9494 revisions left to test after this (roughly 13 steps) [56ad3aef5cdac0695944985f7f70209aec0efd4d] thunderbolt: Read router preferred credit allocation information testing commit 56ad3aef5cdac0695944985f7f70209aec0efd4d compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: 726e7303c510fe671cfa10c7f0ae3018a62ac69753f62c9c28e40cbf19698461 all runs: OK # git bisect good 56ad3aef5cdac0695944985f7f70209aec0efd4d Bisecting: 9499 revisions left to test after this (roughly 13 steps) [757fa80f4edca010769f3f8d116c19c85f27e817] Merge tag 'trace-v5.14' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace testing commit 757fa80f4edca010769f3f8d116c19c85f27e817 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: 1dfcfb62b49fb71dc18a8f18fe2ad898031817121f8a273731c77b214d61d8f3 run #0: boot failed: kernel panic: VFS: Unable to mount root fs on unknown-block(0,0) run #1: boot failed: BUG: sleeping function called from invalid context in stack_depot_save run #2: boot failed: kernel panic: VFS: Unable to mount root fs on unknown-block(0,0) run #3: boot failed: kernel panic: VFS: Unable to mount root fs on unknown-block(0,0) run #4: boot failed: kernel panic: VFS: Unable to mount root fs on unknown-block(0,0) run #5: boot failed: kernel panic: VFS: Unable to mount root fs on unknown-block(0,0) run #6: boot failed: kernel panic: VFS: Unable to mount root fs on unknown-block(0,0) run #7: boot failed: BUG: sleeping function called from invalid context in stack_depot_save run #8: boot failed: BUG: sleeping function called from invalid context in stack_depot_save run #9: boot failed: kernel panic: VFS: Unable to mount root fs on unknown-block(0,0) # git bisect skip 757fa80f4edca010769f3f8d116c19c85f27e817 Bisecting: 9499 revisions left to test after this (roughly 13 steps) [69994ef3da660af4ff22c740f85dc291a50a6440] net/mlx5: Take TIR destruction out of the TIR list lock testing commit 69994ef3da660af4ff22c740f85dc291a50a6440 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: d4d0ae4b60c0900ab324d7586c66cb6cc0541c5e77f201f7754e5feea4fb74a2 run #0: basic kernel testing failed: BUG: sleeping function called from invalid context in stack_depot_save run #1: OK run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect good 69994ef3da660af4ff22c740f85dc291a50a6440 Bisecting: 2366 revisions left to test after this (roughly 11 steps) [803b1fe5ca0fb23516588bce51c9fe4abff92edd] Merge remote-tracking branch 'net-next/master' testing commit 803b1fe5ca0fb23516588bce51c9fe4abff92edd compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: 44cee38be1a7b0008ee8d39003511261ae8942b32375a8d5bc971770d11f39e9 all runs: OK # git bisect good 803b1fe5ca0fb23516588bce51c9fe4abff92edd Bisecting: 1207 revisions left to test after this (roughly 10 steps) [9faf08ecc988ad6cdbcf771f9530dc2f60e09635] Merge remote-tracking branch 'irqchip/irq/irqchip-next' testing commit 9faf08ecc988ad6cdbcf771f9530dc2f60e09635 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: 1370be462e329ee7fd302089608813da53ccac45c6cd8d7a0d240167edc37265 all runs: crashed: general protection fault in hci_release_dev # git bisect bad 9faf08ecc988ad6cdbcf771f9530dc2f60e09635 Bisecting: 536 revisions left to test after this (roughly 9 steps) [b781f1b658183e2e0d68c1bb2cbc4bb3f20c45c9] Merge commit 'f46ecc4bda8f' testing commit b781f1b658183e2e0d68c1bb2cbc4bb3f20c45c9 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: 2919bd0fcee3530f43555e30ff309e8e30b5811838f6f006d0469d8591d15e04 all runs: crashed: general protection fault in hci_release_dev # git bisect bad b781f1b658183e2e0d68c1bb2cbc4bb3f20c45c9 Bisecting: 307 revisions left to test after this (roughly 8 steps) [8da49a33dda7294c1af508f8aa81cd638d0afd62] Merge tag 'drm-misc-next-2021-07-22' of git://anongit.freedesktop.org/drm/drm-misc into drm-next testing commit 8da49a33dda7294c1af508f8aa81cd638d0afd62 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: ec985aaebb17cfd7ad74345ee44fa363b26b383410e5633fefe8890265a0a47a all runs: OK # git bisect good 8da49a33dda7294c1af508f8aa81cd638d0afd62 Bisecting: 153 revisions left to test after this (roughly 7 steps) [78ccea9ff2ad6fb5c73f146b46193ef15d6ede5f] drm/amdkfd: Set priv_queue to NULL after it is freed testing commit 78ccea9ff2ad6fb5c73f146b46193ef15d6ede5f compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: 53930e9b46214d3684dfca31c9847e3ce8c10ce0e2a88eb87190c4732e425497 all runs: OK # git bisect good 78ccea9ff2ad6fb5c73f146b46193ef15d6ede5f Bisecting: 77 revisions left to test after this (roughly 6 steps) [a1dcd3c2dc15f0e618c54e46b182886d0ea26d2c] Merge remote-tracking branch 'mtd/mtd/next' testing commit a1dcd3c2dc15f0e618c54e46b182886d0ea26d2c compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: a1c46b1e3e4030ad3338325fdaf50893741b7edf5b9ab3ae463b062bc0469929 all runs: crashed: general protection fault in hci_release_dev # git bisect bad a1dcd3c2dc15f0e618c54e46b182886d0ea26d2c Bisecting: 37 revisions left to test after this (roughly 5 steps) [e244d34d0ea1aebf60e83ee6d1701a81448f31c1] libbpf: Add bpf_map__pin_path function testing commit e244d34d0ea1aebf60e83ee6d1701a81448f31c1 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: 321cca76c0eb239ce16505cfd9b2d9eba040321850fcf4cfb04ce5cf04a287fa run #0: basic kernel testing failed: BUG: sleeping function called from invalid context in stack_depot_save run #1: OK run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect good e244d34d0ea1aebf60e83ee6d1701a81448f31c1 Bisecting: 19 revisions left to test after this (roughly 4 steps) [691565ab85402b31676f916f2e1a3dcb4543bfa3] Merge remote-tracking branch 'ipsec-next/master' testing commit 691565ab85402b31676f916f2e1a3dcb4543bfa3 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: be464a2556ee486c65bd2b638ac08dad2a28480e0a30b16ec6f2c901c6b4af15 all runs: OK # git bisect good 691565ab85402b31676f916f2e1a3dcb4543bfa3 Bisecting: 9 revisions left to test after this (roughly 3 steps) [66f077dde74943e9dd84a9205b4951b19556c9ea] Bluetooth: hci_h5: add WAKEUP_DISABLE flag testing commit 66f077dde74943e9dd84a9205b4951b19556c9ea compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: 47ffe7a5b1229439a93659042745019d32f0859b190403a4e7aebb5f014310fb all runs: OK # git bisect good 66f077dde74943e9dd84a9205b4951b19556c9ea Bisecting: 4 revisions left to test after this (roughly 2 steps) [a49b56f8771eced066f2a259d82f0368ee4020b2] Bluetooth: mgmt: Fix wrong opcode in the response for add_adv cmd testing commit a49b56f8771eced066f2a259d82f0368ee4020b2 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: e3be4456bb93e8a7a2899e50ff162e8c8b0ed9b1a2060f1d9d368dbb51a687ad run #0: basic kernel testing failed: possible deadlock in fs_reclaim_acquire run #1: crashed: general protection fault in hci_release_dev run #2: crashed: general protection fault in hci_release_dev run #3: crashed: general protection fault in hci_release_dev run #4: crashed: general protection fault in hci_release_dev run #5: crashed: general protection fault in hci_release_dev run #6: crashed: general protection fault in hci_release_dev run #7: crashed: general protection fault in hci_release_dev run #8: crashed: general protection fault in hci_release_dev run #9: crashed: general protection fault in hci_release_dev # git bisect bad a49b56f8771eced066f2a259d82f0368ee4020b2 Bisecting: 1 revision left to test after this (roughly 1 step) [acd5aea400494ce960904cca4626dfbbe307dd47] Bluetooth: btusb: Add valid le states quirk testing commit acd5aea400494ce960904cca4626dfbbe307dd47 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: e938d07580e7f413764d99d7683531549b3b8d437be3aca0c64b809fa1371a77 run #0: basic kernel testing failed: BUG: sleeping function called from invalid context in stack_depot_save run #1: OK run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect good acd5aea400494ce960904cca4626dfbbe307dd47 Bisecting: 0 revisions left to test after this (roughly 0 steps) [73333364afebb5e45807139bc79e6a6574c1874b] Bluetooth: defer cleanup of resources in hci_unregister_dev() testing commit 73333364afebb5e45807139bc79e6a6574c1874b compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: 96276d2cba3508646c51b79f7ca3fc405daa1dc60e32cfbdec748d1ba974711c all runs: crashed: general protection fault in hci_release_dev # git bisect bad 73333364afebb5e45807139bc79e6a6574c1874b 73333364afebb5e45807139bc79e6a6574c1874b is the first bad commit commit 73333364afebb5e45807139bc79e6a6574c1874b Author: Tetsuo Handa Date: Tue Jul 27 06:12:04 2021 +0900 Bluetooth: defer cleanup of resources in hci_unregister_dev() syzbot is hitting might_sleep() warning at hci_sock_dev_event() due to calling lock_sock() with rw spinlock held [1]. It seems that history of this locking problem is a trial and error. Commit b40df5743ee8aed8 ("[PATCH] bluetooth: fix socket locking in hci_sock_dev_event()") in 2.6.21-rc4 changed bh_lock_sock() to lock_sock() as an attempt to fix lockdep warning. Then, commit 4ce61d1c7a8ef4c1 ("[BLUETOOTH]: Fix locking in hci_sock_dev_event().") in 2.6.22-rc2 changed lock_sock() to local_bh_disable() + bh_lock_sock_nested() as an attempt to fix sleep in atomic context warning. Then, commit 4b5dd696f81b210c ("Bluetooth: Remove local_bh_disable() from hci_sock.c") in 3.3-rc1 removed local_bh_disable(). Then, commit e305509e678b3a4a ("Bluetooth: use correct lock to prevent UAF of hdev object") in 5.13-rc5 again changed bh_lock_sock_nested() to lock_sock() as an attempt to fix CVE-2021-3573. This difficulty comes from current implementation that hci_sock_dev_event(HCI_DEV_UNREG) is responsible for dropping all references from sockets because hci_unregister_dev() immediately reclaims resources as soon as returning from hci_sock_dev_event(HCI_DEV_UNREG). But the history suggests that hci_sock_dev_event(HCI_DEV_UNREG) was not doing what it should do. Therefore, instead of trying to detach sockets from device, let's accept not detaching sockets from device at hci_sock_dev_event(HCI_DEV_UNREG), by moving actual cleanup of resources from hci_unregister_dev() to hci_release_dev() which is called by bt_host_release when all references to this unregistered device (which is a kobject) are gone. Link: https://syzkaller.appspot.com/bug?extid=a5df189917e79d5e59c9 [1] Reported-by: syzbot Signed-off-by: Tetsuo Handa Tested-by: syzbot Fixes: e305509e678b3a4a ("Bluetooth: use correct lock to prevent UAF of hdev object") Signed-off-by: Luiz Augusto von Dentz include/net/bluetooth/hci_core.h | 1 + net/bluetooth/hci_core.c | 17 +++++++++-------- net/bluetooth/hci_sock.c | 20 +++++++++++++------- net/bluetooth/hci_sysfs.c | 2 +- 4 files changed, 24 insertions(+), 16 deletions(-) culprit signature: 96276d2cba3508646c51b79f7ca3fc405daa1dc60e32cfbdec748d1ba974711c parent signature: e938d07580e7f413764d99d7683531549b3b8d437be3aca0c64b809fa1371a77 revisions tested: 18, total time: 4h13m12.167540583s (build: 2h2m3.579753481s, test: 2h8m55.219416117s) first bad commit: 73333364afebb5e45807139bc79e6a6574c1874b Bluetooth: defer cleanup of resources in hci_unregister_dev() recipients (to): ["luiz.von.dentz@intel.com" "penguin-kernel@i-love.sakura.ne.jp" "syzbot+a5df189917e79d5e59c9@syzkaller.appspotmail.com"] recipients (cc): [] crash: general protection fault in hci_release_dev general protection fault, probably for non-canonical address 0xdffffc0000000023: 0000 [#1] PREEMPT SMP KASAN KASAN: null-ptr-deref in range [0x0000000000000118-0x000000000000011f] CPU: 1 PID: 10958 Comm: syz-executor.2 Not tainted 5.14.0-rc1-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:workqueue_sysfs_unregister kernel/workqueue.c:5726 [inline] RIP: 0010:destroy_workqueue+0x29/0x720 kernel/workqueue.c:4380 Code: 00 48 b8 00 00 00 00 00 fc ff df 41 57 41 56 41 55 41 54 49 89 fc 48 81 c7 18 01 00 00 48 89 fa 55 48 c1 ea 03 53 48 83 ec 08 <80> 3c 02 00 0f 85 5f 06 00 00 49 8b 84 24 18 01 00 00 48 85 c0 74 RSP: 0018:ffffc9000d107bf8 EFLAGS: 00010292 RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000001 RDX: 0000000000000023 RSI: ffffffff88cb2920 RDI: 0000000000000118 RBP: ffff88802aa8c000 R08: 0000000000000001 R09: ffff88802aa8d37b R10: ffffed1005551a6f R11: 0000000000000000 R12: 0000000000000000 R13: ffffffff8b5f84e0 R14: 0000000000000000 R15: 0000000000000000 FS: 000000000240c400(0000) GS:ffff8880b9f00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000519970 CR3: 0000000034369000 CR4: 00000000001506e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: hci_release_dev+0x11c/0xac0 net/bluetooth/hci_core.c:4048 bt_host_release+0xc/0x20 net/bluetooth/hci_sysfs.c:86 device_release+0x93/0x200 drivers/base/core.c:2190 kobject_cleanup lib/kobject.c:705 [inline] kobject_release lib/kobject.c:736 [inline] kref_put include/linux/kref.h:65 [inline] kobject_put+0x139/0x410 lib/kobject.c:753 hci_uart_tty_close+0x189/0x240 drivers/bluetooth/hci_ldisc.c:546 tty_ldisc_kill+0x73/0x110 drivers/tty/tty_ldisc.c:629 tty_ldisc_release+0xd7/0x1b0 drivers/tty/tty_ldisc.c:803 tty_release_struct+0x10/0xd0 drivers/tty/tty_io.c:1706 tty_release+0xa06/0xf80 drivers/tty/tty_io.c:1878 __fput+0x209/0x870 fs/file_table.c:280 task_work_run+0xc0/0x160 kernel/task_work.c:164 tracehook_notify_resume include/linux/tracehook.h:189 [inline] exit_to_user_mode_loop kernel/entry/common.c:175 [inline] exit_to_user_mode_prepare+0x27e/0x290 kernel/entry/common.c:209 __syscall_exit_to_user_mode_work kernel/entry/common.c:291 [inline] syscall_exit_to_user_mode+0x19/0x60 kernel/entry/common.c:302 do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x4193fb Code: 0f 05 48 3d 00 f0 ff ff 77 45 c3 0f 1f 40 00 48 83 ec 18 89 7c 24 0c e8 63 fc ff ff 8b 7c 24 0c 41 89 c0 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 35 44 89 c7 89 44 24 0c e8 a1 fc ff ff 8b 44 RSP: 002b:00007ffc216423f0 EFLAGS: 00000293 ORIG_RAX: 0000000000000003 RAX: 0000000000000000 RBX: 0000000000000004 RCX: 00000000004193fb RDX: 00000000005701c0 RSI: 0000000000000001 RDI: 0000000000000003 RBP: 0000000000000001 R08: 0000000000000000 R09: 0000001b33620054 R10: 00007ffc216424e0 R11: 0000000000000293 R12: 0000000000010280 R13: 00000000000003e8 R14: 000000000056bf80 R15: 000000000001027b Modules linked in: ---[ end trace 1290d5cf112a584e ]--- RIP: 0010:workqueue_sysfs_unregister kernel/workqueue.c:5726 [inline] RIP: 0010:destroy_workqueue+0x29/0x720 kernel/workqueue.c:4380 Code: 00 48 b8 00 00 00 00 00 fc ff df 41 57 41 56 41 55 41 54 49 89 fc 48 81 c7 18 01 00 00 48 89 fa 55 48 c1 ea 03 53 48 83 ec 08 <80> 3c 02 00 0f 85 5f 06 00 00 49 8b 84 24 18 01 00 00 48 85 c0 74 RSP: 0018:ffffc9000d107bf8 EFLAGS: 00010292 RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000001 RDX: 0000000000000023 RSI: ffffffff88cb2920 RDI: 0000000000000118 RBP: ffff88802aa8c000 R08: 0000000000000001 R09: ffff88802aa8d37b R10: ffffed1005551a6f R11: 0000000000000000 R12: 0000000000000000 R13: ffffffff8b5f84e0 R14: 0000000000000000 R15: 0000000000000000 FS: 000000000240c400(0000) GS:ffff8880b9f00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000519970 CR3: 0000000034369000 CR4: 00000000001506e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400