bisecting fixing commit since c70672d8d316ebd46ea447effadfe57ab7a30a50
building syzkaller on abf9ba4fc75d9b29af15625d44dcfc1360fad3b7
testing commit c70672d8d316ebd46ea447effadfe57ab7a30a50
compiler: gcc (GCC) 8.4.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 47d57663290040bfd76ce3b50a8cc77662709bcbb881cc2589b9c227ef90dee6
run #0: crashed: KASAN: use-after-free Read in lock_sock_nested
run #1: crashed: KASAN: use-after-free Read in lock_sock_nested
run #2: crashed: WARNING: locking bug in l2cap_sock_teardown_cb
run #3: crashed: KASAN: use-after-free Read in lock_sock_nested
run #4: crashed: KASAN: null-ptr-deref Write in l2cap_chan_put
run #5: crashed: KASAN: null-ptr-deref Write in l2cap_chan_put
run #6: crashed: KASAN: use-after-free Read in lock_sock_nested
run #7: crashed: KASAN: use-after-free Read in lock_sock_nested
run #8: crashed: KASAN: null-ptr-deref Write in l2cap_chan_put
run #9: crashed: KASAN: null-ptr-deref Write in l2cap_chan_put
run #10: crashed: KASAN: use-after-free Read in lock_sock_nested
run #11: crashed: KASAN: use-after-free Read in lock_sock_nested
run #12: crashed: KASAN: use-after-free Read in lock_sock_nested
run #13: crashed: KASAN: use-after-free Read in lock_sock_nested
run #14: crashed: KASAN: null-ptr-deref Write in l2cap_chan_put
run #15: crashed: KASAN: use-after-free Read in lock_sock_nested
run #16: crashed: KASAN: null-ptr-deref Write in l2cap_chan_put
run #17: crashed: KASAN: null-ptr-deref Write in l2cap_chan_put
run #18: crashed: KASAN: use-after-free Read in lock_sock_nested
run #19: crashed: KASAN: use-after-free Read in lock_sock_nested
testing current HEAD d25f27432f80a800a3592db128254c8140bd71bf
testing commit d25f27432f80a800a3592db128254c8140bd71bf
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 713ce1d2a67742b4eef6d895f68cb06f2942217afa3652b5fc8b413b90240da3
run #0: crashed: KASAN: use-after-free Read in lock_sock_nested
run #1: crashed: KASAN: use-after-free Read in lock_sock_nested
run #2: crashed: KASAN: use-after-free Read in lock_sock_nested
run #3: crashed: KASAN: use-after-free Read in lock_sock_nested
run #4: crashed: KASAN: use-after-free Read in lock_sock_nested
run #5: crashed: KASAN: use-after-free Read in lock_sock_nested
run #6: crashed: KASAN: use-after-free Read in lock_sock_nested
run #7: crashed: KASAN: use-after-free Read in lock_sock_nested
run #8: crashed: KASAN: slab-out-of-bounds Read in lock_sock_nested
run #9: crashed: KASAN: use-after-free Read in lock_sock_nested
revisions tested: 2, total time: 20m22.227800268s (build: 11m33.430530785s, test: 8m0.224358477s)
the crash still happens on HEAD
commit msg: Merge tag 'arm-soc-fixes-5.15-3' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc
crash: KASAN: use-after-free Read in lock_sock_nested
==================================================================
BUG: KASAN: use-after-free in __lock_acquire+0x3c3c/0x52b0 kernel/locking/lockdep.c:4885
Read of size 8 at addr ffff8881630d7120 by task kworker/1:4/6656

CPU: 1 PID: 6656 Comm: kworker/1:4 Not tainted 5.15.0-rc7-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events l2cap_chan_timeout
Call Trace:
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xbd/0xe2 lib/dump_stack.c:106
 print_address_description.constprop.0.cold+0x6c/0x2d6 mm/kasan/report.c:256
 __kasan_report mm/kasan/report.c:442 [inline]
 kasan_report.cold+0x83/0xdf mm/kasan/report.c:459
 __lock_acquire+0x3c3c/0x52b0 kernel/locking/lockdep.c:4885
 lock_acquire kernel/locking/lockdep.c:5625 [inline]
 lock_acquire+0x212/0x5d0 kernel/locking/lockdep.c:5590
 lock_sock_nested+0x2b/0xd0 net/core/sock.c:3203
 l2cap_sock_teardown_cb+0x83/0x3a0 net/bluetooth/l2cap_sock.c:1528
 l2cap_chan_del+0x96/0x1010 net/bluetooth/l2cap_core.c:622
 l2cap_chan_close+0xe2/0x9d0 net/bluetooth/l2cap_core.c:825
 l2cap_chan_timeout+0x122/0x3a0 net/bluetooth/l2cap_core.c:436
 process_one_work+0x87f/0x1450 kernel/workqueue.c:2297
 worker_thread+0x598/0x1040 kernel/workqueue.c:2444
 kthread+0x38b/0x460 kernel/kthread.c:319
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295

Allocated by task 8189:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38
 kasan_set_track mm/kasan/common.c:46 [inline]
 set_alloc_info mm/kasan/common.c:434 [inline]
 ____kasan_kmalloc mm/kasan/common.c:513 [inline]
 __kasan_kmalloc+0x7a/0x90 mm/kasan/common.c:522
 kasan_kmalloc include/linux/kasan.h:264 [inline]
 __do_kmalloc mm/slab.c:3702 [inline]
 __kmalloc+0x213/0x470 mm/slab.c:3711
 kmalloc include/linux/slab.h:596 [inline]
 sk_prot_alloc+0xee/0x200 net/core/sock.c:1839
 sk_alloc+0x27/0x810 net/core/sock.c:1892
 sco_sock_alloc.constprop.0+0x22/0x200 net/bluetooth/sco.c:491
 sco_sock_create+0x9b/0x150 net/bluetooth/sco.c:526
 bt_sock_create+0x11a/0x250 net/bluetooth/af_bluetooth.c:130
 __sock_create+0x22a/0x550 net/socket.c:1464
 sock_create net/socket.c:1515 [inline]
 __sys_socket+0xd6/0x1a0 net/socket.c:1557
 __do_sys_socket net/socket.c:1566 [inline]
 __se_sys_socket net/socket.c:1564 [inline]
 __x64_sys_socket+0x6a/0xb0 net/socket.c:1564
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae

Freed by task 8188:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38
 kasan_set_track+0x1c/0x30 mm/kasan/common.c:46
 kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:360
 ____kasan_slab_free mm/kasan/common.c:366 [inline]
 ____kasan_slab_free mm/kasan/common.c:328 [inline]
 __kasan_slab_free+0xb2/0xe0 mm/kasan/common.c:374
 kasan_slab_free include/linux/kasan.h:230 [inline]
 __cache_free mm/slab.c:3445 [inline]
 kfree+0x111/0x2d0 mm/slab.c:3803
 sk_prot_free net/core/sock.c:1875 [inline]
 __sk_destruct+0x55b/0x6c0 net/core/sock.c:1961
 sco_sock_release+0x151/0x270 net/bluetooth/sco.c:1090
 __sock_release+0xbb/0x270 net/socket.c:649
 sock_close+0xf/0x20 net/socket.c:1314
 __fput+0x206/0x8d0 fs/file_table.c:280
 task_work_run+0xc0/0x160 kernel/task_work.c:164
 tracehook_notify_resume include/linux/tracehook.h:189 [inline]
 exit_to_user_mode_loop kernel/entry/common.c:175 [inline]
 exit_to_user_mode_prepare+0x278/0x280 kernel/entry/common.c:207
 __syscall_exit_to_user_mode_work kernel/entry/common.c:289 [inline]
 syscall_exit_to_user_mode+0x40/0x70 kernel/entry/common.c:300
 do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86
 entry_SYSCALL_64_after_hwframe+0x44/0xae

The buggy address belongs to the object at ffff8881630d7000
 which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 288 bytes inside of
 2048-byte region [ffff8881630d7000, ffff8881630d7800)
The buggy address belongs to the page:
page:000000005af32dfc refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1630d7
flags: 0x17ffe0000000200(slab|node=0|zone=2|lastcpupid=0x3fff)
raw: 017ffe0000000200 ffffea00058c3448 ffffea00058c3608 ffff888100040800
raw: 0000000000000000 ffff8881630d7000 0000000100000001 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8881630d7000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8881630d7080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8881630d7100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                               ^
 ffff8881630d7180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8881630d7200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
BUG: kernel NULL pointer dereference, address: 0000000000000018
#PF: supervisor write access in kernel mode
#PF: error_code(0x0002) - not-present page
PGD 163423067 P4D 163423067 PUD 164793067 PMD 0
Oops: 0002 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 6656 Comm: kworker/1:4 Tainted: G B 5.15.0-rc7-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events l2cap_chan_timeout
RIP: 0010:arch_atomic_fetch_sub arch/x86/include/asm/atomic.h:190 [inline]
RIP: 0010:atomic_fetch_sub_release include/linux/atomic/atomic-instrumented.h:168 [inline]
RIP: 0010:__refcount_sub_and_test include/linux/refcount.h:272 [inline]
RIP: 0010:__refcount_dec_and_test include/linux/refcount.h:315 [inline]
RIP: 0010:refcount_dec_and_test include/linux/refcount.h:333 [inline]
RIP: 0010:kref_put include/linux/kref.h:64 [inline]
RIP: 0010:l2cap_chan_put+0x21/0x1c0 net/bluetooth/l2cap_core.c:504
Code: 55 ac f9 fa eb ad 0f 1f 00 41 56 be 04 00 00 00 41 55 41 54 4c 8d 67 18 55 48 89 fd 4c 89 e7 53 e8 b4 af f9 fa b8 ff ff ff ff 0f c1 45 18 83 f8 01 74 11 85 c0 0f 8e 2b 01 00 00 5b 5d 41 5c
RSP: 0018:ffffc9000815fca0 EFLAGS: 00010202
RAX: 00000000ffffffff RBX: ffff8881630c5110 RCX: ffffffff86af525c
RDX: 0000000000000001 RSI: 0000000000000004 RDI: 0000000000000018
RBP: 0000000000000000 R08: 0000000000000001 R09: 000000000000001c
R10: ffffed102c61ae0c R11: 6e696c6261736944 R12: 0000000000000018
R13: ffff8881630c54b8 R14: ffffffff88ad1bc0 R15: 0000000000000001
FS:  0000000000000000(0000) GS:ffff8881f6500000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000018 CR3: 0000000163598000 CR4: 0000000000350ee0
Call Trace:
 l2cap_sock_kill+0x95/0x110 net/bluetooth/l2cap_sock.c:1225
 l2cap_chan_timeout+0x171/0x3a0 net/bluetooth/l2cap_core.c:438
 process_one_work+0x87f/0x1450 kernel/workqueue.c:2297
 worker_thread+0x598/0x1040 kernel/workqueue.c:2444
 kthread+0x38b/0x460 kernel/kthread.c:319
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
Modules linked in:
CR2: 0000000000000018
---[ end trace 7c21e299d966b1f0 ]---
RIP: 0010:arch_atomic_fetch_sub arch/x86/include/asm/atomic.h:190 [inline]
RIP: 0010:atomic_fetch_sub_release include/linux/atomic/atomic-instrumented.h:168 [inline]
RIP: 0010:__refcount_sub_and_test include/linux/refcount.h:272 [inline]
RIP: 0010:__refcount_dec_and_test include/linux/refcount.h:315 [inline]
RIP: 0010:refcount_dec_and_test include/linux/refcount.h:333 [inline]
RIP: 0010:kref_put include/linux/kref.h:64 [inline]
RIP: 0010:l2cap_chan_put+0x21/0x1c0 net/bluetooth/l2cap_core.c:504
Code: 55 ac f9 fa eb ad 0f 1f 00 41 56 be 04 00 00 00 41 55 41 54 4c 8d 67 18 55 48 89 fd 4c 89 e7 53 e8 b4 af f9 fa b8 ff ff ff ff 0f c1 45 18 83 f8 01 74 11 85 c0 0f 8e 2b 01 00 00 5b 5d 41 5c
RSP: 0018:ffffc9000815fca0 EFLAGS: 00010202
RAX: 00000000ffffffff RBX: ffff8881630c5110 RCX: ffffffff86af525c
RDX: 0000000000000001 RSI: 0000000000000004 RDI: 0000000000000018
RBP: 0000000000000000 R08: 0000000000000001 R09: 000000000000001c
R10: ffffed102c61ae0c R11: 6e696c6261736944 R12: 0000000000000018
R13: ffff8881630c54b8 R14: ffffffff88ad1bc0 R15: 0000000000000001
FS:  0000000000000000(0000) GS:ffff8881f6500000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000018 CR3: 0000000163598000 CR4: 0000000000350ee0
----------------
Code disassembly (best guess):
   0:	55                   	push   %rbp
   1:	ac                   	lods   %ds:(%rsi),%al
   2:	f9                   	stc
   3:	fa                   	cli
   4:	eb ad                	jmp    0xffffffb3
   6:	0f 1f 00             	nopl   (%rax)
   9:	41 56                	push   %r14
   b:	be 04 00 00 00       	mov    $0x4,%esi
  10:	41 55                	push   %r13
  12:	41 54                	push   %r12
  14:	4c 8d 67 18          	lea    0x18(%rdi),%r12
  18:	55                   	push   %rbp
  19:	48 89 fd             	mov    %rdi,%rbp
  1c:	4c 89 e7             	mov    %r12,%rdi
  1f:	53                   	push   %rbx
  20:	e8 b4 af f9 fa       	callq  0xfaf9afd9
  25:	b8 ff ff ff ff       	mov    $0xffffffff,%eax
* 2a:	f0 0f c1 45 18       	lock xadd %eax,0x18(%rbp) <-- trapping instruction
  2f:	83 f8 01             	cmp    $0x1,%eax
  32:	74 11                	je     0x45
  34:	85 c0                	test   %eax,%eax
  36:	0f 8e 2b 01 00 00    	jle    0x167
  3c:	5b                   	pop    %rbx
  3d:	5d                   	pop    %rbp
  3e:	41 5c                	pop    %r12