syzbot

WARNING in kernfs_put

Status: closed as dup on 2018/10/31 16:05
Reported-by: syzbot+f078bc04000fe75f5923@syzkaller.appspotmail.com
First crash: 1333d, last: 1211d
Duplicate of (1):
Title                  Repro  Cause bisect  Fix bisect  Count  Last   Reported
WARNING in kernfs_get  C      done                      316    1056d  1385d
Similar bugs (2):
Kernel      Title                  Repro  Cause bisect  Fix bisect  Count  Last   Reported  Patched  Status
linux-4.14  WARNING in kernfs_put  C      done                      2      1091d  1158d     1/1      fixed on 2019/12/01 20:17
linux-4.19  WARNING in kernfs_put  C      done                      1      1095d  1095d     1/1      fixed on 2019/12/01 20:17

Sample crash report:
kernfs_put: bluetooth/hci2: released with incorrect active_ref 0
kobject_add_internal failed for hci1 (error: -2 parent: bluetooth)
Bluetooth: Can't register HCI device
Bluetooth: Can't register HCI device
Bluetooth: Can't register HCI device
WARNING: CPU: 0 PID: 7930 at fs/kernfs/dir.c:525 kernfs_put fs/kernfs/dir.c:525 [inline]
WARNING: CPU: 0 PID: 7930 at fs/kernfs/dir.c:525 kernfs_put+0x4c6/0x5d0 fs/kernfs/dir.c:506
kobject: 'hci3' (00000000280ef2e9): kobject_cleanup, parent           (null)
Kernel panic - not syncing: panic_on_warn set ...
CPU: 0 PID: 7930 Comm: syz-executor881 Not tainted 5.0.0-rc8+ #1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x172/0x1f0 lib/dump_stack.c:113
 panic+0x2cb/0x65c kernel/panic.c:214
 __warn.cold+0x20/0x45 kernel/panic.c:571
kobject: 'hci3' (00000000280ef2e9): calling ktype release
 report_bug+0x263/0x2b0 lib/bug.c:186
 fixup_bug arch/x86/kernel/traps.c:178 [inline]
 fixup_bug arch/x86/kernel/traps.c:173 [inline]
 do_error_trap+0x11b/0x200 arch/x86/kernel/traps.c:271
 do_invalid_op+0x37/0x50 arch/x86/kernel/traps.c:290
 invalid_op+0x14/0x20 arch/x86/entry/entry_64.S:973
kobject: 'hci3': free name
RIP: 0010:kernfs_put fs/kernfs/dir.c:525 [inline]
RIP: 0010:kernfs_put+0x4c6/0x5d0 fs/kernfs/dir.c:506
Code: 0f 85 1d 01 00 00 49 8b 75 30 48 89 75 c8 e8 41 c7 9d ff 48 8b 55 d0 44 89 f1 48 c7 c7 80 14 78 87 48 8b 75 c8 e8 a8 12 71 ff <0f> 0b e9 61 fc ff ff e8 3e c8 d4 ff e9 ba fd ff ff 48 8b 7d d0 e8
RSP: 0018:ffff888091a67c20 EFLAGS: 00010286
RAX: 0000000000000000 RBX: dffffc0000000000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff815a9066 RDI: ffffed101234cf76
RBP: ffff888091a67c78 R08: ffff88808fe3c3c0 R09: ffffed1015d03ef9
R10: ffffed1015d03ef8 R11: ffff8880ae81f7c7 R12: ffff88809956b000
R13: ffff888094113620 R14: 0000000000000000 R15: ffff88809956b030
 sysfs_put include/linux/sysfs.h:547 [inline]
 kobject_del.part.0+0x42/0xf0 lib/kobject.c:593
 kobject_del+0x20/0x30 lib/kobject.c:588
 device_del+0x6f4/0xb60 drivers/base/core.c:2125
kobject: 'bluetooth' (000000004409637d): kobject_add_internal: parent: 'virtual', set: '(null)'
 hci_unregister_dev+0x2c6/0x820 net/bluetooth/hci_core.c:3355
kobject: 'hci4' (0000000072553a15): kobject_add_internal: parent: 'bluetooth', set: 'devices'
 vhci_release+0x76/0xf0 drivers/bluetooth/hci_vhci.c:354
 __fput+0x2df/0x8d0 fs/file_table.c:278
 ____fput+0x16/0x20 fs/file_table.c:309
 task_work_run+0x14a/0x1c0 kernel/task_work.c:113
kobject: 'hci5' (00000000358a175b): kobject_add_internal: parent: 'bluetooth', set: 'devices'
 tracehook_notify_resume include/linux/tracehook.h:188 [inline]
 exit_to_usermode_loop+0x273/0x2c0 arch/x86/entry/common.c:166
 prepare_exit_to_usermode arch/x86/entry/common.c:197 [inline]
 syscall_return_slowpath arch/x86/entry/common.c:268 [inline]
 do_syscall_64+0x52d/0x610 arch/x86/entry/common.c:293
kobject: 'hci6' (000000000772d196): kobject_add_internal: parent: 'bluetooth', set: 'devices'
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x400dd0
Code: 01 f0 ff ff 0f 83 b0 0a 00 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 83 3d fd 18 2d 00 00 75 14 b8 03 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 84 0a 00 00 c3 48 83 ec 08 e8 3a 01 00 00
RSP: 002b:00007ffe66ccc778 EFLAGS: 00000246 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 0000000000000004 RCX: 0000000000400dd0
RDX: 0000000000000002 RSI: 00000000200000c0 RDI: 0000000000000003
kobject: 'hci1' (00000000f6b681ce): kobject_add_internal: parent: 'bluetooth', set: 'devices'
RBP: 000000000000b30b R08: 00000000004002c8 R09: 00000000004002c8
R10: 00000000016d8880 R11: 0000000000000246 R12: 0000000000401ce0
R13: 0000000000401d70 R14: 0000000000000000 R15: 0000000000000000
Kernel Offset: disabled
Rebooting in 86400 seconds..

Crashes (4):
Manager                           Time              Kernel    Commit        Syzkaller  Config   Log  Report  Syz repro  C repro  VM info  Title
ci-upstream-kasan-gce             2019/03/02 12:08  upstream  a215ce8f0e00  1c0e457a   .config  log  report  syz        C
ci-upstream-kasan-gce-root        2019/01/04 07:02  upstream  645ff1e8e704  7da23925   .config  log  report  syz        C
ci-upstream-kasan-gce-smack-root  2018/12/08 17:09  upstream  5f179793f0a7  60562a1d   .config  log  report  syz        C
ci-upstream-kasan-gce-root        2018/10/31 14:38  upstream  310c7585e830  89781090   .config  log  report