bisecting fixing commit since e3c1b27308ae0472f27e07903181d6abfe0cb1d7
building syzkaller on 429efa16d6ca7fd282a93c614ef97612f9c9bf62
testing commit e3c1b27308ae0472f27e07903181d6abfe0cb1d7 with gcc (GCC) 8.1.0
kernel signature: 7ec1e652134347c0c979fc676dd70562eaf03348
run #0: crashed: general protection fault in kernfs_add_one
run #1: crashed: WARNING in kernfs_get
run #2: crashed: general protection fault in kernfs_add_one
run #3: crashed: general protection fault in kernfs_add_one
run #4: crashed: WARNING in kernfs_get
run #5: crashed: WARNING in kernfs_get
run #6: crashed: WARNING in kernfs_get
run #7: crashed: general protection fault in kernfs_add_one
run #8: crashed: WARNING in kernfs_get
run #9: crashed: WARNING: refcount bug in hci_register_dev
testing current HEAD fbc5fe7a54d02e11972e3b2a5ddb6ffc88162c8f
testing commit fbc5fe7a54d02e11972e3b2a5ddb6ffc88162c8f with gcc (GCC) 8.1.0
kernel signature: 13b10f5b4a8c0933046d3fcdf3ee835dfdaac102
all runs: OK
# git bisect start fbc5fe7a54d02e11972e3b2a5ddb6ffc88162c8f e3c1b27308ae0472f27e07903181d6abfe0cb1d7
Bisecting: 1180 revisions left to test after this (roughly 10 steps)
[c96b058de5d9ef0323656e2a0593527480628954] clk: zx296718: Don't reference clk_init_data after registration
testing commit c96b058de5d9ef0323656e2a0593527480628954 with gcc (GCC) 8.1.0
kernel signature: d4a3f6477e51c5072209e262ceb42459b833a119
all runs: OK
# git bisect bad c96b058de5d9ef0323656e2a0593527480628954
Bisecting: 590 revisions left to test after this (roughly 9 steps)
[0040395471e606f209365ed642c9def0200de88c] perf tools: Fix proper buffer size for feature processing
testing commit 0040395471e606f209365ed642c9def0200de88c with gcc (GCC) 8.1.0
kernel signature: 9025f8040e5b9efee50adabb5f5d2a996ee61408
run #0: crashed: general protection fault in kernfs_add_one
run #1: crashed: WARNING: refcount bug in hci_register_dev
run #2: crashed: WARNING in kernfs_get
run #3: crashed: WARNING in kernfs_get
run #4: crashed: WARNING in kernfs_get
run #5: crashed: WARNING: refcount bug in hci_register_dev
run #6: crashed: WARNING in kernfs_get
run #7: crashed: general protection fault in kernfs_add_one
run #8: crashed: WARNING: refcount bug in kobj_kset_leave
run #9: crashed: WARNING in kernfs_get
# git bisect good 0040395471e606f209365ed642c9def0200de88c
Bisecting: 295 revisions left to test after this (roughly 8 steps)
[e90daafad0dc80374bd204a404f030a5efa0b3ac] sctp: Fix the link time qualifier of 'sctp_ctrlsock_exit()'
testing commit e90daafad0dc80374bd204a404f030a5efa0b3ac with gcc (GCC) 8.1.0
kernel signature: 04fe8d5eb3650106c7b26d62a2c2630ba7b77555
run #0: crashed: WARNING in kernfs_get
run #1: crashed: WARNING in kernfs_get
run #2: crashed: WARNING in kernfs_get
run #3: crashed: general protection fault in kernfs_add_one
run #4: crashed: WARNING in kernfs_get
run #5: crashed: general protection fault in kernfs_add_one
run #6: crashed: WARNING in kernfs_get
run #7: crashed: WARNING in kernfs_get
run #8: crashed: general protection fault in kernfs_add_one
run #9: crashed: WARNING in kernfs_get
# git bisect good e90daafad0dc80374bd204a404f030a5efa0b3ac
Bisecting: 147 revisions left to test after this (roughly 7 steps)
[70f80cb205649c7350617ca79515b98419e90475] ieee802154: enforce CAP_NET_RAW for raw sockets
testing commit 70f80cb205649c7350617ca79515b98419e90475 with gcc (GCC) 8.1.0
kernel signature: 0cf201f824ab773bc971e04b4e6c5cfacafc4293
all runs: OK
# git bisect bad 70f80cb205649c7350617ca79515b98419e90475
Bisecting: 73 revisions left to test after this (roughly 6 steps)
[ae0bec785df67a13a8740379b8b21768c6775caa] ARM: 8901/1: add a criteria for pfn_valid of arm
testing commit ae0bec785df67a13a8740379b8b21768c6775caa with gcc (GCC) 8.1.0
kernel signature: f737ed5ad107597b8ad0d44dc9f0dcd28d91c27a
all runs: OK
# git bisect bad ae0bec785df67a13a8740379b8b21768c6775caa
Bisecting: 36 revisions left to test after this (roughly 5 steps)
[b10ab5e2c476b69689bc0c46d309471b597c880c] Linux 4.14.145
testing commit b10ab5e2c476b69689bc0c46d309471b597c880c with gcc (GCC) 8.1.0
kernel signature: 1e8d45c513a9c190a5a87d21baf366d09a8ae5d6
all runs: OK
# git bisect bad b10ab5e2c476b69689bc0c46d309471b597c880c
Bisecting: 18 revisions left to test after this (roughly 4 steps)
[219daed86530a0f5def0405c7d01551873de708b] powerpc: Add barrier_nospec to raw_copy_in_user()
testing commit 219daed86530a0f5def0405c7d01551873de708b with gcc (GCC) 8.1.0
kernel signature: c25c5c1247b4f6a9b4c9efb8345a36cb1fca93e9
run #0: crashed: WARNING in kernfs_get
run #1: crashed: WARNING in kernfs_get
run #2: crashed: general protection fault in kernfs_add_one
run #3: crashed: WARNING: refcount bug in hci_register_dev
run #4: crashed: WARNING in kernfs_get
run #5: crashed: general protection fault in kernfs_add_one
run #6: crashed: general protection fault in kernfs_add_one
run #7: crashed: WARNING in kernfs_get
run #8: crashed: WARNING: refcount bug in hci_register_dev
run #9: crashed: WARNING in kernfs_get
# git bisect good 219daed86530a0f5def0405c7d01551873de708b
Bisecting: 9 revisions left to test after this (roughly 3 steps)
[dcd29f7a35ad77bee6ef1a192d18c56ec1f4e49b] crypto: talitos - check data blocksize in ablkcipher.
testing commit dcd29f7a35ad77bee6ef1a192d18c56ec1f4e49b with gcc (GCC) 8.1.0
kernel signature: d932e73a4e7607d523e2897788d99fe07f189f4d
all runs: OK
# git bisect bad dcd29f7a35ad77bee6ef1a192d18c56ec1f4e49b
Bisecting: 4 revisions left to test after this (roughly 2 steps)
[75183476fea19b831e5814e5144d3136f3ee09c4] PCI: Always allow probing with driver_override
testing commit 75183476fea19b831e5814e5144d3136f3ee09c4 with gcc (GCC) 8.1.0
kernel signature: 5a29fa85dfeb1b1a2d87e9fe9c369e7b2c2001c5
run #0: crashed: WARNING in kernfs_get
run #1: crashed: WARNING in kernfs_get
run #2: crashed: WARNING in kernfs_get
run #3: crashed: WARNING in kernfs_get
run #4: crashed: WARNING in kernfs_get
run #5: crashed: WARNING in kernfs_get
run #6: crashed: general protection fault in kernfs_add_one
run #7: crashed: WARNING in kernfs_get
run #8: crashed: WARNING in kernfs_get
run #9: crashed: WARNING: refcount bug in hci_register_dev
# git bisect good 75183476fea19b831e5814e5144d3136f3ee09c4
Bisecting: 2 revisions left to test after this (roughly 1 step)
[5432923a6b208b253d95d95cee72d0508c803421] driver core: Fix use-after-free and double free on glue directory
testing commit 5432923a6b208b253d95d95cee72d0508c803421 with gcc (GCC) 8.1.0
kernel signature: e8ca2f5ea4eaa1476ce943529907ccc0e0a872e3
all runs: OK
# git bisect bad 5432923a6b208b253d95d95cee72d0508c803421
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[0369bbfe7ad21c1aea7b6379542eae810c8da278] ubifs: Correctly use tnc_next() in search_dh_cookie()
testing commit 0369bbfe7ad21c1aea7b6379542eae810c8da278 with gcc (GCC) 8.1.0
kernel signature: 47cb16b5e5c409477f34576d957f3fdf9f62fb5e
run #0: crashed: WARNING in kernfs_get
run #1: crashed: WARNING in kernfs_get
run #2: crashed: WARNING: refcount bug in hci_register_dev
run #3: crashed: WARNING in kernfs_get
run #4: crashed: WARNING: refcount bug in kobj_kset_leave
run #5: crashed: WARNING in kernfs_get
run #6: crashed: WARNING in kernfs_get
run #7: crashed: WARNING in kernfs_get
run #8: crashed: WARNING in kernfs_get
run #9: crashed: WARNING in kernfs_get
# git bisect good 0369bbfe7ad21c1aea7b6379542eae810c8da278
5432923a6b208b253d95d95cee72d0508c803421 is the first bad commit
commit 5432923a6b208b253d95d95cee72d0508c803421
Author: Muchun Song
Date:   Sat Jul 27 11:21:22 2019 +0800

    driver core: Fix use-after-free and double free on glue directory

    commit ac43432cb1f5c2950408534987e57c2071e24d8f upstream.

    There is a race condition between removing a glue directory and adding a
    new device under the glue dir. It can be reproduced in the following test:

    CPU1:                                         CPU2:

    device_add()
      get_device_parent()
        class_dir_create_and_add()
          kobject_add_internal()
            create_dir()    // create glue_dir
                                                  device_add()
                                                    get_device_parent()
                                                      kobject_get() // get glue_dir
    device_del()
      cleanup_glue_dir()
        kobject_del(glue_dir)
                                                  kobject_add()
                                                    kobject_add_internal()
                                                      create_dir() // in glue_dir
                                                        sysfs_create_dir_ns()
                                                          kernfs_create_dir_ns(sd)
    sysfs_remove_dir() // glue_dir->sd=NULL
    sysfs_put()        // free glue_dir->sd
                                                            // sd is freed
                                                            kernfs_new_node(sd)
                                                              kernfs_get(glue_dir)
                                                              kernfs_add_one()
                                                              kernfs_put()

    Before CPU1 removes the last child device under the glue dir, if CPU2 adds
    a new device under the glue dir, the glue_dir kobject reference count will
    be increased to 2 via kobject_get() in get_device_parent(). And CPU2 has
    called kernfs_create_dir_ns(), but has not called kernfs_new_node().
    Meanwhile, CPU1 calls sysfs_remove_dir() and sysfs_put(). This results in
    glue_dir->sd being freed and its reference count being 0. Then CPU2 calls
    kernfs_get(glue_dir), which triggers a warning in kernfs_get() and increases
    its reference count to 1. Because glue_dir->sd is freed by CPU1, the next
    call to kernfs_add_one() by CPU2 will fail (this is also a use-after-free)
    and call kernfs_put() to decrease the reference count. Because the reference
    count is decremented to 0, it will also call kmem_cache_free() to free the
    glue_dir->sd again. This will result in a double free.

    In order to avoid this happening, we also should make sure that the
    kernfs_node for glue_dir is released in CPU1 only when the refcount for the
    glue_dir kobj is 1, to fix this race.

    The following calltrace is captured in kernel 4.14 with the following patch
    applied:

    commit 726e41097920 ("drivers: core: Remove glue dirs from sysfs earlier")

    --------------------------------------------------------------------------
    [    3.633703] WARNING: CPU: 4 PID: 513 at .../fs/kernfs/dir.c:494
                    Here is WARN_ON(!atomic_read(&kn->count)) in kernfs_get().
    ....
    [    3.633986] Call trace:
    [    3.633991]  kernfs_create_dir_ns+0xa8/0xb0
    [    3.633994]  sysfs_create_dir_ns+0x54/0xe8
    [    3.634001]  kobject_add_internal+0x22c/0x3f0
    [    3.634005]  kobject_add+0xe4/0x118
    [    3.634011]  device_add+0x200/0x870
    [    3.634017]  _request_firmware+0x958/0xc38
    [    3.634020]  request_firmware_into_buf+0x4c/0x70
    ....
    [    3.634064] kernel BUG at .../mm/slub.c:294!
                    Here is BUG_ON(object == fp) in set_freepointer().
    ....
    [    3.634346] Call trace:
    [    3.634351]  kmem_cache_free+0x504/0x6b8
    [    3.634355]  kernfs_put+0x14c/0x1d8
    [    3.634359]  kernfs_create_dir_ns+0x88/0xb0
    [    3.634362]  sysfs_create_dir_ns+0x54/0xe8
    [    3.634366]  kobject_add_internal+0x22c/0x3f0
    [    3.634370]  kobject_add+0xe4/0x118
    [    3.634374]  device_add+0x200/0x870
    [    3.634378]  _request_firmware+0x958/0xc38
    [    3.634381]  request_firmware_into_buf+0x4c/0x70
    --------------------------------------------------------------------------

    Fixes: 726e41097920 ("drivers: core: Remove glue dirs from sysfs earlier")
    Signed-off-by: Muchun Song
    Reviewed-by: Mukesh Ojha
    Signed-off-by: Prateek Sood
    Link: https://lore.kernel.org/r/20190727032122.24639-1-smuchun@gmail.com
    Signed-off-by: Greg Kroah-Hartman

 drivers/base/core.c | 53 ++++++++++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 52 insertions(+), 1 deletion(-)

kernel signature: e8ca2f5ea4eaa1476ce943529907ccc0e0a872e3
previous signature: 47cb16b5e5c409477f34576d957f3fdf9f62fb5e
revisions tested: 13, total time: 3h28m5.694892652s (build: 1h44m20.467994186s, test: 1h39m34.937387189s)
first good commit: 5432923a6b208b253d95d95cee72d0508c803421 driver core: Fix use-after-free and double free on glue directory
cc: ["gregkh@linuxfoundation.org" "mojha@codeaurora.org" "prsood@codeaurora.org" "smuchun@gmail.com"]