bisecting fixing commit since 97ab07e11fbf55c86c3758e07ab295028bf17f94
building syzkaller on bad3cce26cf7f426903060995fd9fde0532ff2af
testing commit 97ab07e11fbf55c86c3758e07ab295028bf17f94 with gcc (GCC) 8.1.0
kernel signature: 3b6fc526df6b6e58bff657db4e92a3dcd35046b3
run #0: crashed: WARNING: refcount bug in hci_register_dev
run #1: crashed: WARNING: refcount bug in hci_register_dev
run #2: crashed: general protection fault in kernfs_add_one
run #3: crashed: WARNING: refcount bug in hci_register_dev
run #4: crashed: WARNING in kernfs_get
run #5: crashed: WARNING in kernfs_get
run #6: crashed: WARNING in kernfs_get
run #7: crashed: WARNING in kernfs_get
run #8: crashed: WARNING in kernfs_get
run #9: crashed: WARNING in rfkill_unregister
testing current HEAD fb683b5e3f53a73e761952735736180939a313df
testing commit fb683b5e3f53a73e761952735736180939a313df with gcc (GCC) 8.1.0
kernel signature: 6b99d8f17bf5c29d73515a53d38965a05ed8088c
all runs: OK
# git bisect start fb683b5e3f53a73e761952735736180939a313df 97ab07e11fbf55c86c3758e07ab295028bf17f94
Bisecting: 1404 revisions left to test after this (roughly 11 steps)
[a81a4637456b75e6e2b2a81911c4ea960c7f8cae] HID: wacom: generic: Treat serial number and related fields as unsigned
testing commit a81a4637456b75e6e2b2a81911c4ea960c7f8cae with gcc (GCC) 8.1.0
kernel signature: 7e76ee3329a0640140ab095c8250da6144b8f610
all runs: OK
# git bisect bad a81a4637456b75e6e2b2a81911c4ea960c7f8cae
Bisecting: 702 revisions left to test after this (roughly 10 steps)
[8225db4a70b2425f21d8108c30d78bbbca9d275c] parisc: Disable HP HSC-PCI Cards to prevent kernel crash
testing commit 8225db4a70b2425f21d8108c30d78bbbca9d275c with gcc (GCC) 8.1.0
kernel signature: 870dd1f966c92930fcfe5245904914d3f22a9e13
all runs: OK
# git bisect bad 8225db4a70b2425f21d8108c30d78bbbca9d275c
Bisecting: 350 revisions left to test after this (roughly 9 steps)
[821302dd0c51d29269ef73a595bdff294419e2cd] net: gso: Fix skb_segment splat when splitting gso_size mangled skb having linear-headed frag_list
testing commit 821302dd0c51d29269ef73a595bdff294419e2cd with gcc (GCC) 8.1.0
kernel signature: 521bbb9a5b884f46a0d62d5158695abeed28f2dc
run #0: crashed: WARNING in kernfs_get
run #1: crashed: WARNING in kernfs_get
run #2: crashed: WARNING in kernfs_get
run #3: crashed: WARNING in kernfs_get
run #4: crashed: WARNING in rfkill_unregister
run #5: crashed: general protection fault in kernfs_add_one
run #6: crashed: WARNING in kernfs_get
run #7: crashed: WARNING in kernfs_get
run #8: crashed: WARNING: refcount bug in hci_register_dev
run #9: crashed: WARNING in kernfs_get
# git bisect good 821302dd0c51d29269ef73a595bdff294419e2cd
Bisecting: 175 revisions left to test after this (roughly 8 steps)
[303f6d6bbc0ca5411d1d699742b1ad2770597a71] f2fs: fix to do sanity check on segment bitmap of LFS curseg
testing commit 303f6d6bbc0ca5411d1d699742b1ad2770597a71 with gcc (GCC) 8.1.0
kernel signature: 36a5cf9d27d63961ded2e45b0a8119ed2c3e8607
all runs: OK
# git bisect bad 303f6d6bbc0ca5411d1d699742b1ad2770597a71
Bisecting: 87 revisions left to test after this (roughly 7 steps)
[7d4201ff9f7302a7a91a6171b47362b5b0003661] batman-adv: Only read OGM2 tvlv_len after buffer len check
testing commit 7d4201ff9f7302a7a91a6171b47362b5b0003661 with gcc (GCC) 8.1.0
kernel signature: 48a50d4c1eda83801605357163c6fabf48b53e61
all runs: OK
# git bisect bad 7d4201ff9f7302a7a91a6171b47362b5b0003661
Bisecting: 43 revisions left to test after this (roughly 6 steps)
[9d587fe2cd70f9fe10de6f82aab3498683b73bb6] x86/build: Add -Wnoaddress-of-packed-member to REALMODE_CFLAGS, to silence GCC9 build warning
testing commit 9d587fe2cd70f9fe10de6f82aab3498683b73bb6 with gcc (GCC) 8.1.0
kernel signature: fc56aa5f437f98493f7c14b1d1af4d37064feaf5
all runs: OK
# git bisect bad 9d587fe2cd70f9fe10de6f82aab3498683b73bb6
Bisecting: 21 revisions left to test after this (roughly 5 steps)
[6da56f8982bbe7821f1c41bce0963fa896af7d96] clk: rockchip: Don't yell about bad mmc phases when getting
testing commit 6da56f8982bbe7821f1c41bce0963fa896af7d96 with gcc (GCC) 8.1.0
kernel signature: 40809dff09ea0fc2a39fe27b3818d0994b9daf5d
run #0: crashed: WARNING in kernfs_get
run #1: crashed: WARNING in kernfs_get
run #2: crashed: WARNING in kernfs_get
run #3: crashed: WARNING in kernfs_get
run #4: crashed: WARNING in kernfs_get
run #5: crashed: WARNING in kernfs_get
run #6: crashed: WARNING: refcount bug in hci_register_dev
run #7: crashed: WARNING in kernfs_get
run #8: crashed: WARNING in kernfs_get
run #9: crashed: WARNING in rfkill_unregister
# git bisect good 6da56f8982bbe7821f1c41bce0963fa896af7d96
Bisecting: 10 revisions left to test after this (roughly 4 steps)
[3dfc787f2f50e153f6f36beeee6e1a68dac0b585] crypto: talitos - HMAC SNOOP NO AFEU mode requires SW icv checking.
testing commit 3dfc787f2f50e153f6f36beeee6e1a68dac0b585 with gcc (GCC) 8.1.0
kernel signature: 360a39cb3f3dfb4dfb148d1403c82e2ce0d593fc
all runs: OK
# git bisect bad 3dfc787f2f50e153f6f36beeee6e1a68dac0b585
Bisecting: 5 revisions left to test after this (roughly 3 steps)
[e1666bcbae0c5edb6d7a752b31a8f28c59b54546] driver core: Fix use-after-free and double free on glue directory
testing commit e1666bcbae0c5edb6d7a752b31a8f28c59b54546 with gcc (GCC) 8.1.0
kernel signature: b2e449ae23bbe817334bb3726dcbf7c5fa3c5082
all runs: OK
# git bisect bad e1666bcbae0c5edb6d7a752b31a8f28c59b54546
Bisecting: 2 revisions left to test after this (roughly 1 step)
[0f4095f335578f0e32f71a7b95985d82f34fe7f6] PCI: Always allow probing with driver_override
testing commit 0f4095f335578f0e32f71a7b95985d82f34fe7f6 with gcc (GCC) 8.1.0
kernel signature: 31d18b2e27c590d0cf37afd20f37a956306b19e9
run #0: crashed: WARNING in kernfs_get
run #1: crashed: WARNING in kernfs_get
run #2: crashed: WARNING in kernfs_get
run #3: crashed: WARNING: refcount bug in hci_register_dev
run #4: crashed: WARNING in kernfs_get
run #5: crashed: WARNING in kernfs_get
run #6: crashed: WARNING in kernfs_get
run #7: crashed: WARNING: refcount bug in hci_register_dev
run #8: crashed: general protection fault in corrupted
run #9: crashed: WARNING: refcount bug in hci_register_dev
# git bisect good 0f4095f335578f0e32f71a7b95985d82f34fe7f6
Bisecting: 0 revisions left to test after this (roughly 1 step)
[72cd230b3231ec1ad4facf90a98f20c30e5f57cb] ubifs: Correctly use tnc_next() in search_dh_cookie()
testing commit 72cd230b3231ec1ad4facf90a98f20c30e5f57cb with gcc (GCC) 8.1.0
kernel signature: 147b1cf58fad5e571e19369071a097527a7a916f
run #0: crashed: WARNING in kernfs_get
run #1: crashed: WARNING in rfkill_unregister
run #2: crashed: WARNING in kernfs_get
run #3: crashed: WARNING: refcount bug in hci_register_dev
run #4: crashed: general protection fault in kernfs_add_one
run #5: crashed: WARNING: refcount bug in hci_register_dev
run #6: crashed: WARNING in kernfs_get
run #7: crashed: WARNING in kernfs_get
run #8: crashed: WARNING in kernfs_get
run #9: crashed: WARNING in kernfs_get
# git bisect good 72cd230b3231ec1ad4facf90a98f20c30e5f57cb
e1666bcbae0c5edb6d7a752b31a8f28c59b54546 is the first bad commit
commit e1666bcbae0c5edb6d7a752b31a8f28c59b54546
Author: Muchun Song
Date:   Sat Jul 27 11:21:22 2019 +0800

    driver core: Fix use-after-free and double free on glue directory

    commit ac43432cb1f5c2950408534987e57c2071e24d8f upstream.

    There is a race condition between removing glue directory and adding a new
    device under the glue dir. It can be reproduced in following test:

    CPU1:                                         CPU2:

    device_add()
      get_device_parent()
        class_dir_create_and_add()
          kobject_add_internal()
            create_dir()    // create glue_dir

                                                  device_add()
                                                    get_device_parent()
                                                      kobject_get() // get glue_dir

    device_del()
      cleanup_glue_dir()
        kobject_del(glue_dir)

                                                    kobject_add()
                                                      kobject_add_internal()
                                                        create_dir() // in glue_dir
                                                          sysfs_create_dir_ns()
                                                            kernfs_create_dir_ns(sd)

          sysfs_remove_dir() // glue_dir->sd=NULL
          sysfs_put()        // free glue_dir->sd

                                                              // sd is freed
                                                              kernfs_new_node(sd)
                                                                kernfs_get(glue_dir)
                                                                kernfs_add_one()
                                                                kernfs_put()

    Before CPU1 removes the last child device under the glue dir, if CPU2 adds
    a new device under the glue dir, the glue_dir kobject reference count will
    be increased to 2 via kobject_get() in get_device_parent(). And CPU2 has
    called kernfs_create_dir_ns(), but not yet kernfs_new_node(). Meanwhile,
    CPU1 calls sysfs_remove_dir() and sysfs_put(). This results in glue_dir->sd
    being freed and its reference count being 0. Then CPU2 calling
    kernfs_get(glue_dir) will trigger a warning in kernfs_get() and increase
    its reference count to 1. Because glue_dir->sd is freed by CPU1, the next
    call to kernfs_add_one() by CPU2 will fail (this is also a use-after-free)
    and call kernfs_put() to decrease the reference count. Because the
    reference count is decremented to 0, it will also call kmem_cache_free()
    to free glue_dir->sd again. This will result in a double free.

    In order to avoid this happening, we also should make sure that the
    kernfs_node for glue_dir is released in CPU1 only when the refcount for
    the glue_dir kobj is 1, to fix this race.

    The following calltrace is captured in kernel 4.14 with the following patch
    applied:

    commit 726e41097920 ("drivers: core: Remove glue dirs from sysfs earlier")

    --------------------------------------------------------------------------
    [    3.633703] WARNING: CPU: 4 PID: 513 at .../fs/kernfs/dir.c:494
                   Here is WARN_ON(!atomic_read(&kn->count) in kernfs_get().
    ....
    [    3.633986] Call trace:
    [    3.633991]  kernfs_create_dir_ns+0xa8/0xb0
    [    3.633994]  sysfs_create_dir_ns+0x54/0xe8
    [    3.634001]  kobject_add_internal+0x22c/0x3f0
    [    3.634005]  kobject_add+0xe4/0x118
    [    3.634011]  device_add+0x200/0x870
    [    3.634017]  _request_firmware+0x958/0xc38
    [    3.634020]  request_firmware_into_buf+0x4c/0x70
    ....
    [    3.634064] kernel BUG at .../mm/slub.c:294!
                   Here is BUG_ON(object == fp) in set_freepointer().
    ....
    [    3.634346] Call trace:
    [    3.634351]  kmem_cache_free+0x504/0x6b8
    [    3.634355]  kernfs_put+0x14c/0x1d8
    [    3.634359]  kernfs_create_dir_ns+0x88/0xb0
    [    3.634362]  sysfs_create_dir_ns+0x54/0xe8
    [    3.634366]  kobject_add_internal+0x22c/0x3f0
    [    3.634370]  kobject_add+0xe4/0x118
    [    3.634374]  device_add+0x200/0x870
    [    3.634378]  _request_firmware+0x958/0xc38
    [    3.634381]  request_firmware_into_buf+0x4c/0x70
    --------------------------------------------------------------------------

    Fixes: 726e41097920 ("drivers: core: Remove glue dirs from sysfs earlier")
    Signed-off-by: Muchun Song
    Reviewed-by: Mukesh Ojha
    Signed-off-by: Prateek Sood
    Link: https://lore.kernel.org/r/20190727032122.24639-1-smuchun@gmail.com
    Signed-off-by: Greg Kroah-Hartman

 drivers/base/core.c | 53 ++++++++++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 52 insertions(+), 1 deletion(-)

kernel signature: b2e449ae23bbe817334bb3726dcbf7c5fa3c5082
previous signature: 147b1cf58fad5e571e19369071a097527a7a916f
revisions tested: 13, total time: 3h40m9.333240461s (build: 1h50m7.453025084s, test: 1h48m19.447756169s)
first good commit: e1666bcbae0c5edb6d7a752b31a8f28c59b54546 driver core: Fix use-after-free and double free on glue directory
cc: ["gregkh@linuxfoundation.org" "mojha@codeaurora.org" "prsood@codeaurora.org" "smuchun@gmail.com"]