bisecting fixing commit since 81b6b96475ac7a4ebfceae9f16fb3758327adbfe
building syzkaller on 3a75be00f50996031dd301d44b009d56db3485f0
testing commit 81b6b96475ac7a4ebfceae9f16fb3758327adbfe with gcc (GCC) 8.1.0
kernel signature: f28d9013176b03f36b53a32884de9c1ec0db15b6
all runs: crashed: WARNING: refcount bug in cdev_get
testing current HEAD b3a987b0264d3ddbb24293ebff10eddfc472f653
testing commit b3a987b0264d3ddbb24293ebff10eddfc472f653 with gcc (GCC) 8.1.0
kernel signature: 6b1cb39b9805507c2bd795f668d26d0bba55504b
all runs: OK
# git bisect start b3a987b0264d3ddbb24293ebff10eddfc472f653 81b6b96475ac7a4ebfceae9f16fb3758327adbfe
Bisecting: 3034 revisions left to test after this (roughly 12 steps)
[d9e48dc2a71a836f17d1febbedb31470f957edb4] Merge tag 'pwm/for-5.5-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/thierry.reding/linux-pwm
testing commit d9e48dc2a71a836f17d1febbedb31470f957edb4 with gcc (GCC) 8.1.0
kernel signature: 74302b7bdae74a3f0dcd40d3b797de6418c0ac1c
all runs: crashed: WARNING: refcount bug in cdev_get
# git bisect good d9e48dc2a71a836f17d1febbedb31470f957edb4
Bisecting: 1555 revisions left to test after this (roughly 11 steps)
[138f371ddf4ff50207dbe33ebfc237e756cd6222] Merge tag 'scsi-misc' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi
testing commit 138f371ddf4ff50207dbe33ebfc237e756cd6222 with gcc (GCC) 8.1.0
kernel signature: 4cd034277e9c98697c64ddd4d730094aa391a0e0
all runs: crashed: WARNING: refcount bug in cdev_get
# git bisect good 138f371ddf4ff50207dbe33ebfc237e756cd6222
Bisecting: 780 revisions left to test after this (roughly 10 steps)
[fd7a6d2b8f1d67df76d0e863f003162b931074a1] Merge branch 'sched-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
testing commit fd7a6d2b8f1d67df76d0e863f003162b931074a1 with gcc (GCC) 8.1.0
kernel signature: 4b5ee8c26237dda743e2a379da104db9e30fbe6f
all runs: crashed: WARNING: refcount bug in cdev_get
# git bisect good fd7a6d2b8f1d67df76d0e863f003162b931074a1
Bisecting: 389 revisions left to test after this (roughly 9 steps)
[738d2902773e30939a982c8df7a7f94293659810] Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
testing commit 738d2902773e30939a982c8df7a7f94293659810 with gcc (GCC) 8.1.0
kernel signature: cf11cf8c7dcc771be14a0117a1103ef6d8175f3e
all runs: crashed: WARNING: refcount bug in cdev_get
# git bisect good 738d2902773e30939a982c8df7a7f94293659810
Bisecting: 161 revisions left to test after this (roughly 8 steps)
[a5f48c7878d2365f6ff7008e9317abbc16f68847] Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
testing commit a5f48c7878d2365f6ff7008e9317abbc16f68847 with gcc (GCC) 8.1.0
kernel signature: 7a8b7af7828d2cfdaa40683326914024f7e7b1a3
all runs: crashed: WARNING: refcount bug in cdev_get
# git bisect good a5f48c7878d2365f6ff7008e9317abbc16f68847
Bisecting: 79 revisions left to test after this (roughly 6 steps)
[b1d198c08ccc8fc794384a50c5202dbdf8eba8c6] Merge tag 'sound-5.5-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound
testing commit b1d198c08ccc8fc794384a50c5202dbdf8eba8c6 with gcc (GCC) 8.1.0
kernel signature: 9e13990bbc2f00d3ba0dd913e5c30d6601d1c96c
all runs: crashed: WARNING: refcount bug in cdev_get
# git bisect good b1d198c08ccc8fc794384a50c5202dbdf8eba8c6
Bisecting: 51 revisions left to test after this (roughly 5 steps)
[9fb7007de8a2a80e4b55a850311fca10de62f1b5] Merge tag 'char-misc-5.5-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc
testing commit 9fb7007de8a2a80e4b55a850311fca10de62f1b5 with gcc (GCC) 8.1.0
kernel signature: d5854abccd1b36f5f6402fd4c0239f867c3b999d
all runs: OK
# git bisect bad 9fb7007de8a2a80e4b55a850311fca10de62f1b5
Bisecting: 12 revisions left to test after this (roughly 4 steps)
[4e4cd21c64dadc608e569a15b56e86eb85137fc9] Merge tag 'block-5.5-2020-01-10' of git://git.kernel.dk/linux-block
testing commit 4e4cd21c64dadc608e569a15b56e86eb85137fc9 with gcc (GCC) 8.1.0
kernel signature: 52b347fe5db1fb0a322c116586bfb86e06230a75
all runs: crashed: WARNING: refcount bug in cdev_get
# git bisect good 4e4cd21c64dadc608e569a15b56e86eb85137fc9
Bisecting: 6 revisions left to test after this (roughly 3 steps)
[a9d3a9cedc1330c720e0ddde1978a8e7771da5ab] staging: comedi: adv_pci1710: fix AI channels 16-31 for PCI-1713
testing commit a9d3a9cedc1330c720e0ddde1978a8e7771da5ab with gcc (GCC) 8.1.0
kernel signature: 1ce9e3928f8eaaeb487dc6b427d4d91c8d90e8d6
all runs: crashed: WARNING: refcount bug in cdev_get
# git bisect good a9d3a9cedc1330c720e0ddde1978a8e7771da5ab
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[5a96c0bbff8690afb3a2fcfc80208cd6590f6e88] Merge tag 'tty-5.5-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty
testing commit 5a96c0bbff8690afb3a2fcfc80208cd6590f6e88 with gcc (GCC) 8.1.0
kernel signature: 834e0ec7719b189b1786c64deea4119e8c8c9924
all runs: crashed: WARNING: refcount bug in cdev_get
# git bisect good 5a96c0bbff8690afb3a2fcfc80208cd6590f6e88
Bisecting: 1 revision left to test after this (roughly 1 step)
[7da37cd0520e71707a1190022377941b9cec3b0b] Merge tag 'staging-5.5-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging
testing commit 7da37cd0520e71707a1190022377941b9cec3b0b with gcc (GCC) 8.1.0
kernel signature: 24b9a9811a5bab8b07f9a206fdfafcaa9edd81ef
all runs: crashed: WARNING: refcount bug in cdev_get
# git bisect good 7da37cd0520e71707a1190022377941b9cec3b0b
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[68faa679b8be1a74e6663c21c3a9d25d32f1c079] chardev: Avoid potential use-after-free in 'chrdev_open()'
testing commit 68faa679b8be1a74e6663c21c3a9d25d32f1c079 with gcc (GCC) 8.1.0
kernel signature: 18444dcdccfb95354c934e7b97e0fe2e6a6c65a2
all runs: OK
# git bisect bad 68faa679b8be1a74e6663c21c3a9d25d32f1c079
68faa679b8be1a74e6663c21c3a9d25d32f1c079 is the first bad commit
commit 68faa679b8be1a74e6663c21c3a9d25d32f1c079
Author: Will Deacon
Date:   Thu Dec 19 12:02:03 2019 +0000

    chardev: Avoid potential use-after-free in 'chrdev_open()'

    'chrdev_open()' calls 'cdev_get()' to obtain a reference to the
    'struct cdev *' stashed in the 'i_cdev' field of the target inode
    structure. If the pointer is NULL, then it is initialised lazily by
    looking up the kobject in the 'cdev_map' and so the whole procedure is
    protected by the 'cdev_lock' spinlock to serialise initialisation of
    the shared pointer.

    Unfortunately, it is possible for the initialising thread to fail
    *after* installing the new pointer, for example if the subsequent
    '->open()' call on the file fails. In this case, 'cdev_put()' is
    called, the reference count on the kobject is dropped and, if nobody
    else has taken a reference, the release function is called which
    finally clears 'inode->i_cdev' from 'cdev_purge()' before potentially
    freeing the object.

    The problem here is that a racing thread can happily take the
    'cdev_lock' and see the non-NULL pointer in the inode, which can
    result in a refcount increment from zero and a warning:

      | ------------[ cut here ]------------
      | refcount_t: addition on 0; use-after-free.
      | WARNING: CPU: 2 PID: 6385 at lib/refcount.c:25 refcount_warn_saturate+0x6d/0xf0
      | Modules linked in:
      | CPU: 2 PID: 6385 Comm: repro Not tainted 5.5.0-rc2+ #22
      | Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
      | RIP: 0010:refcount_warn_saturate+0x6d/0xf0
      | Code: 05 55 9a 15 01 01 e8 9d aa c8 ff 0f 0b c3 80 3d 45 9a 15 01 00 75 ce 48 c7 c7 00 9c 62 b3 c6 08
      | RSP: 0018:ffffb524c1b9bc70 EFLAGS: 00010282
      | RAX: 0000000000000000 RBX: ffff9e9da1f71390 RCX: 0000000000000000
      | RDX: ffff9e9dbbd27618 RSI: ffff9e9dbbd18798 RDI: ffff9e9dbbd18798
      | RBP: 0000000000000000 R08: 000000000000095f R09: 0000000000000039
      | R10: 0000000000000000 R11: ffffb524c1b9bb20 R12: ffff9e9da1e8c700
      | R13: ffffffffb25ee8b0 R14: 0000000000000000 R15: ffff9e9da1e8c700
      | FS:  00007f3b87d26700(0000) GS:ffff9e9dbbd00000(0000) knlGS:0000000000000000
      | CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      | CR2: 00007fc16909c000 CR3: 000000012df9c000 CR4: 00000000000006e0
      | DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      | DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      | Call Trace:
      |  kobject_get+0x5c/0x60
      |  cdev_get+0x2b/0x60
      |  chrdev_open+0x55/0x220
      |  ? cdev_put.part.3+0x20/0x20
      |  do_dentry_open+0x13a/0x390
      |  path_openat+0x2c8/0x1470
      |  do_filp_open+0x93/0x100
      |  ? selinux_file_ioctl+0x17f/0x220
      |  do_sys_open+0x186/0x220
      |  do_syscall_64+0x48/0x150
      |  entry_SYSCALL_64_after_hwframe+0x44/0xa9
      | RIP: 0033:0x7f3b87efcd0e
      | Code: 89 54 24 08 e8 a3 f4 ff ff 8b 74 24 0c 48 8b 3c 24 41 89 c0 44 8b 54 24 08 b8 01 01 00 00 89 f4
      | RSP: 002b:00007f3b87d259f0 EFLAGS: 00000293 ORIG_RAX: 0000000000000101
      | RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f3b87efcd0e
      | RDX: 0000000000000000 RSI: 00007f3b87d25a80 RDI: 00000000ffffff9c
      | RBP: 00007f3b87d25e90 R08: 0000000000000000 R09: 0000000000000000
      | R10: 0000000000000000 R11: 0000000000000293 R12: 00007ffe188f504e
      | R13: 00007ffe188f504f R14: 00007f3b87d26700 R15: 0000000000000000
      | ---[ end trace 24f53ca58db8180a ]---

    Since 'cdev_get()' can already fail to obtain a reference, simply move
    it over to use 'kobject_get_unless_zero()' instead of 'kobject_get()',
    which will cause the racing thread to return -ENXIO if the initialising
    thread fails unexpectedly.

    Cc: Hillf Danton
    Cc: Andrew Morton
    Cc: Al Viro
    Reported-by: syzbot+82defefbbd8527e1c2cb@syzkaller.appspotmail.com
    Signed-off-by: Will Deacon
    Cc: stable
    Link: https://lore.kernel.org/r/20191219120203.32691-1-will@kernel.org
    Signed-off-by: Greg Kroah-Hartman

 fs/char_dev.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

parent commit c79f46a282390e0f5b306007bf7b11a46d529538 wasn't tested
testing commit c79f46a282390e0f5b306007bf7b11a46d529538 with gcc (GCC) 8.1.0
kernel signature: c64d7b4c21508aba93a0ca5d93aa410c34da3ca6
culprit signature: 18444dcdccfb95354c934e7b97e0fe2e6a6c65a2
parent signature: c64d7b4c21508aba93a0ca5d93aa410c34da3ca6
revisions tested: 14, total time: 2h55m30.239250467s (build: 1h35m57.912478422s, test: 1h18m33.212197496s)
first good commit: 68faa679b8be1a74e6663c21c3a9d25d32f1c079 chardev: Avoid potential use-after-free in 'chrdev_open()'
cc: ["gregkh@linuxfoundation.org" "linux-fsdevel@vger.kernel.org" "linux-kernel@vger.kernel.org" "viro@zeniv.linux.org.uk" "will@kernel.org"]
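The interleaving the commit message describes, and why swapping the unconditional increment for an increment-unless-zero closes it, replayed as an added user-space C model. This is example code written for this page, not the kernel's fs/char_dev.c or kobject implementation: struct kobj, struct inode_model, run_race, race_result and try_get_from are constructed stand-ins, the lookup and cdev_lock are elided, and the window between the count reaching zero and the release running is walked in a fixed order rather than with real threads (the real window is scheduling dependent). The pre-fix variant only records that an increment started from zero; the kernel's refcount_t would additionally saturate the count when it emits that WARNING.

```c
/* Added user-space model of the cdev_get() race; not kernel code. */
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

/* Stand-in for struct kobject: a refcount plus a flag recording that the
 * release function has run, i.e. the object is "freed". */
struct kobj {
    atomic_int refcount;
    bool released;
};

/* Stand-in for the inode's lazily initialised i_cdev pointer. */
struct inode_model {
    struct kobj *i_cdev;
};

/* Pre-fix behaviour, modelled on kobject_get(): increment without looking.
 * Returns the old count so the caller can see an increment from zero,
 * which is the "refcount_t: addition on 0; use-after-free" condition. */
static int kobj_get_blind(struct kobj *k)
{
    return atomic_fetch_add_explicit(&k->refcount, 1, memory_order_relaxed);
}

/* Post-fix behaviour, modelled on kobject_get_unless_zero(): a CAS loop
 * that refuses to take a reference once the count has already hit zero. */
static bool kobj_get_unless_zero(struct kobj *k)
{
    int old = atomic_load_explicit(&k->refcount, memory_order_relaxed);
    do {
        if (old == 0)
            return false;           /* object is dying: caller sees -ENXIO */
    } while (!atomic_compare_exchange_weak_explicit(&k->refcount, &old, old + 1,
                                                    memory_order_acquire,
                                                    memory_order_relaxed));
    return true;
}

/* Drop one reference. Returns true when this drop took the count to zero,
 * so the caller now owes a kobj_release(); the gap between the two calls
 * is the race window from the commit message. */
static bool kobj_put(struct kobj *k)
{
    return atomic_fetch_sub_explicit(&k->refcount, 1, memory_order_release) == 1;
}

/* Stand-in for the release path (cdev_purge()): clear the inode's pointer,
 * then "free" the object. */
static void kobj_release(struct inode_model *inode, struct kobj *k)
{
    if (inode->i_cdev == k)
        inode->i_cdev = NULL;
    k->released = true;
}

struct race_result {
    bool warned;    /* an increment started from zero (the WARNING) */
    bool uaf;       /* thread B holds a reference to a released object */
    int b_status;   /* 0: B got a reference; -6 (ENXIO): B was refused */
};

/* Thread A is the initialising opener whose ->open() fails; thread B is
 * the racing opener that sees the non-NULL pointer. */
static struct race_result run_race(bool fixed)
{
    struct kobj k;
    struct inode_model inode = { NULL };
    struct race_result r = { false, false, 0 };
    struct kobj *b_ref = NULL;

    atomic_init(&k.refcount, 0);
    k.released = false;

    /* A: i_cdev was NULL, so A looks the object up and installs the pointer;
     * the lookup hands A the first reference (0 -> 1). */
    atomic_store(&k.refcount, 1);
    inode.i_cdev = &k;

    /* A: ->open() fails, so A drops its reference. The count is now zero,
     * but the release (and the clearing of i_cdev) has not run yet. */
    bool must_release = kobj_put(&k);

    /* B: sees the still non-NULL i_cdev and tries to take a reference. */
    struct kobj *p = inode.i_cdev;
    if (fixed) {
        if (kobj_get_unless_zero(p))
            b_ref = p;
        else
            r.b_status = -6;        /* -ENXIO back to the opener, as after the fix */
    } else {
        if (kobj_get_blind(p) == 0)
            r.warned = true;        /* refcount_t would WARN here */
        b_ref = p;
    }

    /* A: the release finally runs; i_cdev is cleared and the object freed. */
    if (must_release)
        kobj_release(&inode, &k);

    r.uaf = (b_ref != NULL && b_ref->released);
    return r;
}

/* Helper for checking the CAS loop in isolation: start a fresh object at
 * 'start', attempt one guarded get, return the resulting count or -1 if
 * the get was refused. */
static int try_get_from(int start)
{
    struct kobj k;
    atomic_init(&k.refcount, start);
    k.released = false;
    if (!kobj_get_unless_zero(&k))
        return -1;
    return atomic_load(&k.refcount);
}

int main(void)
{
    struct race_result before = run_race(false);
    struct race_result after = run_race(true);
    printf("kobject_get:             warned=%d uaf=%d\n", before.warned, before.uaf);
    printf("kobject_get_unless_zero: status=%d uaf=%d\n", after.b_status, after.uaf);
    return 0;
}
```

The guarded get does not close the window by itself; it only makes the racing opener fail cleanly instead of resurrecting an object that is already on its way to being freed, which is exactly the fallback 'chrdev_open()' already had for a failed 'cdev_get()'.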