bisecting fixing commit since aec3002d07fd2564cd32e56f126fa6db14a168bb
building syzkaller on 7509bf360eba1461ac6059e4cacfbc29c9d2d4c7
testing commit aec3002d07fd2564cd32e56f126fa6db14a168bb with gcc (GCC) 8.1.0
kernel signature: 3f706e4cd0c1ced2670a925dd62e5a9007accdd7
run #0: crashed: WARNING: refcount bug in hci_register_dev
run #1: crashed: WARNING: refcount bug in hci_register_dev
run #2: crashed: WARNING in kernfs_get
run #3: crashed: WARNING: refcount bug in hci_register_dev
run #4: crashed: WARNING in kernfs_get
run #5: crashed: WARNING in kernfs_get
run #6: crashed: WARNING in kernfs_get
run #7: crashed: WARNING: refcount bug in hci_register_dev
run #8: crashed: WARNING in kernfs_get
run #9: crashed: WARNING: refcount bug in hci_register_dev
testing current HEAD 174651bdf802a2139065e8e31ce950e2f3fc4a94
testing commit 174651bdf802a2139065e8e31ce950e2f3fc4a94 with gcc (GCC) 8.1.0
kernel signature: 2f04918524e9c8e00af9a981fd4ed179bd57e513
all runs: OK
# git bisect start 174651bdf802a2139065e8e31ce950e2f3fc4a94 aec3002d07fd2564cd32e56f126fa6db14a168bb
Bisecting: 1835 revisions left to test after this (roughly 11 steps)
[ad58ce6cacd1b7447054f35fa6bb39f6b655a941] nvme-multipath: fix ana log nsid lookup when nsid is not found
testing commit ad58ce6cacd1b7447054f35fa6bb39f6b655a941 with gcc (GCC) 8.1.0
kernel signature: 18e65603d27d2ec818f902da70729536df764d14
all runs: OK
# git bisect bad ad58ce6cacd1b7447054f35fa6bb39f6b655a941
Bisecting: 917 revisions left to test after this (roughly 10 steps)
[c9a1c10487b988d664f318a69962ac71dba0db90] loop: set PF_MEMALLOC_NOIO for the worker thread
testing commit c9a1c10487b988d664f318a69962ac71dba0db90 with gcc (GCC) 8.1.0
kernel signature: 4d5a9cecc02ef58fdd0a4574c8470f8d25ddc0b7
run #0: crashed: WARNING in kernfs_get
run #1: crashed: WARNING in kernfs_get
run #2: crashed: WARNING: refcount bug in hci_register_dev
run #3: crashed: WARNING in kernfs_get
run #4: crashed: WARNING in kernfs_get
run #5: crashed: WARNING: refcount bug in hci_register_dev
run #6: crashed: general protection fault in kernfs_add_one
run #7: crashed: general protection fault in kernfs_add_one
run #8: crashed: WARNING in kernfs_get
run #9: crashed: WARNING in kernfs_get
# git bisect good c9a1c10487b988d664f318a69962ac71dba0db90
Bisecting: 458 revisions left to test after this (roughly 9 steps)
[8e91cc7f7f916d5ce310026591d549aa5bf5952d] drm/amdgpu: Update gc_9_0 golden settings.
testing commit 8e91cc7f7f916d5ce310026591d549aa5bf5952d with gcc (GCC) 8.1.0
kernel signature: a73c6f7725a4c7a9508e72b7247958e32a08b36a
run #0: crashed: WARNING: refcount bug in hci_register_dev
run #1: crashed: WARNING: refcount bug in kobj_kset_leave
run #2: crashed: WARNING in kernfs_get
run #3: crashed: WARNING in kernfs_get
run #4: crashed: WARNING: refcount bug in hci_register_dev
run #5: crashed: WARNING: refcount bug in hci_register_dev
run #6: crashed: WARNING: refcount bug in hci_register_dev
run #7: crashed: general protection fault in kernfs_add_one
run #8: crashed: WARNING: refcount bug in hci_register_dev
run #9: crashed: WARNING: refcount bug in hci_register_dev
# git bisect good 8e91cc7f7f916d5ce310026591d549aa5bf5952d
Bisecting: 229 revisions left to test after this (roughly 8 steps)
[1a85d5819adeb09114379d87e1b8edc6a7f151bd] ARM: OMAP1: ams-delta-fiq: Fix missing irq_ack
testing commit 1a85d5819adeb09114379d87e1b8edc6a7f151bd with gcc (GCC) 8.1.0
kernel signature: 95e6c99d5a2a7d2cd36988d4b02b97beeb2ef196
all runs: OK
# git bisect bad 1a85d5819adeb09114379d87e1b8edc6a7f151bd
Bisecting: 114 revisions left to test after this (roughly 7 steps)
[74ce13331db90a855f61d65daa56908c8733c128] KVM: VMX: Always signal #GP on WRMSR to MSR_IA32_CR_PAT with bad value
testing commit 74ce13331db90a855f61d65daa56908c8733c128 with gcc (GCC) 8.1.0
kernel signature: cb751f8a2ee36b803c4005e01cb024de47fdac26
run #0: crashed: WARNING: refcount bug in hci_register_dev
run #1: crashed: WARNING in kernfs_get
run #2: crashed: WARNING in kernfs_get
run #3: crashed: general protection fault in kernfs_add_one
run #4: crashed: WARNING in hci_unregister_dev
run #5: crashed: WARNING in kernfs_get
run #6: crashed: WARNING: refcount bug in hci_register_dev
run #7: crashed: WARNING in hci_unregister_dev
run #8: crashed: WARNING in kernfs_get
run #9: crashed: WARNING in kernfs_get
# git bisect good 74ce13331db90a855f61d65daa56908c8733c128
Bisecting: 57 revisions left to test after this (roughly 6 steps)
[991b3458da5642a395149a72a058c2112ab46c28] genirq: Prevent NULL pointer dereference in resend_irqs()
testing commit 991b3458da5642a395149a72a058c2112ab46c28 with gcc (GCC) 8.1.0
kernel signature: d815a89063e33bcc3c1efa39122c914c10f7cfb8
run #0: crashed: WARNING in kernfs_get
run #1: crashed: WARNING: refcount bug in hci_register_dev
run #2: crashed: WARNING in kernfs_get
run #3: crashed: WARNING in kernfs_get
run #4: crashed: WARNING in kernfs_get
run #5: crashed: WARNING: refcount bug in hci_register_dev
run #6: crashed: WARNING: refcount bug in hci_register_dev
run #7: crashed: general protection fault in kernfs_add_one
run #8: crashed: WARNING in hci_unregister_dev
run #9: crashed: WARNING in kernfs_get
# git bisect good 991b3458da5642a395149a72a058c2112ab46c28
Bisecting: 28 revisions left to test after this (roughly 5 steps)
[96c08711fc666d3d2b03dd9c6b9fbe6a4d6aea59] nvmem: Use the same permissions for eeprom as for nvmem
testing commit 96c08711fc666d3d2b03dd9c6b9fbe6a4d6aea59 with gcc (GCC) 8.1.0
kernel signature: 04086fc1beeb34b5363107dabe8693a3ed22b0e3
all runs: OK
# git bisect bad 96c08711fc666d3d2b03dd9c6b9fbe6a4d6aea59
Bisecting: 14 revisions left to test after this (roughly 4 steps)
[39fa02a36bb37075670c0962b1f1b8cbd296de55] crypto: talitos - check AES key size
testing commit 39fa02a36bb37075670c0962b1f1b8cbd296de55 with gcc (GCC) 8.1.0
kernel signature: be046e7f249eb326c4b792c76acc46c50bfc7a14
all runs: OK
# git bisect bad 39fa02a36bb37075670c0962b1f1b8cbd296de55
Bisecting: 6 revisions left to test after this (roughly 3 steps)
[a63416f39aaff117590665e485f0905d406c3fce] drm/meson: Add support for XBGR8888 & ABGR8888 formats
testing commit a63416f39aaff117590665e485f0905d406c3fce with gcc (GCC) 8.1.0
kernel signature: 2ff805670bd668298f182b4b13caae530a158cbb
run #0: crashed: WARNING: refcount bug in hci_register_dev
run #1: crashed: WARNING in kernfs_get
run #2: crashed: WARNING in rfkill_unregister
run #3: crashed: WARNING: refcount bug in hci_register_dev
run #4: crashed: WARNING in kernfs_get
run #5: crashed: WARNING: refcount bug in hci_register_dev
run #6: crashed: WARNING: refcount bug in kobj_kset_leave
run #7: crashed: WARNING in kernfs_get
run #8: crashed: WARNING: refcount bug in hci_register_dev
run #9: crashed: WARNING in kernfs_get
# git bisect good a63416f39aaff117590665e485f0905d406c3fce
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[0f4095f335578f0e32f71a7b95985d82f34fe7f6] PCI: Always allow probing with driver_override
testing commit 0f4095f335578f0e32f71a7b95985d82f34fe7f6 with gcc (GCC) 8.1.0
kernel signature: f81ac3e2cead4196db36590feb2aa6bf48c60fd1
run #0: crashed: WARNING in kernfs_get
run #1: crashed: WARNING in kernfs_get
run #2: crashed: WARNING in kernfs_get
run #3: crashed: WARNING in kernfs_get
run #4: crashed: WARNING: refcount bug in hci_register_dev
run #5: crashed: WARNING in kernfs_get
run #6: crashed: WARNING in kernfs_get
run #7: crashed: WARNING in kernfs_get
run #8: crashed: WARNING in kernfs_get
run #9: crashed: WARNING in kernfs_get
# git bisect good 0f4095f335578f0e32f71a7b95985d82f34fe7f6
Bisecting: 1 revision left to test after this (roughly 1 step)
[72cd230b3231ec1ad4facf90a98f20c30e5f57cb] ubifs: Correctly use tnc_next() in search_dh_cookie()
testing commit 72cd230b3231ec1ad4facf90a98f20c30e5f57cb with gcc (GCC) 8.1.0
kernel signature: 8eafdfee34d95d18d50a344bb2b5bd2bd6ea1a27
run #0: crashed: WARNING: refcount bug in hci_register_dev
run #1: crashed: WARNING in kernfs_get
run #2: crashed: WARNING in kernfs_get
run #3: crashed: WARNING in kernfs_get
run #4: crashed: WARNING in kernfs_get
run #5: crashed: WARNING in kernfs_get
run #6: crashed: WARNING: refcount bug in hci_register_dev
run #7: crashed: general protection fault in kernfs_add_one
run #8: crashed: WARNING in kernfs_get
run #9: crashed: WARNING in kernfs_get
# git bisect good 72cd230b3231ec1ad4facf90a98f20c30e5f57cb
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[e1666bcbae0c5edb6d7a752b31a8f28c59b54546] driver core: Fix use-after-free and double free on glue directory
testing commit e1666bcbae0c5edb6d7a752b31a8f28c59b54546 with gcc (GCC) 8.1.0
kernel signature: 0517fdb190a5eb8f31f338a40bb942de461b24a0
all runs: OK
# git bisect bad e1666bcbae0c5edb6d7a752b31a8f28c59b54546
e1666bcbae0c5edb6d7a752b31a8f28c59b54546 is the first bad commit
commit e1666bcbae0c5edb6d7a752b31a8f28c59b54546
Author: Muchun Song
Date:   Sat Jul 27 11:21:22 2019 +0800

    driver core: Fix use-after-free and double free on glue directory

    commit ac43432cb1f5c2950408534987e57c2071e24d8f upstream.

    There is a race condition between removing glue directory and adding a new
    device under the glue dir. It can be reproduced in following test:

    CPU1:                                         CPU2:

    device_add()
      get_device_parent()
        class_dir_create_and_add()
          kobject_add_internal()
            create_dir()    // create glue_dir
                                                  device_add()
                                                    get_device_parent()
                                                      kobject_get() // get glue_dir
    device_del()
      cleanup_glue_dir()
        kobject_del(glue_dir)
                                                    kobject_add()
                                                      kobject_add_internal()
                                                        create_dir() // in glue_dir
                                                          sysfs_create_dir_ns()
                                                            kernfs_create_dir_ns(sd)
          sysfs_remove_dir() // glue_dir->sd=NULL
          sysfs_put()        // free glue_dir->sd
                                                              // sd is freed
                                                              kernfs_new_node(sd)
                                                                kernfs_get(glue_dir)
                                                                kernfs_add_one()
                                                                kernfs_put()

    Before CPU1 removes the last child device under glue dir, if CPU2 adds a new
    device under glue dir, the glue_dir kobject reference count will be increased
    to 2 via kobject_get() in get_device_parent(). And CPU2 has called
    kernfs_create_dir_ns(), but not yet kernfs_new_node(). Meanwhile, CPU1 calls
    sysfs_remove_dir() and sysfs_put(). This results in glue_dir->sd being freed
    and its reference count being 0. Then CPU2 calling kernfs_get(glue_dir) will
    trigger a warning in kernfs_get() and increase its reference count to 1.
    Because glue_dir->sd is freed by CPU1, the next call to kernfs_add_one() by
    CPU2 will fail (this is also a use-after-free) and call kernfs_put() to
    decrease the reference count. Because the reference count is decremented to
    0, it will also call kmem_cache_free() to free the glue_dir->sd again. This
    will result in a double free.

    In order to avoid this happening, we also should make sure that the
    kernfs_node for glue_dir is released in CPU1 only when the refcount for the
    glue_dir kobj is 1 to fix this race.

    The following calltrace is captured in kernel 4.14 with the following patch
    applied:

    commit 726e41097920 ("drivers: core: Remove glue dirs from sysfs earlier")

    --------------------------------------------------------------------------

    [    3.633703] WARNING: CPU: 4 PID: 513 at .../fs/kernfs/dir.c:494
            Here is WARN_ON(!atomic_read(&kn->count) in kernfs_get().
    ....
    [    3.633986] Call trace:
    [    3.633991]  kernfs_create_dir_ns+0xa8/0xb0
    [    3.633994]  sysfs_create_dir_ns+0x54/0xe8
    [    3.634001]  kobject_add_internal+0x22c/0x3f0
    [    3.634005]  kobject_add+0xe4/0x118
    [    3.634011]  device_add+0x200/0x870
    [    3.634017]  _request_firmware+0x958/0xc38
    [    3.634020]  request_firmware_into_buf+0x4c/0x70
    ....
    [    3.634064] kernel BUG at .../mm/slub.c:294!
            Here is BUG_ON(object == fp) in set_freepointer().
    ....
    [    3.634346] Call trace:
    [    3.634351]  kmem_cache_free+0x504/0x6b8
    [    3.634355]  kernfs_put+0x14c/0x1d8
    [    3.634359]  kernfs_create_dir_ns+0x88/0xb0
    [    3.634362]  sysfs_create_dir_ns+0x54/0xe8
    [    3.634366]  kobject_add_internal+0x22c/0x3f0
    [    3.634370]  kobject_add+0xe4/0x118
    [    3.634374]  device_add+0x200/0x870
    [    3.634378]  _request_firmware+0x958/0xc38
    [    3.634381]  request_firmware_into_buf+0x4c/0x70

    --------------------------------------------------------------------------

    Fixes: 726e41097920 ("drivers: core: Remove glue dirs from sysfs earlier")
    Signed-off-by: Muchun Song
    Reviewed-by: Mukesh Ojha
    Signed-off-by: Prateek Sood
    Link: https://lore.kernel.org/r/20190727032122.24639-1-smuchun@gmail.com
    Signed-off-by: Greg Kroah-Hartman

 drivers/base/core.c | 53 ++++++++++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 52 insertions(+), 1 deletion(-)

kernel signature: 0517fdb190a5eb8f31f338a40bb942de461b24a0
previous signature: 8eafdfee34d95d18d50a344bb2b5bd2bd6ea1a27
revisions tested: 14, total time: 3h35m57.863249423s (build: 1h55m49.273828646s, test: 1h35m27.305183557s)
first good commit: e1666bcbae0c5edb6d7a752b31a8f28c59b54546 driver core: Fix use-after-free and double free on glue directory
cc: ["gregkh@linuxfoundation.org" "mojha@codeaurora.org" "prsood@codeaurora.org" "smuchun@gmail.com"]