bisecting fixing commit since c98875d930e915d01e8c40c7d3c16f00b3c8abe1
building syzkaller on f46aabc8c612c04f848f319670af5fb64e7fbcc9
testing commit c98875d930e915d01e8c40c7d3c16f00b3c8abe1 with gcc (GCC) 8.1.0
kernel signature: b53de6c29115e858e477295637a2478574093992
run #0: crashed: WARNING in kernfs_get
run #1: crashed: WARNING: refcount bug in hci_register_dev
run #2: crashed: WARNING in kernfs_get
run #3: crashed: WARNING in kernfs_get
run #4: crashed: WARNING in kernfs_get
run #5: crashed: WARNING: refcount bug in hci_register_dev
run #6: crashed: WARNING in kernfs_get
run #7: crashed: WARNING in kernfs_get
run #8: crashed: WARNING: refcount bug in hci_register_dev
run #9: crashed: WARNING in kernfs_get
testing current HEAD fb683b5e3f53a73e761952735736180939a313df
testing commit fb683b5e3f53a73e761952735736180939a313df with gcc (GCC) 8.1.0
kernel signature: 720d914a660cf5940fabf36027a187f05a989f00
all runs: OK
# git bisect start fb683b5e3f53a73e761952735736180939a313df c98875d930e915d01e8c40c7d3c16f00b3c8abe1
Bisecting: 2807 revisions left to test after this (roughly 12 steps)
[7436dc2adeff1c7f018e8b48d049c81a7f4099d6] nvme-multipath: revalidate nvme_ns_head gendisk in nvme_validate_ns
testing commit 7436dc2adeff1c7f018e8b48d049c81a7f4099d6 with gcc (GCC) 8.1.0
kernel signature: 963cc393123786b457ca917052ff5431835b6405
run #0: crashed: general protection fault in kernfs_add_one
run #1: crashed: WARNING in kernfs_put
run #2: crashed: WARNING in kernfs_get
run #3: crashed: WARNING in kernfs_get
run #4: crashed: WARNING in kernfs_get
run #5: crashed: WARNING in kernfs_get
run #6: crashed: WARNING in kernfs_get
run #7: crashed: WARNING in kernfs_get
run #8: crashed: general protection fault in kernfs_add_one
run #9: crashed: WARNING: refcount bug in kobj_kset_leave
# git bisect good 7436dc2adeff1c7f018e8b48d049c81a7f4099d6
Bisecting: 1403 revisions left to test after this (roughly 11 steps)
[9a06efc745c37e62888142671e23624f136c3117] soundwire: depend on ACPI
testing commit 9a06efc745c37e62888142671e23624f136c3117 with gcc (GCC) 8.1.0
kernel signature: e1924ed9bbd5556daa308ac98e28f68e03a85986
all runs: OK
# git bisect bad 9a06efc745c37e62888142671e23624f136c3117
Bisecting: 701 revisions left to test after this (roughly 10 steps)
[933e3e2b5070058097089d77281ce2704d031070] KVM: x86: set ctxt->have_exception in x86_decode_insn()
testing commit 933e3e2b5070058097089d77281ce2704d031070 with gcc (GCC) 8.1.0
kernel signature: 75a3d119f598fb0de3c0d9b98dbcdeb411918a7b
all runs: OK
# git bisect bad 933e3e2b5070058097089d77281ce2704d031070
Bisecting: 350 revisions left to test after this (roughly 9 steps)
[a7f46e18ecfe7e169e9f5f6e4afeceb26527769a] net: sched: fix reordering issues
testing commit a7f46e18ecfe7e169e9f5f6e4afeceb26527769a with gcc (GCC) 8.1.0
kernel signature: 1f19f37bb78f469c0173b363d06d4db029db2271
run #0: crashed: WARNING: refcount bug in hci_register_dev
run #1: crashed: WARNING in kernfs_get
run #2: crashed: WARNING in kernfs_get
run #3: crashed: WARNING: refcount bug in hci_register_dev
run #4: crashed: WARNING in kernfs_get
run #5: crashed: WARNING in kernfs_get
run #6: crashed: WARNING in kernfs_get
run #7: crashed: WARNING in kernfs_get
run #8: crashed: WARNING in kernfs_get
run #9: crashed: WARNING in rfkill_unregister
# git bisect good a7f46e18ecfe7e169e9f5f6e4afeceb26527769a
Bisecting: 175 revisions left to test after this (roughly 8 steps)
[8ffd7ba9ffb1e332c092a7523dc76de9d0958bd1] net: don't warn in inet diag when IPV6 is disabled
testing commit 8ffd7ba9ffb1e332c092a7523dc76de9d0958bd1 with gcc (GCC) 8.1.0
kernel signature: c1418ea13b54b80a9cd1f94dec749bfd95538c07
all runs: OK
# git bisect bad 8ffd7ba9ffb1e332c092a7523dc76de9d0958bd1
Bisecting: 87 revisions left to test after this (roughly 7 steps)
[688fdaa54a3e985d83de83bdf98433b5ae2e358f] r8152: Set memory to all 0xFFs on failed reg reads
testing commit 688fdaa54a3e985d83de83bdf98433b5ae2e358f with gcc (GCC) 8.1.0
kernel signature: 21ad23cd649e4531a5a4fc5d7e3395824404caee
all runs: OK
# git bisect bad 688fdaa54a3e985d83de83bdf98433b5ae2e358f
Bisecting: 43 revisions left to test after this (roughly 6 steps)
[2a0aa8a06aea258fdfba248a3af052ee83a8d45b] netfilter: nf_flow_table: set default timeout after successful insertion
testing commit 2a0aa8a06aea258fdfba248a3af052ee83a8d45b with gcc (GCC) 8.1.0
kernel signature: 9f6aa5009a02a3df6f5e3718c2b1f2e69c1dba99
all runs: OK
# git bisect bad 2a0aa8a06aea258fdfba248a3af052ee83a8d45b
Bisecting: 21 revisions left to test after this (roughly 5 steps)
[0f4095f335578f0e32f71a7b95985d82f34fe7f6] PCI: Always allow probing with driver_override
testing commit 0f4095f335578f0e32f71a7b95985d82f34fe7f6 with gcc (GCC) 8.1.0
kernel signature: 8dd8496912298859b7273c92f1e5a50d78215587
run #0: crashed: WARNING in kernfs_put
run #1: crashed: WARNING: refcount bug in hci_register_dev
run #2: crashed: general protection fault in kernfs_add_one
run #3: crashed: WARNING: refcount bug in hci_register_dev
run #4: crashed: WARNING in rfkill_unregister
run #5: crashed: WARNING in kernfs_get
run #6: crashed: WARNING in kernfs_get
run #7: crashed: general protection fault in kernfs_add_one
run #8: crashed: general protection fault in kernfs_add_one
run #9: crashed: WARNING in kernfs_get
# git bisect good 0f4095f335578f0e32f71a7b95985d82f34fe7f6
Bisecting: 10 revisions left to test after this (roughly 4 steps)
[d13a836d787d79571e51d23e0cf2e6d569047135] drm: panel-orientation-quirks: Add extra quirk table entry for GPD MicroPC
testing commit d13a836d787d79571e51d23e0cf2e6d569047135 with gcc (GCC) 8.1.0
kernel signature: 3c2fae3f60ffe8cb3a51c6955d83b51fe2736821
all runs: OK
# git bisect bad d13a836d787d79571e51d23e0cf2e6d569047135
Bisecting: 5 revisions left to test after this (roughly 3 steps)
[02ebbb4f8df823d58309256dfaaa7aa948b85a16] crypto: talitos - fix CTR alg blocksize
testing commit 02ebbb4f8df823d58309256dfaaa7aa948b85a16 with gcc (GCC) 8.1.0
kernel signature: 59a53d6d3aa1800987a63d5051e40a52bd217788
all runs: OK
# git bisect bad 02ebbb4f8df823d58309256dfaaa7aa948b85a16
Bisecting: 2 revisions left to test after this (roughly 1 step)
[72cd230b3231ec1ad4facf90a98f20c30e5f57cb] ubifs: Correctly use tnc_next() in search_dh_cookie()
testing commit 72cd230b3231ec1ad4facf90a98f20c30e5f57cb with gcc (GCC) 8.1.0
kernel signature: 8981254c133dbfa6f8a38eaad37ec1a27174cefd
run #0: crashed: WARNING in kernfs_get
run #1: crashed: WARNING: refcount bug in hci_register_dev
run #2: crashed: general protection fault in kernfs_add_one
run #3: crashed: WARNING in kernfs_get
run #4: crashed: WARNING in kernfs_get
run #5: crashed: general protection fault in kernfs_add_one
run #6: crashed: general protection fault in kernfs_add_one
run #7: crashed: WARNING in kernfs_get
run #8: crashed: WARNING in kernfs_get
run #9: crashed: general protection fault in kernfs_add_one
# git bisect good 72cd230b3231ec1ad4facf90a98f20c30e5f57cb
Bisecting: 0 revisions left to test after this (roughly 1 step)
[39fa02a36bb37075670c0962b1f1b8cbd296de55] crypto: talitos - check AES key size
testing commit 39fa02a36bb37075670c0962b1f1b8cbd296de55 with gcc (GCC) 8.1.0
kernel signature: 118518aaba32b94ee56603922e14d6be94b6749a
all runs: OK
# git bisect bad 39fa02a36bb37075670c0962b1f1b8cbd296de55
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[e1666bcbae0c5edb6d7a752b31a8f28c59b54546] driver core: Fix use-after-free and double free on glue directory
testing commit e1666bcbae0c5edb6d7a752b31a8f28c59b54546 with gcc (GCC) 8.1.0
kernel signature: 208066d39725126fb38383d93187156732591e24
run #0: basic kernel testing failed: failed to copy test binary to VM: failed to run ["scp" "-P" "22" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "BatchMode=yes" "-o" "IdentitiesOnly=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "-i" "/syzkaller/jobs/linux/workdir/image/key" "/tmp/syz-executor098725991" "root@10.128.1.24:./syz-executor098725991"]: exit status 1
ssh: connect to host 10.128.1.24 port 22: Connection timed out
lost connection
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect bad e1666bcbae0c5edb6d7a752b31a8f28c59b54546
e1666bcbae0c5edb6d7a752b31a8f28c59b54546 is the first bad commit
commit e1666bcbae0c5edb6d7a752b31a8f28c59b54546
Author: Muchun Song
Date:   Sat Jul 27 11:21:22 2019 +0800

    driver core: Fix use-after-free and double free on glue directory

    commit ac43432cb1f5c2950408534987e57c2071e24d8f upstream.

    There is a race condition between removing a glue directory and adding a
    new device under the glue dir. It can be reproduced in the following test:

    CPU1:                                         CPU2:

    device_add()
      get_device_parent()
        class_dir_create_and_add()
          kobject_add_internal()
            create_dir()    // create glue_dir
                                                  device_add()
                                                    get_device_parent()
                                                      kobject_get() // get glue_dir
    device_del()
      cleanup_glue_dir()
        kobject_del(glue_dir)
                                                    kobject_add()
                                                      kobject_add_internal()
                                                        create_dir() // in glue_dir
                                                          sysfs_create_dir_ns()
                                                            kernfs_create_dir_ns(sd)

          sysfs_remove_dir() // glue_dir->sd=NULL
          sysfs_put()        // free glue_dir->sd

                                                              // sd is freed
                                                              kernfs_new_node(sd)
                                                                kernfs_get(glue_dir)
                                                                kernfs_add_one()
                                                                kernfs_put()

    Before CPU1 removes the last child device under the glue dir, if CPU2 adds
    a new device under the glue dir, the glue_dir kobject reference count will
    be increased to 2 via kobject_get() in get_device_parent(). And CPU2 has
    called kernfs_create_dir_ns(), but has not yet called kernfs_new_node().
    Meanwhile, CPU1 calls sysfs_remove_dir() and sysfs_put(). This results in
    glue_dir->sd being freed and its reference count being 0. Then CPU2's call
    to kernfs_get(glue_dir) will trigger a warning in kernfs_get() and increase
    its reference count to 1. Because glue_dir->sd was freed by CPU1, the next
    call to kernfs_add_one() by CPU2 will fail (this is also a use-after-free)
    and call kernfs_put() to decrease the reference count. Because the reference
    count is decremented to 0, it will also call kmem_cache_free() to free
    glue_dir->sd again. This will result in a double free.

    In order to avoid this, we should also make sure that the kernfs_node for
    glue_dir is released in CPU1 only when the refcount for the glue_dir kobj
    is 1, to fix this race.

    The following calltrace is captured in kernel 4.14 with the following patch
    applied:

    commit 726e41097920 ("drivers: core: Remove glue dirs from sysfs earlier")

    --------------------------------------------------------------------------
    [    3.633703] WARNING: CPU: 4 PID: 513 at .../fs/kernfs/dir.c:494
                   Here is WARN_ON(!atomic_read(&kn->count)) in kernfs_get().
    ....
    [    3.633986] Call trace:
    [    3.633991]  kernfs_create_dir_ns+0xa8/0xb0
    [    3.633994]  sysfs_create_dir_ns+0x54/0xe8
    [    3.634001]  kobject_add_internal+0x22c/0x3f0
    [    3.634005]  kobject_add+0xe4/0x118
    [    3.634011]  device_add+0x200/0x870
    [    3.634017]  _request_firmware+0x958/0xc38
    [    3.634020]  request_firmware_into_buf+0x4c/0x70
    ....
    [    3.634064] kernel BUG at .../mm/slub.c:294!
                   Here is BUG_ON(object == fp) in set_freepointer().
    ....
    [    3.634346] Call trace:
    [    3.634351]  kmem_cache_free+0x504/0x6b8
    [    3.634355]  kernfs_put+0x14c/0x1d8
    [    3.634359]  kernfs_create_dir_ns+0x88/0xb0
    [    3.634362]  sysfs_create_dir_ns+0x54/0xe8
    [    3.634366]  kobject_add_internal+0x22c/0x3f0
    [    3.634370]  kobject_add+0xe4/0x118
    [    3.634374]  device_add+0x200/0x870
    [    3.634378]  _request_firmware+0x958/0xc38
    [    3.634381]  request_firmware_into_buf+0x4c/0x70
    --------------------------------------------------------------------------

    Fixes: 726e41097920 ("drivers: core: Remove glue dirs from sysfs earlier")
    Signed-off-by: Muchun Song
    Reviewed-by: Mukesh Ojha
    Signed-off-by: Prateek Sood
    Link: https://lore.kernel.org/r/20190727032122.24639-1-smuchun@gmail.com
    Signed-off-by: Greg Kroah-Hartman

 drivers/base/core.c | 53 ++++++++++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 52 insertions(+), 1 deletion(-)

kernel signature: 208066d39725126fb38383d93187156732591e24
previous signature: 8981254c133dbfa6f8a38eaad37ec1a27174cefd
revisions tested: 15, total time: 4h19m12.46463712s (build: 2h6m33.412196227s, test: 2h11m20.64663099s)
first good commit: e1666bcbae0c5edb6d7a752b31a8f28c59b54546 driver core: Fix use-after-free and double free on glue directory
cc: ["gregkh@linuxfoundation.org" "mojha@codeaurora.org" "prsood@codeaurora.org" "smuchun@gmail.com"]