bisecting fixing commit since aea8526edf59da3ff5306ca408e13d8f6ab89b34
building syzkaller on 4ec4ea48904fe8b1ddfe85e84ea117b9dfdc90f2
testing commit aea8526edf59da3ff5306ca408e13d8f6ab89b34 with gcc (GCC) 8.1.0
kernel signature: fb12600af6b8c7ab7228f2355f18689eb5b13ba4
run #0: crashed: general protection fault in kernfs_add_one
run #1: crashed: WARNING: refcount bug in hci_register_dev
run #2: crashed: WARNING in kernfs_get
run #3: crashed: WARNING: refcount bug in hci_register_dev
run #4: crashed: WARNING in kernfs_get
run #5: crashed: general protection fault in kernfs_add_one
run #6: crashed: WARNING: refcount bug in kobj_kset_leave
run #7: crashed: WARNING in kernfs_get
run #8: crashed: general protection fault in kernfs_add_one
run #9: crashed: WARNING: refcount bug in hci_register_dev
testing current HEAD fbc5fe7a54d02e11972e3b2a5ddb6ffc88162c8f
testing commit fbc5fe7a54d02e11972e3b2a5ddb6ffc88162c8f with gcc (GCC) 8.1.0
kernel signature: 99f6a426f5214aa9a0c2ab11cd2dac28ad13c10d
all runs: OK
# git bisect start fbc5fe7a54d02e11972e3b2a5ddb6ffc88162c8f aea8526edf59da3ff5306ca408e13d8f6ab89b34
Bisecting: 1152 revisions left to test after this (roughly 10 steps)
[3554b8a172a24278ba00193be0268f3095dbed22] fat: work around race with userspace's read via blockdev while mounting
testing commit 3554b8a172a24278ba00193be0268f3095dbed22 with gcc (GCC) 8.1.0
kernel signature: 976b22537b3f82bd530d50d9aed192cead29f944
all runs: OK
# git bisect bad 3554b8a172a24278ba00193be0268f3095dbed22
Bisecting: 576 revisions left to test after this (roughly 9 steps)
[0412f12fe287331b116cd5f5d13e54921a070649] ALSA: hda - Add a generic reboot_notify
testing commit 0412f12fe287331b116cd5f5d13e54921a070649 with gcc (GCC) 8.1.0
kernel signature: 810f0111d3522877e8f6b6b8155087398331ae85
run #0: crashed: WARNING in hci_unregister_dev
run #1: crashed: WARNING: refcount bug in hci_register_dev
run #2: crashed: WARNING in kernfs_get
run #3: crashed: WARNING: refcount bug in hci_register_dev
run #4: crashed: WARNING in kernfs_get
run #5: crashed: WARNING in kernfs_get
run #6: crashed: WARNING in kernfs_get
run #7: crashed: general protection fault in kernfs_add_one
run #8: crashed: KASAN: slab-out-of-bounds Write in kernfs_iop_get_link
run #9: crashed: general protection fault in kernfs_add_one
# git bisect good 0412f12fe287331b116cd5f5d13e54921a070649
Bisecting: 288 revisions left to test after this (roughly 8 steps)
[b0fc60701db5231f390a2565995ad9a758bbf119] nvmem: Use the same permissions for eeprom as for nvmem
testing commit b0fc60701db5231f390a2565995ad9a758bbf119 with gcc (GCC) 8.1.0
kernel signature: eb1d3c3e265558d9ec29537afc0d6342e28fda65
all runs: OK
# git bisect bad b0fc60701db5231f390a2565995ad9a758bbf119
Bisecting: 143 revisions left to test after this (roughly 7 steps)
[564e2b87491c615a95d9a200fb4ad267e403db4d] tcp: make sure EPOLLOUT wont be missed
testing commit 564e2b87491c615a95d9a200fb4ad267e403db4d with gcc (GCC) 8.1.0
kernel signature: e8acd8ebe304406b14b9d23ffccd18651e031d98
run #0: crashed: WARNING in kernfs_get
run #1: crashed: WARNING in kernfs_get
run #2: crashed: general protection fault in kernfs_add_one
run #3: crashed: general protection fault in kernfs_add_one
run #4: crashed: WARNING in kernfs_get
run #5: crashed: general protection fault in kernfs_add_one
run #6: crashed: WARNING: refcount bug in hci_register_dev
run #7: crashed: WARNING in kernfs_get
run #8: crashed: WARNING in kernfs_get
run #9: crashed: general protection fault in kernfs_add_one
# git bisect good 564e2b87491c615a95d9a200fb4ad267e403db4d
Bisecting: 71 revisions left to test after this (roughly 6 steps)
[9fa2ddc1b7b3507b0e23f0943dd06b59ef7ad499] net_sched: fix a NULL pointer deref in ipt action
testing commit 9fa2ddc1b7b3507b0e23f0943dd06b59ef7ad499 with gcc (GCC) 8.1.0
kernel signature: 6d9abea4ba3e246ffd439f8ad8061b8382f5f637
run #0: crashed: WARNING in kernfs_get
run #1: crashed: WARNING in kernfs_get
run #2: crashed: general protection fault in kernfs_add_one
run #3: crashed: WARNING in kernfs_get
run #4: crashed: WARNING in kernfs_get
run #5: crashed: general protection fault in kernfs_add_one
run #6: crashed: WARNING in kernfs_get
run #7: crashed: WARNING in kernfs_get
run #8: crashed: WARNING in kernfs_get
run #9: crashed: WARNING in kernfs_get
# git bisect good 9fa2ddc1b7b3507b0e23f0943dd06b59ef7ad499
Bisecting: 35 revisions left to test after this (roughly 5 steps)
[cc243e2427cef2a5dd7367cb0e0b846503350ffe] sch_hhf: ensure quantum and hhf_non_hh_weight are non-zero
testing commit cc243e2427cef2a5dd7367cb0e0b846503350ffe with gcc (GCC) 8.1.0
kernel signature: df2bf78f67b35ae4dcd7b05fd4a43aa0f97a4861
run #0: crashed: WARNING in kernfs_get
run #1: crashed: WARNING in kernfs_get
run #2: crashed: WARNING in kernfs_get
run #3: crashed: WARNING in kernfs_get
run #4: crashed: WARNING in kernfs_get
run #5: crashed: WARNING: refcount bug in hci_register_dev
run #6: crashed: WARNING in kernfs_get
run #7: crashed: WARNING in kernfs_get
run #8: crashed: general protection fault in kernfs_add_one
run #9: crashed: general protection fault in kernfs_add_one
# git bisect good cc243e2427cef2a5dd7367cb0e0b846503350ffe
Bisecting: 17 revisions left to test after this (roughly 4 steps)
[263c71d2d440ed6a9d36e822970c9b5cce98811b] MIPS: VDSO: Use same -m%-float cflag as the kernel proper
testing commit 263c71d2d440ed6a9d36e822970c9b5cce98811b with gcc (GCC) 8.1.0
kernel signature: 34a9ab1939c1991778bce9a3957933084619552d
run #0: crashed: WARNING in kernfs_get
run #1: crashed: WARNING in kernfs_get
run #2: crashed: general protection fault in kernfs_add_one
run #3: crashed: general protection fault in kernfs_add_one
run #4: crashed: WARNING in kernfs_get
run #5: crashed: general protection fault in kernfs_add_one
run #6: crashed: WARNING: refcount bug in hci_register_dev
run #7: crashed: WARNING in kernfs_get
run #8: crashed: WARNING in kernfs_get
run #9: crashed: WARNING: refcount bug in hci_register_dev
# git bisect good 263c71d2d440ed6a9d36e822970c9b5cce98811b
Bisecting: 8 revisions left to test after this (roughly 3 steps)
[de12345c4bf686d9b9552773b4c03f96e4e68750] crypto: talitos - fix CTR alg blocksize
testing commit de12345c4bf686d9b9552773b4c03f96e4e68750 with gcc (GCC) 8.1.0
kernel signature: 7483e47148b0bd78c5ee106cc21ecc7b679b3014
all runs: OK
# git bisect bad de12345c4bf686d9b9552773b4c03f96e4e68750
Bisecting: 4 revisions left to test after this (roughly 2 steps)
[fd7674f398043f34afa70723a874c15c8e9033a2] mtd: rawnand: mtk: Fix wrongly assigned OOB buffer pointer issue
testing commit fd7674f398043f34afa70723a874c15c8e9033a2 with gcc (GCC) 8.1.0
kernel signature: eb6a26abd423c3ce58ee9e711006c2094390351e
run #0: crashed: WARNING: refcount bug in hci_register_dev
run #1: crashed: WARNING in kernfs_get
run #2: crashed: WARNING: refcount bug in hci_register_dev
run #3: crashed: WARNING in kernfs_get
run #4: crashed: WARNING in kernfs_get
run #5: crashed: general protection fault in kernfs_add_one
run #6: crashed: general protection fault in kernfs_add_one
run #7: crashed: WARNING in kernfs_get
run #8: crashed: WARNING in kernfs_get
run #9: crashed: WARNING in kernfs_get
# git bisect good fd7674f398043f34afa70723a874c15c8e9033a2
Bisecting: 2 revisions left to test after this (roughly 1 step)
[0369bbfe7ad21c1aea7b6379542eae810c8da278] ubifs: Correctly use tnc_next() in search_dh_cookie()
testing commit 0369bbfe7ad21c1aea7b6379542eae810c8da278 with gcc (GCC) 8.1.0
kernel signature: b9ebde8125cd4c5bfc1a8eb3e0d48590da3167c9
run #0: crashed: general protection fault in kernfs_add_one
run #1: crashed: WARNING: refcount bug in hci_register_dev
run #2: crashed: WARNING in kernfs_get
run #3: crashed: WARNING in kernfs_get
run #4: crashed: WARNING in kernfs_get
run #5: crashed: WARNING in kernfs_get
run #6: crashed: WARNING in kernfs_get
run #7: crashed: WARNING in kernfs_get
run #8: crashed: WARNING in kernfs_get
run #9: crashed: WARNING in kernfs_get
# git bisect good 0369bbfe7ad21c1aea7b6379542eae810c8da278
Bisecting: 0 revisions left to test after this (roughly 1 step)
[3dbb17c438ad0705b9b6b2de7a082342f93ed32b] crypto: talitos - check AES key size
testing commit 3dbb17c438ad0705b9b6b2de7a082342f93ed32b with gcc (GCC) 8.1.0
kernel signature: 93003795a8b4bfe57895f78bc4c07c6b73dfe581
all runs: OK
# git bisect bad 3dbb17c438ad0705b9b6b2de7a082342f93ed32b
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[5432923a6b208b253d95d95cee72d0508c803421] driver core: Fix use-after-free and double free on glue directory
testing commit 5432923a6b208b253d95d95cee72d0508c803421 with gcc (GCC) 8.1.0
kernel signature: 8b6723b03ae0d7834b0a81add3139384f435a43e
all runs: OK
# git bisect bad 5432923a6b208b253d95d95cee72d0508c803421
5432923a6b208b253d95d95cee72d0508c803421 is the first bad commit
commit 5432923a6b208b253d95d95cee72d0508c803421
Author: Muchun Song
Date:   Sat Jul 27 11:21:22 2019 +0800

    driver core: Fix use-after-free and double free on glue directory

    commit ac43432cb1f5c2950408534987e57c2071e24d8f upstream.

    There is a race condition between removing glue directory and adding a new
    device under the glue dir. It can be reproduced in the following test:

    CPU1:                                         CPU2:

    device_add()
      get_device_parent()
        class_dir_create_and_add()
          kobject_add_internal()
            create_dir()    // create glue_dir

                                                  device_add()
                                                    get_device_parent()
                                                      kobject_get() // get glue_dir

    device_del()
      cleanup_glue_dir()
        kobject_del(glue_dir)

                                                    kobject_add()
                                                      kobject_add_internal()
                                                        create_dir() // in glue_dir
                                                          sysfs_create_dir_ns()
                                                            kernfs_create_dir_ns(sd)

          sysfs_remove_dir() // glue_dir->sd=NULL
          sysfs_put()        // free glue_dir->sd

                                                              // sd is freed
                                                              kernfs_new_node(sd)
                                                                kernfs_get(glue_dir)
                                                                kernfs_add_one()
                                                                kernfs_put()

    Before CPU1 removes the last child device under the glue dir, if CPU2 adds a
    new device under the glue dir, the glue_dir kobject reference count will be
    increased to 2 via kobject_get() in get_device_parent(). And CPU2 has called
    kernfs_create_dir_ns(), but has not called kernfs_new_node(). Meanwhile, CPU1
    calls sysfs_remove_dir() and sysfs_put(). This results in glue_dir->sd being
    freed and its reference count being 0. Then the CPU2 call to
    kernfs_get(glue_dir) will trigger a warning in kernfs_get() and increase its
    reference count to 1. Because glue_dir->sd is freed by CPU1, the next call to
    kernfs_add_one() by CPU2 will fail (this is also a use-after-free) and call
    kernfs_put() to decrease the reference count. Because the reference count is
    decremented to 0, it will also call kmem_cache_free() to free glue_dir->sd
    again. This will result in a double free.

    In order to avoid this happening, we should also make sure that the
    kernfs_node for glue_dir is released in CPU1 only when the refcount for the
    glue_dir kobj is 1, to fix this race.

    The following calltrace is captured in kernel 4.14 with the following patch
    applied:

    commit 726e41097920 ("drivers: core: Remove glue dirs from sysfs earlier")

    --------------------------------------------------------------------------
    [    3.633703] WARNING: CPU: 4 PID: 513 at .../fs/kernfs/dir.c:494
                   Here is WARN_ON(!atomic_read(&kn->count) in kernfs_get().
    ....
    [    3.633986] Call trace:
    [    3.633991]  kernfs_create_dir_ns+0xa8/0xb0
    [    3.633994]  sysfs_create_dir_ns+0x54/0xe8
    [    3.634001]  kobject_add_internal+0x22c/0x3f0
    [    3.634005]  kobject_add+0xe4/0x118
    [    3.634011]  device_add+0x200/0x870
    [    3.634017]  _request_firmware+0x958/0xc38
    [    3.634020]  request_firmware_into_buf+0x4c/0x70
    ....
    [    3.634064] kernel BUG at .../mm/slub.c:294!
                   Here is BUG_ON(object == fp) in set_freepointer().
    ....
    [    3.634346] Call trace:
    [    3.634351]  kmem_cache_free+0x504/0x6b8
    [    3.634355]  kernfs_put+0x14c/0x1d8
    [    3.634359]  kernfs_create_dir_ns+0x88/0xb0
    [    3.634362]  sysfs_create_dir_ns+0x54/0xe8
    [    3.634366]  kobject_add_internal+0x22c/0x3f0
    [    3.634370]  kobject_add+0xe4/0x118
    [    3.634374]  device_add+0x200/0x870
    [    3.634378]  _request_firmware+0x958/0xc38
    [    3.634381]  request_firmware_into_buf+0x4c/0x70
    --------------------------------------------------------------------------

    Fixes: 726e41097920 ("drivers: core: Remove glue dirs from sysfs earlier")
    Signed-off-by: Muchun Song
    Reviewed-by: Mukesh Ojha
    Signed-off-by: Prateek Sood
    Link: https://lore.kernel.org/r/20190727032122.24639-1-smuchun@gmail.com
    Signed-off-by: Greg Kroah-Hartman

 drivers/base/core.c | 53 ++++++++++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 52 insertions(+), 1 deletion(-)

kernel signature: 8b6723b03ae0d7834b0a81add3139384f435a43e
previous signature: b9ebde8125cd4c5bfc1a8eb3e0d48590da3167c9
revisions tested: 14, total time: 3h31m20.462853263s (build: 1h50m31.875068622s, test: 1h36m5.179558773s)
first good commit: 5432923a6b208b253d95d95cee72d0508c803421 driver core: Fix use-after-free and double free on glue directory
cc: ["gregkh@linuxfoundation.org" "mojha@codeaurora.org" "prsood@codeaurora.org" "smuchun@gmail.com"]