bisecting cause commit starting from 5e335542de83558e46d28de1008a1c37d5d6679a building syzkaller on 3c88136c8a2afbcdb1be19786c0b66837f5f7cd6 testing commit 5e335542de83558e46d28de1008a1c37d5d6679a with gcc (GCC) 8.1.0 run #0: crashed: WARNING in kernfs_get run #1: crashed: WARNING in kernfs_get run #2: crashed: WARNING in kernfs_get run #3: crashed: WARNING in kernfs_get run #4: crashed: WARNING: refcount bug in hci_register_dev run #5: crashed: WARNING in kernfs_get run #6: crashed: WARNING in kernfs_get run #7: crashed: WARNING in kernfs_get run #8: crashed: WARNING: refcount bug in hci_register_dev run #9: crashed: WARNING: refcount bug in hci_register_dev testing release v4.18 testing commit 94710cac0ef4ee177a63b5227664b38c95bbf703 with gcc (GCC) 8.1.0 all runs: OK # git bisect start 5e335542de83558e46d28de1008a1c37d5d6679a 94710cac0ef4ee177a63b5227664b38c95bbf703 Bisecting: 6710 revisions left to test after this (roughly 13 steps) [54dbe75bbf1e189982516de179147208e90b5e45] Merge tag 'drm-next-2018-08-15' of git://anongit.freedesktop.org/drm/drm testing commit 54dbe75bbf1e189982516de179147208e90b5e45 with gcc (GCC) 8.1.0 all runs: OK # git bisect good 54dbe75bbf1e189982516de179147208e90b5e45 Bisecting: 3368 revisions left to test after this (roughly 12 steps) [307797159ac25fe5a2048bf5c6a5718298edca57] pcmcia: remove long deprecated pcmcia_request_exclusive_irq() function testing commit 307797159ac25fe5a2048bf5c6a5718298edca57 with gcc (GCC) 8.1.0 run #0: crashed: WARNING: refcount bug in hci_register_dev run #1: crashed: general protection fault in kernfs_add_one run #2: crashed: WARNING in kernfs_get run #3: crashed: WARNING: refcount bug in hci_register_dev run #4: crashed: WARNING: refcount bug in hci_register_dev run #5: crashed: general protection fault in kernfs_add_one run #6: crashed: general protection fault in kernfs_add_one run #7: crashed: WARNING in kernfs_activate run #8: crashed: WARNING in kernfs_get run #9: crashed: WARNING: refcount bug in hci_register_dev # git bisect bad 307797159ac25fe5a2048bf5c6a5718298edca57 Bisecting: 1575 revisions left to test after this (roughly 11 steps) [9bd553929f68921be0f2014dd06561e0c8249a0d] Merge tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma testing commit 9bd553929f68921be0f2014dd06561e0c8249a0d with gcc (GCC) 8.1.0 all runs: OK # git bisect good 9bd553929f68921be0f2014dd06561e0c8249a0d Bisecting: 787 revisions left to test after this (roughly 10 steps) [c3e39b07f64d56992080f8f634632dcfa7dfc85d] staging: fsl-dpaa2/eth: Merge header files testing commit c3e39b07f64d56992080f8f634632dcfa7dfc85d with gcc (GCC) 8.1.0 all runs: OK # git bisect good c3e39b07f64d56992080f8f634632dcfa7dfc85d Bisecting: 411 revisions left to test after this (roughly 9 steps) [336722eb9d9732c5a497fb6299bf38cde413592b] Merge tag 'tty-4.19-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty testing commit 336722eb9d9732c5a497fb6299bf38cde413592b with gcc (GCC) 8.1.0 all runs: OK # git bisect good 336722eb9d9732c5a497fb6299bf38cde413592b Bisecting: 202 revisions left to test after this (roughly 8 steps) [670d198b61ebfb4c9b13e50dccbd904a62ae593c] Merge tag 'fsi-updates-2018-07-24' of git://git.kernel.org/pub/scm/linux/kernel/git/benh/linux-fsi into char-misc-testing testing commit 670d198b61ebfb4c9b13e50dccbd904a62ae593c with gcc (GCC) 8.1.0 all runs: OK # git bisect good 670d198b61ebfb4c9b13e50dccbd904a62ae593c Bisecting: 101 revisions left to test after this (roughly 7 steps) [532f14d973949948bf1a3f33e17a8548a30b33d5] staging: mt7621-dts: add pcie controller port registers testing commit 532f14d973949948bf1a3f33e17a8548a30b33d5 with gcc (GCC) 8.1.0 all runs: OK # git bisect good 532f14d973949948bf1a3f33e17a8548a30b33d5 Bisecting: 51 revisions left to test after this (roughly 6 steps) [a39284ae9d2ad09975c8ae33f1bd0f05fbfbf6ee] misc: mic: SCIF Fix scif_get_new_port() error handling testing commit a39284ae9d2ad09975c8ae33f1bd0f05fbfbf6ee with gcc (GCC) 8.1.0 all runs: OK # git bisect good a39284ae9d2ad09975c8ae33f1bd0f05fbfbf6ee Bisecting: 24 revisions left to test after this (roughly 5 steps) [d5acba26bfa097a618be425522b1ec4269d3edaf] Merge tag 'char-misc-4.19-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc testing commit d5acba26bfa097a618be425522b1ec4269d3edaf with gcc (GCC) 8.1.0 all runs: OK # git bisect good d5acba26bfa097a618be425522b1ec4269d3edaf Bisecting: 12 revisions left to test after this (roughly 4 steps) [7930eb919feb59b8c799cb3085d0e9f7b5ae34d1] dt-bindings: pinctrl: add a 'pinctrl-use-default' property testing commit 7930eb919feb59b8c799cb3085d0e9f7b5ae34d1 with gcc (GCC) 8.1.0 all runs: OK # git bisect good 7930eb919feb59b8c799cb3085d0e9f7b5ae34d1 Bisecting: 6 revisions left to test after this (roughly 3 steps) [46d3a03781ea70e25360660ac53bbb838de11c97] driver core: remove unnecessary function extern declare testing commit 46d3a03781ea70e25360660ac53bbb838de11c97 with gcc (GCC) 8.1.0 all runs: OK # git bisect good 46d3a03781ea70e25360660ac53bbb838de11c97 Bisecting: 3 revisions left to test after this (roughly 2 steps) [e16f4f3e0b7daecd48d4f944ab4147c1a6cb16a8] base: core: Remove WARN_ON from link dependencies check testing commit e16f4f3e0b7daecd48d4f944ab4147c1a6cb16a8 with gcc (GCC) 8.1.0 run #0: crashed: WARNING: refcount bug in hci_register_dev run #1: crashed: WARNING in kernfs_get run #2: crashed: WARNING: refcount bug in hci_register_dev run #3: crashed: WARNING in kernfs_get run #4: crashed: WARNING: refcount bug in kobj_kset_leave run #5: crashed: general protection fault in kernfs_add_one run #6: crashed: WARNING in kernfs_get run #7: crashed: WARNING in kernfs_get run #8: crashed: WARNING in kernfs_get run #9: crashed: WARNING in kernfs_get # git bisect bad e16f4f3e0b7daecd48d4f944ab4147c1a6cb16a8 Bisecting: 0 revisions left to test after this (roughly 1 step) [3297c8fc65af5d40501ea7cddff1b195cae57e4e] drivers/base: stop new probing during shutdown testing commit 3297c8fc65af5d40501ea7cddff1b195cae57e4e with gcc (GCC) 8.1.0 run #0: crashed: WARNING in kernfs_get run #1: crashed: WARNING in kernfs_get run #2: crashed: WARNING in kernfs_get run #3: crashed: WARNING in kernfs_get run #4: crashed: WARNING in kernfs_get run #5: crashed: WARNING: refcount bug in hci_register_dev run #6: crashed: WARNING in kernfs_get run #7: crashed: WARNING: refcount bug in hci_register_dev run #8: crashed: WARNING: refcount bug in hci_register_dev run #9: crashed: WARNING: refcount bug in hci_register_dev # git bisect bad 3297c8fc65af5d40501ea7cddff1b195cae57e4e Bisecting: 0 revisions left to test after this (roughly 0 steps) [726e41097920a73e4c7c33385dcc0debb1281e18] drivers: core: Remove glue dirs from sysfs earlier testing commit 726e41097920a73e4c7c33385dcc0debb1281e18 with gcc (GCC) 8.1.0 run #0: crashed: WARNING in kernfs_get run #1: crashed: general protection fault in kernfs_add_one run #2: crashed: general protection fault in kernfs_add_one run #3: crashed: general protection fault in kernfs_add_one run #4: crashed: WARNING: refcount bug in hci_register_dev run #5: crashed: WARNING: refcount bug in hci_register_dev run #6: crashed: WARNING: refcount bug in hci_register_dev run #7: crashed: WARNING in kernfs_get run #8: crashed: WARNING: refcount bug in hci_register_dev run #9: crashed: WARNING: refcount bug in hci_register_dev # git bisect bad 726e41097920a73e4c7c33385dcc0debb1281e18 726e41097920a73e4c7c33385dcc0debb1281e18 is the first bad commit commit 726e41097920a73e4c7c33385dcc0debb1281e18 Author: Benjamin Herrenschmidt Date: Tue Jul 10 10:29:10 2018 +1000 drivers: core: Remove glue dirs from sysfs earlier For devices with a class, we create a "glue" directory between the parent device and the new device with the class name. This directory is never "explicitely" removed when empty however, this is left to the implicit sysfs removal done by kobject_release() when the object loses its last reference via kobject_put(). This is problematic because as long as it's not been removed from sysfs, it is still present in the class kset and in sysfs directory structure. The presence in the class kset exposes a use after free bug fixed by the previous patch, but the presence in sysfs means that until the kobject is released, which can take a while (especially with kobject debugging), any attempt at re-creating such as binding a new device for that class/parent pair, will result in a sysfs duplicate file name error. This fixes it by instead doing an explicit kobject_del() when the glue dir is empty, by keeping track of the number of child devices of the gluedir. This is made easy by the fact that all glue dir operations are done with a global mutex, and there's already a function (cleanup_glue_dir) called in all the right places taking that mutex that can be enhanced for this. It appears that this was in fact the intent of the function, but the implementation was wrong. Signed-off-by: Benjamin Herrenschmidt Acked-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman :040000 040000 4eb2ce7f81f9c00236910c8f49f5a9615f5d71dc 9823d5021b081ecd739974551162378512c51552 M drivers :040000 040000 6df90282a2e9a8c74a35e17b27dc3af152a222f2 fb90ae5b106aca876252a4d162a6bfb37492cbbc M include revisions tested: 16, total time: 4h8m2.872550497s (build: 1h32m14.479258006s, test: 2h30m58.660575615s) first bad commit: 726e41097920a73e4c7c33385dcc0debb1281e18 drivers: core: Remove glue dirs from sysfs earlier cc: ["benh@kernel.crashing.org" "gregkh@linuxfoundation.org" "linux-kernel@vger.kernel.org" "rafael@kernel.org" "torvalds@linux-foundation.org"] crash: WARNING: refcount bug in hci_register_dev kobject_add_internal failed for hci0 (error: -2 parent: bluetooth) kobject_add_internal failed for hci1 (error: -2 parent: bluetooth) ------------[ cut here ]------------ refcount_t: increment on 0; use-after-free. Bluetooth: Can't register HCI device WARNING: CPU: 1 PID: 17630 at lib/refcount.c:153 refcount_inc+0x2b/0x30 lib/refcount.c:153 kobject: 'hci0' ((____ptrval____)): kobject_cleanup, parent (null) Kernel panic - not syncing: panic_on_warn set ... CPU: 1 PID: 17630 Comm: syz-executor5 Not tainted 4.18.0-rc2-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x16e/0x22a lib/dump_stack.c:113 panic+0x1c6/0x37d kernel/panic.c:184 __warn.cold.8+0x120/0x16c kernel/panic.c:536 report_bug+0x1a4/0x200 lib/bug.c:186 fixup_bug arch/x86/kernel/traps.c:178 [inline] do_error_trap+0x1fc/0x4d0 arch/x86/kernel/traps.c:296 do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:316 invalid_op+0x14/0x20 arch/x86/entry/entry_64.S:992 RIP: 0010:refcount_inc+0x2b/0x30 lib/refcount.c:153 Code: 48 89 e5 e8 77 f8 ff ff 84 c0 74 02 5d c3 80 kobject: 'hci0' ((____ptrval____)): calling ktype release 3d 62 18 2d 06 00 75 f5 48 c7 c7 a0 63 e1 87 c6 05 52 18 2d 06 01 e8 f5 0a db fd <0f> 0b 5d c3 90 55 48 89 fe kobject: 'hci0': free name bf 01 00 00 00 48 89 e5 e8 7f fa ff ff RSP: 0018:ffff8801c61ef6a8 EFLAGS: 00010286 RAX: 0000000000000000 RBX: ffff8801d715ebc0 RCX: 0000000000000000 RDX: 0000000000000001 RSI: 0000000000000008 RDI: ffffffff8aaafea0 RBP: ffff8801c61ef6a8 R08: ffffed003b5a3edb R09: ffffed003b5a3eda R10: ffffed003b5a3eda R11: ffff8801dad1f6d7 R12: ffff8801d9bbb300 R13: ffff8801bd4f4b20 R14: ffff8801bd4f4b18 R15: ffff8801bd4f4b00 kref_get include/linux/kref.h:47 [inline] kobject_get+0x43/0x90 lib/kobject.c:594 kset_get include/linux/kobject.h:209 [inline] kobj_kset_join lib/kobject.c:167 [inline] kobject_add_internal+0x13c/0xb60 lib/kobject.c:219 Bluetooth: Can't register HCI device kobject: 'hci1' ((____ptrval____)): kobject_cleanup, parent (null) kobject_add_varg lib/kobject.c:363 [inline] kobject_add+0x10f/0x170 lib/kobject.c:407 kobject: 'hci1' ((____ptrval____)): calling ktype release class_dir_create_and_add drivers/base/core.c:1504 [inline] get_device_parent.isra.27+0x311/0x560 drivers/base/core.c:1559 device_add+0x2c4/0x1640 drivers/base/core.c:1815 kobject: 'loop4' ((____ptrval____)): kobject_uevent_env hci_register_dev+0x351/0xa20 net/bluetooth/hci_core.c:3108 __vhci_create_device+0x272/0x500 drivers/bluetooth/hci_vhci.c:139 vhci_create_device drivers/bluetooth/hci_vhci.c:163 [inline] vhci_get_user drivers/bluetooth/hci_vhci.c:219 [inline] vhci_write+0x28a/0x3f0 drivers/bluetooth/hci_vhci.c:299 call_write_iter include/linux/fs.h:1795 [inline] new_sync_write fs/read_write.c:474 [inline] __vfs_write+0x59a/0xc20 fs/read_write.c:487 kobject: 'loop4' ((____ptrval____)): fill_kobj_path: path = '/devices/virtual/block/loop4' vfs_write+0x150/0x4f0 fs/read_write.c:549 ksys_write+0xf5/0x250 fs/read_write.c:598 __do_sys_write fs/read_write.c:610 [inline] __se_sys_write fs/read_write.c:607 [inline] __x64_sys_write+0x6e/0xb0 fs/read_write.c:607 kobject: 'hci1': free name do_syscall_64+0x183/0x700 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x457429 Code: fd b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007f9066887c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 00007f90668886d4 RCX: 0000000000457429 RDX: 0000000000000002 RSI: 00000000200000c0 RDI: 0000000000000003 RBP: 00000000009300a0 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff R13: 00000000004d8100 R14: 00000000004caddc R15: 0000000000000000 Kernel Offset: disabled Rebooting in 86400 seconds..