bisecting fixing commit since aec3002d07fd2564cd32e56f126fa6db14a168bb
building syzkaller on 907bf74686129436f81aa40336ee89f7cc01b0b4
testing commit aec3002d07fd2564cd32e56f126fa6db14a168bb with gcc (GCC) 8.1.0
kernel signature: acb0e2f1ca9effba88bf34ec19b82cd2e486d1ba
run #0: crashed: WARNING in kernfs_get
run #1: crashed: WARNING in kernfs_get
run #2: crashed: general protection fault in kernfs_add_one
run #3: crashed: WARNING in dpm_sysfs_add
run #4: crashed: general protection fault in kernfs_add_one
run #5: crashed: general protection fault in kernfs_add_one
run #6: crashed: WARNING in kernfs_get
run #7: crashed: WARNING: refcount bug in hci_register_dev
run #8: crashed: WARNING in kernfs_get
run #9: crashed: WARNING in kernfs_get
testing current HEAD c7ecf3e3a71c216327980f26b1e895ce9b07ad31
testing commit c7ecf3e3a71c216327980f26b1e895ce9b07ad31 with gcc (GCC) 8.1.0
kernel signature: a5fa36c2f36fbb6769c9c67b3ac999d2053ff629
all runs: OK
# git bisect start c7ecf3e3a71c216327980f26b1e895ce9b07ad31 aec3002d07fd2564cd32e56f126fa6db14a168bb
Bisecting: 2336 revisions left to test after this (roughly 11 steps)
[6bcbe35027e22b38a4628e25e6f42b5bf8dbf86e] btrfs: qgroup: Always free PREALLOC META reserve in btrfs_delalloc_release_extents()
testing commit 6bcbe35027e22b38a4628e25e6f42b5bf8dbf86e with gcc (GCC) 8.1.0
kernel signature: cd9dcf4906e887dcdf5a23c12b6a6d8c7ecd2dbe
all runs: OK
# git bisect bad 6bcbe35027e22b38a4628e25e6f42b5bf8dbf86e
Bisecting: 1167 revisions left to test after this (roughly 10 steps)
[b30a2f608e942321efb6b26e5a152555e6bb68c4] mm/zsmalloc.c: migration can leave pages in ZS_EMPTY indefinitely
testing commit b30a2f608e942321efb6b26e5a152555e6bb68c4 with gcc (GCC) 8.1.0
kernel signature: e515a2db0bf500e8b20f3af2d7bdd2d9609343f6
run #0: crashed: WARNING in kernfs_get
run #1: crashed: WARNING in hci_unregister_dev
run #2: crashed: WARNING in kernfs_get
run #3: crashed: general protection fault in kernfs_add_one
run #4: crashed: WARNING in hci_unregister_dev
run #5: crashed: general protection fault in kernfs_add_one
run #6: crashed: WARNING: refcount bug in hci_register_dev
run #7: crashed: WARNING in kernfs_get
run #8: crashed: WARNING in kernfs_get
run #9: crashed: WARNING in kernfs_get
# git bisect good b30a2f608e942321efb6b26e5a152555e6bb68c4
Bisecting: 583 revisions left to test after this (roughly 9 steps)
[fdcf06a35bc60748fe430c9a878cee36f051071c] dmaengine: bcm2835: Print error in case setting DMA mask fails
testing commit fdcf06a35bc60748fe430c9a878cee36f051071c with gcc (GCC) 8.1.0
kernel signature: 93344f0a1207dd8e5029610cae55395b1e0c7819
all runs: OK
# git bisect bad fdcf06a35bc60748fe430c9a878cee36f051071c
Bisecting: 291 revisions left to test after this (roughly 8 steps)
[e4ba157877db4a441dc50cce8028ad25c78bdecd] dt-bindings: mmc: Add disable-cqe-dcmd property.
testing commit e4ba157877db4a441dc50cce8028ad25c78bdecd with gcc (GCC) 8.1.0
kernel signature: 00520df8498d057317b506cb21657e1502f3e7ab
run #0: crashed: WARNING in kernfs_get
run #1: crashed: WARNING in kernfs_get
run #2: crashed: WARNING in kernfs_get
run #3: crashed: WARNING: refcount bug in hci_register_dev
run #4: crashed: WARNING in kernfs_get
run #5: crashed: WARNING: refcount bug in hci_register_dev
run #6: crashed: WARNING: refcount bug in hci_register_dev
run #7: crashed: WARNING in kernfs_get
run #8: crashed: WARNING in kernfs_get
run #9: crashed: general protection fault in kernfs_add_one
# git bisect good e4ba157877db4a441dc50cce8028ad25c78bdecd
Bisecting: 145 revisions left to test after this (roughly 7 steps)
[999f33c2438c27895e9798a783d3a2ac5156d78f] bus: ti-sysc: Simplify cleanup upon failures in sysc_probe()
testing commit 999f33c2438c27895e9798a783d3a2ac5156d78f with gcc (GCC) 8.1.0
kernel signature: 4d25f58f724b2bbf4f5e0c1e999e4bcf6f0c0636
all runs: OK
# git bisect bad 999f33c2438c27895e9798a783d3a2ac5156d78f
Bisecting: 72 revisions left to test after this (roughly 6 steps)
[88a46756f016552581fc07e0a5d5c23b5a26737f] net: Fix null de-reference of device refcount
testing commit 88a46756f016552581fc07e0a5d5c23b5a26737f with gcc (GCC) 8.1.0
kernel signature: 90628048678d3955594454a80a1fd586cab3bb24
run #0: crashed: WARNING in kernfs_get
run #1: crashed: WARNING in kernfs_get
run #2: crashed: WARNING in kernfs_get
run #3: crashed: WARNING: refcount bug in hci_register_dev
run #4: crashed: WARNING in kernfs_get
run #5: crashed: general protection fault in kernfs_add_one
run #6: crashed: WARNING in kernfs_get
run #7: crashed: general protection fault in kernfs_add_one
run #8: crashed: WARNING: refcount bug in hci_register_dev
run #9: crashed: general protection fault in kernfs_add_one
# git bisect good 88a46756f016552581fc07e0a5d5c23b5a26737f
Bisecting: 36 revisions left to test after this (roughly 5 steps)
[a03ed2891cdbe0a975647d5dabd923c1beaba9f7] drm/mediatek: mtk_drm_drv.c: Add of_node_put() before goto
testing commit a03ed2891cdbe0a975647d5dabd923c1beaba9f7 with gcc (GCC) 8.1.0
kernel signature: 46bb167dd43d2933a87d023a602a332037a20057
all runs: OK
# git bisect bad a03ed2891cdbe0a975647d5dabd923c1beaba9f7
Bisecting: 17 revisions left to test after this (roughly 4 steps)
[73c31bd920393be70bb30a0b7c6e9c47990c3d3a] KVM: nVMX: handle page fault in vmread
testing commit 73c31bd920393be70bb30a0b7c6e9c47990c3d3a with gcc (GCC) 8.1.0
kernel signature: 6c73c0c75447f690cc30514473f21ec7c321b360
run #0: crashed: WARNING in kernfs_get
run #1: crashed: general protection fault in kernfs_add_one
run #2: crashed: WARNING in rfkill_unregister
run #3: crashed: WARNING in kernfs_get
run #4: crashed: WARNING in kernfs_get
run #5: crashed: WARNING in kernfs_get
run #6: crashed: WARNING: refcount bug in hci_register_dev
run #7: crashed: WARNING in kernfs_get
run #8: crashed: general protection fault in kernfs_add_one
run #9: crashed: WARNING in kernfs_get
# git bisect good 73c31bd920393be70bb30a0b7c6e9c47990c3d3a
Bisecting: 8 revisions left to test after this (roughly 3 steps)
[e1666bcbae0c5edb6d7a752b31a8f28c59b54546] driver core: Fix use-after-free and double free on glue directory
testing commit e1666bcbae0c5edb6d7a752b31a8f28c59b54546 with gcc (GCC) 8.1.0
kernel signature: f2321e1dbe477979ee5bdc3a0c54d94828eb5dbc
all runs: OK
# git bisect bad e1666bcbae0c5edb6d7a752b31a8f28c59b54546
Bisecting: 4 revisions left to test after this (roughly 2 steps)
[6da56f8982bbe7821f1c41bce0963fa896af7d96] clk: rockchip: Don't yell about bad mmc phases when getting
testing commit 6da56f8982bbe7821f1c41bce0963fa896af7d96 with gcc (GCC) 8.1.0
kernel signature: 2f5712f629d6ca514e97c4a3ee7e4aa82be925ea
run #0: crashed: WARNING in kernfs_get
run #1: crashed: WARNING in kernfs_get
run #2: crashed: WARNING: refcount bug in hci_register_dev
run #3: crashed: WARNING in kernfs_activate
run #4: crashed: WARNING in rfkill_unregister
run #5: crashed: WARNING in kernfs_get
run #6: crashed: WARNING in kernfs_get
run #7: crashed: WARNING in kernfs_get
run #8: crashed: WARNING: refcount bug in hci_register_dev
run #9: crashed: WARNING in kernfs_get
# git bisect good 6da56f8982bbe7821f1c41bce0963fa896af7d96
Bisecting: 2 revisions left to test after this (roughly 1 step)
[0f4095f335578f0e32f71a7b95985d82f34fe7f6] PCI: Always allow probing with driver_override
testing commit 0f4095f335578f0e32f71a7b95985d82f34fe7f6 with gcc (GCC) 8.1.0
kernel signature: d8a7018247053b75e42453802a1a4be170fede15
run #0: crashed: WARNING: refcount bug in hci_register_dev
run #1: crashed: WARNING in kernfs_activate
run #2: crashed: WARNING in kernfs_get
run #3: crashed: WARNING in rfkill_unregister
run #4: crashed: WARNING: refcount bug in hci_register_dev
run #5: crashed: WARNING: refcount bug in hci_register_dev
run #6: crashed: WARNING in hci_unregister_dev
run #7: crashed: WARNING in kernfs_get
run #8: crashed: WARNING: refcount bug in hci_register_dev
run #9: crashed: general protection fault in kernfs_add_one
# git bisect good 0f4095f335578f0e32f71a7b95985d82f34fe7f6
Bisecting: 0 revisions left to test after this (roughly 1 step)
[72cd230b3231ec1ad4facf90a98f20c30e5f57cb] ubifs: Correctly use tnc_next() in search_dh_cookie()
testing commit 72cd230b3231ec1ad4facf90a98f20c30e5f57cb with gcc (GCC) 8.1.0
kernel signature: 4045dca3cc6b211ebe828d46b99b7024500be6c9
run #0: crashed: general protection fault in kernfs_add_one
run #1: crashed: WARNING in kernfs_get
run #2: crashed: WARNING in kernfs_get
run #3: crashed: general protection fault in kernfs_add_one
run #4: crashed: WARNING in kernfs_get
run #5: crashed: WARNING: refcount bug in hci_register_dev
run #6: crashed: WARNING in kernfs_get
run #7: crashed: general protection fault in kernfs_add_one
run #8: crashed: WARNING: refcount bug in hci_register_dev
run #9: crashed: WARNING in kernfs_get
# git bisect good 72cd230b3231ec1ad4facf90a98f20c30e5f57cb
e1666bcbae0c5edb6d7a752b31a8f28c59b54546 is the first bad commit
commit e1666bcbae0c5edb6d7a752b31a8f28c59b54546
Author: Muchun Song
Date:   Sat Jul 27 11:21:22 2019 +0800

    driver core: Fix use-after-free and double free on glue directory

    commit ac43432cb1f5c2950408534987e57c2071e24d8f upstream.

    There is a race condition between removing the glue directory and adding
    a new device under the glue dir. It can be reproduced in the following
    test:

          CPU1:                                         CPU2:

          device_add()
            get_device_parent()
              class_dir_create_and_add()
                kobject_add_internal()
                  create_dir()    // create glue_dir

                                                        device_add()
                                                          get_device_parent()
                                                            kobject_get() // get glue_dir

          device_del()
            cleanup_glue_dir()
              kobject_del(glue_dir)

                                                        kobject_add()
                                                          kobject_add_internal()
                                                            create_dir() // in glue_dir
                                                              sysfs_create_dir_ns()
                                                                kernfs_create_dir_ns(sd)

              sysfs_remove_dir() // glue_dir->sd=NULL
              sysfs_put()        // free glue_dir->sd

                                                                  // sd is freed
                                                                  kernfs_new_node(sd)
                                                                    kernfs_get(glue_dir)
                                                                    kernfs_add_one()
                                                                    kernfs_put()

    Before CPU1 removes the last child device under the glue dir, if CPU2
    adds a new device under the glue dir, the glue_dir kobject reference
    count will be increased to 2 via kobject_get() in get_device_parent().
    At that point CPU2 has called kernfs_create_dir_ns(), but has not yet
    called kernfs_new_node(). Meanwhile, CPU1 calls sysfs_remove_dir() and
    sysfs_put(). This results in glue_dir->sd being freed and its reference
    count becoming 0. Then CPU2's call to kernfs_get(glue_dir) will trigger
    a warning in kernfs_get() and increase its reference count to 1.
    Because glue_dir->sd was freed by CPU1, the next call to kernfs_add_one()
    by CPU2 will fail (this is also a use-after-free) and call kernfs_put()
    to decrease the reference count. Because the reference count is
    decremented to 0, it will also call kmem_cache_free() to free
    glue_dir->sd again. This results in a double free.

    In order to avoid this happening, we also should make sure that the
    kernfs_node for glue_dir is released in CPU1 only when the refcount for
    the glue_dir kobj is 1, to fix this race.

    The following call trace is captured in kernel 4.14 with the following
    patch applied:

    commit 726e41097920 ("drivers: core: Remove glue dirs from sysfs earlier")

    --------------------------------------------------------------------------
    [ 3.633703] WARNING: CPU: 4 PID: 513 at .../fs/kernfs/dir.c:494
                Here is WARN_ON(!atomic_read(&kn->count) in kernfs_get().
    ....
    [ 3.633986] Call trace:
    [ 3.633991]  kernfs_create_dir_ns+0xa8/0xb0
    [ 3.633994]  sysfs_create_dir_ns+0x54/0xe8
    [ 3.634001]  kobject_add_internal+0x22c/0x3f0
    [ 3.634005]  kobject_add+0xe4/0x118
    [ 3.634011]  device_add+0x200/0x870
    [ 3.634017]  _request_firmware+0x958/0xc38
    [ 3.634020]  request_firmware_into_buf+0x4c/0x70
    ....
    [ 3.634064] kernel BUG at .../mm/slub.c:294!
                Here is BUG_ON(object == fp) in set_freepointer().
    ....
    [ 3.634346] Call trace:
    [ 3.634351]  kmem_cache_free+0x504/0x6b8
    [ 3.634355]  kernfs_put+0x14c/0x1d8
    [ 3.634359]  kernfs_create_dir_ns+0x88/0xb0
    [ 3.634362]  sysfs_create_dir_ns+0x54/0xe8
    [ 3.634366]  kobject_add_internal+0x22c/0x3f0
    [ 3.634370]  kobject_add+0xe4/0x118
    [ 3.634374]  device_add+0x200/0x870
    [ 3.634378]  _request_firmware+0x958/0xc38
    [ 3.634381]  request_firmware_into_buf+0x4c/0x70
    --------------------------------------------------------------------------

    Fixes: 726e41097920 ("drivers: core: Remove glue dirs from sysfs earlier")
    Signed-off-by: Muchun Song
    Reviewed-by: Mukesh Ojha
    Signed-off-by: Prateek Sood
    Link: https://lore.kernel.org/r/20190727032122.24639-1-smuchun@gmail.com
    Signed-off-by: Greg Kroah-Hartman

 drivers/base/core.c | 53 ++++++++++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 52 insertions(+), 1 deletion(-)

culprit signature: f2321e1dbe477979ee5bdc3a0c54d94828eb5dbc
parent signature: 4045dca3cc6b211ebe828d46b99b7024500be6c9
revisions tested: 14, total time: 3h37m53.407072892s (build: 1h59m9.381304556s, test: 1h37m13.248737837s)
first good commit: e1666bcbae0c5edb6d7a752b31a8f28c59b54546 driver core: Fix use-after-free and double free on glue directory
cc: ["gregkh@linuxfoundation.org" "mojha@codeaurora.org" "prsood@codeaurora.org" "smuchun@gmail.com"]