bisecting fixing commit since 4b0e041c9dada60197efc1697928cd32c2c70cd2
building syzkaller on b0e8efcb4b0aac61f4647a76bbe54a5d38a370ba
testing commit 4b0e041c9dada60197efc1697928cd32c2c70cd2 with gcc (GCC) 8.1.0
kernel signature: c9bed5e86b73436ca2131ded15e50600306f5407
run #0: crashed: general protection fault in kernfs_add_one
run #1: crashed: WARNING in kernfs_get
run #2: crashed: general protection fault in kernfs_add_one
run #3: crashed: WARNING: refcount bug in hci_register_dev
run #4: crashed: WARNING in kernfs_get
run #5: crashed: general protection fault in kernfs_add_one
run #6: crashed: general protection fault in kernfs_add_one
run #7: crashed: WARNING in kernfs_get
run #8: crashed: WARNING in kernfs_get
run #9: crashed: WARNING in kernfs_get
testing current HEAD 174651bdf802a2139065e8e31ce950e2f3fc4a94
testing commit 174651bdf802a2139065e8e31ce950e2f3fc4a94 with gcc (GCC) 8.1.0
kernel signature: 8ceb398e0604c231c7bb1d9985f8996ccac4e96e
all runs: OK
# git bisect start 174651bdf802a2139065e8e31ce950e2f3fc4a94 4b0e041c9dada60197efc1697928cd32c2c70cd2
Bisecting: 2701 revisions left to test after this (roughly 11 steps)
[cdd92ebe29c2e36c6b76d0e404ffb6d3d191ec5b] scsi: scsi_dh_alua: always use a 2 second delay before retrying RTPG
testing commit cdd92ebe29c2e36c6b76d0e404ffb6d3d191ec5b with gcc (GCC) 8.1.0
kernel signature: cad50c0e14838341dc603d0d488501941c4b6671
run #0: crashed: WARNING in kernfs_get
run #1: crashed: WARNING: refcount bug in hci_register_dev
run #2: crashed: WARNING in kernfs_get
run #3: crashed: WARNING in kernfs_get
run #4: crashed: general protection fault in kernfs_add_one
run #5: crashed: WARNING: refcount bug in hci_register_dev
run #6: crashed: general protection fault in kernfs_add_one
run #7: crashed: WARNING in rfkill_unregister
run #8: crashed: WARNING in kernfs_get
run #9: crashed: WARNING: refcount bug in hci_register_dev
# git bisect good cdd92ebe29c2e36c6b76d0e404ffb6d3d191ec5b
Bisecting: 1350 revisions left to test after this (roughly 10 steps)
[6cd5be9832eb2e556bf3023113e4a5d5fc58891f] btrfs: block-group: Fix a memory leak due to missing btrfs_put_block_group()
testing commit 6cd5be9832eb2e556bf3023113e4a5d5fc58891f with gcc (GCC) 8.1.0
kernel signature: 09d74b41750e7a4b546670896e3bf1211726afcf
all runs: OK
# git bisect bad 6cd5be9832eb2e556bf3023113e4a5d5fc58891f
Bisecting: 675 revisions left to test after this (roughly 9 steps)
[6bc421d5a04a0e830912a1f8f2c5c42e06405fd1] net: seeq: Fix the function used to release some memory in an error handling path
testing commit 6bc421d5a04a0e830912a1f8f2c5c42e06405fd1 with gcc (GCC) 8.1.0
kernel signature: bf73a8a3de3e03adb1170ab4b14990a3bb473fc8
all runs: OK
# git bisect bad 6bc421d5a04a0e830912a1f8f2c5c42e06405fd1
Bisecting: 337 revisions left to test after this (roughly 8 steps)
[2c3dd20f852ab092e7be9e063f6d5298a6567e4a] cxgb4: fix a memory leak bug
testing commit 2c3dd20f852ab092e7be9e063f6d5298a6567e4a with gcc (GCC) 8.1.0
kernel signature: 32109777527ba146d6abe99edee9e9bf1d9937e6
run #0: crashed: WARNING: refcount bug in hci_register_dev
run #1: crashed: WARNING in kernfs_get
run #2: crashed: WARNING in kernfs_get
run #3: crashed: WARNING in kernfs_get
run #4: crashed: WARNING in kernfs_get
run #5: crashed: WARNING in corrupted
run #6: crashed: WARNING in rfkill_unregister
run #7: crashed: general protection fault in kernfs_add_one
run #8: crashed: general protection fault in kernfs_add_one
run #9: crashed: WARNING: refcount bug in hci_register_dev
# git bisect good 2c3dd20f852ab092e7be9e063f6d5298a6567e4a
Bisecting: 168 revisions left to test after this (roughly 7 steps)
[f276beb324cc1c60dc3495dc03a927a70c1aa5c7] drm/amdgpu/{uvd,vcn}: fetch ring's read_ptr after alloc
testing commit f276beb324cc1c60dc3495dc03a927a70c1aa5c7 with gcc (GCC) 8.1.0
kernel signature: faeafb6aecc7c364687eda912808f12155a7ca64
run #0: crashed: WARNING in kernfs_get
run #1: crashed: WARNING: refcount bug in hci_register_dev
run #2: crashed: general protection fault in kernfs_add_one
run #3: crashed: WARNING in kernfs_get
run #4: crashed: general protection fault in kernfs_add_one
run #5: crashed: WARNING in kernfs_get
run #6: crashed: WARNING in kernfs_get
run #7: crashed: WARNING in kernfs_get
run #8: crashed: WARNING in kernfs_get
run #9: crashed: general protection fault in kernfs_add_one
# git bisect good f276beb324cc1c60dc3495dc03a927a70c1aa5c7
Bisecting: 84 revisions left to test after this (roughly 6 steps)
[72cd230b3231ec1ad4facf90a98f20c30e5f57cb] ubifs: Correctly use tnc_next() in search_dh_cookie()
testing commit 72cd230b3231ec1ad4facf90a98f20c30e5f57cb with gcc (GCC) 8.1.0
kernel signature: 376e0e1408b7848b2d9e9d4ccbb138f4283f2362
run #0: crashed: WARNING: refcount bug in hci_register_dev
run #1: crashed: WARNING: refcount bug in hci_register_dev
run #2: crashed: general protection fault in kernfs_add_one
run #3: crashed: WARNING in kernfs_get
run #4: crashed: WARNING: refcount bug in hci_register_dev
run #5: crashed: WARNING in kernfs_get
run #6: crashed: WARNING: refcount bug in hci_register_dev
run #7: crashed: WARNING: refcount bug in hci_register_dev
run #8: crashed: WARNING: refcount bug in hci_register_dev
run #9: crashed: WARNING: refcount bug in hci_register_dev
# git bisect good 72cd230b3231ec1ad4facf90a98f20c30e5f57cb
Bisecting: 42 revisions left to test after this (roughly 5 steps)
[c1e0937ef4d5b7babeb966848f58375705d4244c] bus: ti-sysc: Fix using configured sysc mask value
testing commit c1e0937ef4d5b7babeb966848f58375705d4244c with gcc (GCC) 8.1.0
kernel signature: fba14b5a46ade6eb2770a295c93f618f076dcb6e
all runs: OK
# git bisect bad c1e0937ef4d5b7babeb966848f58375705d4244c
Bisecting: 20 revisions left to test after this (roughly 4 steps)
[8993c673d6c418d565c47f88201e201759e00ecf] HID: wacom: generic: read HID_DG_CONTACTMAX from any feature report
testing commit 8993c673d6c418d565c47f88201e201759e00ecf with gcc (GCC) 8.1.0
kernel signature: 12d6e657d537c0c4baa251be7d8b0ccd88a61af7
all runs: OK
# git bisect bad 8993c673d6c418d565c47f88201e201759e00ecf
Bisecting: 10 revisions left to test after this (roughly 3 steps)
[a03ed2891cdbe0a975647d5dabd923c1beaba9f7] drm/mediatek: mtk_drm_drv.c: Add of_node_put() before goto
testing commit a03ed2891cdbe0a975647d5dabd923c1beaba9f7 with gcc (GCC) 8.1.0
kernel signature: 66e54f2762d58bc9393a4275d8800e12efa82592
all runs: OK
# git bisect bad a03ed2891cdbe0a975647d5dabd923c1beaba9f7
Bisecting: 4 revisions left to test after this (roughly 2 steps)
[9aff4077304ba053021872cfa00b6d5427cb42b7] crypto: talitos - fix ECB algs ivsize
testing commit 9aff4077304ba053021872cfa00b6d5427cb42b7 with gcc (GCC) 8.1.0
kernel signature: 41481a01b867bb2957124e9814ba2cd29e9faf56
all runs: OK
# git bisect bad 9aff4077304ba053021872cfa00b6d5427cb42b7
Bisecting: 2 revisions left to test after this (roughly 1 step)
[39fa02a36bb37075670c0962b1f1b8cbd296de55] crypto: talitos - check AES key size
testing commit 39fa02a36bb37075670c0962b1f1b8cbd296de55 with gcc (GCC) 8.1.0
kernel signature: 8e612e4209f3259f4d93c9bb328cea537a14ac3e
all runs: OK
# git bisect bad 39fa02a36bb37075670c0962b1f1b8cbd296de55
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[e1666bcbae0c5edb6d7a752b31a8f28c59b54546] driver core: Fix use-after-free and double free on glue directory
testing commit e1666bcbae0c5edb6d7a752b31a8f28c59b54546 with gcc (GCC) 8.1.0
kernel signature: 761aec0cb74bb2ab03df47938155c61cea36c7b1
all runs: OK
# git bisect bad e1666bcbae0c5edb6d7a752b31a8f28c59b54546
e1666bcbae0c5edb6d7a752b31a8f28c59b54546 is the first bad commit
commit e1666bcbae0c5edb6d7a752b31a8f28c59b54546
Author: Muchun Song
Date:   Sat Jul 27 11:21:22 2019 +0800

    driver core: Fix use-after-free and double free on glue directory

    commit ac43432cb1f5c2950408534987e57c2071e24d8f upstream.

    There is a race condition between removing glue directory and adding a new
    device under the glue dir.
    It can be reproduced in the following test:

    CPU1:                                         CPU2:

    device_add()
      get_device_parent()
        class_dir_create_and_add()
          kobject_add_internal()
            create_dir()    // create glue_dir

                                                  device_add()
                                                    get_device_parent()
                                                      kobject_get() // get glue_dir

    device_del()
      cleanup_glue_dir()
        kobject_del(glue_dir)

                                                    kobject_add()
                                                      kobject_add_internal()
                                                        create_dir() // in glue_dir
                                                          sysfs_create_dir_ns()
                                                            kernfs_create_dir_ns(sd)

          sysfs_remove_dir() // glue_dir->sd=NULL
          sysfs_put()        // free glue_dir->sd

                                                              // sd is freed
                                                              kernfs_new_node(sd)
                                                                kernfs_get(glue_dir)
                                                                kernfs_add_one()
                                                                kernfs_put()

    Before CPU1 removes the last child device under the glue dir, if CPU2 adds a
    new device under the glue dir, the glue_dir kobject reference count will be
    increased to 2 via kobject_get() in get_device_parent(). CPU2 has then called
    kernfs_create_dir_ns(), but not yet kernfs_new_node(). Meanwhile, CPU1 calls
    sysfs_remove_dir() and sysfs_put(). This results in glue_dir->sd being freed
    and its reference count being 0. Then CPU2's call to kernfs_get(glue_dir)
    will trigger a warning in kernfs_get() and increase its reference count to 1.
    Because glue_dir->sd has been freed by CPU1, the next call to kernfs_add_one()
    by CPU2 will fail (this is also a use-after-free) and call kernfs_put() to
    decrease the reference count. Because the reference count is decremented to
    0, it will also call kmem_cache_free() to free glue_dir->sd again. This will
    result in a double free.

    In order to avoid this happening, we should also make sure that the
    kernfs_node for glue_dir is released in CPU1 only when the refcount for the
    glue_dir kobj is 1, to fix this race.

    The following calltrace is captured in kernel 4.14 with the following patch
    applied:

    commit 726e41097920 ("drivers: core: Remove glue dirs from sysfs earlier")

    --------------------------------------------------------------------------
    [ 3.633703] WARNING: CPU: 4 PID: 513 at .../fs/kernfs/dir.c:494
                Here is WARN_ON(!atomic_read(&kn->count)) in kernfs_get().
    ....
    [ 3.633986] Call trace:
    [ 3.633991]  kernfs_create_dir_ns+0xa8/0xb0
    [ 3.633994]  sysfs_create_dir_ns+0x54/0xe8
    [ 3.634001]  kobject_add_internal+0x22c/0x3f0
    [ 3.634005]  kobject_add+0xe4/0x118
    [ 3.634011]  device_add+0x200/0x870
    [ 3.634017]  _request_firmware+0x958/0xc38
    [ 3.634020]  request_firmware_into_buf+0x4c/0x70
    ....
    [ 3.634064] kernel BUG at .../mm/slub.c:294!
                Here is BUG_ON(object == fp) in set_freepointer().
    ....
    [ 3.634346] Call trace:
    [ 3.634351]  kmem_cache_free+0x504/0x6b8
    [ 3.634355]  kernfs_put+0x14c/0x1d8
    [ 3.634359]  kernfs_create_dir_ns+0x88/0xb0
    [ 3.634362]  sysfs_create_dir_ns+0x54/0xe8
    [ 3.634366]  kobject_add_internal+0x22c/0x3f0
    [ 3.634370]  kobject_add+0xe4/0x118
    [ 3.634374]  device_add+0x200/0x870
    [ 3.634378]  _request_firmware+0x958/0xc38
    [ 3.634381]  request_firmware_into_buf+0x4c/0x70
    --------------------------------------------------------------------------

    Fixes: 726e41097920 ("drivers: core: Remove glue dirs from sysfs earlier")
    Signed-off-by: Muchun Song
    Reviewed-by: Mukesh Ojha
    Signed-off-by: Prateek Sood
    Link: https://lore.kernel.org/r/20190727032122.24639-1-smuchun@gmail.com
    Signed-off-by: Greg Kroah-Hartman

 drivers/base/core.c | 53 ++++++++++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 52 insertions(+), 1 deletion(-)
kernel signature: 761aec0cb74bb2ab03df47938155c61cea36c7b1
previous signature: 376e0e1408b7848b2d9e9d4ccbb138f4283f2362
revisions tested: 14, total time: 4h3m25.355191117s (build: 1h58m18.472544804s, test: 2h0m38.147978314s)
first good commit: e1666bcbae0c5edb6d7a752b31a8f28c59b54546 driver core: Fix use-after-free and double free on glue directory
cc: ["gregkh@linuxfoundation.org" "mojha@codeaurora.org" "prsood@codeaurora.org" "smuchun@gmail.com"]
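The interleaving the commit message describes, replayed as an added userspace model. This is not kernel code and not part of the syzbot log or the commit: struct kn stands in for the glue directory's kernfs_node, struct kobj for the glue_dir kobject, and the CPU1/CPU2 steps are scripted in the order given above rather than raced. The pre-fix cleanup_glue_dir() removes the directory as soon as it has no children; the fixed variant mirrors the upstream change by only doing so when the caller's reference is the last one on the kobject. Function and field names are the model's own assumptions.

```c
/* Added illustration, not kernel code: a userspace model of the glue_dir race
 * from the commit message above. "kobj" stands in for the glue_dir kobject and
 * "kn" for its kernfs_node; the CPU1/CPU2 interleaving is scripted in the order
 * the commit message gives, not raced. All names here are the model's own. */
#include <stdbool.h>
#include <stdio.h>

struct kn   { int count; bool freed; };               /* kernfs_node: refcount + free marker */
struct kobj { int kref; int children; struct kn *sd; };

struct trace {
	bool kernfs_get_warn;  /* WARN_ON(!atomic_read(&kn->count)) in kernfs_get() */
	bool use_after_free;   /* a freed node was touched again */
	bool double_free;      /* the same node freed twice (the slub BUG) */
	bool glue_dir_deleted; /* CPU1 dropped the glue dir's kernfs_node */
	bool child_dir_added;  /* CPU2's directory ended up under glue_dir */
};

static void kernfs_get(struct kn *n, struct trace *t)
{
	if (n->freed)
		t->use_after_free = true;
	if (n->count == 0)
		t->kernfs_get_warn = true;
	n->count++;
}

static void kernfs_put(struct kn *n, struct trace *t)
{
	if (n->freed)
		t->use_after_free = true;
	if (--n->count == 0) {        /* kmem_cache_free() */
		if (n->freed)
			t->double_free = true;
		n->freed = true;
	}
}

/* CPU1: kobject_del(glue_dir) -> sysfs_remove_dir() sets glue_dir->sd = NULL,
 * then sysfs_put() drops the directory's own reference. */
static void kobject_del(struct kobj *k, struct trace *t)
{
	struct kn *sd = k->sd;
	k->sd = NULL;
	kernfs_put(sd, t);
	t->glue_dir_deleted = true;
}

/* CPU1: cleanup_glue_dir(). Pre-fix: remove the dir once it has no children.
 * Fixed (ac43432cb1f5): also require that this is the last kobject reference,
 * so a concurrent kobject_get() in get_device_parent() keeps the node alive. */
static void cleanup_glue_dir(struct kobj *glue_dir, bool fixed, struct trace *t)
{
	int ref = glue_dir->kref;     /* kref_read(&glue_dir->kref) */

	if (!fixed) {
		if (glue_dir->children == 0)
			kobject_del(glue_dir, t);
	} else if (glue_dir->children == 0 && !--ref) {
		kobject_del(glue_dir, t);
	}
	glue_dir->kref--;             /* kobject_put(glue_dir) */
}

/* CPU2: tail of kernfs_create_dir_ns() on the parent sd it looked up earlier. */
static void kernfs_new_dir_under(struct kn *parent, struct kn *child, struct trace *t)
{
	kernfs_get(parent, t);        /* kernfs_new_node(): child->parent = parent */
	if (parent->freed) {          /* kernfs_add_one() fails on a dead parent ... */
		kernfs_put(parent, t);/* ... and kernfs_put(child) drops the parent ref */
		return;
	}
	child->count = 1;
	t->child_dir_added = true;
}

struct trace run_glue_dir_race(bool fixed)
{
	struct trace t = {0};
	struct kn glue_sd = { .count = 1 };   /* created by CPU1's first device_add() */
	struct kn new_sd = { .count = 0 };
	struct kobj glue_dir = { .kref = 1, .children = 1, .sd = &glue_sd };

	glue_dir.kref++;                      /* CPU2: get_device_parent() -> kobject_get(glue_dir) */
	struct kn *parent = glue_dir.sd;      /* CPU2: kernfs_create_dir_ns(sd) has the parent in hand */
	glue_dir.children--;                  /* CPU1: device_del() of the last child ... */
	cleanup_glue_dir(&glue_dir, fixed, &t);        /* ... then cleanup_glue_dir() */
	kernfs_new_dir_under(parent, &new_sd, &t);     /* CPU2: kernfs_new_node(sd) and friends */
	return t;
}

int main(void)
{
	for (int fixed = 0; fixed < 2; fixed++) {
		struct trace t = run_glue_dir_race(fixed);
		printf("%s: warn=%d uaf=%d double_free=%d dir_deleted=%d child_added=%d\n",
		       fixed ? "fixed" : "buggy", t.kernfs_get_warn, t.use_after_free,
		       t.double_free, t.glue_dir_deleted, t.child_dir_added);
	}
	return 0;
}
```

The buggy run reproduces the three symptoms in the syzbot runs in order: the count-zero warning in kernfs_get(), the failed kernfs_add_one() on the freed parent, and the second free from kernfs_put(). In the fixed run the kobject reference CPU2 took in get_device_parent() keeps --ref from reaching zero, the kernfs_node survives, and CPU2's directory lands under it.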