bisecting cause commit starting from c11d28ab4a691736e30b49813fb801847bd44e83
building syzkaller on 9682898d6f14dd27f95c419d059fd867bb91b22b
testing commit c11d28ab4a691736e30b49813fb801847bd44e83 with gcc (GCC) 8.1.0
kernel signature: 7f945893e7aa7a3484d9ef3a316cfb7476a29b05876e7c6d1da89b635e83ab1f
all runs: crashed: KASAN: use-after-free Read in mousedev_cleanup
testing release v5.6
testing commit 7111951b8d4973bda27ff663f2cf18b663d15b48 with gcc (GCC) 8.1.0
kernel signature: 7654b9a82370d932b9a4ab73adb12e6d5c1a15f3e7837c38200c2aee03d260a7
all runs: OK
# git bisect start c11d28ab4a691736e30b49813fb801847bd44e83 7111951b8d4973bda27ff663f2cf18b663d15b48
Bisecting: 13326 revisions left to test after this (roughly 14 steps)
[74cd3984f13381049627cfa260fd87e6fcd31add] media: imx: utils: Split find|enum_format into fourcc and mbus functions
testing commit 74cd3984f13381049627cfa260fd87e6fcd31add with gcc (GCC) 8.1.0
kernel signature: 8806deec2f3bbb21ce4708f630575fae8555f3e595d3dcf84c95a7047e59e312
all runs: OK
# git bisect good 74cd3984f13381049627cfa260fd87e6fcd31add
Bisecting: 6630 revisions left to test after this (roughly 13 steps)
[8bf9e28a25c6bbff58513b8175620e096368ede4] Merge remote-tracking branch 'net-next/master'
testing commit 8bf9e28a25c6bbff58513b8175620e096368ede4 with gcc (GCC) 8.1.0
kernel signature: 8f071d088b9d03ec37f84453f06178d2d96eb11c3c490b7d5f1c02334f96f522
all runs: crashed: KASAN: use-after-free Read in mousedev_cleanup
# git bisect bad 8bf9e28a25c6bbff58513b8175620e096368ede4
Bisecting: 3347 revisions left to test after this (roughly 12 steps)
[e0b0f9fd6d0a1f228f3c09958e25def4865454db] Merge remote-tracking branch 'sh/sh-next'
testing commit e0b0f9fd6d0a1f228f3c09958e25def4865454db with gcc (GCC) 8.1.0
kernel signature: d7918220303f043762e355a0da5daeb49eb880bba1cc00f15d8a5122a083262f
all runs: crashed: KASAN: use-after-free Read in mousedev_cleanup
# git bisect bad e0b0f9fd6d0a1f228f3c09958e25def4865454db
Bisecting: 1671 revisions left to test after this (roughly 11 steps)
[7e71515c910d8a1ce0a780982f41f921616a97d6] Merge remote-tracking branch 'drm-fixes/drm-fixes'
testing commit 7e71515c910d8a1ce0a780982f41f921616a97d6 with gcc (GCC) 8.1.0
kernel signature: 5943b6a2cd565fd50e06eabbf96be647dc9d7bc5a57d3d7711bdbd3306d0adef
all runs: crashed: KASAN: use-after-free Read in mousedev_cleanup
# git bisect bad 7e71515c910d8a1ce0a780982f41f921616a97d6
Bisecting: 837 revisions left to test after this (roughly 10 steps)
[17e34526f0a8f81a214d1ee6f7d8ad2a9c9bae33] mm/vmscan: remove unnecessary argument description of isolate_lru_pages()
testing commit 17e34526f0a8f81a214d1ee6f7d8ad2a9c9bae33 with gcc (GCC) 8.1.0
kernel signature: 9a3b8628fcababf62246a29567f581f5b867ce4015d251a02472ec4c026c7317
all runs: OK
# git bisect good 17e34526f0a8f81a214d1ee6f7d8ad2a9c9bae33
Bisecting: 419 revisions left to test after this (roughly 9 steps)
[d69100b8eee27c2d60ee52df76e0b80a8d492d34] net: nlmsg_cancel() if put fails for nhmsg
testing commit d69100b8eee27c2d60ee52df76e0b80a8d492d34 with gcc (GCC) 8.1.0
kernel signature: ff5fb8e670fd1cb2937f55434d6588116ccbb5049d772b54a05d603c57daa050
all runs: OK
# git bisect good d69100b8eee27c2d60ee52df76e0b80a8d492d34
Bisecting: 213 revisions left to test after this (roughly 8 steps)
[03fb3acae4be8a6b680ffedb220a8b6c07260b40] Merge branch 'i2c/for-current-fixed' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux
testing commit 03fb3acae4be8a6b680ffedb220a8b6c07260b40 with gcc (GCC) 8.1.0
kernel signature: bb9ca33fb464979f667f968fc27302848ba9bd4e7fbad00255686620b98335b5
all runs: OK
# git bisect good 03fb3acae4be8a6b680ffedb220a8b6c07260b40
Bisecting: 105 revisions left to test after this (roughly 7 steps)
[4aada7791fa2bd3e927502bc67ba604b95bb21bf] Merge remote-tracking branch 'sound-current/for-linus'
testing commit 4aada7791fa2bd3e927502bc67ba604b95bb21bf with gcc (GCC) 8.1.0
kernel signature: 4701d0279d2b3d085f58a95c3a3756e19ad72ea380155267b948d6f90f5bad04
all runs: OK
# git bisect good 4aada7791fa2bd3e927502bc67ba604b95bb21bf
Bisecting: 53 revisions left to test after this (roughly 6 steps)
[078c7b0d185f6c1065afa4e4ac3389beece7d503] Merge remote-tracking branch 'tty.current/tty-linus'
testing commit 078c7b0d185f6c1065afa4e4ac3389beece7d503 with gcc (GCC) 8.1.0
kernel signature: c19fdb26551c8f7ad93ec984c1fce1c67e502b0c5b84569b8985b0cb6b6fa2f3
all runs: crashed: KASAN: use-after-free Read in mousedev_cleanup
# git bisect bad 078c7b0d185f6c1065afa4e4ac3389beece7d503
Bisecting: 25 revisions left to test after this (roughly 5 steps)
[e881587896db7a10902579c44350a01f7557a6d8] Merge remote-tracking branch 'asoc/for-5.7' into asoc-linus
testing commit e881587896db7a10902579c44350a01f7557a6d8 with gcc (GCC) 8.1.0
kernel signature: ab080f13fa1e58714b31d1b600079ed7883faa36934834203e09e4644da32fd2
all runs: OK
# git bisect good e881587896db7a10902579c44350a01f7557a6d8
Bisecting: 13 revisions left to test after this (roughly 4 steps)
[83c813e237b8edf0fe8184ccdf3dc9622202084c] Merge remote-tracking branch 'spi/for-5.7' into spi-linus
testing commit 83c813e237b8edf0fe8184ccdf3dc9622202084c with gcc (GCC) 8.1.0
kernel signature: e411cc258a65fda40a78f4c323ed4237c2d9925943c3baa6b7214b32ba1f5aa0
all runs: OK
# git bisect good 83c813e237b8edf0fe8184ccdf3dc9622202084c
Bisecting: 6 revisions left to test after this (roughly 3 steps)
[66ac4422fa22def9ce0886d3a032c5c288799c87] Merge remote-tracking branch 'regulator-fixes/for-linus'
testing commit 66ac4422fa22def9ce0886d3a032c5c288799c87 with gcc (GCC) 8.1.0
kernel signature: 04ab1d3add8257b58ad9ffde74e893ea3648517ebdfe20f44204a8cbbd6a1e3d
all runs: OK
# git bisect good 66ac4422fa22def9ce0886d3a032c5c288799c87
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[4ef12f7198023c09ad6d25b652bd8748c965c7fa] kobject: Make sure the parent does not get released before its children
testing commit 4ef12f7198023c09ad6d25b652bd8748c965c7fa with gcc (GCC) 8.1.0
kernel signature: 6556247c1a7de26ed5cd66de9c5cadcfa789e9aca4dbc51121922c366bb3e137
all runs: crashed: KASAN: use-after-free Read in mousedev_cleanup
# git bisect bad 4ef12f7198023c09ad6d25b652bd8748c965c7fa
Bisecting: 0 revisions left to test after this (roughly 1 step)
[44e960490ddf868fc9135151c4a658936e771dc2] driver core: Fix handling of SYNC_STATE_ONLY + STATELESS device links
testing commit 44e960490ddf868fc9135151c4a658936e771dc2 with gcc (GCC) 8.1.0
kernel signature: dd866e57f5315e6e8daa836475629cb23cb5ca62b14eec902ad719439af1055a
all runs: OK
# git bisect good 44e960490ddf868fc9135151c4a658936e771dc2
4ef12f7198023c09ad6d25b652bd8748c965c7fa is the first bad commit
commit 4ef12f7198023c09ad6d25b652bd8748c965c7fa
Author: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Date:   Wed May 13 18:18:40 2020 +0300

    kobject: Make sure the parent does not get released before its children
    
    In the function kobject_cleanup(), kobject_del(kobj) is
    called before the kobj->release(). That makes it possible to
    release the parent of the kobject before the kobject itself.
    
    To fix that, add a function __kobject_del() that does
    everything that kobject_del() does except release the parent
    reference. kobject_cleanup() then calls __kobject_del()
    instead of kobject_del(), and separately decrements the
    reference count of the parent kobject after kobj->release()
    has been called.
    
    Reported-by: Naresh Kamboju <naresh.kamboju@linaro.org>
    Reported-by: kernel test robot <rong.a.chen@intel.com>
    Fixes: 7589238a8cf3 ("Revert "software node: Simplify software_node_release() function"")
    Suggested-by: "Rafael J. Wysocki" <rafael@kernel.org>
    Signed-off-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
    Reviewed-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
    Reviewed-by: Brendan Higgins <brendanhiggins@google.com>
    Tested-by: Brendan Higgins <brendanhiggins@google.com>
    Acked-by: Randy Dunlap <rdunlap@infradead.org>
    Link: https://lore.kernel.org/r/20200513151840.36400-1-heikki.krogerus@linux.intel.com
    Cc: stable <stable@vger.kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 lib/kobject.c | 30 ++++++++++++++++++++----------
 1 file changed, 20 insertions(+), 10 deletions(-)
culprit signature: 6556247c1a7de26ed5cd66de9c5cadcfa789e9aca4dbc51121922c366bb3e137
parent  signature: dd866e57f5315e6e8daa836475629cb23cb5ca62b14eec902ad719439af1055a
revisions tested: 16, total time: 3h35m11.711359123s (build: 1h33m12.070661138s, test: 2h0m52.758026733s)
first bad commit: 4ef12f7198023c09ad6d25b652bd8748c965c7fa kobject: Make sure the parent does not get released before its children
cc: ["brendanhiggins@google.com" "gregkh@linuxfoundation.org" "heikki.krogerus@linux.intel.com" "rafael.j.wysocki@intel.com" "rdunlap@infradead.org"]
crash: KASAN: use-after-free Read in mousedev_cleanup
kye 0003:0458:5013.0001: input,hiddev96,hidraw0: USB HID v0.00 Device [HID 0458:5013] on usb-dummy_hcd.5-1/input0
usb 6-1: USB disconnect, device number 2
==================================================================
BUG: KASAN: use-after-free in __mutex_lock_common kernel/locking/mutex.c:938 [inline]
BUG: KASAN: use-after-free in __mutex_lock+0x105d/0x13e0 kernel/locking/mutex.c:1103
Read of size 8 at addr ffff88809e821150 by task kworker/0:2/2693

CPU: 0 PID: 2693 Comm: kworker/0:2 Not tainted 5.7.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: usb_hub_wq hub_event
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x128/0x182 lib/dump_stack.c:118
 print_address_description.constprop.8.cold.10+0x9/0x317 mm/kasan/report.c:382
 __kasan_report.cold.11+0x35/0x4d mm/kasan/report.c:511
 kasan_report+0x32/0x50 mm/kasan/common.c:625
 __mutex_lock_common kernel/locking/mutex.c:938 [inline]
 __mutex_lock+0x105d/0x13e0 kernel/locking/mutex.c:1103
 mousedev_mark_dead drivers/input/mousedev.c:791 [inline]
 mousedev_cleanup+0x1c/0x160 drivers/input/mousedev.c:816
 mousedev_destroy+0x23/0x90 drivers/input/mousedev.c:928
 __input_unregister_device+0x199/0x3f0 drivers/input/input.c:2091
 input_unregister_device+0x7f/0xb0 drivers/input/input.c:2273
 hidinput_disconnect+0x13f/0x3b0 drivers/hid/hid-input.c:1968
 hid_disconnect+0xda/0x150 drivers/hid/hid-core.c:2008
 hid_hw_stop drivers/hid/hid-core.c:2055 [inline]
 hid_device_remove+0x135/0x1f0 drivers/hid/hid-core.c:2298
 __device_release_driver drivers/base/dd.c:1110 [inline]
 device_release_driver_internal+0x1d2/0x470 drivers/base/dd.c:1141
 bus_remove_device+0x293/0x460 drivers/base/bus.c:533
 device_del+0x421/0xc00 drivers/base/core.c:2734
 hid_remove_device drivers/hid/hid-core.c:2467 [inline]
 hid_destroy_device+0xba/0x120 drivers/hid/hid-core.c:2486
 usbhid_disconnect+0x8e/0xc0 drivers/hid/usbhid/hid-core.c:1434
 usb_unbind_interface+0x15c/0x870 drivers/usb/core/driver.c:436
 __device_release_driver drivers/base/dd.c:1110 [inline]
 device_release_driver_internal+0x1d2/0x470 drivers/base/dd.c:1141
 bus_remove_device+0x293/0x460 drivers/base/bus.c:533
 device_del+0x421/0xc00 drivers/base/core.c:2734
 usb_disable_device+0x1ae/0x580 drivers/usb/core/message.c:1245
 usb_disconnect+0x227/0x850 drivers/usb/core/hub.c:2216
 hub_port_connect drivers/usb/core/hub.c:5058 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5347 [inline]
 port_event drivers/usb/core/hub.c:5493 [inline]
 hub_event+0x1048/0x2d60 drivers/usb/core/hub.c:5575
 process_one_work+0x908/0x15d0 kernel/workqueue.c:2268
 process_scheduled_works kernel/workqueue.c:2330 [inline]
 worker_thread+0x5aa/0xb50 kernel/workqueue.c:2416
 kthread+0x340/0x410 kernel/kthread.c:268
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:351

Allocated by task 2693:
 save_stack+0x19/0x40 mm/kasan/common.c:49
 set_track mm/kasan/common.c:57 [inline]
 __kasan_kmalloc.constprop.17+0xc1/0xd0 mm/kasan/common.c:495
 kmem_cache_alloc_trace+0x156/0x780 mm/slab.c:3551
 kmalloc include/linux/slab.h:555 [inline]
 kzalloc include/linux/slab.h:669 [inline]
 mousedev_create+0x72/0x9e0 drivers/input/mousedev.c:856
 mousedev_connect+0x16/0x1e0 drivers/input/mousedev.c:981
 input_attach_handler+0xfc/0x170 drivers/input/input.c:1031
 input_register_device.cold.21+0xb4/0x1ea drivers/input/input.c:2229
 hidinput_connect+0x4498/0xd620 drivers/hid/hid-input.c:1935
 hid_connect+0x66c/0x950 drivers/hid/hid-core.c:1931
 hid_hw_start+0x75/0x100 drivers/hid/hid-core.c:2035
 kye_probe+0x2a/0x569 drivers/hid/hid-kye.c:713
 hid_device_probe+0x260/0x350 drivers/hid/hid-core.c:2263
 really_probe+0x1f9/0x5e0 drivers/base/dd.c:520
 driver_probe_device+0xc9/0x1b0 drivers/base/dd.c:697
 bus_for_each_drv+0x117/0x1a0 drivers/base/bus.c:431
 __device_attach+0x1be/0x2c0 drivers/base/dd.c:870
 bus_probe_device+0x19e/0x250 drivers/base/bus.c:491
 device_add+0x1089/0x1a00 drivers/base/core.c:2557
 hid_add_device+0x2da/0x8b0 drivers/hid/hid-core.c:2419
 usbhid_probe+0x9da/0xe70 drivers/hid/usbhid/hid-core.c:1407
 usb_probe_interface+0x268/0x6c0 drivers/usb/core/driver.c:374
 really_probe+0x1f9/0x5e0 drivers/base/dd.c:520
 driver_probe_device+0xc9/0x1b0 drivers/base/dd.c:697
 bus_for_each_drv+0x117/0x1a0 drivers/base/bus.c:431
 __device_attach+0x1be/0x2c0 drivers/base/dd.c:870
 bus_probe_device+0x19e/0x250 drivers/base/bus.c:491
 device_add+0x1089/0x1a00 drivers/base/core.c:2557
 usb_set_configuration+0xcc8/0x1640 drivers/usb/core/message.c:2032
 usb_generic_driver_probe+0x61/0x90 drivers/usb/core/generic.c:241
 usb_probe_device+0x91/0x160 drivers/usb/core/driver.c:272
 really_probe+0x1f9/0x5e0 drivers/base/dd.c:520
 driver_probe_device+0xc9/0x1b0 drivers/base/dd.c:697
 bus_for_each_drv+0x117/0x1a0 drivers/base/bus.c:431
 __device_attach+0x1be/0x2c0 drivers/base/dd.c:870
 bus_probe_device+0x19e/0x250 drivers/base/bus.c:491
 device_add+0x1089/0x1a00 drivers/base/core.c:2557
 usb_new_device.cold.66+0x679/0xe85 drivers/usb/core/hub.c:2553
 hub_port_connect drivers/usb/core/hub.c:5207 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5347 [inline]
 port_event drivers/usb/core/hub.c:5493 [inline]
 hub_event+0x15fe/0x2d60 drivers/usb/core/hub.c:5575
 process_one_work+0x908/0x15d0 kernel/workqueue.c:2268
 worker_thread+0x82/0xb50 kernel/workqueue.c:2414
 kthread+0x340/0x410 kernel/kthread.c:268
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:351

Freed by task 2693:
 save_stack+0x19/0x40 mm/kasan/common.c:49
 set_track mm/kasan/common.c:57 [inline]
 kasan_set_free_info mm/kasan/common.c:317 [inline]
 __kasan_slab_free+0xf7/0x140 mm/kasan/common.c:456
 __cache_free mm/slab.c:3426 [inline]
 kfree+0x107/0x2b0 mm/slab.c:3757
 device_release+0x65/0x1c0 drivers/base/core.c:1394
 kobject_cleanup lib/kobject.c:701 [inline]
 kobject_release lib/kobject.c:732 [inline]
 kref_put include/linux/kref.h:65 [inline]
 kobject_put+0x12e/0x230 lib/kobject.c:749
 mousedev_destroy+0x1b/0x90 drivers/input/mousedev.c:927
 __input_unregister_device+0x199/0x3f0 drivers/input/input.c:2091
 input_unregister_device+0x7f/0xb0 drivers/input/input.c:2273
 hidinput_disconnect+0x13f/0x3b0 drivers/hid/hid-input.c:1968
 hid_disconnect+0xda/0x150 drivers/hid/hid-core.c:2008
 hid_hw_stop drivers/hid/hid-core.c:2055 [inline]
 hid_device_remove+0x135/0x1f0 drivers/hid/hid-core.c:2298
 __device_release_driver drivers/base/dd.c:1110 [inline]
 device_release_driver_internal+0x1d2/0x470 drivers/base/dd.c:1141
 bus_remove_device+0x293/0x460 drivers/base/bus.c:533
 device_del+0x421/0xc00 drivers/base/core.c:2734
 hid_remove_device drivers/hid/hid-core.c:2467 [inline]
 hid_destroy_device+0xba/0x120 drivers/hid/hid-core.c:2486
 usbhid_disconnect+0x8e/0xc0 drivers/hid/usbhid/hid-core.c:1434
 usb_unbind_interface+0x15c/0x870 drivers/usb/core/driver.c:436
 __device_release_driver drivers/base/dd.c:1110 [inline]
 device_release_driver_internal+0x1d2/0x470 drivers/base/dd.c:1141
 bus_remove_device+0x293/0x460 drivers/base/bus.c:533
 device_del+0x421/0xc00 drivers/base/core.c:2734
 usb_disable_device+0x1ae/0x580 drivers/usb/core/message.c:1245
 usb_disconnect+0x227/0x850 drivers/usb/core/hub.c:2216
 hub_port_connect drivers/usb/core/hub.c:5058 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5347 [inline]
 port_event drivers/usb/core/hub.c:5493 [inline]
 hub_event+0x1048/0x2d60 drivers/usb/core/hub.c:5575
 process_one_work+0x908/0x15d0 kernel/workqueue.c:2268
 process_scheduled_works kernel/workqueue.c:2330 [inline]
 worker_thread+0x5aa/0xb50 kernel/workqueue.c:2416
 kthread+0x340/0x410 kernel/kthread.c:268
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:351

The buggy address belongs to the object at ffff88809e821000
 which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 336 bytes inside of
 2048-byte region [ffff88809e821000, ffff88809e821800)
The buggy address belongs to the page:
page:ffffea00027a0840 refcount:1 mapcount:0 mapping:00000000996c10aa index:0x0
flags: 0xfffe0000000200(slab)
raw: 00fffe0000000200 ffffea000258a4c8 ffffea00027bb708 ffff8880aa400e00
raw: 0000000000000000 ffff88809e821000 0000000100000001 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88809e821000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88809e821080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88809e821100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                 ^
 ffff88809e821180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88809e821200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================