bisecting cause commit starting from 771acc7e4a6e5dba779cb1a7fd851a164bc81033 building syzkaller on e955ac5009431b0201f2e3cf548472bb8acea696 testing commit 771acc7e4a6e5dba779cb1a7fd851a164bc81033 with gcc (GCC) 8.1.0 run #0: crashed: WARNING: refcount bug in kobject_get run #1: crashed: WARNING: refcount bug in kobject_get run #2: crashed: WARNING: refcount bug in kobject_get run #3: crashed: WARNING: refcount bug in kobject_put run #4: crashed: general protection fault in kernfs_add_one run #5: crashed: WARNING: refcount bug in kobject_get run #6: crashed: WARNING in kernfs_get run #7: crashed: WARNING: refcount bug in kobject_get run #8: crashed: general protection fault in idr_remove run #9: crashed: WARNING: refcount bug in kobject_get testing release v5.0 testing commit 1c163f4c7b3f621efff9b28a47abb36f7378d783 with gcc (GCC) 8.1.0 run #0: crashed: general protection fault in kernfs_add_one run #1: crashed: WARNING: refcount bug in kobject_get run #2: crashed: WARNING in kernfs_get run #3: crashed: WARNING in kernfs_get run #4: crashed: WARNING in kernfs_get run #5: crashed: general protection fault in kernfs_add_one run #6: crashed: general protection fault in kernfs_add_one run #7: crashed: WARNING in kernfs_get run #8: crashed: WARNING in sysfs_remove_group run #9: crashed: WARNING in kernfs_get testing release v4.20 testing commit 8fe28cb58bcb235034b64cbbb7550a8a43fd88be with gcc (GCC) 8.1.0 run #0: crashed: WARNING: refcount bug in kobject_get run #1: crashed: WARNING: refcount bug in kobject_get run #2: crashed: general protection fault in kernfs_add_one run #3: crashed: WARNING in sysfs_remove_group run #4: crashed: WARNING in kernfs_get run #5: crashed: WARNING: refcount bug in kobject_get run #6: crashed: WARNING in kernfs_get run #7: crashed: general protection fault in kernfs_add_one run #8: crashed: WARNING: refcount bug in kobject_get run #9: crashed: WARNING in kernfs_get testing release v4.19 testing commit 84df9525b0c27f3ebc2ebb1864fa62a97fdedb7d with gcc (GCC) 8.1.0 run #0: crashed: WARNING in kernfs_get run #1: crashed: WARNING in kernfs_get run #2: crashed: WARNING in kernfs_get run #3: crashed: WARNING in kernfs_get run #4: crashed: WARNING in kernfs_get run #5: crashed: WARNING: refcount bug in kobject_get run #6: crashed: WARNING in kernfs_get run #7: crashed: WARNING: refcount bug in kobject_get run #8: crashed: WARNING: refcount bug in kobject_get run #9: crashed: WARNING in kernfs_get testing release v4.18 testing commit 94710cac0ef4ee177a63b5227664b38c95bbf703 with gcc (GCC) 8.1.0 all runs: OK # git bisect start v4.19 v4.18 Bisecting: 7596 revisions left to test after this (roughly 13 steps) [db06f826ec12bf0701ea7fc0a3c0aa00b84417c8] Merge tag 'clk-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux testing commit db06f826ec12bf0701ea7fc0a3c0aa00b84417c8 with gcc (GCC) 8.1.0 all runs: OK # git bisect good db06f826ec12bf0701ea7fc0a3c0aa00b84417c8 Bisecting: 3768 revisions left to test after this (roughly 12 steps) [cd9b44f90763c3367e8dd0601849ffb028e8ba52] Merge branch 'akpm' (patches from Andrew) testing commit cd9b44f90763c3367e8dd0601849ffb028e8ba52 with gcc (GCC) 8.1.0 run #0: crashed: WARNING: refcount bug in kobject_get run #1: crashed: WARNING in kernfs_get run #2: crashed: general protection fault in kernfs_add_one run #3: crashed: WARNING in kernfs_get run #4: crashed: WARNING in kernfs_get run #5: crashed: WARNING in kernfs_get run #6: crashed: WARNING: refcount bug in kobject_get run #7: crashed: WARNING: refcount bug in kobject_get run #8: crashed: WARNING in kernfs_get run #9: crashed: WARNING: refcount bug in kobject_get # git bisect bad cd9b44f90763c3367e8dd0601849ffb028e8ba52 Bisecting: 2297 revisions left to test after this (roughly 11 steps) [336722eb9d9732c5a497fb6299bf38cde413592b] Merge tag 'tty-4.19-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty testing commit 336722eb9d9732c5a497fb6299bf38cde413592b with gcc (GCC) 8.1.0 all runs: OK # git bisect good 336722eb9d9732c5a497fb6299bf38cde413592b Bisecting: 1122 revisions left to test after this (roughly 10 steps) [d5acba26bfa097a618be425522b1ec4269d3edaf] Merge tag 'char-misc-4.19-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc testing commit d5acba26bfa097a618be425522b1ec4269d3edaf with gcc (GCC) 8.1.0 all runs: OK # git bisect good d5acba26bfa097a618be425522b1ec4269d3edaf Bisecting: 547 revisions left to test after this (roughly 9 steps) [bfebeb16722d93caf7870b63aa7d094b6843479a] Merge tag 'rtc-4.19' of git://git.kernel.org/pub/scm/linux/kernel/git/abelloni/linux testing commit bfebeb16722d93caf7870b63aa7d094b6843479a with gcc (GCC) 8.1.0 run #0: crashed: WARNING: refcount bug in kobject_get run #1: crashed: WARNING in kernfs_get run #2: crashed: WARNING in kernfs_get run #3: crashed: WARNING: refcount bug in kobject_get run #4: crashed: general protection fault in kernfs_add_one run #5: crashed: WARNING in sysfs_remove_group run #6: crashed: WARNING in kernfs_get run #7: crashed: WARNING in kernfs_get run #8: crashed: WARNING: refcount bug in kobject_get run #9: crashed: WARNING: refcount bug in kobject_put # git bisect bad bfebeb16722d93caf7870b63aa7d094b6843479a Bisecting: 300 revisions left to test after this (roughly 8 steps) [1009aa1205c2c5e9101437dcadfa195708d863bf] Merge tag 'riscv-for-linus-4.19-mw0' of git://git.kernel.org/pub/scm/linux/kernel/git/palmer/riscv-linux testing commit 1009aa1205c2c5e9101437dcadfa195708d863bf with gcc (GCC) 8.1.0 run #0: crashed: WARNING in kernfs_get run #1: crashed: WARNING in kernfs_get run #2: crashed: general protection fault in kernfs_add_one run #3: crashed: general protection fault in kernfs_add_one run #4: crashed: general protection fault in kernfs_add_one run #5: crashed: WARNING in kernfs_get run #6: crashed: WARNING in kernfs_get run #7: crashed: WARNING in kernfs_get run #8: crashed: WARNING in kernfs_get run #9: crashed: general protection fault in kernfs_add_one # git bisect bad 1009aa1205c2c5e9101437dcadfa195708d863bf Bisecting: 130 revisions left to test after this (roughly 7 steps) [13bf2cf9e2d1e0e56088ec6342c2726704100647] Merge tag 'dmaengine-4.19-rc1' of git://git.infradead.org/users/vkoul/slave-dma testing commit 13bf2cf9e2d1e0e56088ec6342c2726704100647 with gcc (GCC) 8.1.0 run #0: crashed: WARNING in kernfs_get run #1: crashed: general protection fault in kernfs_add_one run #2: crashed: WARNING in kernfs_get run #3: crashed: WARNING in kernfs_get run #4: crashed: WARNING in kernfs_get run #5: crashed: WARNING in kernfs_get run #6: crashed: WARNING in kernfs_get run #7: crashed: WARNING: refcount bug in kobject_get run #8: crashed: WARNING in kernfs_get run #9: crashed: WARNING in kernfs_get # git bisect bad 13bf2cf9e2d1e0e56088ec6342c2726704100647 Bisecting: 83 revisions left to test after this (roughly 6 steps) [7f38abf220e2c800a2c451372e9f07ed5fd0ea49] mmc: core: improve reasonableness of bus width setting for HS400es testing commit 7f38abf220e2c800a2c451372e9f07ed5fd0ea49 with gcc (GCC) 8.1.0 all runs: OK # git bisect good 7f38abf220e2c800a2c451372e9f07ed5fd0ea49 Bisecting: 43 revisions left to test after this (roughly 5 steps) [4d44248239510de89d48f22a4f52bd6f2883ad2f] Merge branch 'topic/xilinx' into for-linus testing commit 4d44248239510de89d48f22a4f52bd6f2883ad2f with gcc (GCC) 8.1.0 all runs: OK # git bisect good 4d44248239510de89d48f22a4f52bd6f2883ad2f Bisecting: 21 revisions left to test after this (roughly 5 steps) [d2fc88a61b4ea99f574bde16e92718e22f312136] Merge 4.18-rc7 into driver-core-next testing commit d2fc88a61b4ea99f574bde16e92718e22f312136 with gcc (GCC) 8.1.0 run #0: crashed: WARNING in kernfs_get run #1: crashed: WARNING in kernfs_get run #2: crashed: WARNING in kernfs_get run #3: crashed: WARNING: refcount bug in kobject_get run #4: crashed: general protection fault in kernfs_add_one run #5: crashed: WARNING: refcount bug in kobject_get run #6: crashed: WARNING in kernfs_get run #7: crashed: WARNING: refcount bug in kobject_get run #8: crashed: WARNING: refcount bug in kobject_get run #9: crashed: WARNING in kernfs_get # git bisect bad d2fc88a61b4ea99f574bde16e92718e22f312136 Bisecting: 10 revisions left to test after this (roughly 4 steps) [25b4e70dcce92168eab4d8113817bb4dd130ebd2] driver core: allow stopping deferred probe after init testing commit 25b4e70dcce92168eab4d8113817bb4dd130ebd2 with gcc (GCC) 8.1.0 all runs: OK # git bisect good 25b4e70dcce92168eab4d8113817bb4dd130ebd2 Bisecting: 5 revisions left to test after this (roughly 3 steps) [e01afc32502555beb2057ddd74401be38475d851] PM / Domains: Stop deferring probe at the end of initcall testing commit e01afc32502555beb2057ddd74401be38475d851 with gcc (GCC) 8.1.0 all runs: OK # git bisect good e01afc32502555beb2057ddd74401be38475d851 Bisecting: 2 revisions left to test after this (roughly 2 steps) [726e41097920a73e4c7c33385dcc0debb1281e18] drivers: core: Remove glue dirs from sysfs earlier testing commit 726e41097920a73e4c7c33385dcc0debb1281e18 with gcc (GCC) 8.1.0 run #0: crashed: WARNING in sysfs_remove_group run #1: crashed: WARNING: refcount bug in kobject_get run #2: crashed: WARNING: refcount bug in kobject_put run #3: crashed: WARNING in kernfs_get run #4: crashed: WARNING: refcount bug in kobject_get run #5: crashed: WARNING in kernfs_get run #6: crashed: WARNING in kernfs_get run #7: crashed: WARNING in kernfs_get run #8: crashed: WARNING in kernfs_get run #9: crashed: WARNING in kernfs_get # git bisect bad 726e41097920a73e4c7c33385dcc0debb1281e18 Bisecting: 0 revisions left to test after this (roughly 1 step) [46d3a03781ea70e25360660ac53bbb838de11c97] driver core: remove unnecessary function extern declare testing commit 46d3a03781ea70e25360660ac53bbb838de11c97 with gcc (GCC) 8.1.0 all runs: OK # git bisect good 46d3a03781ea70e25360660ac53bbb838de11c97 726e41097920a73e4c7c33385dcc0debb1281e18 is the first bad commit commit 726e41097920a73e4c7c33385dcc0debb1281e18 Author: Benjamin Herrenschmidt Date: Tue Jul 10 10:29:10 2018 +1000 drivers: core: Remove glue dirs from sysfs earlier For devices with a class, we create a "glue" directory between the parent device and the new device with the class name. This directory is never "explicitely" removed when empty however, this is left to the implicit sysfs removal done by kobject_release() when the object loses its last reference via kobject_put(). This is problematic because as long as it's not been removed from sysfs, it is still present in the class kset and in sysfs directory structure. The presence in the class kset exposes a use after free bug fixed by the previous patch, but the presence in sysfs means that until the kobject is released, which can take a while (especially with kobject debugging), any attempt at re-creating such as binding a new device for that class/parent pair, will result in a sysfs duplicate file name error. This fixes it by instead doing an explicit kobject_del() when the glue dir is empty, by keeping track of the number of child devices of the gluedir. This is made easy by the fact that all glue dir operations are done with a global mutex, and there's already a function (cleanup_glue_dir) called in all the right places taking that mutex that can be enhanced for this. It appears that this was in fact the intent of the function, but the implementation was wrong. Signed-off-by: Benjamin Herrenschmidt Acked-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman :040000 040000 4eb2ce7f81f9c00236910c8f49f5a9615f5d71dc 9823d5021b081ecd739974551162378512c51552 M drivers :040000 040000 6df90282a2e9a8c74a35e17b27dc3af152a222f2 fb90ae5b106aca876252a4d162a6bfb37492cbbc M include revisions tested: 19, total time: 4h25m32.555467641s (build: 1h45m7.701922034s, test: 2h33m45.167789883s) first bad commit: 726e41097920a73e4c7c33385dcc0debb1281e18 drivers: core: Remove glue dirs from sysfs earlier cc: ["benh@kernel.crashing.org" "gregkh@linuxfoundation.org" "linux-kernel@vger.kernel.org" "rafael@kernel.org" "torvalds@linux-foundation.org"] crash: WARNING in kernfs_get kobject_add_internal failed for hci1 (error: -2 parent: bluetooth) Bluetooth: Can't register HCI device Bluetooth: Can't register HCI device kobject_add_internal failed for hci1 (error: -2 parent: bluetooth) Bluetooth: Can't register HCI device WARNING: CPU: 1 PID: 12137 at fs/kernfs/dir.c:494 kernfs_get.part.8+0x51/0x60 fs/kernfs/dir.c:497 kobject: 'hci2' ((____ptrval____)): kobject_add_internal: parent: 'bluetooth', set: 'devices' Kernel panic - not syncing: panic_on_warn set ... CPU: 1 PID: 12137 Comm: syz-executor.1 Not tainted 4.18.0-rc2+ #1 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x109/0x15a lib/dump_stack.c:113 panic+0x1c6/0x37d kernel/panic.c:184 __warn.cold.8+0x120/0x166 kernel/panic.c:536 report_bug+0x1a4/0x200 lib/bug.c:186 fixup_bug arch/x86/kernel/traps.c:178 [inline] do_error_trap+0x200/0x350 arch/x86/kernel/traps.c:296 do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:316 invalid_op+0x14/0x20 arch/x86/entry/entry_64.S:992 RIP: 0010:kernfs_get.part.8+0x51/0x60 fs/kernfs/dir.c:494 Code: 48 89 d8 83 e0 07 83 c0 03 38 d0 7c 04 84 kobject: 'hci3' ((____ptrval____)): kobject_add_internal: parent: 'bluetooth', set: 'devices' d2 75 1d 8b 03 85 c0 74 13 be 04 00 00 00 48 89 df e8 45 cb da kobject: 'hci5' ((____ptrval____)): kobject_add_internal: parent: 'bluetooth', set: 'devices' ff f0 ff 03 5b 5d c3 <0f> 0b eb e9 48 89 df e8 c3 db da ff eb d9 kobject: 'hci5' ((____ptrval____)): kobject_uevent_env 90 48 85 ff 74 0b 55 48 RSP: 0018:ffff880096e6f910 EFLAGS: 00010246 RAX: 0000000000000000 RBX: ffff880098f38700 RCX: ffffffff81b3a322 RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffff880098f38700 RBP: ffff880096e6f918 R08: ffffed00131e70e1 R09: ffffed00131e70e0 R10: ffffed00131e70e0 R11: ffff880098f38703 R12: ffff880098f38700 R13: 0000000000000000 R14: ffff880098f38700 R15: ffff88021b2a0200 kernfs_get fs/kernfs/dir.c:493 [inline] kernfs_new_node+0x78/0xf0 fs/kernfs/dir.c:681 kobject: 'hci2' ((____ptrval____)): kobject_uevent_env kernfs_create_dir_ns+0x2b/0x120 fs/kernfs/dir.c:1000 kobject: 'hci3' ((____ptrval____)): kobject_uevent_env sysfs_create_dir_ns+0xa2/0x1b0 fs/sysfs/dir.c:54 create_dir lib/kobject.c:69 [inline] kobject_add_internal.cold.11+0xd1/0x4c2 lib/kobject.c:228 kobject_add_varg lib/kobject.c:363 [inline] kobject_add+0x10f/0x170 lib/kobject.c:407 device_add+0x33e/0x1630 drivers/base/core.c:1829 hci_register_dev+0x29b/0x750 net/bluetooth/hci_core.c:3108 __vhci_create_device+0x272/0x500 drivers/bluetooth/hci_vhci.c:139 kobject: 'hci5' ((____ptrval____)): fill_kobj_path: path = '/devices/virtual/bluetooth/hci5' vhci_create_device drivers/bluetooth/hci_vhci.c:163 [inline] vhci_get_user drivers/bluetooth/hci_vhci.c:219 [inline] vhci_write+0x28a/0x3f0 drivers/bluetooth/hci_vhci.c:299 call_write_iter include/linux/fs.h:1795 [inline] new_sync_write fs/read_write.c:474 [inline] __vfs_write+0x44e/0x880 fs/read_write.c:487 vfs_write+0x150/0x4f0 fs/read_write.c:549 ksys_write+0xcd/0x1b0 fs/read_write.c:598 __do_sys_write fs/read_write.c:610 [inline] __se_sys_write fs/read_write.c:607 [inline] __x64_sys_write+0x6e/0xb0 fs/read_write.c:607 do_syscall_64+0xd6/0x4e0 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x4582f9 Code: ad b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 kobject: 'loop5' ((____ptrval____)): kobject_uevent_env c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007fd6b8a73c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00000000004582f9 RDX: 0000000000000002 RSI: 00000000200000c0 RDI: 0000000000000003 RBP: 000000000073bf00 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00007fd6b8a746d4 R13: 00000000004c7636 R14: 00000000004dd428 R15: 00000000ffffffff Kernel Offset: disabled Rebooting in 86400 seconds..