bisecting fixing commit since 45f092f9e9cb31486db546e39bfe7cc0b3f57099
building syzkaller on 8fd428a197f1ff27bdb6d3d359745e2756133d01
testing commit 45f092f9e9cb31486db546e39bfe7cc0b3f57099 with gcc (GCC) 8.1.0
kernel signature: c6cb9bf5e535e5cf52eaa441b6329bffc6e625ab
run #0: crashed: WARNING: refcount bug in hci_register_dev
run #1: crashed: WARNING in kernfs_get
run #2: crashed: WARNING in kernfs_get
run #3: crashed: WARNING: refcount bug in hci_register_dev
run #4: crashed: WARNING in kernfs_get
run #5: crashed: general protection fault in kernfs_add_one
run #6: crashed: WARNING in kernfs_get
run #7: crashed: WARNING in kernfs_get
run #8: crashed: general protection fault in kernfs_add_one
run #9: crashed: WARNING: refcount bug in kobj_kset_leave
testing current HEAD fbc5fe7a54d02e11972e3b2a5ddb6ffc88162c8f
testing commit fbc5fe7a54d02e11972e3b2a5ddb6ffc88162c8f with gcc (GCC) 8.1.0
kernel signature: 0e771e0d0e9e3453c5d65ff4bdd43e531a9b6655
all runs: OK
# git bisect start fbc5fe7a54d02e11972e3b2a5ddb6ffc88162c8f 45f092f9e9cb31486db546e39bfe7cc0b3f57099
Bisecting: 870 revisions left to test after this (roughly 10 steps)
[290acb8c92b543a969111220c6b3c1322ac9e39d] x86/cpu: Add Atom Tremont (Jacobsville)
testing commit 290acb8c92b543a969111220c6b3c1322ac9e39d with gcc (GCC) 8.1.0
kernel signature: 75e4fae40b8152b8007c4fdc6b9754a9aa0ad7a9
all runs: OK
# git bisect bad 290acb8c92b543a969111220c6b3c1322ac9e39d
Bisecting: 435 revisions left to test after this (roughly 9 steps)
[06e87c95045cd1a26c405a387ee4ccce45c7a8db] ia64:unwind: fix double free for mod->arch.init_unw_table
testing commit 06e87c95045cd1a26c405a387ee4ccce45c7a8db with gcc (GCC) 8.1.0
kernel signature: ed89c6bc6f3e71f22ebc915ab0abe4dfab50e6e6
all runs: OK
# git bisect bad 06e87c95045cd1a26c405a387ee4ccce45c7a8db
Bisecting: 217 revisions left to test after this (roughly 8 steps)
[2481742320ddff94be4ebf93545f11952c9e5e77] IB/mlx4: Fix memory leaks
testing commit 2481742320ddff94be4ebf93545f11952c9e5e77 with gcc (GCC) 8.1.0
kernel signature: 6f101c170b45ad4d02c059f92eab9770dff644d5
run #0: crashed: WARNING in kernfs_get
run #1: crashed: WARNING in kernfs_get
run #2: crashed: WARNING in kernfs_get
run #3: crashed: general protection fault in kernfs_add_one
run #4: crashed: WARNING: refcount bug in hci_register_dev
run #5: crashed: WARNING in kernfs_get
run #6: crashed: general protection fault in kernfs_add_one
run #7: crashed: WARNING in kernfs_get
run #8: crashed: WARNING in hci_register_dev
run #9: crashed: WARNING in kernfs_get
# git bisect good 2481742320ddff94be4ebf93545f11952c9e5e77
Bisecting: 108 revisions left to test after this (roughly 7 steps)
[39204487dbc30efbc049633ccd83eb6337ee072e] NFS: Fix initialisation of I/O result struct in nfs_pgio_rpcsetup
testing commit 39204487dbc30efbc049633ccd83eb6337ee072e with gcc (GCC) 8.1.0
kernel signature: 2235079c6bb4cb0a1d72463cb0d0bf23fa5cb3bf
all runs: OK
# git bisect bad 39204487dbc30efbc049633ccd83eb6337ee072e
Bisecting: 54 revisions left to test after this (roughly 6 steps)
[72fed359692bc1fa6727d52327c4ed940cad7b1d] btrfs: correctly validate compression type
testing commit 72fed359692bc1fa6727d52327c4ed940cad7b1d with gcc (GCC) 8.1.0
kernel signature: e0e40e24d9eca7dd3666cc071eafe356eb60bc17
run #0: crashed: WARNING in kernfs_get
run #1: crashed: WARNING in kernfs_get
run #2: crashed: general protection fault in kernfs_add_one
run #3: crashed: WARNING: refcount bug in hci_register_dev
run #4: crashed: WARNING in kernfs_get
run #5: crashed: WARNING in kernfs_get
run #6: crashed: WARNING in kernfs_get
run #7: crashed: WARNING in kernfs_get
run #8: crashed: general protection fault in kernfs_add_one
run #9: crashed: WARNING in kernfs_get
# git bisect good 72fed359692bc1fa6727d52327c4ed940cad7b1d
Bisecting: 27 revisions left to test after this (roughly 5 steps)
[d83ad53cbc8a3d4fa313d3bac8dd072c2aa14b37] Revert "Bluetooth: btusb: driver to enable the usb-wakeup feature"
testing commit d83ad53cbc8a3d4fa313d3bac8dd072c2aa14b37 with gcc (GCC) 8.1.0
kernel signature: 8e5cdd825a4ce7a74e5374e920713f190547e544
all runs: OK
# git bisect bad d83ad53cbc8a3d4fa313d3bac8dd072c2aa14b37
Bisecting: 13 revisions left to test after this (roughly 4 steps)
[73cacb9bb9ed76ff1bf10688adea5dfc19849d37] drm/meson: Add support for XBGR8888 & ABGR8888 formats
testing commit 73cacb9bb9ed76ff1bf10688adea5dfc19849d37 with gcc (GCC) 8.1.0
kernel signature: 8be57e367c9aaed56b8b18ab9cbbab9a0a728e90
run #0: crashed: WARNING in kernfs_get
run #1: crashed: general protection fault in kernfs_add_one
run #2: crashed: WARNING in kernfs_get
run #3: crashed: WARNING in corrupted
run #4: crashed: WARNING in kernfs_get
run #5: crashed: WARNING: refcount bug in hci_register_dev
run #6: crashed: WARNING in kernfs_get
run #7: crashed: WARNING in kernfs_get
run #8: crashed: WARNING in kernfs_get
run #9: crashed: WARNING in kernfs_get
# git bisect good 73cacb9bb9ed76ff1bf10688adea5dfc19849d37
Bisecting: 6 revisions left to test after this (roughly 3 steps)
[de12345c4bf686d9b9552773b4c03f96e4e68750] crypto: talitos - fix CTR alg blocksize
testing commit de12345c4bf686d9b9552773b4c03f96e4e68750 with gcc (GCC) 8.1.0
kernel signature: 7295571e0d8b6d7d7452927a0b1a23a5890a3a1e
all runs: OK
# git bisect bad de12345c4bf686d9b9552773b4c03f96e4e68750
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[75183476fea19b831e5814e5144d3136f3ee09c4] PCI: Always allow probing with driver_override
testing commit 75183476fea19b831e5814e5144d3136f3ee09c4 with gcc (GCC) 8.1.0
kernel signature: 996fe2fa603b40a4e164fa0aa13597516aa512e9
run #0: crashed: WARNING in kernfs_get
run #1: crashed: WARNING in kernfs_get
run #2: crashed: WARNING in kernfs_get
run #3: crashed: WARNING in kernfs_get
run #4: crashed: general protection fault in kernfs_add_one
run #5: crashed: WARNING in kernfs_get
run #6: crashed: general protection fault in kernfs_add_one
run #7: crashed: general protection fault in kernfs_add_one
run #8: crashed: WARNING in kernfs_get
run #9: crashed: WARNING in kernfs_get
# git bisect good 75183476fea19b831e5814e5144d3136f3ee09c4
Bisecting: 1 revision left to test after this (roughly 1 step)
[5432923a6b208b253d95d95cee72d0508c803421] driver core: Fix use-after-free and double free on glue directory
testing commit 5432923a6b208b253d95d95cee72d0508c803421 with gcc (GCC) 8.1.0
kernel signature: bba438006bc88b5e2d50c56e2f3332780c08a2d7
all runs: OK
# git bisect bad 5432923a6b208b253d95d95cee72d0508c803421
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[0369bbfe7ad21c1aea7b6379542eae810c8da278] ubifs: Correctly use tnc_next() in search_dh_cookie()
testing commit 0369bbfe7ad21c1aea7b6379542eae810c8da278 with gcc (GCC) 8.1.0
kernel signature: e183d43af79ae8a5b7ed0acaf042428a3a47dc10
run #0: crashed: WARNING in kernfs_get
run #1: crashed: WARNING in kernfs_get
run #2: crashed: WARNING in kernfs_get
run #3: crashed: WARNING: refcount bug in hci_register_dev
run #4: crashed: WARNING: refcount bug in hci_register_dev
run #5: crashed: WARNING in kernfs_get
run #6: crashed: WARNING in kernfs_get
run #7: crashed: WARNING in kernfs_get
run #8: crashed: WARNING in kernfs_get
run #9: crashed: WARNING in kernfs_get
# git bisect good 0369bbfe7ad21c1aea7b6379542eae810c8da278
5432923a6b208b253d95d95cee72d0508c803421 is the first bad commit
commit 5432923a6b208b253d95d95cee72d0508c803421
Author: Muchun Song
Date:   Sat Jul 27 11:21:22 2019 +0800

    driver core: Fix use-after-free and double free on glue directory

    commit ac43432cb1f5c2950408534987e57c2071e24d8f upstream.

    There is a race condition between removing glue directory and adding a new
    device under the glue dir. It can be reproduced in following test:

    CPU1:                                         CPU2:

    device_add()
      get_device_parent()
        class_dir_create_and_add()
          kobject_add_internal()
            create_dir()    // create glue_dir
                                                  device_add()
                                                    get_device_parent()
                                                      kobject_get() // get glue_dir

    device_del()
      cleanup_glue_dir()
        kobject_del(glue_dir)
                                                    kobject_add()
                                                      kobject_add_internal()
                                                        create_dir() // in glue_dir
                                                          sysfs_create_dir_ns()
                                                            kernfs_create_dir_ns(sd)

          sysfs_remove_dir() // glue_dir->sd=NULL
          sysfs_put()        // free glue_dir->sd

                                                              // sd is freed
                                                              kernfs_new_node(sd)
                                                                kernfs_get(glue_dir)
                                                                kernfs_add_one()
                                                                kernfs_put()

    Before CPU1 removes the last child device under the glue dir, if CPU2 adds
    a new device under the glue dir, the glue_dir kobject reference count will
    be increased to 2 via kobject_get() in get_device_parent(). And CPU2 has
    called kernfs_create_dir_ns(), but not yet called kernfs_new_node().
    Meanwhile, CPU1 calls sysfs_remove_dir() and sysfs_put(). This results in
    glue_dir->sd being freed and its reference count being 0. Then CPU2's call
    to kernfs_get(glue_dir) will trigger a warning in kernfs_get() and increase
    its reference count to 1. Because glue_dir->sd is freed by CPU1, the next
    call to kernfs_add_one() by CPU2 will fail (this is also a use-after-free)
    and call kernfs_put() to decrease the reference count. Because the
    reference count is decremented to 0, it will also call kmem_cache_free()
    to free the glue_dir->sd again. This will result in a double free.

    In order to avoid this happening, we should also make sure that the
    kernfs_node for glue_dir is released in CPU1 only when the refcount for
    the glue_dir kobj is 1, to fix this race.

    The following calltrace is captured in kernel 4.14 with the following patch
    applied:

    commit 726e41097920 ("drivers: core: Remove glue dirs from sysfs earlier")

    --------------------------------------------------------------------------
    [    3.633703] WARNING: CPU: 4 PID: 513 at .../fs/kernfs/dir.c:494
                   Here is WARN_ON(!atomic_read(&kn->count)) in kernfs_get().
    ....
    [    3.633986] Call trace:
    [    3.633991]  kernfs_create_dir_ns+0xa8/0xb0
    [    3.633994]  sysfs_create_dir_ns+0x54/0xe8
    [    3.634001]  kobject_add_internal+0x22c/0x3f0
    [    3.634005]  kobject_add+0xe4/0x118
    [    3.634011]  device_add+0x200/0x870
    [    3.634017]  _request_firmware+0x958/0xc38
    [    3.634020]  request_firmware_into_buf+0x4c/0x70
    ....
    [    3.634064] kernel BUG at .../mm/slub.c:294!
                   Here is BUG_ON(object == fp) in set_freepointer().
    ....
    [    3.634346] Call trace:
    [    3.634351]  kmem_cache_free+0x504/0x6b8
    [    3.634355]  kernfs_put+0x14c/0x1d8
    [    3.634359]  kernfs_create_dir_ns+0x88/0xb0
    [    3.634362]  sysfs_create_dir_ns+0x54/0xe8
    [    3.634366]  kobject_add_internal+0x22c/0x3f0
    [    3.634370]  kobject_add+0xe4/0x118
    [    3.634374]  device_add+0x200/0x870
    [    3.634378]  _request_firmware+0x958/0xc38
    [    3.634381]  request_firmware_into_buf+0x4c/0x70
    --------------------------------------------------------------------------

    Fixes: 726e41097920 ("drivers: core: Remove glue dirs from sysfs earlier")
    Signed-off-by: Muchun Song
    Reviewed-by: Mukesh Ojha
    Signed-off-by: Prateek Sood
    Link: https://lore.kernel.org/r/20190727032122.24639-1-smuchun@gmail.com
    Signed-off-by: Greg Kroah-Hartman

 drivers/base/core.c | 53 ++++++++++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 52 insertions(+), 1 deletion(-)

kernel signature: bba438006bc88b5e2d50c56e2f3332780c08a2d7
previous signature: e183d43af79ae8a5b7ed0acaf042428a3a47dc10
revisions tested: 13, total time: 3h28m31.392894696s (build: 1h42m52.813027918s, test: 1h41m20.525175719s)
first good commit: 5432923a6b208b253d95d95cee72d0508c803421 driver core: Fix use-after-free and double free on glue directory
cc: ["gregkh@linuxfoundation.org" "mojha@codeaurora.org" "prsood@codeaurora.org" "smuchun@gmail.com"]
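The interleaving in the commit message, replayed as an added example that is neither part of the bisection log nor of the kernel patch: a small user-space C model of the glue-directory race. The structs, the sequential replay of the losing interleaving, and the `fixed` rule (release the glue directory's kernfs_node only when the glue_dir kobject refcount is 1, which is the rule the commit message states) are assumptions of this model, not the driver-core code. Nothing is really freed; a flag records the first "free" so a second one can be counted instead of corrupting the heap.

```c
#include <stdio.h>

/* Model of kernfs_node: only the refcount and a "was freed" flag matter. */
struct kernfs_node {
    int count;   /* stands in for kn->count */
    int freed;   /* 1 after the last reference dropped (our kmem_cache_free) */
};

/* Model of the glue-directory kobject: its own refcount plus its sysfs node. */
struct kobject {
    int kref;                 /* stands in for kobj->kref */
    struct kernfs_node *sd;   /* stands in for kobj->sd */
};

struct race_result {
    int kernfs_get_warnings;  /* WARN_ON(!atomic_read(&kn->count)) hits */
    int add_failures;         /* kernfs_add_one() failing on a dead parent */
    int double_frees;         /* second free of the same kernfs_node */
};

static struct race_result res;   /* counters for the current replay */

static void kernfs_get(struct kernfs_node *kn)
{
    if (kn->count == 0)           /* this is the "WARNING in kernfs_get" */
        res.kernfs_get_warnings++;
    kn->count++;
}

static void kernfs_put(struct kernfs_node *kn)
{
    if (--kn->count != 0)
        return;
    if (kn->freed)                /* freeing an already freed object */
        res.double_frees++;
    kn->freed = 1;                /* the "free" itself, recorded not performed */
}

/* CPU1: device_del() -> cleanup_glue_dir() -> kobject_del() -> sysfs_remove_dir()/sysfs_put() */
static void cpu1_cleanup_glue_dir(struct kobject *glue_dir, int fixed)
{
    /* fixed model: tear down sysfs only when we hold the last kobject ref */
    if (!fixed || glue_dir->kref == 1) {
        struct kernfs_node *sd = glue_dir->sd;
        glue_dir->sd = NULL;      /* sysfs_remove_dir(): glue_dir->sd = NULL */
        kernfs_put(sd);           /* sysfs_put(): drops the node's last ref */
    }
    glue_dir->kref--;             /* kobject_put(glue_dir) */
}

/* CPU2 resuming inside kernfs_create_dir_ns(): kernfs_new_node() -> kernfs_add_one() */
static int cpu2_kernfs_new_node(struct kernfs_node *parent)
{
    kernfs_get(parent);           /* kernfs_new_node() takes a ref on the parent */
    if (parent->freed) {          /* kernfs_add_one() cannot link into a dead parent */
        res.add_failures++;
        kernfs_put(parent);       /* error path drops the ref just taken */
        return -1;
    }
    return 0;                     /* the new child keeps the parent ref */
}

/* Replay the losing schedule from the commit message and return the counters. */
struct race_result run_race(int fixed)
{
    struct kernfs_node sd = { 1, 0 };          /* glue dir's sysfs node, one ref */
    struct kobject glue_dir = { 1, &sd };      /* held by CPU1's device */
    struct kernfs_node *parent;

    res = (struct race_result){ 0, 0, 0 };

    glue_dir.kref++;              /* CPU2: kobject_get() in get_device_parent() */
    parent = glue_dir.sd;         /* CPU2: parent sd captured by sysfs_create_dir_ns() */

    cpu1_cleanup_glue_dir(&glue_dir, fixed);   /* CPU1 removes the last child */
    cpu2_kernfs_new_node(parent);              /* CPU2 continues with a stale sd */

    return res;
}

int main(void)
{
    struct race_result r = run_race(0);
    printf("unfixed: warnings=%d add_failures=%d double_frees=%d\n",
           r.kernfs_get_warnings, r.add_failures, r.double_frees);
    r = run_race(1);
    printf("fixed:   warnings=%d add_failures=%d double_frees=%d\n",
           r.kernfs_get_warnings, r.add_failures, r.double_frees);
    return 0;
}
```

Build with `cc -Wall race_model.c`. The unfixed replay reproduces the three symptoms the bisection kept hitting in order: a kernfs_get warning on a zero refcount, a failed add into the freed parent, and the double free from the error-path kernfs_put. With the refcount rule applied, CPU1 sees kref == 2, leaves the node alone and only drops its own kobject reference, so CPU2's kernfs_get finds a live node; the node is torn down later by whoever drops the last kobject reference, which is the point of the fix.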