bisecting fixing commit since 68d7a45eec101bc1550294c0e675a490c047b2e5
building syzkaller on b0e8efcb4b0aac61f4647a76bbe54a5d38a370ba
testing commit 68d7a45eec101bc1550294c0e675a490c047b2e5 with gcc (GCC) 8.1.0
kernel signature: 0ae0e61218527d821ae8c970b9a6b4985e870312
run #0: crashed: general protection fault in kernfs_add_one
run #1: crashed: WARNING in kernfs_get
run #2: crashed: WARNING in kernfs_get
run #3: crashed: WARNING: refcount bug in hci_register_dev
run #4: crashed: WARNING in kernfs_get
run #5: crashed: WARNING in kernfs_get
run #6: crashed: WARNING in kernfs_put
run #7: crashed: WARNING: refcount bug in hci_register_dev
run #8: crashed: WARNING in kernfs_get
run #9: crashed: WARNING in kernfs_get
testing current HEAD a844dc4c544291470aa69edbe2434b040794e269
testing commit a844dc4c544291470aa69edbe2434b040794e269 with gcc (GCC) 8.1.0
kernel signature: e481b5742a33198d99f820d5526af69d8fb86e5c
all runs: OK
# git bisect start a844dc4c544291470aa69edbe2434b040794e269 68d7a45eec101bc1550294c0e675a490c047b2e5
Bisecting: 1874 revisions left to test after this (roughly 11 steps)
[e2a74958ee0d27f05c016cfcc821b0d3d11b9f45] bonding: Force slave speed check after link state recovery for 802.3ad
testing commit e2a74958ee0d27f05c016cfcc821b0d3d11b9f45 with gcc (GCC) 8.1.0
kernel signature: 0960631b10415d058c7675bb2ca89fdd66a1f09a
run #0: crashed: general protection fault in kernfs_add_one
run #1: crashed: WARNING in kernfs_get
run #2: crashed: WARNING: refcount bug in hci_register_dev
run #3: crashed: general protection fault in kernfs_add_one
run #4: crashed: WARNING: refcount bug in hci_register_dev
run #5: crashed: WARNING: refcount bug in kobj_kset_leave
run #6: crashed: WARNING in kernfs_get
run #7: crashed: general protection fault in kernfs_add_one
run #8: crashed: WARNING in kernfs_get
run #9: crashed: WARNING in kernfs_get
# git bisect good e2a74958ee0d27f05c016cfcc821b0d3d11b9f45
Bisecting: 937 revisions left to test after this (roughly 10 steps)
[169795c893f424cd889aa106e971628c780b81a3] powerpc/book3s64/mm: Don't do tlbie fixup for some hardware revisions
testing commit 169795c893f424cd889aa106e971628c780b81a3 with gcc (GCC) 8.1.0
kernel signature: 7164de01cae9df8188c233f3fc3bf7efb3695653
all runs: OK
# git bisect bad 169795c893f424cd889aa106e971628c780b81a3
Bisecting: 468 revisions left to test after this (roughly 9 steps)
[9aa376a13f4340a2483184a3634f74051524094f] Btrfs: fix race setting up and completing qgroup rescan workers
testing commit 9aa376a13f4340a2483184a3634f74051524094f with gcc (GCC) 8.1.0
kernel signature: 0b4b588d419d14411b953139d8e745a1c4d8110a
all runs: OK
# git bisect bad 9aa376a13f4340a2483184a3634f74051524094f
Bisecting: 233 revisions left to test after this (roughly 8 steps)
[e28c683440a64c0a1451d54aeb41301f588a004a] firmware: google: check if size is valid when decoding VPD data
testing commit e28c683440a64c0a1451d54aeb41301f588a004a with gcc (GCC) 8.1.0
kernel signature: 4204af210ed98d2ad81ce38a629cf3049f5c0270
all runs: OK
# git bisect bad e28c683440a64c0a1451d54aeb41301f588a004a
Bisecting: 116 revisions left to test after this (roughly 7 steps)
[414510bc00a5fc954d8340c170083f518d09aa55] Linux 4.14.142
testing commit 414510bc00a5fc954d8340c170083f518d09aa55 with gcc (GCC) 8.1.0
kernel signature: bb434185e8e69378194b1e61772d10b1449e7aa2
run #0: crashed: WARNING in rfkill_unregister
run #1: crashed: WARNING: refcount bug in hci_register_dev
run #2: crashed: WARNING in kernfs_get
run #3: crashed: WARNING in kernfs_get
run #4: crashed: general protection fault in kernfs_add_one
run #5: crashed: general protection fault in kernfs_add_one
run #6: crashed: WARNING in kernfs_get
run #7: crashed: WARNING in kernfs_get
run #8: crashed: WARNING: refcount bug in hci_register_dev
run #9: crashed: WARNING in kernfs_get
# git bisect good 414510bc00a5fc954d8340c170083f518d09aa55
Bisecting: 58 revisions left to test after this (roughly 6 steps)
[2eff0ac931699b8d6b5eff7779da6ccad83812eb] clk: s2mps11: Add used attribute to s2mps11_dt_match
testing commit 2eff0ac931699b8d6b5eff7779da6ccad83812eb with gcc (GCC) 8.1.0
kernel signature: ba367e6b14d6594a91aaad923fc49a5f3643ab2d
run #0: crashed: general protection fault in kernfs_add_one
run #1: crashed: general protection fault in kernfs_add_one
run #2: crashed: WARNING in kernfs_get
run #3: crashed: WARNING: refcount bug in hci_register_dev
run #4: crashed: general protection fault in kernfs_add_one
run #5: crashed: WARNING: refcount bug in hci_register_dev
run #6: crashed: WARNING in kernfs_get
run #7: crashed: WARNING in kernfs_get
run #8: crashed: WARNING in kernfs_get
run #9: crashed: WARNING: refcount bug in hci_register_dev
# git bisect good 2eff0ac931699b8d6b5eff7779da6ccad83812eb
Bisecting: 29 revisions left to test after this (roughly 5 steps)
[263c71d2d440ed6a9d36e822970c9b5cce98811b] MIPS: VDSO: Use same -m%-float cflag as the kernel proper
testing commit 263c71d2d440ed6a9d36e822970c9b5cce98811b with gcc (GCC) 8.1.0
kernel signature: a6ef7660cd2e3ddeed47a80d12b1df5b7eea4f48
run #0: crashed: WARNING in kernfs_get
run #1: crashed: general protection fault in kernfs_add_one
run #2: crashed: WARNING in kernfs_get
run #3: crashed: WARNING in kernfs_get
run #4: crashed: WARNING in kernfs_get
run #5: crashed: WARNING in kernfs_get
run #6: crashed: WARNING in kernfs_get
run #7: crashed: general protection fault in kernfs_add_one
run #8: crashed: general protection fault in kernfs_add_one
run #9: crashed: WARNING in kernfs_get
# git bisect good 263c71d2d440ed6a9d36e822970c9b5cce98811b
Bisecting: 14 revisions left to test after this (roughly 4 steps)
[9251e586a1dffd9f964a2a770f6dc82d175ddcb5] drm/mediatek: mtk_drm_drv.c: Add of_node_put() before goto
testing commit 9251e586a1dffd9f964a2a770f6dc82d175ddcb5 with gcc (GCC) 8.1.0
kernel signature: 3aa0e9b481320a9d5f389c91c84b0fc548c21e40
all runs: OK
# git bisect bad 9251e586a1dffd9f964a2a770f6dc82d175ddcb5
Bisecting: 7 revisions left to test after this (roughly 3 steps)
[5432923a6b208b253d95d95cee72d0508c803421] driver core: Fix use-after-free and double free on glue directory
testing commit 5432923a6b208b253d95d95cee72d0508c803421 with gcc (GCC) 8.1.0
kernel signature: cda13e74abbfdddc05b99e5e577407ae1e91123f
all runs: OK
# git bisect bad 5432923a6b208b253d95d95cee72d0508c803421
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[f15b4d221f45904bd70b66b82be9bde62808068d] clk: rockchip: Don't yell about bad mmc phases when getting
testing commit f15b4d221f45904bd70b66b82be9bde62808068d with gcc (GCC) 8.1.0
kernel signature: 728da3fbf1bb8ed592dc6bc00e29316a0200b04a
run #0: crashed: WARNING in kernfs_get
run #1: crashed: WARNING in kernfs_get
run #2: crashed: general protection fault in kernfs_add_one
run #3: crashed: WARNING in kernfs_get
run #4: crashed: WARNING in kernfs_get
run #5: crashed: WARNING in kernfs_get
run #6: crashed: WARNING in kernfs_get
run #7: crashed: WARNING in kernfs_get
run #8: crashed: general protection fault in kernfs_add_one
run #9: crashed: WARNING in kernfs_get
# git bisect good f15b4d221f45904bd70b66b82be9bde62808068d
Bisecting: 1 revision left to test after this (roughly 1 step)
[75183476fea19b831e5814e5144d3136f3ee09c4] PCI: Always allow probing with driver_override
testing commit 75183476fea19b831e5814e5144d3136f3ee09c4 with gcc (GCC) 8.1.0
kernel signature: 60e5ea283e33985ca20e34c830c051f41f0f237b
run #0: crashed: WARNING in kernfs_get
run #1: crashed: WARNING in kernfs_get
run #2: crashed: WARNING in kernfs_get
run #3: crashed: WARNING in kernfs_get
run #4: crashed: WARNING in kernfs_get
run #5: crashed: WARNING in kernfs_get
run #6: crashed: general protection fault in kernfs_add_one
run #7: crashed: general protection fault in kernfs_add_one
run #8: crashed: WARNING in kernfs_get
run #9: crashed: general protection fault in kernfs_add_one
# git bisect good 75183476fea19b831e5814e5144d3136f3ee09c4
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[0369bbfe7ad21c1aea7b6379542eae810c8da278] ubifs: Correctly use tnc_next() in search_dh_cookie()
testing commit 0369bbfe7ad21c1aea7b6379542eae810c8da278 with gcc (GCC) 8.1.0
kernel signature: 341fb171f68197685919f79e5c8c20c18f6e7e11
run #0: crashed: WARNING: refcount bug in hci_register_dev
run #1: crashed: general protection fault in kernfs_add_one
run #2: crashed: WARNING in kernfs_get
run #3: crashed: WARNING in kernfs_get
run #4: crashed: WARNING: refcount bug in hci_register_dev
run #5: crashed: general protection fault in kernfs_add_one
run #6: crashed: WARNING in kernfs_get
run #7: crashed: general protection fault in kernfs_add_one
run #8: crashed: WARNING in kernfs_get
run #9: crashed: WARNING: refcount bug in hci_register_dev
# git bisect good 0369bbfe7ad21c1aea7b6379542eae810c8da278
5432923a6b208b253d95d95cee72d0508c803421 is the first bad commit
commit 5432923a6b208b253d95d95cee72d0508c803421
Author: Muchun Song
Date:   Sat Jul 27 11:21:22 2019 +0800

    driver core: Fix use-after-free and double free on glue directory

    commit ac43432cb1f5c2950408534987e57c2071e24d8f upstream.

    There is a race condition between removing a glue directory and adding a
    new device under the glue dir. It can be reproduced in the following test:

    CPU1:                                         CPU2:

    device_add()
      get_device_parent()
        class_dir_create_and_add()
          kobject_add_internal()
            create_dir()    // create glue_dir

                                                  device_add()
                                                    get_device_parent()
                                                      kobject_get() // get glue_dir

    device_del()
      cleanup_glue_dir()
        kobject_del(glue_dir)

                                                    kobject_add()
                                                      kobject_add_internal()
                                                        create_dir() // in glue_dir
                                                          sysfs_create_dir_ns()
                                                            kernfs_create_dir_ns(sd)

          sysfs_remove_dir() // glue_dir->sd=NULL
          sysfs_put()        // free glue_dir->sd

                                                              // sd is freed
                                                              kernfs_new_node(sd)
                                                                kernfs_get(glue_dir)
                                                                kernfs_add_one()
                                                                kernfs_put()

    Before CPU1 removes the last child device under the glue dir, if CPU2 adds
    a new device under the glue dir, the glue_dir kobject reference count will
    be increased to 2 via kobject_get() in get_device_parent(). And CPU2 has
    called kernfs_create_dir_ns(), but not yet kernfs_new_node(). Meanwhile,
    CPU1 calls sysfs_remove_dir() and sysfs_put(). This results in
    glue_dir->sd being freed and its reference count being 0. Then CPU2
    calling kernfs_get(glue_dir) will trigger a warning in kernfs_get() and
    increase its reference count to 1. Because glue_dir->sd is freed by CPU1,
    the next call to kernfs_add_one() by CPU2 will fail (this is also a
    use-after-free) and call kernfs_put() to decrease the reference count.
    Because the reference count is decremented to 0, it will also call
    kmem_cache_free() to free glue_dir->sd again. This will result in a
    double free.

    In order to avoid this happening, we also should make sure that the
    kernfs_node for glue_dir is released in CPU1 only when the refcount for
    the glue_dir kobj is 1, to fix this race.

    The following calltrace is captured in kernel 4.14 with the following patch
    applied:

    commit 726e41097920 ("drivers: core: Remove glue dirs from sysfs earlier")

    --------------------------------------------------------------------------
    [    3.633703] WARNING: CPU: 4 PID: 513 at .../fs/kernfs/dir.c:494
                   Here is WARN_ON(!atomic_read(&kn->count) in kernfs_get().
    ....
    [    3.633986] Call trace:
    [    3.633991]  kernfs_create_dir_ns+0xa8/0xb0
    [    3.633994]  sysfs_create_dir_ns+0x54/0xe8
    [    3.634001]  kobject_add_internal+0x22c/0x3f0
    [    3.634005]  kobject_add+0xe4/0x118
    [    3.634011]  device_add+0x200/0x870
    [    3.634017]  _request_firmware+0x958/0xc38
    [    3.634020]  request_firmware_into_buf+0x4c/0x70
    ....
    [    3.634064] kernel BUG at .../mm/slub.c:294!
                   Here is BUG_ON(object == fp) in set_freepointer().
    ....
    [    3.634346] Call trace:
    [    3.634351]  kmem_cache_free+0x504/0x6b8
    [    3.634355]  kernfs_put+0x14c/0x1d8
    [    3.634359]  kernfs_create_dir_ns+0x88/0xb0
    [    3.634362]  sysfs_create_dir_ns+0x54/0xe8
    [    3.634366]  kobject_add_internal+0x22c/0x3f0
    [    3.634370]  kobject_add+0xe4/0x118
    [    3.634374]  device_add+0x200/0x870
    [    3.634378]  _request_firmware+0x958/0xc38
    [    3.634381]  request_firmware_into_buf+0x4c/0x70
    --------------------------------------------------------------------------

    Fixes: 726e41097920 ("drivers: core: Remove glue dirs from sysfs earlier")
    Signed-off-by: Muchun Song
    Reviewed-by: Mukesh Ojha
    Signed-off-by: Prateek Sood
    Link: https://lore.kernel.org/r/20190727032122.24639-1-smuchun@gmail.com
    Signed-off-by: Greg Kroah-Hartman

 drivers/base/core.c | 53 ++++++++++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 52 insertions(+), 1 deletion(-)

kernel signature: cda13e74abbfdddc05b99e5e577407ae1e91123f
previous signature: 341fb171f68197685919f79e5c8c20c18f6e7e11
revisions tested: 14, total time: 3h25m30.03496984s (build: 1h49m39.621755122s, test: 1h34m40.369762599s)
first good commit: 5432923a6b208b253d95d95cee72d0508c803421 driver core: Fix use-after-free and double free on glue directory
cc: ["gregkh@linuxfoundation.org" "mojha@codeaurora.org" "prsood@codeaurora.org" "smuchun@gmail.com"]