[syzbot] [net?] BUG: corrupted list in ptp_open


syzbot

Oct 26, 2023, 10:20:21 AM
to da...@davemloft.net, linux-...@vger.kernel.org, net...@vger.kernel.org, rei...@gmail.com, richard...@gmail.com, syzkall...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: 2030579113a1 Add linux-next specific files for 20231020
git tree: linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=16ab79a3680000
kernel config: https://syzkaller.appspot.com/x/.config?x=37404d76b3c8840e
dashboard link: https://syzkaller.appspot.com/bug?extid=df3f3ef31f60781fa911
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=140aa715680000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=11037669680000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/a99a981e5d78/disk-20305791.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/073a5ba6a2a6/vmlinux-20305791.xz
kernel image: https://storage.googleapis.com/syzbot-assets/c7c1a7107f7b/bzImage-20305791.xz

The issue was bisected to:

commit 8f5de6fb245326704f37d91780b9a10253a8a100
Author: Xabier Marquiegui <rei...@gmail.com>
Date: Wed Oct 11 22:39:55 2023 +0000

ptp: support multiple timestamp event readers

bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=15475b89680000
final oops: https://syzkaller.appspot.com/x/report.txt?x=17475b89680000
console output: https://syzkaller.appspot.com/x/log.txt?x=13475b89680000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+df3f3e...@syzkaller.appspotmail.com
Fixes: 8f5de6fb2453 ("ptp: support multiple timestamp event readers")

list_add corruption. prev->next should be next (ffff88814a1325e8), but was ffff888078d25048. (prev=ffff888078d21048).
------------[ cut here ]------------
kernel BUG at lib/list_debug.c:32!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 7237 Comm: syz-executor182 Not tainted 6.6.0-rc6-next-20231020-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/06/2023
RIP: 0010:__list_add_valid_or_report+0xb6/0x100 lib/list_debug.c:32
Code: e8 2f a5 3a fd 0f 0b 48 89 d9 48 c7 c7 40 9d e9 8a e8 1e a5 3a fd 0f 0b 48 89 f1 48 c7 c7 c0 9d e9 8a 48 89 de e8 0a a5 3a fd <0f> 0b 48 89 f2 48 89 d9 48 89 ee 48 c7 c7 40 9e e9 8a e8 f3 a4 3a
RSP: 0018:ffffc90009b3f898 EFLAGS: 00010286
RAX: 0000000000000075 RBX: ffff88814a1325e8 RCX: ffffffff816bb8d9
RDX: 0000000000000000 RSI: ffffffff816c4d42 RDI: 0000000000000005
RBP: ffff88807c7a9048 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000080000000 R11: 0000000000000001 R12: ffff88814a132000
R13: ffffc90009b3f900 R14: ffff888078d21048 R15: ffff88807c7a9048
FS: 0000555556c00380(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffef0aa1138 CR3: 000000007d17e000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
__list_add_valid include/linux/list.h:88 [inline]
__list_add include/linux/list.h:150 [inline]
list_add_tail include/linux/list.h:183 [inline]
ptp_open+0x1c5/0x4f0 drivers/ptp/ptp_chardev.c:122
posix_clock_open+0x17e/0x240 kernel/time/posix-clock.c:134
chrdev_open+0x26d/0x6e0 fs/char_dev.c:414
do_dentry_open+0x8d4/0x18d0 fs/open.c:948
do_open fs/namei.c:3621 [inline]
path_openat+0x1d36/0x2cd0 fs/namei.c:3778
do_filp_open+0x1dc/0x430 fs/namei.c:3808
do_sys_openat2+0x176/0x1e0 fs/open.c:1440
do_sys_open fs/open.c:1455 [inline]
__do_sys_openat fs/open.c:1471 [inline]
__se_sys_openat fs/open.c:1466 [inline]
__x64_sys_openat+0x175/0x210 fs/open.c:1466
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x3f/0x110 arch/x86/entry/common.c:82
entry_SYSCALL_64_after_hwframe+0x63/0x6b
RIP: 0033:0x7fc6c2099ae9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 c1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffef0aa1238 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fc6c2099ae9
RDX: 0000000000000000 RSI: 0000000020000300 RDI: ffffffffffffff9c
RBP: 00000000000f4240 R08: 0000000000000000 R09: 00000000000000a0
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000000130fc
R13: 00007ffef0aa124c R14: 00007ffef0aa1260 R15: 00007ffef0aa1250
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:__list_add_valid_or_report+0xb6/0x100 lib/list_debug.c:32
Code: e8 2f a5 3a fd 0f 0b 48 89 d9 48 c7 c7 40 9d e9 8a e8 1e a5 3a fd 0f 0b 48 89 f1 48 c7 c7 c0 9d e9 8a 48 89 de e8 0a a5 3a fd <0f> 0b 48 89 f2 48 89 d9 48 89 ee 48 c7 c7 40 9e e9 8a e8 f3 a4 3a
RSP: 0018:ffffc90009b3f898 EFLAGS: 00010286
RAX: 0000000000000075 RBX: ffff88814a1325e8 RCX: ffffffff816bb8d9
RDX: 0000000000000000 RSI: ffffffff816c4d42 RDI: 0000000000000005
RBP: ffff88807c7a9048 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000080000000 R11: 0000000000000001 R12: ffff88814a132000
R13: ffffc90009b3f900 R14: ffff888078d21048 R15: ffff88807c7a9048
FS: 0000555556c00380(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffef0aa1138 CR3: 000000007d17e000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
For information about bisection process see: https://goo.gl/tpsmEJ#bisection

If the bug is already fixed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite bug's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the bug is a duplicate of another bug, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

syzbot

Oct 26, 2023, 8:58:07 PM
to ead...@qq.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: slab-use-after-free Read in ptp_release

==================================================================
BUG: KASAN: slab-use-after-free in __list_del_entry_valid_or_report+0x198/0x1b0 lib/list_debug.c:62
Read of size 8 at addr ffff888064c9d048 by task syz-executor.5/11233

CPU: 0 PID: 11233 Comm: syz-executor.5 Not tainted 6.6.0-rc6-next-20231018-syzkaller-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/06/2023
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:364 [inline]
print_report+0xc4/0x620 mm/kasan/report.c:475
kasan_report+0xda/0x110 mm/kasan/report.c:588
__list_del_entry_valid_or_report+0x198/0x1b0 lib/list_debug.c:62
__list_del_entry_valid include/linux/list.h:124 [inline]
__list_del_entry include/linux/list.h:215 [inline]
list_del include/linux/list.h:229 [inline]
ptp_release+0xc4/0x2b0 drivers/ptp/ptp_chardev.c:147
posix_clock_release+0xa4/0x160 kernel/time/posix-clock.c:157
__fput+0x270/0xbb0 fs/file_table.c:394
__fput_sync+0x47/0x50 fs/file_table.c:475
__do_sys_close fs/open.c:1590 [inline]
__se_sys_close fs/open.c:1575 [inline]
__x64_sys_close+0x87/0xf0 fs/open.c:1575
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x3f/0x110 arch/x86/entry/common.c:82
entry_SYSCALL_64_after_hwframe+0x63/0x6b
RIP: 0033:0x7ff32367b9da
Code: 48 3d 00 f0 ff ff 77 48 c3 0f 1f 80 00 00 00 00 48 83 ec 18 89 7c 24 0c e8 03 7f 02 00 8b 7c 24 0c 89 c2 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 36 89 d7 89 44 24 0c e8 63 7f 02 00 8b 44 24
RSP: 002b:00007ffc081de420 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00007ff32367b9da
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
RBP: 0000000000000032 R08: 0000001b2e460000 R09: 00007ff32379bf8c
R10: 00007ffc081de570 R11: 0000000000000293 R12: 00007ff3232000a8
R13: ffffffffffffffff R14: 00007ff323200000 R15: 000000000002cf28
</TASK>

Allocated by task 11238:
kasan_save_stack+0x33/0x50 mm/kasan/common.c:45
kasan_set_track+0x25/0x30 mm/kasan/common.c:52
____kasan_kmalloc mm/kasan/common.c:374 [inline]
__kasan_kmalloc+0xa2/0xb0 mm/kasan/common.c:383
kmalloc include/linux/slab.h:600 [inline]
kzalloc include/linux/slab.h:721 [inline]
ptp_open+0xe3/0x4f0 drivers/ptp/ptp_chardev.c:112
posix_clock_open+0x17e/0x240 kernel/time/posix-clock.c:134
chrdev_open+0x26d/0x6e0 fs/char_dev.c:414
do_dentry_open+0x8d4/0x18d0 fs/open.c:948
do_open fs/namei.c:3621 [inline]
path_openat+0x1d3b/0x2ce0 fs/namei.c:3778
do_filp_open+0x1de/0x430 fs/namei.c:3808
do_sys_openat2+0x176/0x1e0 fs/open.c:1440
do_sys_open fs/open.c:1455 [inline]
__do_sys_openat fs/open.c:1471 [inline]
__se_sys_openat fs/open.c:1466 [inline]
__x64_sys_openat+0x175/0x210 fs/open.c:1466
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x3f/0x110 arch/x86/entry/common.c:82
entry_SYSCALL_64_after_hwframe+0x63/0x6b

Freed by task 11230:
kasan_save_stack+0x33/0x50 mm/kasan/common.c:45
kasan_set_track+0x25/0x30 mm/kasan/common.c:52
kasan_save_free_info+0x2b/0x40 mm/kasan/generic.c:522
____kasan_slab_free mm/kasan/common.c:236 [inline]
____kasan_slab_free+0x15b/0x1b0 mm/kasan/common.c:200
kasan_slab_free include/linux/kasan.h:164 [inline]
slab_free_hook mm/slub.c:1800 [inline]
slab_free_freelist_hook+0x114/0x1e0 mm/slub.c:1826
slab_free mm/slub.c:3809 [inline]
__kmem_cache_free+0xc0/0x180 mm/slub.c:3822
ptp_release+0x204/0x2b0 drivers/ptp/ptp_chardev.c:150
posix_clock_release+0xa4/0x160 kernel/time/posix-clock.c:157
__fput+0x270/0xbb0 fs/file_table.c:394
__fput_sync+0x47/0x50 fs/file_table.c:475
__do_sys_close fs/open.c:1590 [inline]
__se_sys_close fs/open.c:1575 [inline]
__x64_sys_close+0x87/0xf0 fs/open.c:1575
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x3f/0x110 arch/x86/entry/common.c:82
entry_SYSCALL_64_after_hwframe+0x63/0x6b

The buggy address belongs to the object at ffff888064c9c000
which belongs to the cache kmalloc-8k of size 8192
The buggy address is located 4168 bytes inside of
freed 8192-byte region [ffff888064c9c000, ffff888064c9e000)

The buggy address belongs to the physical page:
page:ffffea0001932600 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x64c98
head:ffffea0001932600 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff00000000840(slab|head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 00fff00000000840 ffff888012c42280 ffffea0001906c00 dead000000000004
raw: 0000000000000000 0000000000020002 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0x1d20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL), pid 6088, tgid 6086 (syz-executor.1), ts 124963988885, free_ts 124926792735
set_page_owner include/linux/page_owner.h:31 [inline]
post_alloc_hook+0x2cf/0x340 mm/page_alloc.c:1537
prep_new_page mm/page_alloc.c:1544 [inline]
get_page_from_freelist+0xa16/0x3680 mm/page_alloc.c:3348
__alloc_pages+0x1d0/0x4c0 mm/page_alloc.c:4604
alloc_pages_mpol+0x258/0x5f0 mm/mempolicy.c:2133
alloc_slab_page mm/slub.c:1870 [inline]
allocate_slab+0x251/0x380 mm/slub.c:2017
new_slab mm/slub.c:2070 [inline]
___slab_alloc+0x8c7/0x1580 mm/slub.c:3223
__slab_alloc.constprop.0+0x56/0xa0 mm/slub.c:3322
__slab_alloc_node mm/slub.c:3375 [inline]
slab_alloc_node mm/slub.c:3468 [inline]
__kmem_cache_alloc_node+0x131/0x310 mm/slub.c:3517
kmalloc_trace+0x27/0xf0 mm/slab_common.c:1098
kmalloc include/linux/slab.h:600 [inline]
kzalloc include/linux/slab.h:721 [inline]
ptp_open+0xe3/0x4f0 drivers/ptp/ptp_chardev.c:112
posix_clock_open+0x17e/0x240 kernel/time/posix-clock.c:134
chrdev_open+0x26d/0x6e0 fs/char_dev.c:414
do_dentry_open+0x8d4/0x18d0 fs/open.c:948
do_open fs/namei.c:3621 [inline]
path_openat+0x1d3b/0x2ce0 fs/namei.c:3778
do_filp_open+0x1de/0x430 fs/namei.c:3808
do_sys_openat2+0x176/0x1e0 fs/open.c:1440
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1137 [inline]
free_unref_page_prepare+0x476/0xa40 mm/page_alloc.c:2383
free_unref_page+0x33/0x3b0 mm/page_alloc.c:2523
__unfreeze_partials+0x21d/0x240 mm/slub.c:2655
qlink_free mm/kasan/quarantine.c:168 [inline]
qlist_free_all+0x6a/0x170 mm/kasan/quarantine.c:187
kasan_quarantine_reduce+0x18e/0x1d0 mm/kasan/quarantine.c:294
__kasan_slab_alloc+0x65/0x90 mm/kasan/common.c:305
kasan_slab_alloc include/linux/kasan.h:188 [inline]
slab_post_alloc_hook mm/slab.h:763 [inline]
slab_alloc_node mm/slub.c:3478 [inline]
__kmem_cache_alloc_node+0x195/0x310 mm/slub.c:3517
__do_kmalloc_node mm/slab_common.c:1006 [inline]
__kmalloc+0x51/0x120 mm/slab_common.c:1020
kmalloc include/linux/slab.h:604 [inline]
tomoyo_realpath_from_path+0xb9/0x710 security/tomoyo/realpath.c:251
tomoyo_get_realpath security/tomoyo/file.c:151 [inline]
tomoyo_path_perm+0x26f/0x450 security/tomoyo/file.c:822
security_inode_getattr+0xf1/0x150 security/security.c:2153
vfs_getattr fs/stat.c:169 [inline]
vfs_fstat+0x4f/0xc0 fs/stat.c:194
vfs_fstatat+0x130/0x140 fs/stat.c:291
__do_sys_newfstatat+0x98/0x110 fs/stat.c:459
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x3f/0x110 arch/x86/entry/common.c:82
entry_SYSCALL_64_after_hwframe+0x63/0x6b

Memory state around the buggy address:
ffff888064c9cf00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888064c9cf80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888064c9d000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff888064c9d080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888064c9d100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================


Tested on:

commit: 2dac7569 Add linux-next specific files for 20231018
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
console output: https://syzkaller.appspot.com/x/log.txt?x=17dce535680000
kernel config: https://syzkaller.appspot.com/x/.config?x=9c95c4e98b206db8
dashboard link: https://syzkaller.appspot.com/bug?extid=df3f3ef31f60781fa911
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=13954463680000

syzbot

Oct 26, 2023, 9:46:05 PM
to ead...@qq.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: corrupted list in ptp_release

list_del corruption. prev->next should be ffff8880280e5048, but was ffff888025dc1048. (prev=ffff88814adb1048)
------------[ cut here ]------------
kernel BUG at lib/list_debug.c:62!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 13142 Comm: syz-executor.2 Not tainted 6.6.0-rc6-next-20231018-syzkaller-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/06/2023
RIP: 0010:__list_del_entry_valid_or_report+0x11f/0x1b0 lib/list_debug.c:62
Code: 8f e9 8a e8 c3 d3 3a fd 0f 0b 48 89 ca 48 c7 c7 e0 8f e9 8a e8 b2 d3 3a fd 0f 0b 48 89 c2 48 c7 c7 40 90 e9 8a e8 a1 d3 3a fd <0f> 0b 48 89 d1 48 c7 c7 c0 90 e9 8a 48 89 c2 e8 8d d3 3a fd 0f 0b
RSP: 0018:ffffc90003167e08 EFLAGS: 00010086
RAX: 000000000000006d RBX: ffff8880280e4000 RCX: ffffffff816b9cd9
RDX: 0000000000000000 RSI: ffffffff816c3142 RDI: 0000000000000005
RBP: ffff888023b7c480 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000080000001 R11: 0000000000000001 R12: 0000000000000293
R13: ffff8880280e5008 R14: ffff8880280e5048 R15: ffff8880280e5050
FS: 00005555557e3480(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f350fd98000 CR3: 000000002427a000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
__list_del_entry_valid include/linux/list.h:124 [inline]
__list_del_entry include/linux/list.h:215 [inline]
list_del include/linux/list.h:229 [inline]
ptp_release+0xca/0x2a0 drivers/ptp/ptp_chardev.c:147
posix_clock_release+0xa4/0x160 kernel/time/posix-clock.c:157
__fput+0x270/0xbb0 fs/file_table.c:394
__fput_sync+0x47/0x50 fs/file_table.c:475
__do_sys_close fs/open.c:1590 [inline]
__se_sys_close fs/open.c:1575 [inline]
__x64_sys_close+0x87/0xf0 fs/open.c:1575
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x3f/0x110 arch/x86/entry/common.c:82
entry_SYSCALL_64_after_hwframe+0x63/0x6b
RIP: 0033:0x7f350fc7b9da
Code: 48 3d 00 f0 ff ff 77 48 c3 0f 1f 80 00 00 00 00 48 83 ec 18 89 7c 24 0c e8 03 7f 02 00 8b 7c 24 0c 89 c2 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 36 89 d7 89 44 24 0c e8 63 7f 02 00 8b 44 24
RSP: 002b:00007ffc427da040 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00007f350fc7b9da
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
RBP: 0000000000000032 R08: 0000001b2e060000 R09: 00007f350fd9bf8c
R10: 00007ffc427da190 R11: 0000000000000293 R12: 00007f350f8000a8
R13: ffffffffffffffff R14: 00007f350f800000 R15: 0000000000031c43
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:__list_del_entry_valid_or_report+0x11f/0x1b0 lib/list_debug.c:62
Code: 8f e9 8a e8 c3 d3 3a fd 0f 0b 48 89 ca 48 c7 c7 e0 8f e9 8a e8 b2 d3 3a fd 0f 0b 48 89 c2 48 c7 c7 40 90 e9 8a e8 a1 d3 3a fd <0f> 0b 48 89 d1 48 c7 c7 c0 90 e9 8a 48 89 c2 e8 8d d3 3a fd 0f 0b
RSP: 0018:ffffc90003167e08 EFLAGS: 00010086
RAX: 000000000000006d RBX: ffff8880280e4000 RCX: ffffffff816b9cd9
RDX: 0000000000000000 RSI: ffffffff816c3142 RDI: 0000000000000005
RBP: ffff888023b7c480 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000080000001 R11: 0000000000000001 R12: 0000000000000293
R13: ffff8880280e5008 R14: ffff8880280e5048 R15: ffff8880280e5050
FS: 00005555557e3480(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f350fd98000 CR3: 000000002427a000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400


Tested on:

commit: 2dac7569 Add linux-next specific files for 20231018
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
console output: https://syzkaller.appspot.com/x/log.txt?x=169a58d1680000
kernel config: https://syzkaller.appspot.com/x/.config?x=9c95c4e98b206db8
dashboard link: https://syzkaller.appspot.com/bug?extid=df3f3ef31f60781fa911
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=15f3ee95680000

syzbot

Oct 26, 2023, 11:52:04 PM
to ead...@qq.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: corrupted list in ptp_open

list_add corruption. prev->next should be next (ffff88814b6da5e8), but was ffff888062e9d048. (prev=ffff888144705048).
------------[ cut here ]------------
kernel BUG at lib/list_debug.c:32!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 6212 Comm: syz-executor.0 Not tainted 6.6.0-rc6-next-20231018-syzkaller-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/06/2023
RIP: 0010:__list_add_valid_or_report+0xb6/0x100 lib/list_debug.c:32
Code: e8 2f d5 3a fd 0f 0b 48 89 d9 48 c7 c7 60 8d e9 8a e8 1e d5 3a fd 0f 0b 48 89 f1 48 c7 c7 e0 8d e9 8a 48 89 de e8 0a d5 3a fd <0f> 0b 48 89 f2 48 89 d9 48 89 ee 48 c7 c7 60 8e e9 8a e8 f3 d4 3a
RSP: 0018:ffffc9000318f888 EFLAGS: 00010082
RAX: 0000000000000075 RBX: ffff88814b6da5e8 RCX: ffffffff816b9cd9
RDX: 0000000000000000 RSI: ffffffff816c3142 RDI: 0000000000000005
RBP: ffff8880183dd048 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000080000001 R11: 0000000000000001 R12: ffff88814b6da000
R13: ffffc9000318f900 R14: ffff888144705048 R15: ffff8880183dd048
FS: 00007f73950b36c0(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f739439d988 CR3: 00000000213ae000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
__list_add_valid include/linux/list.h:88 [inline]
__list_add include/linux/list.h:150 [inline]
list_add_tail include/linux/list.h:183 [inline]
ptp_open+0x1dd/0x520 drivers/ptp/ptp_chardev.c:125
posix_clock_open+0x17e/0x240 kernel/time/posix-clock.c:134
chrdev_open+0x26d/0x6e0 fs/char_dev.c:414
do_dentry_open+0x8d4/0x18d0 fs/open.c:948
do_open fs/namei.c:3621 [inline]
path_openat+0x1d3b/0x2ce0 fs/namei.c:3778
do_filp_open+0x1de/0x430 fs/namei.c:3808
do_sys_openat2+0x176/0x1e0 fs/open.c:1440
do_sys_open fs/open.c:1455 [inline]
__do_sys_openat fs/open.c:1471 [inline]
__se_sys_openat fs/open.c:1466 [inline]
__x64_sys_openat+0x175/0x210 fs/open.c:1466
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x3f/0x110 arch/x86/entry/common.c:82
entry_SYSCALL_64_after_hwframe+0x63/0x6b
RIP: 0033:0x7f739427cae9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f73950b30c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 00007f739439bf80 RCX: 00007f739427cae9
RDX: 0000000000000000 RSI: 0000000020000300 RDI: ffffffffffffff9c
RBP: 00007f73942c847a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007f739439bf80 R15: 00007ffe0f3f5498
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:__list_add_valid_or_report+0xb6/0x100 lib/list_debug.c:32
Code: e8 2f d5 3a fd 0f 0b 48 89 d9 48 c7 c7 60 8d e9 8a e8 1e d5 3a fd 0f 0b 48 89 f1 48 c7 c7 e0 8d e9 8a 48 89 de e8 0a d5 3a fd <0f> 0b 48 89 f2 48 89 d9 48 89 ee 48 c7 c7 60 8e e9 8a e8 f3 d4 3a
RSP: 0018:ffffc9000318f888 EFLAGS: 00010082
RAX: 0000000000000075 RBX: ffff88814b6da5e8 RCX: ffffffff816b9cd9
RDX: 0000000000000000 RSI: ffffffff816c3142 RDI: 0000000000000005
RBP: ffff8880183dd048 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000080000001 R11: 0000000000000001 R12: ffff88814b6da000
R13: ffffc9000318f900 R14: ffff888144705048 R15: ffff8880183dd048
FS: 00007f73950b36c0(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f739439d988 CR3: 00000000213ae000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400


Tested on:

commit: 2dac7569 Add linux-next specific files for 20231018
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
console output: https://syzkaller.appspot.com/x/log.txt?x=16e0bf93680000
kernel config: https://syzkaller.appspot.com/x/.config?x=9c95c4e98b206db8
dashboard link: https://syzkaller.appspot.com/bug?extid=df3f3ef31f60781fa911
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=11e51d2d680000

syzbot

Oct 27, 2023, 12:10:05 AM
to ead...@qq.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: corrupted list in ptp_release

ffff88807d338000, ffff88807d339048, ptp_release
list_del corruption. prev->next should be ffff88807d339048, but was ffff888078661048. (prev=ffff88814ae51048)
------------[ cut here ]------------
kernel BUG at lib/list_debug.c:62!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 7136 Comm: syz-executor.3 Not tainted 6.6.0-rc6-next-20231018-syzkaller-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/06/2023
RIP: 0010:__list_del_entry_valid_or_report+0x11f/0x1b0 lib/list_debug.c:62
Code: 8f e9 8a e8 c3 d3 3a fd 0f 0b 48 89 ca 48 c7 c7 e0 8f e9 8a e8 b2 d3 3a fd 0f 0b 48 89 c2 48 c7 c7 40 90 e9 8a e8 a1 d3 3a fd <0f> 0b 48 89 d1 48 c7 c7 c0 90 e9 8a 48 89 c2 e8 8d d3 3a fd 0f 0b
RSP: 0018:ffffc9000baefe08 EFLAGS: 00010086
RAX: 000000000000006d RBX: ffff88807d338000 RCX: ffffffff816b9cd9
RDX: 0000000000000000 RSI: ffffffff816c3142 RDI: 0000000000000005
RBP: ffff888015e74420 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000080000001 R11: 0000000000000078 R12: ffff88807d339048
R13: ffff88807d339008 R14: 0000000000000282 R15: ffff88807d339050
FS: 0000555556cd3480(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fff80415c78 CR3: 000000002823f000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
__list_del_entry_valid include/linux/list.h:124 [inline]
__list_del_entry include/linux/list.h:215 [inline]
list_del include/linux/list.h:229 [inline]
ptp_release+0xe3/0x2c0 drivers/ptp/ptp_chardev.c:148
posix_clock_release+0xa4/0x160 kernel/time/posix-clock.c:157
__fput+0x270/0xbb0 fs/file_table.c:394
__fput_sync+0x47/0x50 fs/file_table.c:475
__do_sys_close fs/open.c:1590 [inline]
__se_sys_close fs/open.c:1575 [inline]
__x64_sys_close+0x87/0xf0 fs/open.c:1575
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x3f/0x110 arch/x86/entry/common.c:82
entry_SYSCALL_64_after_hwframe+0x63/0x6b
RIP: 0033:0x7f3d9de7b9da
Code: 48 3d 00 f0 ff ff 77 48 c3 0f 1f 80 00 00 00 00 48 83 ec 18 89 7c 24 0c e8 03 7f 02 00 8b 7c 24 0c 89 c2 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 36 89 d7 89 44 24 0c e8 63 7f 02 00 8b 44 24
RSP: 002b:00007fffcab9a240 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00007f3d9de7b9da
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
RBP: 0000000000000032 R08: 0000001b2df60000 R09: 00007f3d9df9bf8c
R10: 00007fffcab9a390 R11: 0000000000000293 R12: 00007f3d9da000a8
R13: ffffffffffffffff R14: 00007f3d9da00000 R15: 0000000000023432
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:__list_del_entry_valid_or_report+0x11f/0x1b0 lib/list_debug.c:62
Code: 8f e9 8a e8 c3 d3 3a fd 0f 0b 48 89 ca 48 c7 c7 e0 8f e9 8a e8 b2 d3 3a fd 0f 0b 48 89 c2 48 c7 c7 40 90 e9 8a e8 a1 d3 3a fd <0f> 0b 48 89 d1 48 c7 c7 c0 90 e9 8a 48 89 c2 e8 8d d3 3a fd 0f 0b
RSP: 0018:ffffc9000baefe08 EFLAGS: 00010086
RAX: 000000000000006d RBX: ffff88807d338000 RCX: ffffffff816b9cd9
RDX: 0000000000000000 RSI: ffffffff816c3142 RDI: 0000000000000005
RBP: ffff888015e74420 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000080000001 R11: 0000000000000078 R12: ffff88807d339048
R13: ffff88807d339008 R14: 0000000000000282 R15: ffff88807d339050
FS: 0000555556cd3480(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fff80415c78 CR3: 000000002823f000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400


Tested on:

commit: 2dac7569 Add linux-next specific files for 20231018
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
console output: https://syzkaller.appspot.com/x/log.txt?x=157d83b9680000
kernel config: https://syzkaller.appspot.com/x/.config?x=9c95c4e98b206db8
dashboard link: https://syzkaller.appspot.com/bug?extid=df3f3ef31f60781fa911
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=17f791a5680000

syzbot

Oct 27, 2023, 2:08:07 AM
to ead...@qq.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: slab-use-after-free Read in ptp_release

==================================================================
BUG: KASAN: slab-use-after-free in __list_del_entry_valid_or_report+0x198/0x1b0 lib/list_debug.c:62
Read of size 8 at addr ffff88801e361048 by task syz-executor.3/6725

CPU: 1 PID: 6725 Comm: syz-executor.3 Not tainted 6.6.0-rc6-next-20231018-syzkaller-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:364 [inline]
print_report+0xc4/0x620 mm/kasan/report.c:475
kasan_report+0xda/0x110 mm/kasan/report.c:588
__list_del_entry_valid_or_report+0x198/0x1b0 lib/list_debug.c:62
__list_del_entry_valid include/linux/list.h:124 [inline]
__list_del_entry include/linux/list.h:215 [inline]
list_del include/linux/list.h:229 [inline]
ptp_release+0xe3/0x2d0 drivers/ptp/ptp_chardev.c:149
posix_clock_release+0xa4/0x160 kernel/time/posix-clock.c:157
__fput+0x270/0xbb0 fs/file_table.c:394
__fput_sync+0x47/0x50 fs/file_table.c:475
__do_sys_close fs/open.c:1590 [inline]
__se_sys_close fs/open.c:1575 [inline]
__x64_sys_close+0x87/0xf0 fs/open.c:1575
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x3f/0x110 arch/x86/entry/common.c:82
entry_SYSCALL_64_after_hwframe+0x63/0x6b
RIP: 0033:0x7fcc1207b9da
Code: 48 3d 00 f0 ff ff 77 48 c3 0f 1f 80 00 00 00 00 48 83 ec 18 89 7c 24 0c e8 03 7f 02 00 8b 7c 24 0c 89 c2 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 36 89 d7 89 44 24 0c e8 63 7f 02 00 8b 44 24
RSP: 002b:00007fffa4161680 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00007fcc1207b9da
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
RBP: 0000000000000032 R08: 0000001b2e060000 R09: 00007fcc1219bf8c
R10: 00007fffa41617d0 R11: 0000000000000293 R12: 00007fcc11c000a8
R13: ffffffffffffffff R14: 00007fcc11c00000 R15: 0000000000022079
</TASK>

Allocated by task 6723:
kasan_save_stack+0x33/0x50 mm/kasan/common.c:45
kasan_set_track+0x25/0x30 mm/kasan/common.c:52
____kasan_kmalloc mm/kasan/common.c:374 [inline]
__kasan_kmalloc+0xa2/0xb0 mm/kasan/common.c:383
kmalloc include/linux/slab.h:600 [inline]
kzalloc include/linux/slab.h:721 [inline]
ptp_open+0xe3/0x510 drivers/ptp/ptp_chardev.c:112
posix_clock_open+0x17e/0x240 kernel/time/posix-clock.c:134
chrdev_open+0x26d/0x6e0 fs/char_dev.c:414
do_dentry_open+0x8d4/0x18d0 fs/open.c:948
do_open fs/namei.c:3621 [inline]
path_openat+0x1d3b/0x2ce0 fs/namei.c:3778
do_filp_open+0x1de/0x430 fs/namei.c:3808
do_sys_openat2+0x176/0x1e0 fs/open.c:1440
do_sys_open fs/open.c:1455 [inline]
__do_sys_openat fs/open.c:1471 [inline]
__se_sys_openat fs/open.c:1466 [inline]
__x64_sys_openat+0x175/0x210 fs/open.c:1466
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x3f/0x110 arch/x86/entry/common.c:82
entry_SYSCALL_64_after_hwframe+0x63/0x6b

Freed by task 6721:
kasan_save_stack+0x33/0x50 mm/kasan/common.c:45
kasan_set_track+0x25/0x30 mm/kasan/common.c:52
kasan_save_free_info+0x2b/0x40 mm/kasan/generic.c:522
____kasan_slab_free mm/kasan/common.c:236 [inline]
____kasan_slab_free+0x15b/0x1b0 mm/kasan/common.c:200
kasan_slab_free include/linux/kasan.h:164 [inline]
slab_free_hook mm/slub.c:1800 [inline]
slab_free_freelist_hook+0x114/0x1e0 mm/slub.c:1826
slab_free mm/slub.c:3809 [inline]
__kmem_cache_free+0xc0/0x180 mm/slub.c:3822
ptp_release+0x23c/0x2d0 drivers/ptp/ptp_chardev.c:153
posix_clock_release+0xa4/0x160 kernel/time/posix-clock.c:157
__fput+0x270/0xbb0 fs/file_table.c:394
__fput_sync+0x47/0x50 fs/file_table.c:475
__do_sys_close fs/open.c:1590 [inline]
__se_sys_close fs/open.c:1575 [inline]
__x64_sys_close+0x87/0xf0 fs/open.c:1575
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x3f/0x110 arch/x86/entry/common.c:82
entry_SYSCALL_64_after_hwframe+0x63/0x6b

The buggy address belongs to the object at ffff88801e360000
which belongs to the cache kmalloc-8k of size 8192
The buggy address is located 4168 bytes inside of
freed 8192-byte region [ffff88801e360000, ffff88801e362000)

The buggy address belongs to the physical page:
page:ffffea000078d800 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1e360
head:ffffea000078d800 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff00000000840(slab|head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 00fff00000000840 ffff888012c42280 ffffea000070e200 dead000000000004
raw: 0000000000000000 0000000000020002 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 48, tgid 48 (kworker/u4:3), ts 9657783303, free_ts 0
set_page_owner include/linux/page_owner.h:31 [inline]
post_alloc_hook+0x2cf/0x340 mm/page_alloc.c:1537
prep_new_page mm/page_alloc.c:1544 [inline]
get_page_from_freelist+0xa16/0x3680 mm/page_alloc.c:3348
__alloc_pages+0x1d0/0x4c0 mm/page_alloc.c:4604
alloc_pages_mpol+0x258/0x5f0 mm/mempolicy.c:2133
alloc_slab_page mm/slub.c:1870 [inline]
allocate_slab+0x251/0x380 mm/slub.c:2017
new_slab mm/slub.c:2070 [inline]
___slab_alloc+0x8c7/0x1580 mm/slub.c:3223
__slab_alloc.constprop.0+0x56/0xa0 mm/slub.c:3322
__slab_alloc_node mm/slub.c:3375 [inline]
slab_alloc_node mm/slub.c:3468 [inline]
__kmem_cache_alloc_node+0x131/0x310 mm/slub.c:3517
__do_kmalloc_node mm/slab_common.c:1006 [inline]
__kmalloc_node+0x56/0x130 mm/slab_common.c:1014
kmalloc_node include/linux/slab.h:620 [inline]
kvmalloc_node+0x6f/0x1a0 mm/util.c:607
kvzalloc_node include/linux/slab.h:742 [inline]
sbitmap_init_node+0x1c8/0x680 lib/sbitmap.c:113
scsi_realloc_sdev_budget_map+0x4d4/0x620 drivers/scsi/scsi_scan.c:246
scsi_alloc_sdev+0x9a9/0xd10 drivers/scsi/scsi_scan.c:356
scsi_probe_and_add_lun+0x170d/0x27d0 drivers/scsi/scsi_scan.c:1189
__scsi_scan_target+0x255/0xef0 drivers/scsi/scsi_scan.c:1693
scsi_scan_channel drivers/scsi/scsi_scan.c:1781 [inline]
scsi_scan_channel+0x149/0x1e0 drivers/scsi/scsi_scan.c:1757
page_owner free stack trace missing

Memory state around the buggy address:
ffff88801e360f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88801e360f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88801e361000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88801e361080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88801e361100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================


Tested on:

commit: 2dac7569 Add linux-next specific files for 20231018
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
console output: https://syzkaller.appspot.com/x/log.txt?x=149f370d680000
kernel config: https://syzkaller.appspot.com/x/.config?x=9c95c4e98b206db8
dashboard link: https://syzkaller.appspot.com/bug?extid=df3f3ef31f60781fa911
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=15b1e843680000

syzbot

Oct 27, 2023, 3:05:04 AM10/27/23
to ead...@qq.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: corrupted list in ptp_release

ffff88807e820000, ffff88807e821048, ptp_release
list_del corruption. next->prev should be ffff88807e821048, but was dead000000000122. (next=ffff88807e825048)
------------[ cut here ]------------
kernel BUG at lib/list_debug.c:65!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 7449 Comm: syz-executor.0 Not tainted 6.6.0-rc6-next-20231018-syzkaller-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023
RIP: 0010:__list_del_entry_valid_or_report+0x133/0x1b0 lib/list_debug.c:65
Code: e8 b2 d3 3a fd 0f 0b 48 89 c2 48 c7 c7 40 90 e9 8a e8 a1 d3 3a fd 0f 0b 48 89 d1 48 c7 c7 c0 90 e9 8a 48 89 c2 e8 8d d3 3a fd <0f> 0b 48 89 34 24 e8 52 0a af fd 48 8b 34 24 e9 e3 fe ff ff 48 89
RSP: 0018:ffffc900041afe08 EFLAGS: 00010086
RAX: 000000000000006d RBX: ffff88807e820000 RCX: ffffffff816b9cd9
RDX: 0000000000000000 RSI: ffffffff816c3142 RDI: 0000000000000005
RBP: ffff888020e47e00 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000080000001 R11: 0000000000000001 R12: ffff88807e821048
R13: ffff88807e821008 R14: 0000000000000282 R15: ffff88807e821050
FS: 000055555613d480(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007eff0f19d988 CR3: 0000000079d33000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
__list_del_entry_valid include/linux/list.h:124 [inline]
__list_del_entry include/linux/list.h:215 [inline]
list_del include/linux/list.h:229 [inline]
ptp_release+0xe3/0x2d0 drivers/ptp/ptp_chardev.c:150
posix_clock_release+0xa4/0x160 kernel/time/posix-clock.c:157
__fput+0x270/0xbb0 fs/file_table.c:394
__fput_sync+0x47/0x50 fs/file_table.c:475
__do_sys_close fs/open.c:1590 [inline]
__se_sys_close fs/open.c:1575 [inline]
__x64_sys_close+0x87/0xf0 fs/open.c:1575
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x3f/0x110 arch/x86/entry/common.c:82
entry_SYSCALL_64_after_hwframe+0x63/0x6b
RIP: 0033:0x7f16c947b9da
Code: 48 3d 00 f0 ff ff 77 48 c3 0f 1f 80 00 00 00 00 48 83 ec 18 89 7c 24 0c e8 03 7f 02 00 8b 7c 24 0c 89 c2 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 36 89 d7 89 44 24 0c e8 63 7f 02 00 8b 44 24
RSP: 002b:00007ffe57b54ea0 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00007f16c947b9da
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
RBP: 0000000000000032 R08: 0000001b2e260000 R09: 00007f16c959bf8c
R10: 00007ffe57b54ff0 R11: 0000000000000293 R12: 00007f16c90000a8
R13: ffffffffffffffff R14: 00007f16c9000000 R15: 0000000000027ccc
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:__list_del_entry_valid_or_report+0x133/0x1b0 lib/list_debug.c:65
Code: e8 b2 d3 3a fd 0f 0b 48 89 c2 48 c7 c7 40 90 e9 8a e8 a1 d3 3a fd 0f 0b 48 89 d1 48 c7 c7 c0 90 e9 8a 48 89 c2 e8 8d d3 3a fd <0f> 0b 48 89 34 24 e8 52 0a af fd 48 8b 34 24 e9 e3 fe ff ff 48 89
RSP: 0018:ffffc900041afe08 EFLAGS: 00010086
RAX: 000000000000006d RBX: ffff88807e820000 RCX: ffffffff816b9cd9
RDX: 0000000000000000 RSI: ffffffff816c3142 RDI: 0000000000000005
RBP: ffff888020e47e00 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000080000001 R11: 0000000000000001 R12: ffff88807e821048
R13: ffff88807e821008 R14: 0000000000000282 R15: ffff88807e821050
FS: 000055555613d480(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007eff0f19d988 CR3: 0000000079d33000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400


Tested on:

commit: 2dac7569 Add linux-next specific files for 20231018
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
console output: https://syzkaller.appspot.com/x/log.txt?x=16f4f8ad680000
kernel config: https://syzkaller.appspot.com/x/.config?x=9c95c4e98b206db8
dashboard link: https://syzkaller.appspot.com/bug?extid=df3f3ef31f60781fa911
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=155a21fd680000

syzbot

Oct 27, 2023, 3:47:04 AM10/27/23
to ead...@qq.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: slab-use-after-free Read in ptp_release

ffff88807ed08000, ffff88807ed09048, ffff88807ed0d048, ffff888024b325e8, ptp_release
==================================================================
BUG: KASAN: slab-use-after-free in __list_del_entry_valid_or_report+0x198/0x1b0 lib/list_debug.c:62
Read of size 8 at addr ffff88807ed0d048 by task syz-executor.2/7352

CPU: 0 PID: 7352 Comm: syz-executor.2 Not tainted 6.6.0-rc6-next-20231018-syzkaller-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:364 [inline]
print_report+0xc4/0x620 mm/kasan/report.c:475
kasan_report+0xda/0x110 mm/kasan/report.c:588
__list_del_entry_valid_or_report+0x198/0x1b0 lib/list_debug.c:62
__list_del_entry_valid include/linux/list.h:124 [inline]
__list_del_entry include/linux/list.h:215 [inline]
list_del include/linux/list.h:229 [inline]
ptp_release+0x195/0x3c0 drivers/ptp/ptp_chardev.c:151
posix_clock_release+0xa4/0x160 kernel/time/posix-clock.c:157
__fput+0x270/0xbb0 fs/file_table.c:394
__fput_sync+0x47/0x50 fs/file_table.c:475
__do_sys_close fs/open.c:1590 [inline]
__se_sys_close fs/open.c:1575 [inline]
__x64_sys_close+0x87/0xf0 fs/open.c:1575
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x3f/0x110 arch/x86/entry/common.c:82
entry_SYSCALL_64_after_hwframe+0x63/0x6b
RIP: 0033:0x7f8f1b47b9da
Code: 48 3d 00 f0 ff ff 77 48 c3 0f 1f 80 00 00 00 00 48 83 ec 18 89 7c 24 0c e8 03 7f 02 00 8b 7c 24 0c 89 c2 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 36 89 d7 89 44 24 0c e8 63 7f 02 00 8b 44 24
RSP: 002b:00007ffcf81e91f0 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00007f8f1b47b9da
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
RBP: 0000000000000032 R08: 0000001b2e460000 R09: 00007f8f1b59bf8c
R10: 00007ffcf81e9340 R11: 0000000000000293 R12: 00007f8f1b0000a8
R13: ffffffffffffffff R14: 00007f8f1b000000 R15: 0000000000028400
</TASK>

Allocated by task 7351:
kasan_save_stack+0x33/0x50 mm/kasan/common.c:45
kasan_set_track+0x25/0x30 mm/kasan/common.c:52
____kasan_kmalloc mm/kasan/common.c:374 [inline]
__kasan_kmalloc+0xa2/0xb0 mm/kasan/common.c:383
kmalloc include/linux/slab.h:600 [inline]
kzalloc include/linux/slab.h:721 [inline]
ptp_open+0xe3/0x510 drivers/ptp/ptp_chardev.c:112
posix_clock_open+0x17e/0x240 kernel/time/posix-clock.c:134
chrdev_open+0x26d/0x6e0 fs/char_dev.c:414
do_dentry_open+0x8d4/0x18d0 fs/open.c:948
do_open fs/namei.c:3621 [inline]
path_openat+0x1d3b/0x2ce0 fs/namei.c:3778
do_filp_open+0x1de/0x430 fs/namei.c:3808
do_sys_openat2+0x176/0x1e0 fs/open.c:1440
do_sys_open fs/open.c:1455 [inline]
__do_sys_openat fs/open.c:1471 [inline]
__se_sys_openat fs/open.c:1466 [inline]
__x64_sys_openat+0x175/0x210 fs/open.c:1466
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x3f/0x110 arch/x86/entry/common.c:82
entry_SYSCALL_64_after_hwframe+0x63/0x6b

Freed by task 7350:
kasan_save_stack+0x33/0x50 mm/kasan/common.c:45
kasan_set_track+0x25/0x30 mm/kasan/common.c:52
kasan_save_free_info+0x2b/0x40 mm/kasan/generic.c:522
____kasan_slab_free mm/kasan/common.c:236 [inline]
____kasan_slab_free+0x15b/0x1b0 mm/kasan/common.c:200
kasan_slab_free include/linux/kasan.h:164 [inline]
slab_free_hook mm/slub.c:1800 [inline]
slab_free_freelist_hook+0x114/0x1e0 mm/slub.c:1826
slab_free mm/slub.c:3809 [inline]
__kmem_cache_free+0xc0/0x180 mm/slub.c:3822
ptp_release+0x2ed/0x3c0 drivers/ptp/ptp_chardev.c:156
posix_clock_release+0xa4/0x160 kernel/time/posix-clock.c:157
__fput+0x270/0xbb0 fs/file_table.c:394
__fput_sync+0x47/0x50 fs/file_table.c:475
__do_sys_close fs/open.c:1590 [inline]
__se_sys_close fs/open.c:1575 [inline]
__x64_sys_close+0x87/0xf0 fs/open.c:1575
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x3f/0x110 arch/x86/entry/common.c:82
entry_SYSCALL_64_after_hwframe+0x63/0x6b

The buggy address belongs to the object at ffff88807ed0c000
which belongs to the cache kmalloc-8k of size 8192
The buggy address is located 4168 bytes inside of
freed 8192-byte region [ffff88807ed0c000, ffff88807ed0e000)

The buggy address belongs to the physical page:
page:ffffea0001fb4200 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7ed08
head:ffffea0001fb4200 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff00000000840(slab|head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 00fff00000000840 ffff888012c42280 ffffea0001ed8c00 dead000000000002
raw: 0000000000000000 0000000080020002 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0x1d20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL), pid 5807, tgid 5800 (syz-executor.2), ts 128144428861, free_ts 128110488621
set_page_owner include/linux/page_owner.h:31 [inline]
post_alloc_hook+0x2cf/0x340 mm/page_alloc.c:1537
prep_new_page mm/page_alloc.c:1544 [inline]
get_page_from_freelist+0xa16/0x3680 mm/page_alloc.c:3348
__alloc_pages+0x1d0/0x4c0 mm/page_alloc.c:4604
alloc_pages_mpol+0x258/0x5f0 mm/mempolicy.c:2133
alloc_slab_page mm/slub.c:1870 [inline]
allocate_slab+0x251/0x380 mm/slub.c:2017
new_slab mm/slub.c:2070 [inline]
___slab_alloc+0x8c7/0x1580 mm/slub.c:3223
__slab_alloc.constprop.0+0x56/0xa0 mm/slub.c:3322
__slab_alloc_node mm/slub.c:3375 [inline]
slab_alloc_node mm/slub.c:3468 [inline]
__kmem_cache_alloc_node+0x131/0x310 mm/slub.c:3517
kmalloc_trace+0x27/0xf0 mm/slab_common.c:1098
kmalloc include/linux/slab.h:600 [inline]
kzalloc include/linux/slab.h:721 [inline]
ptp_open+0xe3/0x510 drivers/ptp/ptp_chardev.c:112
posix_clock_open+0x17e/0x240 kernel/time/posix-clock.c:134
chrdev_open+0x26d/0x6e0 fs/char_dev.c:414
do_dentry_open+0x8d4/0x18d0 fs/open.c:948
do_open fs/namei.c:3621 [inline]
path_openat+0x1d3b/0x2ce0 fs/namei.c:3778
do_filp_open+0x1de/0x430 fs/namei.c:3808
do_sys_openat2+0x176/0x1e0 fs/open.c:1440
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1137 [inline]
free_unref_page_prepare+0x476/0xa40 mm/page_alloc.c:2383
free_unref_page+0x33/0x3b0 mm/page_alloc.c:2523
__unfreeze_partials+0x21d/0x240 mm/slub.c:2655
qlink_free mm/kasan/quarantine.c:168 [inline]
qlist_free_all+0x6a/0x170 mm/kasan/quarantine.c:187
kasan_quarantine_reduce+0x18e/0x1d0 mm/kasan/quarantine.c:294
__kasan_slab_alloc+0x65/0x90 mm/kasan/common.c:305
kasan_slab_alloc include/linux/kasan.h:188 [inline]
slab_post_alloc_hook mm/slab.h:763 [inline]
slab_alloc_node mm/slub.c:3478 [inline]
slab_alloc mm/slub.c:3486 [inline]
__kmem_cache_alloc_lru mm/slub.c:3493 [inline]
kmem_cache_alloc+0x163/0x390 mm/slub.c:3502
getname_flags.part.0+0x50/0x4e0 fs/namei.c:140
getname_flags+0x9c/0xf0 include/linux/audit.h:321
getname fs/namei.c:219 [inline]
__do_sys_symlinkat fs/namei.c:4505 [inline]
__se_sys_symlinkat fs/namei.c:4502 [inline]
__x64_sys_symlinkat+0x7b/0xc0 fs/namei.c:4502
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x3f/0x110 arch/x86/entry/common.c:82
entry_SYSCALL_64_after_hwframe+0x63/0x6b

Memory state around the buggy address:
ffff88807ed0cf00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88807ed0cf80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88807ed0d000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88807ed0d080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88807ed0d100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================


Tested on:

commit: 2dac7569 Add linux-next specific files for 20231018
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
console output: https://syzkaller.appspot.com/x/log.txt?x=125b57fd680000
kernel config: https://syzkaller.appspot.com/x/.config?x=9c95c4e98b206db8
dashboard link: https://syzkaller.appspot.com/bug?extid=df3f3ef31f60781fa911
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=11645bb9680000

Edward Adam Davis

Oct 27, 2023, 4:43:31 AM10/27/23
to syzbot+df3f3e...@syzkaller.appspotmail.com, da...@davemloft.net, linux-...@vger.kernel.org, net...@vger.kernel.org, rei...@gmail.com, richard...@gmail.com, syzkall...@googlegroups.com
From: Edward Adam Davis <ead...@qq.com>

Firstly, queue is not the memory allocated in ptp_read;
Secondly, other processes may block at ptp_read and wait for conditions to be
met to perform read operations.

Reported-by: syzbot+df3f3e...@syzkaller.appspotmail.com
Fixes: 8f5de6fb2453 ("ptp: support multiple timestamp event readers")
Signed-off-by: Edward Adam Davis <ead...@qq.com>
---
drivers/ptp/ptp_chardev.c | 2 --
1 file changed, 2 deletions(-)

diff --git a/drivers/ptp/ptp_chardev.c b/drivers/ptp/ptp_chardev.c
index 282cd7d24077..27c1ef493617 100644
--- a/drivers/ptp/ptp_chardev.c
+++ b/drivers/ptp/ptp_chardev.c
@@ -585,7 +585,5 @@ ssize_t ptp_read(struct posix_clock_context *pccontext, uint rdflags,
free_event:
kfree(event);
exit:
- if (result < 0)
- ptp_release(pccontext);
return result;
}
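Review bot: the removal is justified on its own terms (ptp_release() tears down the per-open queue that pccontext->private_clkdata still points at, so an error return from read() must not release what close() will release again), but the commit message should say that plainly instead of only "queue is not the memory allocated in ptp_read". It also does not explain the trace reported above: there the queue was freed by ptp_release() on the close() path (`__fput -> posix_clock_release -> ptp_release`), not from ptp_read(), and the corruption is in the shared `ptp->tsevqs` list, so the reproducer should be expected to keep firing with only this hunk applied. With the two lines gone, `exit:` reduces to `return result;`; keep the label only if other `goto exit` sites remain, and make sure each of them sets `result` before jumping.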
--
2.25.1

Edward Adam Davis

Oct 27, 2023, 4:43:31 AM10/27/23
to syzbot+df3f3e...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
From: Edward Adam Davis <ead...@qq.com>

please test slab uaf Read in ptp_read

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git 2dac75696c6d

Edward Adam Davis

Oct 27, 2023, 4:43:38 AM10/27/23
to syzbot+df3f3e...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
please test BUG: corrupted list in ptp_open

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git 2dac75696c6d

diff --git a/drivers/ptp/ptp_chardev.c b/drivers/ptp/ptp_chardev.c
index 282cd7d24077..27c1ef493617 100644
--- a/drivers/ptp/ptp_chardev.c
+++ b/drivers/ptp/ptp_chardev.c
@@ -585,7 +585,5 @@ ssize_t ptp_read(struct posix_clock_context *pccontext, uint rdflags,
free_event:
kfree(event);
exit:
- if (result < 0)
- ptp_release(pccontext);
return result;
}
diff --git a/drivers/ptp/ptp_chardev.c b/drivers/ptp/ptp_chardev.c
index 282cd7d24077..9f7be4236124 100644
--- a/drivers/ptp/ptp_chardev.c
+++ b/drivers/ptp/ptp_chardev.c
@@ -140,9 +140,9 @@ int ptp_release(struct posix_clock_context *pccontext)
struct timestamp_event_queue *queue = pccontext->private_clkdata;
unsigned long flags;

- if (queue) {
+ pccontext->private_clkdata = NULL;
+ if (!IS_ERR_OR_NULL(queue)) {
debugfs_remove(queue->debugfs_instance);
- pccontext->private_clkdata = NULL;
spin_lock_irqsave(&queue->lock, flags);
list_del(&queue->qlist);
spin_unlock_irqrestore(&queue->lock, flags);
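Review bot: `IS_ERR_OR_NULL(queue)` is a misleading test here: pccontext->private_clkdata is only ever assigned the kzalloc() result or NULL (the ptp_open() hunk elsewhere in this thread shows `pccontext->private_clkdata = queue;` guarded by `if (!queue)`), so there is no ERR_PTR value to filter out and a plain NULL check is the honest one. Moving `pccontext->private_clkdata = NULL;` above the `if` changes nothing in practice, since the old code already cleared it inside the block. Neither change serializes this `list_del()` against a concurrent `list_add_tail()` in ptp_open() or a `list_del()` of a neighbouring entry under that entry's own lock, which is what the test result below reports: "next->prev should be ..., but was dead000000000122" is LIST_POISON2 in the neighbour, i.e. the next element had already been unlinked by another release.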

Edward Adam Davis

Oct 27, 2023, 4:43:38 AM10/27/23
to syzbot+df3f3e...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
please test BUG: corrupted list in ptp_open

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git 2dac75696c6d

diff --git a/drivers/ptp/ptp_chardev.c b/drivers/ptp/ptp_chardev.c
index 282cd7d24077..27c1ef493617 100644
--- a/drivers/ptp/ptp_chardev.c
+++ b/drivers/ptp/ptp_chardev.c
@@ -585,7 +585,5 @@ ssize_t ptp_read(struct posix_clock_context *pccontext, uint rdflags,
free_event:
kfree(event);
exit:
- if (result < 0)
- ptp_release(pccontext);
return result;
}

diff --git a/drivers/ptp/ptp_chardev.c b/drivers/ptp/ptp_chardev.c
index 282cd7d24077..341ee9662bc6 100644
--- a/drivers/ptp/ptp_chardev.c
+++ b/drivers/ptp/ptp_chardev.c
@@ -108,6 +108,7 @@ int ptp_open(struct posix_clock_context *pccontext, fmode_t fmode)
container_of(pccontext->clk, struct ptp_clock, clock);
struct timestamp_event_queue *queue;
char debugfsname[32];
+ unsigned long flags;

queue = kzalloc(sizeof(*queue), GFP_KERNEL);
if (!queue)
@@ -119,7 +120,10 @@ int ptp_open(struct posix_clock_context *pccontext, fmode_t fmode)
}
bitmap_set(queue->mask, 0, PTP_MAX_CHANNELS);
spin_lock_init(&queue->lock);
+
+ spin_lock_irqsave(&queue->lock, flags);
list_add_tail(&queue->qlist, &ptp->tsevqs);
+ spin_unlock_irqrestore(&queue->lock, flags);
pccontext->private_clkdata = queue;

/* Debugfs contents */
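Review bot: the lock wrapped around `list_add_tail(&queue->qlist, &ptp->tsevqs)` is `queue->lock`, the spinlock of the element being inserted, initialised one line earlier. It cannot order this insertion against ptp_release() on another open, which takes that other queue's own `queue->lock` around its `list_del()`; two entries of the shared `ptp->tsevqs` list are still modified under two unrelated locks, so the list_add corruption in ptp_open() reported at the top of this thread remains reachable. The list needs a lock owned by `struct ptp_clock` that both ptp_open() and ptp_release() take, and `queue->lock` should stay what it is, the lock of that queue's own event fifo. The `unsigned long flags;` added in the previous hunk exists only for this attempt.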
@@ -140,9 +144,9 @@ int ptp_release(struct posix_clock_context *pccontext)

Edward Adam Davis

Oct 27, 2023, 4:43:50 AM10/27/23
to syzbot+df3f3e...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
please test BUG: corrupted list in ptp_open

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git 2dac75696c6d

diff --git a/drivers/ptp/ptp_chardev.c b/drivers/ptp/ptp_chardev.c
index 282cd7d24077..27c1ef493617 100644
--- a/drivers/ptp/ptp_chardev.c
+++ b/drivers/ptp/ptp_chardev.c
@@ -585,7 +585,5 @@ ssize_t ptp_read(struct posix_clock_context *pccontext, uint rdflags,
free_event:
kfree(event);
exit:
- if (result < 0)
- ptp_release(pccontext);
return result;
}

diff --git a/drivers/ptp/ptp_chardev.c b/drivers/ptp/ptp_chardev.c
index 282cd7d24077..1a9176e0ce36 100644
--- a/drivers/ptp/ptp_chardev.c
+++ b/drivers/ptp/ptp_chardev.c
@@ -121,6 +121,7 @@ int ptp_open(struct posix_clock_context *pccontext, fmode_t fmode)
spin_lock_init(&queue->lock);
list_add_tail(&queue->qlist, &ptp->tsevqs);
pccontext->private_clkdata = queue;
+ printk("%p, %p, %s\n", queue, &queue->qlist, __func__);

/* Debugfs contents */
sprintf(debugfsname, "0x%p", queue);
@@ -140,12 +141,15 @@ int ptp_release(struct posix_clock_context *pccontext)
struct timestamp_event_queue *queue = pccontext->private_clkdata;
unsigned long flags;

- if (queue) {
+ pccontext->private_clkdata = NULL;
+ if (!IS_ERR_OR_NULL(queue)) {
+ struct list_head *ql = &queue->qlist;
debugfs_remove(queue->debugfs_instance);
- pccontext->private_clkdata = NULL;
+ printk("%p, %p, %s\n", queue, ql, __func__);
spin_lock_irqsave(&queue->lock, flags);
- list_del(&queue->qlist);
+ list_del(ql);
spin_unlock_irqrestore(&queue->lock, flags);
+ printk("deled, %p, %p, %s\n", queue, ql, __func__);
bitmap_free(queue->mask);
kfree(queue);
}

Edward Adam Davis

Oct 27, 2023, 4:43:50 AM10/27/23
to syzbot+df3f3e...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
please test BUG: corrupted list in ptp_open

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git 2dac75696c6d

diff --git a/drivers/ptp/ptp_chardev.c b/drivers/ptp/ptp_chardev.c
index 282cd7d24077..27c1ef493617 100644
--- a/drivers/ptp/ptp_chardev.c
+++ b/drivers/ptp/ptp_chardev.c
@@ -585,7 +585,5 @@ ssize_t ptp_read(struct posix_clock_context *pccontext, uint rdflags,
free_event:
kfree(event);
exit:
- if (result < 0)
- ptp_release(pccontext);
return result;
}

diff --git a/drivers/ptp/ptp_chardev.c b/drivers/ptp/ptp_chardev.c
index 282cd7d24077..e57b8f0259da 100644
--- a/drivers/ptp/ptp_chardev.c
+++ b/drivers/ptp/ptp_chardev.c
@@ -121,6 +121,7 @@ int ptp_open(struct posix_clock_context *pccontext, fmode_t fmode)
spin_lock_init(&queue->lock);
list_add_tail(&queue->qlist, &ptp->tsevqs);
pccontext->private_clkdata = queue;
+ printk("%p, %p, %s\n", queue, &queue->qlist, __func__);

/* Debugfs contents */
sprintf(debugfsname, "0x%p", queue);
@@ -140,12 +141,17 @@ int ptp_release(struct posix_clock_context *pccontext)
struct timestamp_event_queue *queue = pccontext->private_clkdata;
unsigned long flags;

- if (queue) {
+ pccontext->private_clkdata = NULL;
+ if (!IS_ERR_OR_NULL(queue)) {
+ struct list_head *ql = &queue->qlist;
debugfs_remove(queue->debugfs_instance);
- pccontext->private_clkdata = NULL;
- spin_lock_irqsave(&queue->lock, flags);
- list_del(&queue->qlist);
- spin_unlock_irqrestore(&queue->lock, flags);
+ printk("%p, %p, %p, %p, %s\n", queue, ql, ql->prev, ql->next, __func__);
+ if (ql->prev != LIST_POISON2 && ql->next != LIST_POISON1) {
+ spin_lock_irqsave(&queue->lock, flags);
+ list_del(ql);
+ spin_unlock_irqrestore(&queue->lock, flags);
+ }
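Review bot: the `ql->prev != LIST_POISON2 && ql->next != LIST_POISON1` guard reads the link pointers with no lock held and tests the wrong entry. The message in the test results ("next->prev should be ..., but was dead000000000122") says the poison is in the neighbour's `prev`, meaning the next element was already unlinked by a concurrent ptp_release(); this entry's own pointers still look valid, so the guard passes and `list_del()` trips anyway. When the guard does trip, the entry is left on `ptp->tsevqs` while the `kfree(queue)` that follows in ptp_release() (visible in the earlier variant of this hunk) still frees it, turning a detected corruption into a silent use-after-free. Drop the check; the fix is a lock on the list, not a poison test.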

Edward Adam Davis

Oct 27, 2023, 4:43:50 AM10/27/23
to ead...@qq.com, da...@davemloft.net, linux-...@vger.kernel.org, net...@vger.kernel.org, rei...@gmail.com, richard...@gmail.com, syzbot+df3f3e...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
This patch does not fix this issue, please ignore it.

edward

Edward Adam Davis

Oct 27, 2023, 4:43:51 AM10/27/23
to syzbot+df3f3e...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
please test BUG: corrupted list in ptp_open

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git 2dac75696c6d

diff --git a/drivers/ptp/ptp_chardev.c b/drivers/ptp/ptp_chardev.c
index 282cd7d24077..27c1ef493617 100644
--- a/drivers/ptp/ptp_chardev.c
+++ b/drivers/ptp/ptp_chardev.c
@@ -585,7 +585,5 @@ ssize_t ptp_read(struct posix_clock_context *pccontext, uint rdflags,
free_event:
kfree(event);
exit:
- if (result < 0)
- ptp_release(pccontext);
return result;
}

diff --git a/drivers/ptp/ptp_chardev.c b/drivers/ptp/ptp_chardev.c
index 282cd7d24077..5936ca5de805 100644
--- a/drivers/ptp/ptp_chardev.c
+++ b/drivers/ptp/ptp_chardev.c
@@ -140,9 +140,10 @@ int ptp_release(struct posix_clock_context *pccontext)
struct timestamp_event_queue *queue = pccontext->private_clkdata;
unsigned long flags;

- if (queue) {
+ pccontext->private_clkdata = NULL;
+ if (!IS_ERR_OR_NULL(queue)) {
debugfs_remove(queue->debugfs_instance);
- pccontext->private_clkdata = NULL;
+ printk("%p, %p, %s\n", queue, &queue->qlist, __func__);
spin_lock_irqsave(&queue->lock, flags);
list_del(&queue->qlist);
spin_unlock_irqrestore(&queue->lock, flags);
diff --git a/drivers/ptp/ptp_clock.c b/drivers/ptp/ptp_clock.c
index 3d1b0a97301c..fe11e3fc1592 100644
--- a/drivers/ptp/ptp_clock.c
+++ b/drivers/ptp/ptp_clock.c
@@ -181,6 +181,7 @@ static void ptp_clock_release(struct device *dev)
/* Delete first entry */
tsevq = list_first_entry(&ptp->tsevqs, struct timestamp_event_queue,
qlist);
+ printk("%p, %p, %s\n", tsevq, &tsevq->qlist, __func__);
spin_lock_irqsave(&tsevq->lock, flags);
list_del(&tsevq->qlist);
spin_unlock_irqrestore(&tsevq->lock, flags);
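Review bot: same per-entry locking pattern as ptp_release(): `tsevq->lock` belongs to the entry being removed, so this `list_del()` on `ptp->tsevqs` in the device release path does not serialize with ptp_open()'s `list_add_tail()` or with a ptp_release() of another entry; the added printk only records the addresses and changes none of that. Whatever lock is introduced for the list has to be taken on this path as well.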

Edward Adam Davis

Oct 27, 2023, 4:43:51 AM10/27/23
to syzbot+df3f3e...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
please test BUG: corrupted list in ptp_open

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git 2dac75696c6d

diff --git a/drivers/ptp/ptp_chardev.c b/drivers/ptp/ptp_chardev.c
index 282cd7d24077..27c1ef493617 100644
--- a/drivers/ptp/ptp_chardev.c
+++ b/drivers/ptp/ptp_chardev.c
@@ -585,7 +585,5 @@ ssize_t ptp_read(struct posix_clock_context *pccontext, uint rdflags,
free_event:
kfree(event);
exit:
- if (result < 0)
- ptp_release(pccontext);
return result;
}

diff --git a/drivers/ptp/ptp_chardev.c b/drivers/ptp/ptp_chardev.c
index 282cd7d24077..bc99d505eeac 100644
--- a/drivers/ptp/ptp_chardev.c
+++ b/drivers/ptp/ptp_chardev.c
@@ -121,6 +121,7 @@ int ptp_open(struct posix_clock_context *pccontext, fmode_t fmode)
spin_lock_init(&queue->lock);
list_add_tail(&queue->qlist, &ptp->tsevqs);
pccontext->private_clkdata = queue;
+ printk("%p, %p, %s\n", queue, &queue->qlist, __func__);

/* Debugfs contents */
sprintf(debugfsname, "0x%p", queue);
@@ -140,12 +141,14 @@ int ptp_release(struct posix_clock_context *pccontext)
struct timestamp_event_queue *queue = pccontext->private_clkdata;
unsigned long flags;

- if (queue) {
+ pccontext->private_clkdata = NULL;
+ if (!IS_ERR_OR_NULL(queue)) {
debugfs_remove(queue->debugfs_instance);
- pccontext->private_clkdata = NULL;
+ printk("%p, %p, %s\n", queue, &queue->qlist, __func__);
spin_lock_irqsave(&queue->lock, flags);
list_del(&queue->qlist);
spin_unlock_irqrestore(&queue->lock, flags);
+ printk("deled, %p, %p, %s\n", queue, &queue->qlist, __func__);
bitmap_free(queue->mask);
kfree(queue);

Edward Adam Davis

Oct 27, 2023, 4:53:34 AM10/27/23
to syzbot+df3f3e...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
please test BUG: corrupted list in ptp_open

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git 2dac75696c6d

diff --git a/drivers/ptp/ptp_chardev.c b/drivers/ptp/ptp_chardev.c
index 282cd7d24077..7a8a6b8a91f9 100644
--- a/drivers/ptp/ptp_chardev.c
+++ b/drivers/ptp/ptp_chardev.c
@@ -121,6 +121,7 @@ int ptp_open(struct posix_clock_context *pccontext, fmode_t fmode)
spin_lock_init(&queue->lock);
list_add_tail(&queue->qlist, &ptp->tsevqs);
pccontext->private_clkdata = queue;
+ printk("%p, %p, %s\n", queue, &queue->qlist, __func__);

/* Debugfs contents */
sprintf(debugfsname, "0x%p", queue);
@@ -140,9 +141,11 @@ int ptp_release(struct posix_clock_context *pccontext)
struct timestamp_event_queue *queue = pccontext->private_clkdata;
unsigned long flags;

- if (queue) {
+ pccontext->private_clkdata = NULL;
+ if (!IS_ERR_OR_NULL(queue)) {
+ struct list_head *ql = &queue->qlist;
debugfs_remove(queue->debugfs_instance);
- pccontext->private_clkdata = NULL;
+ printk("%p, %p, %p, %s\n", queue, ql, ql->prev, __func__);
spin_lock_irqsave(&queue->lock, flags);
list_del(&queue->qlist);
spin_unlock_irqrestore(&queue->lock, flags);
@@ -544,9 +547,13 @@ ssize_t ptp_read(struct posix_clock_context *pccontext, uint rdflags,

cnt = cnt / sizeof(struct ptp_extts_event);

+ if (mutex_lock_interruptible(&ptp->tsevq_mux))
+ return -ERESTARTSYS;
+
if (wait_event_interruptible(ptp->tsev_wq,
ptp->defunct || queue_cnt(queue))) {
- return -ERESTARTSYS;
+ result = -ERESTARTSYS;
+ goto exit;
}

if (ptp->defunct) {
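Review bot: taking `ptp->tsevq_mux` before `wait_event_interruptible()` and holding it across the sleep serializes every reader of the clock, including readers on different file descriptors that each own a separate queue (`ptp->tsevqs` is a list of fifos, one per open). A reader blocked waiting for events now holds the mutex and stalls every other reader until an event arrives, which undoes the "multiple timestamp event readers" feature named in the Fixes: tag. It also leaves the actual corruption untouched: the list operations in ptp_open() and ptp_release() do not take this mutex. What is needed is a short spinlock around the `ptp->tsevqs` manipulation in those two functions, not a mutex around read().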
@@ -585,7 +592,6 @@ ssize_t ptp_read(struct posix_clock_context *pccontext, uint rdflags,
free_event:
kfree(event);
exit:
- if (result < 0)
- ptp_release(pccontext);
+ mutex_unlock(&ptp->tsevq_mux);
return result;
}
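Review bot: with `mutex_unlock(&ptp->tsevq_mux)` at `exit:`, every path that leaves ptp_read() between mutex_lock_interruptible() and this label must now go through `exit:`, and the previous hunk converts only the wait_event_interruptible() failure to `goto exit`. Any `return` still in the body (the `if (ptp->defunct)` block that follows the converted wait is not shown in the hunk, for instance) would leave the mutex held and hang the next reader, so all returns in the function need auditing before another test round.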
diff --git a/drivers/ptp/ptp_clock.c b/drivers/ptp/ptp_clock.c
index 3d1b0a97301c..7930db6ec18d 100644
--- a/drivers/ptp/ptp_clock.c
+++ b/drivers/ptp/ptp_clock.c
@@ -176,6 +176,7 @@ static void ptp_clock_release(struct device *dev)

ptp_cleanup_pin_groups(ptp);
kfree(ptp->vclock_index);
+ mutex_destroy(&ptp->tsevq_mux);
mutex_destroy(&ptp->pincfg_mux);
mutex_destroy(&ptp->n_vclocks_mux);
/* Delete first entry */
@@ -247,6 +248,7 @@ struct ptp_clock *ptp_clock_register(struct ptp_clock_info *info,
if (!queue)
goto no_memory_queue;
list_add_tail(&queue->qlist, &ptp->tsevqs);
+ mutex_init(&ptp->tsevq_mux);
queue->mask = bitmap_alloc(PTP_MAX_CHANNELS, GFP_KERNEL);
if (!queue->mask)
goto no_memory_bitmap;
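Review bot: `mutex_init(&ptp->tsevq_mux)` is placed after `list_add_tail()` inside the queue-allocation sequence rather than beside the other mutex_init calls, while `kworker_err:` further down now runs `mutex_destroy(&ptp->tsevq_mux)`. Please confirm that no error label reachable before this line (`no_memory_queue` is taken two lines earlier) falls through to `kworker_err:` with an uninitialised mutex, and move the init next to pincfg_mux/n_vclocks_mux so the init/destroy pairs stay symmetric.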
@@ -356,6 +358,7 @@ struct ptp_clock *ptp_clock_register(struct ptp_clock_info *info,
if (ptp->kworker)
kthread_destroy_worker(ptp->kworker);
kworker_err:
+ mutex_destroy(&ptp->tsevq_mux);
mutex_destroy(&ptp->pincfg_mux);
mutex_destroy(&ptp->n_vclocks_mux);
bitmap_free(queue->mask);
diff --git a/drivers/ptp/ptp_private.h b/drivers/ptp/ptp_private.h
index 52f87e394aa6..1525bd2059ba 100644
--- a/drivers/ptp/ptp_private.h
+++ b/drivers/ptp/ptp_private.h
@@ -44,6 +44,7 @@ struct ptp_clock {
struct pps_device *pps_source;
long dialed_frequency; /* remembers the frequency adjustment */
struct list_head tsevqs; /* timestamp fifo list */
+ struct mutex tsevq_mux; /* one process at a time reading the fifo */
struct mutex pincfg_mux; /* protect concurrent info->pin_config access */
wait_queue_head_t tsev_wq;
int defunct; /* tells readers to go away when clock is being removed */
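Review bot: the comment "one process at a time reading the fifo" does not describe what this mutex does: `tsevqs` on the line above is a list of fifos, one per open file, so a mutex in `struct ptp_clock` serializes readers of different fifos, not concurrent readers of one. If the intent is to serialize readers of a single queue, the lock belongs in `struct timestamp_event_queue`; if the intent is to protect the `tsevqs` list itself, it should be a spinlock taken in ptp_open()/ptp_release() around list_add_tail()/list_del(), and read() should not take it at all.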

syzbot

Oct 27, 2023, 5:12:06 AM10/27/23
to ead...@qq.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: corrupted list in ptp_release

ffff88801833c000, ffff88801833d048, ffff888018339048, ptp_release
list_del corruption. next->prev should be ffff88801833d048, but was dead000000000122. (next=ffff888064445048)
------------[ cut here ]------------
kernel BUG at lib/list_debug.c:65!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 8570 Comm: syz-executor.0 Not tainted 6.6.0-rc6-next-20231018-syzkaller-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023
RIP: 0010:__list_del_entry_valid_or_report+0x133/0x1b0 lib/list_debug.c:65
Call Trace:
<TASK>
__list_del_entry_valid include/linux/list.h:124 [inline]
__list_del_entry include/linux/list.h:215 [inline]
list_del include/linux/list.h:229 [inline]
ptp_release+0x105/0x2e0 drivers/ptp/ptp_chardev.c:150
posix_clock_release+0xa4/0x160 kernel/time/posix-clock.c:157
__fput+0x270/0xbb0 fs/file_table.c:394
__fput_sync+0x47/0x50 fs/file_table.c:475
__do_sys_close fs/open.c:1590 [inline]
__se_sys_close fs/open.c:1575 [inline]
__x64_sys_close+0x87/0xf0 fs/open.c:1575
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x3f/0x110 arch/x86/entry/common.c:82
entry_SYSCALL_64_after_hwframe+0x63/0x6b
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---


Tested on:

commit: 2dac7569 Add linux-next specific files for 20231018
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
console output: https://syzkaller.appspot.com/x/log.txt?x=1720281d680000
kernel config: https://syzkaller.appspot.com/x/.config?x=9c95c4e98b206db8
dashboard link: https://syzkaller.appspot.com/bug?extid=df3f3ef31f60781fa911
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=17312335680000

Edward Adam Davis

Oct 27, 2023, 5:52:13 AM
to syzbot+df3f3e...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
please test BUG: corrupted list in ptp_open

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git 2dac75696c6d

diff --git a/drivers/ptp/ptp_chardev.c b/drivers/ptp/ptp_chardev.c
index 282cd7d24077..bf89e1fe6613 100644
--- a/drivers/ptp/ptp_chardev.c
+++ b/drivers/ptp/ptp_chardev.c
@@ -120,7 +120,7 @@ int ptp_open(struct posix_clock_context *pccontext, fmode_t fmode)
bitmap_set(queue->mask, 0, PTP_MAX_CHANNELS);
spin_lock_init(&queue->lock);
list_add_tail(&queue->qlist, &ptp->tsevqs);
- pccontext->private_clkdata = queue;
+ WRITE_ONCE(pccontext->private_clkdata, queue);

/* Debugfs contents */
sprintf(debugfsname, "0x%p", queue);
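Review bot: `WRITE_ONCE` on `private_clkdata` does not address the reported corruption; the `list_add_tail(&queue->qlist, &ptp->tsevqs)` two lines above still runs with no lock held, and that is the `list_add` the original report trips on. READ_ONCE/WRITE_ONCE only make a single pointer access tear-free; they do not serialise two CPUs inserting into or deleting from the same list. The shared list needs a lock that lives in `struct ptp_clock`, taken around every add and delete.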
@@ -137,12 +137,12 @@ int ptp_open(struct posix_clock_context *pccontext, fmode_t fmode)

int ptp_release(struct posix_clock_context *pccontext)
{
- struct timestamp_event_queue *queue = pccontext->private_clkdata;
+ struct timestamp_event_queue *queue = READ_ONCE(pccontext->private_clkdata);
unsigned long flags;

if (queue) {
debugfs_remove(queue->debugfs_instance);
- pccontext->private_clkdata = NULL;
+ WRITE_ONCE(pccontext->private_clkdata, NULL);
spin_lock_irqsave(&queue->lock, flags);
list_del(&queue->qlist);
spin_unlock_irqrestore(&queue->lock, flags);
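Review bot: `list_del` here is guarded by `queue->lock`, a lock embedded in the very queue being removed, so two releases on different queues, or a release racing an open, each hold a different lock while editing the same `ptp->tsevqs` list; this is why the follow-up syzbot run still reports `list_del corruption` in ptp_release. A per-queue lock can protect that queue's own fifo, not its membership of the clock-wide list.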
@@ -172,7 +172,7 @@ long ptp_ioctl(struct posix_clock_context *pccontext, unsigned int cmd,
struct timespec64 ts;
int enable, err = 0;

- tsevq = pccontext->private_clkdata;
+ tsevq = READ_ONCE(pccontext->private_clkdata);

switch (cmd) {

@@ -506,7 +506,7 @@ __poll_t ptp_poll(struct posix_clock_context *pccontext, struct file *fp,
container_of(pccontext->clk, struct ptp_clock, clock);
struct timestamp_event_queue *queue;

- queue = pccontext->private_clkdata;
+ queue = READ_ONCE(pccontext->private_clkdata);
if (!queue)
return EPOLLERR;

@@ -528,7 +528,7 @@ ssize_t ptp_read(struct posix_clock_context *pccontext, uint rdflags,
size_t qcnt, i;
int result;

- queue = pccontext->private_clkdata;
+ queue = READ_ONCE(pccontext->private_clkdata);
if (!queue) {
result = -EINVAL;
goto exit;
@@ -585,7 +585,5 @@ ssize_t ptp_read(struct posix_clock_context *pccontext, uint rdflags,
free_event:
kfree(event);
exit:
- if (result < 0)
- ptp_release(pccontext);
return result;
}

syzbot

Oct 27, 2023, 6:08:07 AM
to ead...@qq.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: corrupted list in ptp_release

list_del corruption. prev->next should be ffff88807d57d048, but was ffff888024fc85e8. (prev=ffff888025009048)
------------[ cut here ]------------
kernel BUG at lib/list_debug.c:62!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 6284 Comm: syz-executor.3 Not tainted 6.6.0-rc6-next-20231018-syzkaller-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023
RIP: 0010:__list_del_entry_valid_or_report+0x11f/0x1b0 lib/list_debug.c:62
Call Trace:
<TASK>
__list_del_entry_valid include/linux/list.h:124 [inline]
__list_del_entry include/linux/list.h:215 [inline]
list_del include/linux/list.h:229 [inline]
ptp_release+0xc4/0x2b0 drivers/ptp/ptp_chardev.c:147
posix_clock_release+0xa4/0x160 kernel/time/posix-clock.c:157
__fput+0x270/0xbb0 fs/file_table.c:394
__fput_sync+0x47/0x50 fs/file_table.c:475
__do_sys_close fs/open.c:1590 [inline]
__se_sys_close fs/open.c:1575 [inline]
__x64_sys_close+0x87/0xf0 fs/open.c:1575
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x3f/0x110 arch/x86/entry/common.c:82
entry_SYSCALL_64_after_hwframe+0x63/0x6b
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---


Tested on:

commit: 2dac7569 Add linux-next specific files for 20231018
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
console output: https://syzkaller.appspot.com/x/log.txt?x=129b7995680000
kernel config: https://syzkaller.appspot.com/x/.config?x=9c95c4e98b206db8
dashboard link: https://syzkaller.appspot.com/bug?extid=df3f3ef31f60781fa911
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=1271e843680000

Hillf Danton

Oct 27, 2023, 9:19:24 PM
to syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com
On Thu, 26 Oct 2023 07:20:20 -0700
> HEAD commit: 2030579113a1 Add linux-next specific files for 20231020
> git tree: linux-next
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=11037669680000

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git 2030579113a1

--- x/drivers/ptp/ptp_chardev.c
+++ y/drivers/ptp/ptp_chardev.c
@@ -108,6 +108,7 @@ int ptp_open(struct posix_clock_context
container_of(pccontext->clk, struct ptp_clock, clock);
struct timestamp_event_queue *queue;
char debugfsname[32];
+ unsigned long flags;

queue = kzalloc(sizeof(*queue), GFP_KERNEL);
if (!queue)
@@ -119,7 +120,9 @@ int ptp_open(struct posix_clock_context
}
bitmap_set(queue->mask, 0, PTP_MAX_CHANNELS);
spin_lock_init(&queue->lock);
+ spin_lock_irqsave(&queue->lock, flags);
list_add_tail(&queue->qlist, &ptp->tsevqs);
+ spin_unlock_irqrestore(&queue->lock, flags);
pccontext->private_clkdata = queue;

/* Debugfs contents */
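Review bot: the spinlock taken around `list_add_tail` is `queue->lock`, initialised one line earlier for a queue no other context can see yet, so nothing can contend on it and the insertion into `ptp->tsevqs` remains unserialised against a concurrent `ptp_release` deleting a different queue under that other queue's lock. The lock protecting the list head has to live in `struct ptp_clock`, not in the element being inserted.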
--

syzbot

Oct 27, 2023, 10:55:07 PM
to hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: corrupted list in ptp_release

list_del corruption. prev->next should be ffff88806d1f9048, but was ffff88814ad945e8. (prev=ffff88814ad99048)
------------[ cut here ]------------
kernel BUG at lib/list_debug.c:62!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 9040 Comm: syz-executor.1 Not tainted 6.6.0-rc6-next-20231020-syzkaller-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023
RIP: 0010:__list_del_entry_valid_or_report+0x11f/0x1b0 lib/list_debug.c:62
Call Trace:
<TASK>
__list_del_entry_valid include/linux/list.h:124 [inline]
__list_del_entry include/linux/list.h:215 [inline]
list_del include/linux/list.h:229 [inline]
ptp_release+0xc4/0x2b0 drivers/ptp/ptp_chardev.c:150
posix_clock_release+0xa4/0x160 kernel/time/posix-clock.c:157
__fput+0x270/0xbb0 fs/file_table.c:394
__fput_sync+0x47/0x50 fs/file_table.c:475
__do_sys_close fs/open.c:1590 [inline]
__se_sys_close fs/open.c:1575 [inline]
__x64_sys_close+0x86/0xf0 fs/open.c:1575
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x3f/0x110 arch/x86/entry/common.c:82
entry_SYSCALL_64_after_hwframe+0x63/0x6b
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---


Tested on:

commit: 20305791 Add linux-next specific files for 20231020
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
console output: https://syzkaller.appspot.com/x/log.txt?x=16c52007680000
kernel config: https://syzkaller.appspot.com/x/.config?x=37404d76b3c8840e
dashboard link: https://syzkaller.appspot.com/bug?extid=df3f3ef31f60781fa911
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=17bc6cfd680000

Edward Adam Davis

Oct 27, 2023, 11:07:17 PM
to syzbot+df3f3e...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
please test BUG: corrupted list in ptp_open

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git 2dac75696c6d

diff --git a/drivers/ptp/ptp_chardev.c b/drivers/ptp/ptp_chardev.c
index 282cd7d24077..b1c9038181c1 100644
--- a/drivers/ptp/ptp_chardev.c
+++ b/drivers/ptp/ptp_chardev.c
@@ -109,6 +109,9 @@ int ptp_open(struct posix_clock_context *pccontext, fmode_t fmode)
struct timestamp_event_queue *queue;
char debugfsname[32];

+ if (mutex_lock_interruptible(&ptp->tsevq_mux))
+ return -ERESTARTSYS;
+
queue = kzalloc(sizeof(*queue), GFP_KERNEL);
if (!queue)
return -EINVAL;
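Review bot: `mutex_lock_interruptible` at the top of ptp_open is never released in this function: the `kzalloc` failure two lines below returns `-EINVAL` with the mutex held, and on success the only unlock is in ptp_release, so the mutex is held for the whole lifetime of the file descriptor. That is exactly what the syzbot run reports as `lock held when returning to user space in ptp_open`, and it also means a second open of the clock blocks until the first descriptor is closed. Unlock before every return in ptp_open and keep the critical section to the list manipulation.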
@@ -138,6 +141,8 @@ int ptp_open(struct posix_clock_context *pccontext, fmode_t fmode)
int ptp_release(struct posix_clock_context *pccontext)
{
struct timestamp_event_queue *queue = pccontext->private_clkdata;
+ struct ptp_clock *ptp =
+ container_of(pccontext->clk, struct ptp_clock, clock);
unsigned long flags;

if (queue) {
@@ -148,6 +153,7 @@ int ptp_release(struct posix_clock_context *pccontext)
spin_unlock_irqrestore(&queue->lock, flags);
bitmap_free(queue->mask);
kfree(queue);
+ mutex_unlock(&ptp->tsevq_mux);
}
return 0;
}
@@ -585,7 +591,5 @@ ssize_t ptp_read(struct posix_clock_context *pccontext, uint rdflags,
free_event:
kfree(event);
exit:
- if (result < 0)
- ptp_release(pccontext);
return result;
}
diff --git a/drivers/ptp/ptp_clock.c b/drivers/ptp/ptp_clock.c
index 3d1b0a97301c..7930db6ec18d 100644
--- a/drivers/ptp/ptp_clock.c
+++ b/drivers/ptp/ptp_clock.c
@@ -176,6 +176,7 @@ static void ptp_clock_release(struct device *dev)

ptp_cleanup_pin_groups(ptp);
kfree(ptp->vclock_index);
+ mutex_destroy(&ptp->tsevq_mux);
mutex_destroy(&ptp->pincfg_mux);
mutex_destroy(&ptp->n_vclocks_mux);
/* Delete first entry */
@@ -247,6 +248,7 @@ struct ptp_clock *ptp_clock_register(struct ptp_clock_info *info,
if (!queue)
goto no_memory_queue;
list_add_tail(&queue->qlist, &ptp->tsevqs);

syzbot

Oct 27, 2023, 11:38:06 PM
to ead...@qq.com, syzkall...@googlegroups.com
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

WARNING: lock held when returning to user space in ptp_open

================================================
WARNING: lock held when returning to user space!
6.6.0-rc6-next-20231018-syzkaller-dirty #0 Not tainted
------------------------------------------------
syz-fuzzer/5045 is leaving the kernel with locks still held!
1 lock held by syz-fuzzer/5045:
#0: ffff88814b1a0660 (&ptp->tsevq_mux){+.+.}-{3:3}, at: ptp_open+0xbc/0x530 drivers/ptp/ptp_chardev.c:112


syzkaller build log:


Tested on:

commit: 2dac7569 Add linux-next specific files for 20231018
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
kernel config: https://syzkaller.appspot.com/x/.config?x=9c95c4e98b206db8
dashboard link: https://syzkaller.appspot.com/bug?extid=df3f3ef31f60781fa911
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=1485728d680000

Edward Adam Davis

Oct 28, 2023, 12:19:38 AM
to syzbot+df3f3e...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
please test BUG: corrupted list in ptp_open

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git 2dac75696c6d

diff --git a/drivers/ptp/ptp_chardev.c b/drivers/ptp/ptp_chardev.c
index 282cd7d24077..5546e4b4e083 100644
--- a/drivers/ptp/ptp_chardev.c
+++ b/drivers/ptp/ptp_chardev.c
@@ -109,6 +109,9 @@ int ptp_open(struct posix_clock_context *pccontext, fmode_t fmode)
struct timestamp_event_queue *queue;
char debugfsname[32];

+ if (mutex_lock_interruptible(&ptp->tsevq_mux))
+ return -ERESTARTSYS;
+
queue = kzalloc(sizeof(*queue), GFP_KERNEL);
if (!queue)
return -EINVAL;
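Review bot: the `return -EINVAL` on `kzalloc` failure two lines after `mutex_lock_interruptible` still returns with `tsevq_mux` held; the unlock added before `return 0` further down covers only the success path. Every early return between the lock and that unlock (allocation failures included) needs a matching `mutex_unlock`, or restructure the function with a `goto` to a single unlock label.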
@@ -132,15 +135,20 @@ int ptp_open(struct posix_clock_context *pccontext, fmode_t fmode)
debugfs_create_u32_array("mask", 0444, queue->debugfs_instance,
&queue->dfs_bitmap);

+ mutex_unlock(&ptp->tsevq_mux);
return 0;
}

int ptp_release(struct posix_clock_context *pccontext)
{
struct timestamp_event_queue *queue = pccontext->private_clkdata;
+ struct ptp_clock *ptp =
+ container_of(pccontext->clk, struct ptp_clock, clock);
unsigned long flags;

if (queue) {
+ if (mutex_lock_interruptible(&ptp->tsevq_mux))
+ return -ERESTARTSYS;
debugfs_remove(queue->debugfs_instance);
pccontext->private_clkdata = NULL;
spin_lock_irqsave(&queue->lock, flags);
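Review bot: returning `-ERESTARTSYS` from ptp_release when the mutex lock is interrupted leaves the queue on `tsevqs`, its debugfs entry registered and its memory allocated, and nothing retries a release callback: posix_clock_release is reached from `__fput` on the final close (see the call traces in the syzbot reports above), so the error is dropped and the queue leaks with a live list entry. A release path must not fail on a signal; use plain `mutex_lock` here.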
@@ -148,6 +156,7 @@ int ptp_release(struct posix_clock_context *pccontext)
spin_unlock_irqrestore(&queue->lock, flags);
bitmap_free(queue->mask);
kfree(queue);
+ mutex_unlock(&ptp->tsevq_mux);
}
return 0;
}
@@ -543,6 +552,8 @@ ssize_t ptp_read(struct posix_clock_context *pccontext, uint rdflags,
cnt = EXTTS_BUFSIZE;

cnt = cnt / sizeof(struct ptp_extts_event);
+ if (mutex_lock_interruptible(&ptp->tsevq_mux))
+ return -ERESTARTSYS;

if (wait_event_interruptible(ptp->tsev_wq,
ptp->defunct || queue_cnt(queue))) {
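Review bot: the mutex is acquired immediately before wait_event_interruptible(), and the if that follows returns -ERESTARTSYS on a signal without passing through the exit: label, so an interrupted blocking read leaves tsevq_mux held for good. Beyond the leak, sleeping on tsev_wq while holding the mutex stalls every other reader and every open() and close() on this clock until an event arrives, which defeats the multiple-reader design of the Fixes: commit; the per-queue spinlock already guards the fifo, so no lock is needed in ptp_read() at all.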
@@ -585,7 +596,6 @@ ssize_t ptp_read(struct posix_clock_context *pccontext, uint rdflags,
free_event:
kfree(event);
exit:
- if (result < 0)
- ptp_release(pccontext);
+ mutex_unlock(&ptp->tsevq_mux);
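Review bot: dropping the ptp_release() call from the read error path is the one change here that bears on the reported bug: a failed read must not tear down a queue that is still referenced by the open file, and possibly by another thread reading the same descriptor, when the descriptor's own release already frees it. The mutex_unlock() that replaces it is reached only through the exit: label, so every return taken after the lock is acquired earlier in ptp_read() has to funnel through exit:.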

syzbot

Oct 28, 2023, 12:50:06 AM
to ead...@qq.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+df3f3e...@syzkaller.appspotmail.com

Tested on:

commit: 2dac7569 Add linux-next specific files for 20231018
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
console output: https://syzkaller.appspot.com/x/log.txt?x=16b8791b680000
kernel config: https://syzkaller.appspot.com/x/.config?x=9c95c4e98b206db8
dashboard link: https://syzkaller.appspot.com/bug?extid=df3f3ef31f60781fa911
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=113ad943680000

Note: testing is done by a robot and is best-effort only.

Hillf Danton

Oct 28, 2023, 3:10:38 AM
to syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com
On Thu, 26 Oct 2023 07:20:20 -0700
> HEAD commit: 2030579113a1 Add linux-next specific files for 20231020
> git tree: linux-next
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=11037669680000

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git 2030579113a1

--- x/kernel/time/posix-clock.c
+++ y/kernel/time/posix-clock.c
@@ -153,8 +153,10 @@ static int posix_clock_release(struct in
return -ENODEV;
clk = pccontext->clk;

+ down_write(&clk->rwsem);
if (clk->ops.release)
err = clk->ops.release(pccontext);
+ up_write(&clk->rwsem);

put_device(clk->dev);

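Review bot: taking clk->rwsem for writing around ops.release() serializes releases against each other and against other holders of the rwsem, but it does not cover the other writers of ptp->tsevqs: the list_add_tail() in ptp_open() and the list_for_each_entry() walk in ptp_clock_event() do not pass through this function, so a release can still run list_del() while another context links a queue or walks the list. The list needs its own lock inside the ptp driver rather than a wider lock in posix-clock.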
--

syzbot

Oct 28, 2023, 4:08:07 AM
to hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: corrupted list in ptp_release

list_del corruption. prev->next should be ffff88807bfb5048, but was ffff888065aa5048. (prev=ffff88814b1c1048)
------------[ cut here ]------------
kernel BUG at lib/list_debug.c:62!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 6347 Comm: syz-executor.4 Not tainted 6.6.0-rc6-next-20231020-syzkaller-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023
RIP: 0010:__list_del_entry_valid_or_report+0x11f/0x1b0 lib/list_debug.c:62
Call Trace:
<TASK>
__list_del_entry_valid include/linux/list.h:124 [inline]
__list_del_entry include/linux/list.h:215 [inline]
list_del include/linux/list.h:229 [inline]
ptp_release+0xc4/0x2b0 drivers/ptp/ptp_chardev.c:147
posix_clock_release+0xbc/0x180 kernel/time/posix-clock.c:158
__fput+0x270/0xbb0 fs/file_table.c:394
__fput_sync+0x47/0x50 fs/file_table.c:475
__do_sys_close fs/open.c:1590 [inline]
__se_sys_close fs/open.c:1575 [inline]
__x64_sys_close+0x86/0xf0 fs/open.c:1575
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x3f/0x110 arch/x86/entry/common.c:82
entry_SYSCALL_64_after_hwframe+0x63/0x6b
RIP: 0033:0x7fde0fe7b9da
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---

Tested on:

commit: 20305791 Add linux-next specific files for 20231020
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
console output: https://syzkaller.appspot.com/x/log.txt?x=11ea5473680000
kernel config: https://syzkaller.appspot.com/x/.config?x=37404d76b3c8840e
dashboard link: https://syzkaller.appspot.com/bug?extid=df3f3ef31f60781fa911
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=174d13fd680000

Hillf Danton

Oct 28, 2023, 7:33:07 AM
to syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com
On Thu, 26 Oct 2023 07:20:20 -0700
> HEAD commit: 2030579113a1 Add linux-next specific files for 20231020
> git tree: linux-next
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=11037669680000

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git 2030579113a1

diff -pur x/drivers/ptp/ptp_chardev.c y/drivers/ptp/ptp_chardev.c
--- x/drivers/ptp/ptp_chardev.c 2023-10-28 09:05:49.716916500 +0800
+++ y/drivers/ptp/ptp_chardev.c 2023-10-28 19:23:39.463658000 +0800
@@ -108,6 +108,7 @@ int ptp_open(struct posix_clock_context
container_of(pccontext->clk, struct ptp_clock, clock);
struct timestamp_event_queue *queue;
char debugfsname[32];
+ unsigned long flags;

queue = kzalloc(sizeof(*queue), GFP_KERNEL);
if (!queue)
@@ -119,7 +120,9 @@ int ptp_open(struct posix_clock_context
}
bitmap_set(queue->mask, 0, PTP_MAX_CHANNELS);
spin_lock_init(&queue->lock);
+ spin_lock_irqsave(&ptp->qlock, flags);
list_add_tail(&queue->qlist, &ptp->tsevqs);
+ spin_unlock_irqrestore(&ptp->qlock, flags);
pccontext->private_clkdata = queue;

/* Debugfs contents */
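Review bot: this is the right scope for the lock: only the list_add_tail() that publishes the queue on ptp->tsevqs runs under ptp->qlock, the allocation and debugfs setup stay outside it, and the irqsave variant matches the context in which ptp_clock_event() walks the same list, so no early return in ptp_open() needs lock cleanup.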
@@ -139,13 +142,14 @@ int ptp_release(struct posix_clock_conte
{
struct timestamp_event_queue *queue = pccontext->private_clkdata;
unsigned long flags;
+ struct ptp_clock *ptp = container_of(pccontext->clk, struct ptp_clock, clock);

if (queue) {
debugfs_remove(queue->debugfs_instance);
pccontext->private_clkdata = NULL;
- spin_lock_irqsave(&queue->lock, flags);
+ spin_lock_irqsave(&ptp->qlock, flags);
list_del(&queue->qlist);
- spin_unlock_irqrestore(&queue->lock, flags);
+ spin_unlock_irqrestore(&ptp->qlock, flags);
bitmap_free(queue->mask);
kfree(queue);
}
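Review bot: replacing queue->lock with ptp->qlock around list_del() is the actual fix for the reported corruption: queue->lock is per-queue and protects that queue's fifo, so two descriptors opened or closed concurrently never contended for the same lock even though both modified the shared ptp->tsevqs list. Style: the new container_of() declaration runs past 80 columns and is placed after unsigned long flags; wrap it the way ptp_open() does and declare it next to queue.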
diff -pur x/drivers/ptp/ptp_clock.c y/drivers/ptp/ptp_clock.c
--- x/drivers/ptp/ptp_clock.c 2023-10-28 19:07:40.161237900 +0800
+++ y/drivers/ptp/ptp_clock.c 2023-10-28 19:18:55.005187700 +0800
@@ -179,11 +179,10 @@ static void ptp_clock_release(struct dev
mutex_destroy(&ptp->pincfg_mux);
mutex_destroy(&ptp->n_vclocks_mux);
/* Delete first entry */
- tsevq = list_first_entry(&ptp->tsevqs, struct timestamp_event_queue,
- qlist);
- spin_lock_irqsave(&tsevq->lock, flags);
+ spin_lock_irqsave(&ptp->qlock, flags);
+ tsevq = list_first_entry(&ptp->tsevqs, struct timestamp_event_queue, qlist);
list_del(&tsevq->qlist);
- spin_unlock_irqrestore(&tsevq->lock, flags);
+ spin_unlock_irqrestore(&ptp->qlock, flags);
bitmap_free(tsevq->mask);
kfree(tsevq);
debugfs_remove(ptp->debugfs_root);
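Review bot: moving list_first_entry() under ptp->qlock is correct, since the lookup and the list_del() now form one atomic step, but the re-joined list_first_entry() line exceeds 80 columns; keep the original two-line wrapping.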
@@ -243,6 +242,7 @@ struct ptp_clock *ptp_clock_register(str
ptp->devid = MKDEV(major, index);
ptp->index = index;
INIT_LIST_HEAD(&ptp->tsevqs);
+ spin_lock_init(&ptp->qlock);
queue = kzalloc(sizeof(*queue), GFP_KERNEL);
if (!queue)
goto no_memory_queue;
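Review bot: initialising ptp->qlock directly after INIT_LIST_HEAD(&ptp->tsevqs) is the right spot, as the first list_add_tail() follows a few lines later, and a spinlock needs no matching destroy on the error labels, unlike the mutex-based alternative proposed elsewhere in this thread.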
@@ -407,6 +407,7 @@ void ptp_clock_event(struct ptp_clock *p
{
struct timestamp_event_queue *tsevq;
struct pps_event_time evt;
+ unsigned long flags;

switch (event->type) {

@@ -415,10 +416,12 @@ void ptp_clock_event(struct ptp_clock *p

case PTP_CLOCK_EXTTS:
/* Enqueue timestamp on selected queues */
+ spin_lock_irqsave(&ptp->qlock, flags);
list_for_each_entry(tsevq, &ptp->tsevqs, qlist) {
if (test_bit((unsigned int)event->index, tsevq->mask))
enqueue_external_timestamp(tsevq, event);
}
+ spin_unlock_irqrestore(&ptp->qlock, flags);
wake_up_interruptible(&ptp->tsev_wq);
break;

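Review bot: this hunk establishes a lock order of ptp->qlock outer and the per-queue lock inner, because enqueue_external_timestamp() fills the fifo that timestamp_event_queue::lock protects while the walk holds qlock. The ptp_chardev.c hunks in this patch no longer nest the two (ptp_release() now takes qlock alone around list_del()), so there is no inversion in the diff, but the order should be stated in a comment next to the qlock declaration so later changes keep it. Keeping wake_up_interruptible() outside the locked region is correct.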
diff -pur x/drivers/ptp/ptp_private.h y/drivers/ptp/ptp_private.h
--- x/drivers/ptp/ptp_private.h 2023-10-28 19:07:40.172063600 +0800
+++ y/drivers/ptp/ptp_private.h 2023-10-28 19:09:49.337895700 +0800
@@ -41,6 +41,7 @@ struct ptp_clock {
struct ptp_clock_info *info;
dev_t devid;
int index; /* index into clocks.map */
+ spinlock_t qlock;
struct pps_device *pps_source;
long dialed_frequency; /* remembers the frequency adjustment */
struct list_head tsevqs; /* timestamp fifo list */
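Review bot: the neighbouring fields each carry a comment saying what they hold or protect; give qlock one too (for example `spinlock_t qlock; /* protects tsevqs list */`), and consider placing it next to tsevqs rather than between index and pps_source so the lock and the data it guards sit together.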
--

syzbot

Oct 28, 2023, 7:57:05 AM
to hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+df3f3e...@syzkaller.appspotmail.com

Tested on:

commit: 20305791 Add linux-next specific files for 20231020
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
console output: https://syzkaller.appspot.com/x/log.txt?x=1751ca8d680000
kernel config: https://syzkaller.appspot.com/x/.config?x=37404d76b3c8840e
dashboard link: https://syzkaller.appspot.com/bug?extid=df3f3ef31f60781fa911
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=121ad9eb680000

Edward Adam Davis

Oct 28, 2023, 10:10:09 PM
to ead...@qq.com, da...@davemloft.net, linux-...@vger.kernel.org, net...@vger.kernel.org, rei...@gmail.com, richard...@gmail.com, syzbot+df3f3e...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
There is no lock protection when writing ptp->tsevqs in ptp_open(), ptp_read(),
ptp_release(), which can cause data corruption and increase mutual exclusion
to avoid this issue.

Moreover, the queue should not be released in ptp_read() and should be deleted
together.

Reported-and-tested-by: syzbot+df3f3e...@syzkaller.appspotmail.com
Fixes: 8f5de6fb2453 ("ptp: support multiple timestamp event readers")
Signed-off-by: Edward Adam Davis <ead...@qq.com>
---
drivers/ptp/ptp_chardev.c | 14 ++++++++++++--
drivers/ptp/ptp_clock.c | 3 +++
drivers/ptp/ptp_private.h | 1 +
3 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/drivers/ptp/ptp_chardev.c b/drivers/ptp/ptp_chardev.c
index 282cd7d24077..5546e4b4e083 100644
--- a/drivers/ptp/ptp_chardev.c
+++ b/drivers/ptp/ptp_chardev.c
@@ -109,6 +109,9 @@ int ptp_open(struct posix_clock_context *pccontext, fmode_t fmode)
struct timestamp_event_queue *queue;
char debugfsname[32];

+ if (mutex_lock_interruptible(&ptp->tsevq_mux))
+ return -ERESTARTSYS;
+
queue = kzalloc(sizeof(*queue), GFP_KERNEL);
if (!queue)
return -EINVAL;
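Review bot: same defect as in the earlier test version: the lock is taken before kzalloc(), and the return -EINVAL on allocation failure two lines later exits with tsevq_mux still held, as does any failure between here and the mutex_unlock() at the end of the function. Since ptp_open() sleeps and allocates, a mutex held across the whole function is also heavier than the situation calls for; a spinlock held only across list_add_tail() suffices and is usable from the IRQ-context event path that walks the same list.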
@@ -132,15 +135,20 @@ int ptp_open(struct posix_clock_context *pccontext, fmode_t fmode)
debugfs_create_u32_array("mask", 0444, queue->debugfs_instance,
&queue->dfs_bitmap);

+ mutex_unlock(&ptp->tsevq_mux);
return 0;
}

int ptp_release(struct posix_clock_context *pccontext)
{
struct timestamp_event_queue *queue = pccontext->private_clkdata;
+ struct ptp_clock *ptp =
+ container_of(pccontext->clk, struct ptp_clock, clock);
unsigned long flags;

if (queue) {
+ if (mutex_lock_interruptible(&ptp->tsevq_mux))
+ return -ERESTARTSYS;
debugfs_remove(queue->debugfs_instance);
pccontext->private_clkdata = NULL;
mutex_destroy(&ptp->pincfg_mux);
mutex_destroy(&ptp->n_vclocks_mux);
/* Delete first entry */
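Review bot: mutex_lock_interruptible() in ptp_release() can fail with -ERESTARTSYS, but a release invoked from the last fput() is never retried, so on that path the queue is leaked and stays linked in ptp->tsevqs with pccontext->private_clkdata still set; use mutex_lock(), or a spinlock around list_del() only. Also, the trailing context lines (mutex_destroy(&ptp->pincfg_mux) through "Delete first entry") belong to ptp_clock_release() in ptp_clock.c, so the diff --git header and hunk header for that file appear to have been lost from this posting.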
@@ -247,6 +248,7 @@ struct ptp_clock *ptp_clock_register(struct ptp_clock_info *info,
if (!queue)
goto no_memory_queue;
list_add_tail(&queue->qlist, &ptp->tsevqs);
+ mutex_init(&ptp->tsevq_mux);
queue->mask = bitmap_alloc(PTP_MAX_CHANNELS, GFP_KERNEL);
if (!queue->mask)
goto no_memory_bitmap;
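Review bot: mutex_init(&ptp->tsevq_mux) lands between list_add_tail() and bitmap_alloc(); initialise it wherever pincfg_mux and n_vclocks_mux are initialised, since the kworker_err: label below already destroys all three together and should be able to do so unconditionally, regardless of which allocation failed.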
@@ -356,6 +358,7 @@ struct ptp_clock *ptp_clock_register(struct ptp_clock_info *info,
if (ptp->kworker)
kthread_destroy_worker(ptp->kworker);
kworker_err:
+ mutex_destroy(&ptp->tsevq_mux);
mutex_destroy(&ptp->pincfg_mux);
mutex_destroy(&ptp->n_vclocks_mux);
bitmap_free(queue->mask);
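Review bot: the destroy in the kworker_err: path mirrors pincfg_mux and n_vclocks_mux, but the matching mutex_destroy(&ptp->tsevq_mux) in ptp_clock_release(), where those two are destroyed on normal teardown, is not visible in this posting; the diffstat counts three insertions for ptp_clock.c and only two appear here, so please check that a hunk was not dropped.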
diff --git a/drivers/ptp/ptp_private.h b/drivers/ptp/ptp_private.h
index 52f87e394aa6..1525bd2059ba 100644
--- a/drivers/ptp/ptp_private.h
+++ b/drivers/ptp/ptp_private.h
@@ -44,6 +44,7 @@ struct ptp_clock {
struct pps_device *pps_source;
long dialed_frequency; /* remembers the frequency adjustment */
struct list_head tsevqs; /* timestamp fifo list */
+ struct mutex tsevq_mux; /* one process at a time reading the fifo */
struct mutex pincfg_mux; /* protect concurrent info->pin_config access */
wait_queue_head_t tsev_wq;
int defunct; /* tells readers to go away when clock is being removed */
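Review bot: the comment "one process at a time reading the fifo" does not describe what tsevq_mux is used for in the hunks: it is taken around the list_add_tail()/list_del() of ptp->tsevqs in open and release and around the bulk of ptp_read(). Serialising all readers of all descriptors behind one mutex contradicts the purpose of the Fixes: commit (multiple timestamp event readers), and the fifo already has timestamp_event_queue::lock; if a lock for the list is what is needed, document it as such ("protects the tsevqs list") and drop the read-path use.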
--
2.25.1

Richard Cochran

Oct 30, 2023, 5:10:22 AM
to Edward Adam Davis, da...@davemloft.net, linux-...@vger.kernel.org, net...@vger.kernel.org, rei...@gmail.com, syzbot+df3f3e...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
On Sun, Oct 29, 2023 at 10:09:42AM +0800, Edward Adam Davis wrote:
> There is no lock protection when writing ptp->tsevqs in ptp_open(), ptp_read(),
> ptp_release(), which can cause data corruption and increase mutual exclusion
> to avoid this issue.

-ENOPARSE

How can lack of lock protection increase mutual exclusion?

> Moreover, the queue should not be released in ptp_read() and should be deleted
> together.

The queue should be deleted together? Huh?

> @@ -543,6 +552,8 @@ ssize_t ptp_read(struct posix_clock_context *pccontext, uint rdflags,
> cnt = EXTTS_BUFSIZE;
>
> cnt = cnt / sizeof(struct ptp_extts_event);
> + if (mutex_lock_interruptible(&ptp->tsevq_mux))
> + return -ERESTARTSYS;

This is not needed because the spin lock (timestamp_event_queue::lock)
already protects the event queue.

Thanks,
Richard

Richard Cochran

Oct 30, 2023, 5:10:22 AM
to Edward Adam Davis, da...@davemloft.net, linux-...@vger.kernel.org, net...@vger.kernel.org, rei...@gmail.com, syzbot+df3f3e...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
On Sun, Oct 29, 2023 at 10:09:42AM +0800, Edward Adam Davis wrote:

> @@ -585,7 +596,6 @@ ssize_t ptp_read(struct posix_clock_context *pccontext, uint rdflags,
> free_event:
> kfree(event);
> exit:
> - if (result < 0)
> - ptp_release(pccontext);
> + mutex_unlock(&ptp->tsevq_mux);
> return result;
> }

This is the only hunk that makes sense. Keep this, but remove the
rest, just like in your previous patches.

Thanks,
Richard

Edward Adam Davis

Oct 30, 2023, 7:07:28 AM
to syzbot+df3f3e...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
please test BUG: corrupted list in ptp_open

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git 2dac75696c6d

diff --git a/drivers/ptp/ptp_chardev.c b/drivers/ptp/ptp_chardev.c
index 282cd7d24077..9531ef9c9a3f 100644
--- a/drivers/ptp/ptp_chardev.c
+++ b/drivers/ptp/ptp_chardev.c
@@ -109,6 +109,9 @@ int ptp_open(struct posix_clock_context *pccontext, fmode_t fmode)
struct timestamp_event_queue *queue;
char debugfsname[32];

+ if (mutex_lock_interruptible(&ptp->tsevq_mux))
+ return -ERESTARTSYS;
+
queue = kzalloc(sizeof(*queue), GFP_KERNEL);
if (!queue)
return -EINVAL;
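Review bot: still leaks tsevq_mux when kzalloc() fails (return -EINVAL with the lock held); the lock should cover only the list_add_tail() into ptp->tsevqs, not the allocation and debugfs setup.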
@@ -132,15 +135,20 @@ int ptp_open(struct posix_clock_context *pccontext, fmode_t fmode)
debugfs_create_u32_array("mask", 0444, queue->debugfs_instance,
&queue->dfs_bitmap);

+ mutex_unlock(&ptp->tsevq_mux);
return 0;
}

int ptp_release(struct posix_clock_context *pccontext)
{
struct timestamp_event_queue *queue = pccontext->private_clkdata;
+ struct ptp_clock *ptp =
+ container_of(pccontext->clk, struct ptp_clock, clock);
unsigned long flags;

if (queue) {
+ if (mutex_lock_interruptible(&ptp->tsevq_mux))
+ return -ERESTARTSYS;
debugfs_remove(queue->debugfs_instance);
pccontext->private_clkdata = NULL;
spin_lock_irqsave(&queue->lock, flags);
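Review bot: as before, -ERESTARTSYS from ptp_release() cannot be acted on by the close path, so an interrupted release leaks the queue and leaves it linked on ptp->tsevqs with private_clkdata still set; use an uninterruptible lock here and hold it only for the list_del().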
@@ -148,6 +156,7 @@ int ptp_release(struct posix_clock_context *pccontext)
spin_unlock_irqrestore(&queue->lock, flags);
bitmap_free(queue->mask);
kfree(queue);
+ mutex_unlock(&ptp->tsevq_mux);
}
return 0;
}
@@ -543,11 +552,8 @@ ssize_t ptp_read(struct posix_clock_context *pccontext, uint rdflags,
cnt = EXTTS_BUFSIZE;

cnt = cnt / sizeof(struct ptp_extts_event);
-
- if (wait_event_interruptible(ptp->tsev_wq,
- ptp->defunct || queue_cnt(queue))) {
+ if (mutex_lock_interruptible(&ptp->tsevq_mux))
return -ERESTARTSYS;
- }

if (ptp->defunct) {
result = -ENODEV;
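Review bot: this hunk deletes the wait_event_interruptible() on ptp->tsev_wq instead of moving it, so a blocking read on an empty queue no longer sleeps for an event and proceeds straight to the defunct check and onward as though an event were available; that changes read() semantics for every external-timestamp consumer. A crash-only reproducer cannot notice this, so syzbot's "did not trigger any issue" result for this patch does not validate it. Restore the wait, and leave ptp_read() without the mutex, as the per-queue spinlock already guards the fifo.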
@@ -585,7 +591,5 @@ ssize_t ptp_read(struct posix_clock_context *pccontext, uint rdflags,
free_event:
kfree(event);
exit:
- if (result < 0)
- ptp_release(pccontext);

Edward Adam Davis

Oct 30, 2023, 7:27:28 AM
to syzbot+df3f3e...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
please test BUG: corrupted list in ptp_open

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git 2dac75696c6d

diff --git a/drivers/ptp/ptp_chardev.c b/drivers/ptp/ptp_chardev.c
index 282cd7d24077..e31551d2697d 100644
@@ -585,7 +594,5 @@ ssize_t ptp_read(struct posix_clock_context *pccontext, uint rdflags,

syzbot

Oct 30, 2023, 11:23:05 AM
to ead...@qq.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+df3f3e...@syzkaller.appspotmail.com

Tested on:

commit: 2dac7569 Add linux-next specific files for 20231018
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
console output: https://syzkaller.appspot.com/x/log.txt?x=1260ff9f680000
kernel config: https://syzkaller.appspot.com/x/.config?x=9c95c4e98b206db8
dashboard link: https://syzkaller.appspot.com/bug?extid=df3f3ef31f60781fa911
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=1715a279680000

syzbot

Oct 30, 2023, 11:35:06 AM
to ead...@qq.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+df3f3e...@syzkaller.appspotmail.com

Tested on:

commit: 2dac7569 Add linux-next specific files for 20231018
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
console output: https://syzkaller.appspot.com/x/log.txt?x=1470c377680000
kernel config: https://syzkaller.appspot.com/x/.config?x=9c95c4e98b206db8
dashboard link: https://syzkaller.appspot.com/bug?extid=df3f3ef31f60781fa911
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=12e60b57680000

Edward Adam Davis

Oct 30, 2023, 4:59:22 PM
to richard...@gmail.com, da...@davemloft.net, ead...@qq.com, linux-...@vger.kernel.org, net...@vger.kernel.org, rei...@gmail.com, syzbot+df3f3e...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
On Sun, 29 Oct 2023 12:49:00 -0700 Richard Cochran wrote:
>> There is no lock protection when writing ptp->tsevqs in ptp_open(), ptp_read(),
>> ptp_release(), which can cause data corruption and increase mutual exclusion
>> to avoid this issue.
>
>-ENOPARSE
>
>How can lack of lock protection increase mutual exclusion?
Use mutex lock to avoid this issue.
>
>> Moreover, the queue should not be released in ptp_read() and should be deleted
>> together.
>
>The queue should be deleted togther? Huh?
No.
ptp_release() should not be used to release the queue in ptp_read(),
and it should be deleted together.
>
>> @@ -543,6 +552,8 @@ ssize_t ptp_read(struct posix_clock_context *pccontext, uint rdflags,
>> cnt = EXTTS_BUFSIZE;
>>
>> cnt = cnt / sizeof(struct ptp_extts_event);
>> + if (mutex_lock_interruptible(&ptp->tsevq_mux))
>> + return -ERESTARTSYS;
>
>This is not needed because the spin lock (timestamp_event_queue::lock)
>already protects the event queue.
Yes, you are right, I will remove it.

Thanks,
edward

Edward Adam Davis

Oct 30, 2023, 5:07:43 PM
to richard...@gmail.com, da...@davemloft.net, ead...@qq.com, linux-...@vger.kernel.org, net...@vger.kernel.org, rei...@gmail.com, syzbot+df3f3e...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
There is no lock protection when writing ptp->tsevqs in ptp_open(),
ptp_release(), which can cause data corruption, use mutex lock to avoid this
issue.

Moreover, ptp_release() should not be used to release the queue in ptp_read(),
and it should be deleted together.

Reported-and-tested-by: syzbot+df3f3e...@syzkaller.appspotmail.com
Fixes: 8f5de6fb2453 ("ptp: support multiple timestamp event readers")
Signed-off-by: Edward Adam Davis <ead...@qq.com>
---
drivers/ptp/ptp_chardev.c | 11 +++++++++--
drivers/ptp/ptp_clock.c | 3 +++
drivers/ptp/ptp_private.h | 1 +
3 files changed, 13 insertions(+), 2 deletions(-)

diff --git a/drivers/ptp/ptp_chardev.c b/drivers/ptp/ptp_chardev.c
index 282cd7d24077..e31551d2697d 100644
--- a/drivers/ptp/ptp_chardev.c
+++ b/drivers/ptp/ptp_chardev.c
@@ -109,6 +109,9 @@ int ptp_open(struct posix_clock_context *pccontext, fmode_t fmode)
struct timestamp_event_queue *queue;
char debugfsname[32];

+ if (mutex_lock_interruptible(&ptp->tsevq_mux))
+ return -ERESTARTSYS;
+
queue = kzalloc(sizeof(*queue), GFP_KERNEL);
if (!queue)
return -EINVAL;
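Review bot: the v1 review comment on this lock was not addressed: the mutex is still taken before kzalloc() and leaked on its -EINVAL failure return, and it is still held across allocation and debugfs creation rather than around list_add_tail() alone. A spinlock scoped to the list insertion, which can also be taken from the IRQ-context event path, would address the reported list corruption without any of these cleanup paths.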
@@ -132,15 +135,20 @@ int ptp_open(struct posix_clock_context *pccontext, fmode_t fmode)
debugfs_create_u32_array("mask", 0444, queue->debugfs_instance,
&queue->dfs_bitmap);

+ mutex_unlock(&ptp->tsevq_mux);
return 0;
}

int ptp_release(struct posix_clock_context *pccontext)
{
struct timestamp_event_queue *queue = pccontext->private_clkdata;
+ struct ptp_clock *ptp =
+ container_of(pccontext->clk, struct ptp_clock, clock);
unsigned long flags;

if (queue) {
+ if (mutex_lock_interruptible(&ptp->tsevq_mux))
+ return -ERESTARTSYS;
debugfs_remove(queue->debugfs_instance);
pccontext->private_clkdata = NULL;
spin_lock_irqsave(&queue->lock, flags);
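Review bot: unchanged from v1: mutex_lock_interruptible() in a release handler has no sane failure mode, since the close path cannot retry and the queue is then leaked and stays linked on ptp->tsevqs; use mutex_lock() and hold it only for the list_del().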
@@ -148,6 +156,7 @@ int ptp_release(struct posix_clock_context *pccontext)
spin_unlock_irqrestore(&queue->lock, flags);
bitmap_free(queue->mask);
kfree(queue);
+ mutex_unlock(&ptp->tsevq_mux);
}
return 0;
}
@@ -585,7 +594,5 @@ ssize_t ptp_read(struct posix_clock_context *pccontext, uint rdflags,
free_event:
kfree(event);
exit:
- if (result < 0)
- ptp_release(pccontext);

Martin Habets

Oct 31, 2023, 5:46:26 AM
to Edward Adam Davis, richard...@gmail.com, da...@davemloft.net, linux-...@vger.kernel.org, net...@vger.kernel.org, rei...@gmail.com, syzbot+df3f3e...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
Please use a separate mail thread for a new patch revision.
See the section "Resending after review" in
Documentation/process/maintainer-netdev.rst.

Martin

Edward Adam Davis

Oct 31, 2023, 6:26:13 AM
to habetsm...@gmail.com, da...@davemloft.net, linux-...@vger.kernel.org, net...@vger.kernel.org, rei...@gmail.com, richard...@gmail.com, syzbot+df3f3e...@syzkaller.appspotmail.com, syzkall...@googlegroups.com

Richard Cochran

Nov 1, 2023, 8:12:58 PM
to Edward Adam Davis, da...@davemloft.net, linux-...@vger.kernel.org, net...@vger.kernel.org, rei...@gmail.com, syzbot+df3f3e...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
On Tue, Oct 31, 2023 at 05:07:08AM +0800, Edward Adam Davis wrote:
> There is no lock protection when writing ptp->tsevqs in ptp_open(),
> ptp_release(), which can cause data corruption,

Really? How?

> use mutex lock to avoid this
> issue.
>
> Moreover, ptp_release() should not be used to release the queue in ptp_read(),
> and it should be deleted together.
>
> Reported-and-tested-by: syzbot+df3f3e...@syzkaller.appspotmail.com
> Fixes: 8f5de6fb2453 ("ptp: support multiple timestamp event readers")
> Signed-off-by: Edward Adam Davis <ead...@qq.com>
> ---
> drivers/ptp/ptp_chardev.c | 11 +++++++++--
> drivers/ptp/ptp_clock.c | 3 +++
> drivers/ptp/ptp_private.h | 1 +
> 3 files changed, 13 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/ptp/ptp_chardev.c b/drivers/ptp/ptp_chardev.c
> index 282cd7d24077..e31551d2697d 100644
> --- a/drivers/ptp/ptp_chardev.c
> +++ b/drivers/ptp/ptp_chardev.c
> @@ -109,6 +109,9 @@ int ptp_open(struct posix_clock_context *pccontext, fmode_t fmode)
> struct timestamp_event_queue *queue;
> char debugfsname[32];
>
> + if (mutex_lock_interruptible(&ptp->tsevq_mux))
> + return -ERESTARTSYS;
> +

This mutex is not needed.

Please don't ignore review comments.

Thanks,
Richard

Richard Cochran

Nov 1, 2023, 8:18:48 PM
to Edward Adam Davis, habetsm...@gmail.com, da...@davemloft.net, linux-...@vger.kernel.org, net...@vger.kernel.org, rei...@gmail.com, syzbot+df3f3e...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
On Tue, Oct 31, 2023 at 06:25:42PM +0800, Edward Adam Davis wrote:
> There is no lock protection when writing ptp->tsevqs in ptp_open(),
> ptp_release(), which can cause data corruption,

NAK.

You haven't identified any actual data corruption issue.

If there is an issue, please state what it is.

Thanks,
Richard


Edward Adam Davis

Nov 2, 2023, 7:16:38 AM
to richard...@gmail.com, da...@davemloft.net, ead...@qq.com, linux-...@vger.kernel.org, net...@vger.kernel.org, rei...@gmail.com, syzbot+df3f3e...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
On Wed, 1 Nov 2023 17:12:53 -0700 Richard Cochran wrote:
>> There is no lock protection when writing ptp->tsevqs in ptp_open(),
>> ptp_release(), which can cause data corruption,
>
>Really? How?
Let me show the corruption that occurs in ptp_open() and ptp_release():

1. Corruption that appears in ptp_open():
Link: https://syzkaller.appspot.com/bug?extid=df3f3ef31f60781fa911

list_add corruption. prev->next should be next (ffff88814a1325e8), but was ffff888078d25048. (prev=ffff888078d21048).
------------[ cut here ]------------
kernel BUG at lib/list_debug.c:32!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 7237 Comm: syz-executor182 Not tainted 6.6.0-rc6-next-20231020-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/06/2023
RIP: 0010:__list_add_valid_or_report+0xb6/0x100 lib/list_debug.c:32
Call Trace:
<TASK>
__list_add_valid include/linux/list.h:88 [inline]
__list_add include/linux/list.h:150 [inline]
list_add_tail include/linux/list.h:183 [inline]
ptp_open+0x1c5/0x4f0 drivers/ptp/ptp_chardev.c:122
posix_clock_open+0x17e/0x240 kernel/time/posix-clock.c:134
chrdev_open+0x26d/0x6e0 fs/char_dev.c:414
do_dentry_open+0x8d4/0x18d0 fs/open.c:948
do_open fs/namei.c:3621 [inline]
path_openat+0x1d36/0x2cd0 fs/namei.c:3778
do_filp_open+0x1dc/0x430 fs/namei.c:3808
do_sys_openat2+0x176/0x1e0 fs/open.c:1440
do_sys_open fs/open.c:1455 [inline]
__do_sys_openat fs/open.c:1471 [inline]
__se_sys_openat fs/open.c:1466 [inline]
__x64_sys_openat+0x175/0x210 fs/open.c:1466
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x3f/0x110 arch/x86/entry/common.c:82
entry_SYSCALL_64_after_hwframe+0x63/0x6b
RIP: 0033:0x7fc6c2099ae9
</TASK>

2. Corruption that appears in ptp_open():
Link: https://syzkaller.appspot.com/x/log.txt?x=169a58d1680000

list_del corruption. prev->next should be ffff8880280e5048, but was ffff888025dc1048. (prev=ffff88814adb1048)
------------[ cut here ]------------
kernel BUG at lib/list_debug.c:62!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 13142 Comm: syz-executor.2 Not tainted 6.6.0-rc6-next-20231018-syzkaller-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/06/2023
RIP: 0010:__list_del_entry_valid_or_report+0x11f/0x1b0
Call Trace:
<TASK>
ptp_release+0xca/0x2a0
posix_clock_release+0xa4/0x160
__fput+0x270/0xbb0
__fput_sync+0x47/0x50
__x64_sys_close+0x87/0xf0
do_syscall_64+0x3f/0x110
entry_SYSCALL_64_after_hwframe+0x63/0x6b


The above two logs can clearly indicate that there is corruption when
executing the operation of writing ptp->tsevqs in ptp_open() and ptp_release().
edward

Jeremy Cline

Nov 2, 2023, 2:17:00 PM
to Edward Adam Davis, habetsm...@gmail.com, da...@davemloft.net, linux-...@vger.kernel.org, net...@vger.kernel.org, rei...@gmail.com, richard...@gmail.com, syzbot+df3f3e...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
Hi Edward,

On Tue, Oct 31, 2023 at 06:25:42PM +0800, Edward Adam Davis wrote:
The lock doesn't need to be held so long here. Doing so causes a bit of
an issue, actually, because the memory allocation for the queue can fail
which will cause the function to return early without releasing the
mutex.

The lock only needs to be held for the list_add_tail() call.

> return 0;
> }
>
> int ptp_release(struct posix_clock_context *pccontext)
> {
> struct timestamp_event_queue *queue = pccontext->private_clkdata;
> + struct ptp_clock *ptp =
> + container_of(pccontext->clk, struct ptp_clock, clock);
> unsigned long flags;
>
> if (queue) {
> + if (mutex_lock_interruptible(&ptp->tsevq_mux))
> + return -ERESTARTSYS;
> debugfs_remove(queue->debugfs_instance);
> pccontext->private_clkdata = NULL;
> spin_lock_irqsave(&queue->lock, flags);
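Review bot: returning -ERESTARTSYS from ptp_release() when mutex_lock_interruptible() is interrupted leaves the queue linked in ptp->tsevqs and its debugfs entry alive while the file is still torn down, because nothing retries a release callback; use plain mutex_lock() here. The spin_lock_irqsave(&queue->lock, flags) around the list_del() that follows only serialises this one queue, not the list head, so it gives no protection for ptp->tsevqs.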
> @@ -148,6 +156,7 @@ int ptp_release(struct posix_clock_context *pccontext)
> spin_unlock_irqrestore(&queue->lock, flags);
> bitmap_free(queue->mask);
> kfree(queue);
> + mutex_unlock(&ptp->tsevq_mux);

Similar to the above note, you don't want to hold the lock any longer
than you must.

While this patch looks to cover adding and removing items from the list,
the code that iterates over the list isn't covered which can be
problematic. If the list is modified while it is being iterated, the
iterating code could chase an invalid pointer.

Regards,
Jeremy

Edward Adam Davis

Nov 2, 2023, 7:18:32 PM11/2/23
to jer...@jcline.org, da...@davemloft.net, ead...@qq.com, habetsm...@gmail.com, linux-...@vger.kernel.org, net...@vger.kernel.org, rei...@gmail.com, richard...@gmail.com, syzbot+df3f3e...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
Hi Jeremy,
Thanks for your opinions, I will double check it.

Thanks,
edward

Edward Adam Davis

Nov 3, 2023, 7:29:27 AM11/3/23
to syzbot+df3f3e...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
please test BUG: corrupted list in ptp_open

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git 2dac75696c6d

diff --git a/drivers/ptp/ptp_chardev.c b/drivers/ptp/ptp_chardev.c
index 282cd7d24077..6e9762a54b14 100644
--- a/drivers/ptp/ptp_chardev.c
+++ b/drivers/ptp/ptp_chardev.c
@@ -119,8 +119,13 @@ int ptp_open(struct posix_clock_context *pccontext, fmode_t fmode)
}
bitmap_set(queue->mask, 0, PTP_MAX_CHANNELS);
spin_lock_init(&queue->lock);
+ if (mutex_lock_interruptible(&ptp->tsevq_mux)) {
+ kfree(queue);
+ return -ERESTARTSYS;
+ }
list_add_tail(&queue->qlist, &ptp->tsevqs);
pccontext->private_clkdata = queue;
+ mutex_unlock(&ptp->tsevq_mux);

/* Debugfs contents */
sprintf(debugfsname, "0x%p", queue);
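Review bot: the interrupted-lock path frees queue but not queue->mask, which was allocated before the bitmap_set() above and is released with bitmap_free() in ptp_release(); add bitmap_free(queue->mask) before the kfree(queue). Note too that a mutex only serialises ptp_open()/ptp_release() against each other; it cannot exclude the list_for_each_entry() walk in ptp_clock_event(), which runs from interrupt context, so the list still races with that reader.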
@@ -138,14 +143,19 @@ int ptp_open(struct posix_clock_context *pccontext, fmode_t fmode)
int ptp_release(struct posix_clock_context *pccontext)
{
struct timestamp_event_queue *queue = pccontext->private_clkdata;
+ struct ptp_clock *ptp =
+ container_of(pccontext->clk, struct ptp_clock, clock);
unsigned long flags;

if (queue) {
+ if (mutex_lock_interruptible(&ptp->tsevq_mux))
+ return -ERESTARTSYS;
debugfs_remove(queue->debugfs_instance);
pccontext->private_clkdata = NULL;
spin_lock_irqsave(&queue->lock, flags);
list_del(&queue->qlist);
spin_unlock_irqrestore(&queue->lock, flags);
+ mutex_unlock(&ptp->tsevq_mux);
bitmap_free(queue->mask);
kfree(queue);
}
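Review bot: ptp_release() is a release callback, so its return value is not acted on; failing with -ERESTARTSYS here skips list_del(), bitmap_free() and kfree() and leaks a queue that stays on ptp->tsevqs after the file is closed. Take the mutex unconditionally with mutex_lock(). Also, since the mutex now covers list_del(), the spin_lock_irqsave(&queue->lock, flags) pair around it no longer has a role for the list and can go.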
@@ -585,7 +595,5 @@ ssize_t ptp_read(struct posix_clock_context *pccontext, uint rdflags,

syzbot

Nov 3, 2023, 7:56:07 AM11/3/23
to ead...@qq.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+df3f3e...@syzkaller.appspotmail.com

Tested on:

commit: 2dac7569 Add linux-next specific files for 20231018
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
console output: https://syzkaller.appspot.com/x/log.txt?x=121de6bb680000
kernel config: https://syzkaller.appspot.com/x/.config?x=e86de086e9dddbc6
dashboard link: https://syzkaller.appspot.com/bug?extid=df3f3ef31f60781fa911
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=158b353d680000

Richard Cochran

Nov 3, 2023, 7:15:26 PM11/3/23
to Edward Adam Davis, da...@davemloft.net, linux-...@vger.kernel.org, net...@vger.kernel.org, rei...@gmail.com, syzbot+df3f3e...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
On Thu, Nov 02, 2023 at 07:16:17PM +0800, Edward Adam Davis wrote:
> The above two logs can clearly indicate that there is corruption when
> executing the operation of writing ptp->tsevqs in ptp_open() and ptp_release().

So just remove the bogus call to ptp_release.

Thanks,
Richard
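A user-space model of the list_del sanity check behind the "prev->next should be X, but was Y" line quoted earlier, added here as an illustration and not code from this thread or from drivers/ptp: it links the register-time queue plus two reader queues, then unlinks one of them a second time, which is what an extra ptp_release() from ptp_read's error path makes possible. The list helpers and validator are simplified re-implementations of the kernel's list.h and lib/list_debug.c; the queue ids and the absence of pointer poisoning are assumptions of the model.

```c
/* Added example (not from this thread or drivers/ptp): a user-space model of
 * the kernel's __list_del_entry_valid() check, showing why unlinking the same
 * timestamp_event_queue twice trips "list_del corruption. prev->next should
 * be X, but was Y". Simplified from include/linux/list.h and lib/list_debug.c. */
#include <stdbool.h>
#include <stdio.h>

struct list_head { struct list_head *next, *prev; };

static void INIT_LIST_HEAD(struct list_head *h) { h->next = h; h->prev = h; }

static void list_add_tail(struct list_head *n, struct list_head *head)
{
	struct list_head *prev = head->prev;
	n->next = head;
	n->prev = prev;
	prev->next = n;
	head->prev = n;
}

/* Both neighbours must still point back at the entry being removed. */
static bool list_del_entry_valid(struct list_head *e)
{
	if (e->prev->next != e) {
		printf("list_del corruption. prev->next should be %p, but was %p. (prev=%p)\n",
		       (void *)e, (void *)e->prev->next, (void *)e->prev);
		return false;
	}
	if (e->next->prev != e) {
		printf("list_del corruption. next->prev should be %p, but was %p. (next=%p)\n",
		       (void *)e, (void *)e->next->prev, (void *)e->next);
		return false;
	}
	return true;
}

/* Where the kernel would BUG(), report failure to the caller instead. */
static bool list_del_checked(struct list_head *e)
{
	if (!list_del_entry_valid(e))
		return false;
	e->prev->next = e->next;
	e->next->prev = e->prev;
	/* Model assumption: next/prev are left stale rather than poisoned, so a
	 * second delete fails the prev->next check instead of a poison check. */
	return true;
}

/* Model of ptp->tsevqs: the register-time queue plus two open readers. */
struct tsevq { int id; struct list_head qlist; };

/* Returns 1 when every queue is unlinked exactly once and 0 when the
 * validator catches a queue being unlinked a second time. */
int simulate(bool release_twice)
{
	struct list_head tsevqs;
	struct tsevq q0 = { 0 }, q1 = { 1 }, q2 = { 2 };

	INIT_LIST_HEAD(&tsevqs);
	list_add_tail(&q0.qlist, &tsevqs);	/* ptp_clock_register() */
	list_add_tail(&q1.qlist, &tsevqs);	/* ptp_open(), reader 1 */
	list_add_tail(&q2.qlist, &tsevqs);	/* ptp_open(), reader 2 */

	/* reader 1: ptp_read() fails and calls ptp_release() itself */
	if (!list_del_checked(&q1.qlist))
		return 0;
	/* ... and close() on the same file runs ptp_release() once more */
	if (release_twice && !list_del_checked(&q1.qlist))
		return 0;
	/* reader 2 closes normally */
	return list_del_checked(&q2.qlist) ? 1 : 0;
}

int main(void)
{
	printf("single release: %s\n", simulate(false) ? "clean" : "corrupted");
	printf("double release: %s\n", simulate(true) ? "clean" : "corrupted");
	return 0;
}
```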

Richard Cochran

Nov 3, 2023, 10:13:35 PM11/3/23
to Jeremy Cline, Edward Adam Davis, habetsm...@gmail.com, da...@davemloft.net, linux-...@vger.kernel.org, net...@vger.kernel.org, rei...@gmail.com, syzbot+df3f3e...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
On Thu, Nov 02, 2023 at 02:16:54PM -0400, Jeremy Cline wrote:

> While this patch looks to cover adding and removing items from the list,
> the code that iterates over the list isn't covered which can be
> problematic. If the list is modified while it is being iterated, the
> iterating code could chase an invalid pointer.

Indeed.

See ptp_clock.c:

416 case PTP_CLOCK_EXTTS:
417 /* Enqueue timestamp on selected queues */
418 list_for_each_entry(tsevq, &ptp->tsevqs, qlist) {
419 if (test_bit((unsigned int)event->index, tsevq->mask))
420 enqueue_external_timestamp(tsevq, event);
421 }
422 wake_up_interruptible(&ptp->tsev_wq);
423 break;

Thanks,
Richard

Richard Cochran

Nov 3, 2023, 10:15:37 PM11/3/23
to Jeremy Cline, Edward Adam Davis, habetsm...@gmail.com, da...@davemloft.net, linux-...@vger.kernel.org, net...@vger.kernel.org, rei...@gmail.com, syzbot+df3f3e...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
On Fri, Nov 03, 2023 at 07:13:31PM -0700, Richard Cochran wrote:
> See ptp_clock.c:
>
> 416 case PTP_CLOCK_EXTTS:
> 417 /* Enqueue timestamp on selected queues */
> 418 list_for_each_entry(tsevq, &ptp->tsevqs, qlist) {
> 419 if (test_bit((unsigned int)event->index, tsevq->mask))
> 420 enqueue_external_timestamp(tsevq, event);
> 421 }
> 422 wake_up_interruptible(&ptp->tsev_wq);
> 423 break;

And that code can be called from interrupt context.

Thus the mutex won't work.

It needs to be a spin lock instead.

Thanks,
Richard

Edward Adam Davis

Nov 3, 2023, 10:43:19 PM11/3/23
to syzbot+df3f3e...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
please test BUG: corrupted list in ptp_open

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git 2dac75696c6d

diff --git a/drivers/ptp/ptp_chardev.c b/drivers/ptp/ptp_chardev.c
index 282cd7d24077..ba035d6c81ae 100644
--- a/drivers/ptp/ptp_chardev.c
+++ b/drivers/ptp/ptp_chardev.c
@@ -119,8 +119,13 @@ int ptp_open(struct posix_clock_context *pccontext, fmode_t fmode)
}
bitmap_set(queue->mask, 0, PTP_MAX_CHANNELS);
spin_lock_init(&queue->lock);
+ if (mutex_lock_interruptible(&ptp->tsevq_mux)) {
+ kfree(queue);
+ return -ERESTARTSYS;
+ }
list_add_tail(&queue->qlist, &ptp->tsevqs);
pccontext->private_clkdata = queue;
+ mutex_unlock(&ptp->tsevq_mux);

/* Debugfs contents */
sprintf(debugfsname, "0x%p", queue);
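Review bot: same leak as in the earlier version of this hunk: on the interrupted-lock path queue->mask (set up with bitmap_set() just above) is never freed; call bitmap_free(queue->mask) before kfree(queue). A mutex is also the wrong primitive for this list: ptp_clock_event() walks ptp->tsevqs from interrupt context and cannot sleep on tsevq_mux, so that walk stays unprotected.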
@@ -138,14 +143,16 @@ int ptp_open(struct posix_clock_context *pccontext, fmode_t fmode)
int ptp_release(struct posix_clock_context *pccontext)
{
struct timestamp_event_queue *queue = pccontext->private_clkdata;
+ struct ptp_clock *ptp =
+ container_of(pccontext->clk, struct ptp_clock, clock);
unsigned long flags;

if (queue) {
+ mutex_lock(&ptp->tsevq_mux);
debugfs_remove(queue->debugfs_instance);
pccontext->private_clkdata = NULL;
- spin_lock_irqsave(&queue->lock, flags);
list_del(&queue->qlist);
- spin_unlock_irqrestore(&queue->lock, flags);
+ mutex_unlock(&ptp->tsevq_mux);
bitmap_free(queue->mask);
kfree(queue);
}
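Review bot: with both the spin_lock_irqsave() and spin_unlock_irqrestore() lines removed, the `unsigned long flags;` declaration kept in the context above is now unused and will warn with -Wunused-variable; drop it. Switching to mutex_lock() here is the right call, since a release callback cannot be retried after -ERESTARTSYS.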
@@ -585,7 +592,5 @@ ssize_t ptp_read(struct posix_clock_context *pccontext, uint rdflags,
index 52f87e394aa6..7d82960fd946 100644
--- a/drivers/ptp/ptp_private.h
+++ b/drivers/ptp/ptp_private.h
@@ -44,6 +44,7 @@ struct ptp_clock {
struct pps_device *pps_source;
long dialed_frequency; /* remembers the frequency adjustment */
struct list_head tsevqs; /* timestamp fifo list */
+ struct mutex tsevq_mux; /* one process at a time writing the timestamp fifo list */
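Review bot: tsevq_mux is added to struct ptp_clock but nothing in this diff initialises it; ptp_clock.c is not touched, so the first mutex_lock() in ptp_open() operates on an uninitialised mutex (lockdep will flag it on debug builds). Add mutex_init(&ptp->tsevq_mux) in ptp_clock_register() alongside the existing mutexes (pincfg_mux, n_vclocks_mux) and the matching mutex_destroy() in ptp_clock_release(). The comment also oversells the guarantee: the list is read by ptp_clock_event() in interrupt context, and a mutex does not exclude that reader.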

syzbot

Nov 3, 2023, 11:13:05 PM11/3/23
to ead...@qq.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+df3f3e...@syzkaller.appspotmail.com

Tested on:

commit: 2dac7569 Add linux-next specific files for 20231018
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
console output: https://syzkaller.appspot.com/x/log.txt?x=130c500f680000
kernel config: https://syzkaller.appspot.com/x/.config?x=e86de086e9dddbc6
dashboard link: https://syzkaller.appspot.com/bug?extid=df3f3ef31f60781fa911
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=171e90c0e80000

Edward Adam Davis

Nov 4, 2023, 9:27:59 PM11/4/23
to syzbot+df3f3e...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
please test BUG: corrupted list in ptp_open

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git 2dac75696c6d

diff --git a/drivers/ptp/ptp_chardev.c b/drivers/ptp/ptp_chardev.c
index 282cd7d24077..eb4015ae93a2 100644
--- a/drivers/ptp/ptp_chardev.c
+++ b/drivers/ptp/ptp_chardev.c
@@ -108,6 +108,7 @@ int ptp_open(struct posix_clock_context *pccontext, fmode_t fmode)
container_of(pccontext->clk, struct ptp_clock, clock);
struct timestamp_event_queue *queue;
char debugfsname[32];
+ unsigned long flags;

queue = kzalloc(sizeof(*queue), GFP_KERNEL);
if (!queue)
@@ -119,8 +120,10 @@ int ptp_open(struct posix_clock_context *pccontext, fmode_t fmode)
}
bitmap_set(queue->mask, 0, PTP_MAX_CHANNELS);
spin_lock_init(&queue->lock);
+ spin_lock_irqsave(&ptp->tsevq_lock, flags);
list_add_tail(&queue->qlist, &ptp->tsevqs);
pccontext->private_clkdata = queue;
+ spin_unlock_irqrestore(&ptp->tsevq_lock, flags);

/* Debugfs contents */
sprintf(debugfsname, "0x%p", queue);
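Review bot: this hunk locks ptp->tsevq_lock, while the ptp_private.h hunk below declares the field as tsevqs_lock, so the patch does not build; use one name throughout. Also, pccontext->private_clkdata = queue is per-file state and does not need to sit inside the spinlock.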
@@ -139,13 +142,15 @@ int ptp_release(struct posix_clock_context *pccontext)
{
struct timestamp_event_queue *queue = pccontext->private_clkdata;
unsigned long flags;
+ struct ptp_clock *ptp =
+ container_of(pccontext->clk, struct ptp_clock, clock);

if (queue) {
debugfs_remove(queue->debugfs_instance);
+ spin_lock_irqsave(&ptp->tsevq_lock, flags);
pccontext->private_clkdata = NULL;
- spin_lock_irqsave(&queue->lock, flags);
list_del(&queue->qlist);
- spin_unlock_irqrestore(&queue->lock, flags);
+ spin_unlock_irqrestore(&ptp->tsevq_lock, flags);
bitmap_free(queue->mask);
kfree(queue);
}
@@ -585,7 +590,5 @@ ssize_t ptp_read(struct posix_clock_context *pccontext, uint rdflags,
free_event:
kfree(event);
exit:
- if (result < 0)
- ptp_release(pccontext);
return result;
}
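Review bot: this removal is the actual fix for the reported crash and deserves a sentence in the commit message: ptp_release() is the file's release callback and must run exactly once, from close(); invoking it from a failed ptp_read() unlinks and frees the queue while the file is still open, and the later close() (the ptp_release frame in the syzbot trace) then works on a list that was already modified behind it. Richard's earlier reply asks for precisely this change.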
diff --git a/drivers/ptp/ptp_clock.c b/drivers/ptp/ptp_clock.c
index 3d1b0a97301c..d813bf25dffc 100644
--- a/drivers/ptp/ptp_clock.c
+++ b/drivers/ptp/ptp_clock.c
@@ -247,6 +247,7 @@ struct ptp_clock *ptp_clock_register(struct ptp_clock_info *info,
if (!queue)
goto no_memory_queue;
list_add_tail(&queue->qlist, &ptp->tsevqs);
+ spin_lock_init(&ptp->tsevq_lock);
queue->mask = bitmap_alloc(PTP_MAX_CHANNELS, GFP_KERNEL);
if (!queue->mask)
goto no_memory_bitmap;
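Review bot: spin_lock_init() lands after the first list_add_tail() on ptp->tsevqs; initialise the lock before the list it guards is first modified (nothing else can reach the list at registration time, so this is a matter of ordering and readability rather than a race). The field name here (tsevq_lock) must also match the declaration in ptp_private.h.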
diff --git a/drivers/ptp/ptp_private.h b/drivers/ptp/ptp_private.h
index 52f87e394aa6..63af246f17eb 100644
--- a/drivers/ptp/ptp_private.h
+++ b/drivers/ptp/ptp_private.h
@@ -44,6 +44,7 @@ struct ptp_clock {
struct pps_device *pps_source;
long dialed_frequency; /* remembers the frequency adjustment */
struct list_head tsevqs; /* timestamp fifo list */
+ spinlock_t tsevqs_lock; /* one process at a time writing the timestamp fifo list*/
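Review bot: the declaration names the field tsevqs_lock while every use in the ptp_chardev.c and ptp_clock.c hunks says tsevq_lock; this is the build failure syzbot reports below. The comment also understates the lock's job: besides serialising open()/close(), it has to keep ptp_clock_event()'s list walk, which runs in interrupt context, from seeing a half-updated list; say so here, and add a space before the closing */.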

syzbot

Nov 4, 2023, 9:35:04 PM11/4/23
to ead...@qq.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

drivers/ptp/ptp_clock.c:250:23: error: no member named 'tsevq_lock' in 'struct ptp_clock'; did you mean 'tsevqs_lock'?
drivers/ptp/ptp_chardev.c:123:26: error: no member named 'tsevq_lock' in 'struct ptp_clock'; did you mean 'tsevqs_lock'?
drivers/ptp/ptp_chardev.c:126:31: error: no member named 'tsevq_lock' in 'struct ptp_clock'; did you mean 'tsevqs_lock'?
drivers/ptp/ptp_chardev.c:150:27: error: no member named 'tsevq_lock' in 'struct ptp_clock'; did you mean 'tsevqs_lock'?
drivers/ptp/ptp_chardev.c:153:32: error: no member named 'tsevq_lock' in 'struct ptp_clock'; did you mean 'tsevqs_lock'?


Tested on:

commit: 2dac7569 Add linux-next specific files for 20231018
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
kernel config: https://syzkaller.appspot.com/x/.config?x=d855e3560c4c99c4
dashboard link: https://syzkaller.appspot.com/bug?extid=df3f3ef31f60781fa911
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=15743708e80000

Edward Adam Davis

Nov 4, 2023, 9:44:21 PM11/4/23
to syzbot+df3f3e...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
please test BUG: corrupted list in ptp_open

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git 2dac75696c6d

diff --git a/drivers/ptp/ptp_chardev.c b/drivers/ptp/ptp_chardev.c
index 282cd7d24077..31594f40a21e 100644
--- a/drivers/ptp/ptp_chardev.c
+++ b/drivers/ptp/ptp_chardev.c
@@ -108,6 +108,7 @@ int ptp_open(struct posix_clock_context *pccontext, fmode_t fmode)
container_of(pccontext->clk, struct ptp_clock, clock);
struct timestamp_event_queue *queue;
char debugfsname[32];
+ unsigned long flags;

queue = kzalloc(sizeof(*queue), GFP_KERNEL);
if (!queue)
@@ -119,8 +120,10 @@ int ptp_open(struct posix_clock_context *pccontext, fmode_t fmode)
}
bitmap_set(queue->mask, 0, PTP_MAX_CHANNELS);
spin_lock_init(&queue->lock);
+ spin_lock_irqsave(&ptp->tsevqs_lock, flags);
list_add_tail(&queue->qlist, &ptp->tsevqs);
pccontext->private_clkdata = queue;
+ spin_unlock_irqrestore(&ptp->tsevqs_lock, flags);

/* Debugfs contents */
sprintf(debugfsname, "0x%p", queue);
@@ -139,13 +142,15 @@ int ptp_release(struct posix_clock_context *pccontext)
{
struct timestamp_event_queue *queue = pccontext->private_clkdata;
unsigned long flags;
+ struct ptp_clock *ptp =
+ container_of(pccontext->clk, struct ptp_clock, clock);

if (queue) {
debugfs_remove(queue->debugfs_instance);
+ spin_lock_irqsave(&ptp->tsevqs_lock, flags);
pccontext->private_clkdata = NULL;
- spin_lock_irqsave(&queue->lock, flags);
list_del(&queue->qlist);
- spin_unlock_irqrestore(&queue->lock, flags);
+ spin_unlock_irqrestore(&ptp->tsevqs_lock, flags);
bitmap_free(queue->mask);
kfree(queue);
}
@@ -585,7 +590,5 @@ ssize_t ptp_read(struct posix_clock_context *pccontext, uint rdflags,
free_event:
kfree(event);
exit:
- if (result < 0)
- ptp_release(pccontext);
return result;
}
diff --git a/drivers/ptp/ptp_clock.c b/drivers/ptp/ptp_clock.c
index 3d1b0a97301c..ea82648ad557 100644
--- a/drivers/ptp/ptp_clock.c
+++ b/drivers/ptp/ptp_clock.c
@@ -247,6 +247,7 @@ struct ptp_clock *ptp_clock_register(struct ptp_clock_info *info,
if (!queue)
goto no_memory_queue;
list_add_tail(&queue->qlist, &ptp->tsevqs);
+ spin_lock_init(&ptp->tsevqs_lock);
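Review bot: ptp_clock_event()'s list_for_each_entry() over ptp->tsevqs, quoted by Richard above, is not touched by this patch, so an open() or close() can still unlink a queue while an interrupt handler is walking the list; take tsevqs_lock with spin_lock_irqsave() around that loop as well. The spin_lock_init() should also move ahead of the list_add_tail() two lines up.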

syzbot

Nov 4, 2023, 10:06:09 PM11/4/23
to ead...@qq.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+df3f3e...@syzkaller.appspotmail.com

Tested on:

commit: 2dac7569 Add linux-next specific files for 20231018
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
console output: https://syzkaller.appspot.com/x/log.txt?x=1391e40f680000
kernel config: https://syzkaller.appspot.com/x/.config?x=e86de086e9dddbc6
dashboard link: https://syzkaller.appspot.com/bug?extid=df3f3ef31f60781fa911
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=12f749ef680000

Edward Adam Davis

Nov 6, 2023, 6:05:27 AM11/6/23
to syzbot+df3f3e...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
please test BUG: corrupted list in ptp_open

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git 2dac75696c6d

diff --git a/drivers/ptp/ptp_chardev.c b/drivers/ptp/ptp_chardev.c
index 282cd7d24077..3f7a74788802 100644
--- a/drivers/ptp/ptp_chardev.c
+++ b/drivers/ptp/ptp_chardev.c
@@ -108,6 +108,7 @@ int ptp_open(struct posix_clock_context *pccontext, fmode_t fmode)
container_of(pccontext->clk, struct ptp_clock, clock);
struct timestamp_event_queue *queue;
char debugfsname[32];
+ unsigned long flags;

queue = kzalloc(sizeof(*queue), GFP_KERNEL);
if (!queue)
@@ -119,7 +120,9 @@ int ptp_open(struct posix_clock_context *pccontext, fmode_t fmode)
}
bitmap_set(queue->mask, 0, PTP_MAX_CHANNELS);
spin_lock_init(&queue->lock);
+ spin_lock_irqsave(&ptp->tsevqs_lock, flags);
list_add_tail(&queue->qlist, &ptp->tsevqs);
+ spin_unlock_irqrestore(&ptp->tsevqs_lock, flags);
pccontext->private_clkdata = queue;

/* Debugfs contents */
@@ -139,16 +142,16 @@ int ptp_release(struct posix_clock_context *pccontext)
{
struct timestamp_event_queue *queue = pccontext->private_clkdata;
unsigned long flags;
+ struct ptp_clock *ptp =
+ container_of(pccontext->clk, struct ptp_clock, clock);

- if (queue) {
- debugfs_remove(queue->debugfs_instance);
- pccontext->private_clkdata = NULL;
- spin_lock_irqsave(&queue->lock, flags);
- list_del(&queue->qlist);
- spin_unlock_irqrestore(&queue->lock, flags);
- bitmap_free(queue->mask);
- kfree(queue);
- }
+ debugfs_remove(queue->debugfs_instance);
+ pccontext->private_clkdata = NULL;
+ spin_lock_irqsave(&ptp->tsevqs_lock, flags);
+ list_del(&queue->qlist);
+ spin_unlock_irqrestore(&ptp->tsevqs_lock, flags);
+ bitmap_free(queue->mask);
+ kfree(queue);
return 0;
}
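Review bot: removing the `if (queue)` guard makes ptp_release() dereference queue unconditionally. With the ptp_read() error-path call gone in this same patch the queue should always be set by then, but the guard was also what made a second ptp_release() harmless; keep it (or a WARN_ON(!queue) that returns early) as cheap defence and state the reasoning in the commit message.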

@@ -585,7 +588,5 @@ ssize_t ptp_read(struct posix_clock_context *pccontext, uint rdflags,
free_event:
kfree(event);
exit:
- if (result < 0)
- ptp_release(pccontext);
return result;
}
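Review bot: this is the change Richard asked for and the root-cause fix; the commit message should say that ptp_release() is the release callback and may only run from close(), and should carry the Reported-and-tested-by tag syzbot provides for this patch.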
diff --git a/drivers/ptp/ptp_clock.c b/drivers/ptp/ptp_clock.c
index 3d1b0a97301c..41b68568811a 100644
--- a/drivers/ptp/ptp_clock.c
+++ b/drivers/ptp/ptp_clock.c
@@ -247,6 +247,7 @@ struct ptp_clock *ptp_clock_register(struct ptp_clock_info *info,
if (!queue)
goto no_memory_queue;
list_add_tail(&queue->qlist, &ptp->tsevqs);
+ spin_lock_init(&ptp->tsevqs_lock);
queue->mask = bitmap_alloc(PTP_MAX_CHANNELS, GFP_KERNEL);
if (!queue->mask)
goto no_memory_bitmap;
@@ -407,6 +408,7 @@ void ptp_clock_event(struct ptp_clock *ptp, struct ptp_clock_event *event)
{
struct timestamp_event_queue *tsevq;
struct pps_event_time evt;
+ unsigned long flags;

switch (event->type) {

@@ -415,10 +417,12 @@ void ptp_clock_event(struct ptp_clock *ptp, struct ptp_clock_event *event)

case PTP_CLOCK_EXTTS:
/* Enqueue timestamp on selected queues */
+ spin_lock_irqsave(&ptp->tsevqs_lock, flags);
list_for_each_entry(tsevq, &ptp->tsevqs, qlist) {
if (test_bit((unsigned int)event->index, tsevq->mask))
enqueue_external_timestamp(tsevq, event);
}
+ spin_unlock_irqrestore(&ptp->tsevqs_lock, flags);
wake_up_interruptible(&ptp->tsev_wq);
break;
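Review bot: enqueue_external_timestamp() now runs with tsevqs_lock held and interrupts disabled; if it takes the per-queue queue->lock (the lock the old ptp_release() used around list_del()), this fixes the nesting order tsevqs_lock -> queue->lock, and no path may take them the other way round. Record that order in the comment on tsevqs_lock in ptp_private.h.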

diff --git a/drivers/ptp/ptp_private.h b/drivers/ptp/ptp_private.h
index 52f87e394aa6..35fde0a05746 100644
--- a/drivers/ptp/ptp_private.h
+++ b/drivers/ptp/ptp_private.h
@@ -44,6 +44,7 @@ struct ptp_clock {
struct pps_device *pps_source;
long dialed_frequency; /* remembers the frequency adjustment */
struct list_head tsevqs; /* timestamp fifo list */
+ spinlock_t tsevqs_lock; /* protects tsevqs from concurrent access */

Edward Adam Davis

Nov 6, 2023, 6:37:39 AM11/6/23
to syzbot+df3f3e...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
please test BUG: corrupted list in ptp_open

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git 2dac75696c6d

diff --git a/drivers/ptp/ptp_chardev.c b/drivers/ptp/ptp_chardev.c
index 282cd7d24077..473b6d992507 100644
diff --git a/drivers/ptp/ptp_clock.c b/drivers/ptp/ptp_clock.c
index 3d1b0a97301c..b901f2910963 100644
--- a/drivers/ptp/ptp_clock.c
+++ b/drivers/ptp/ptp_clock.c
@@ -179,11 +179,11 @@ static void ptp_clock_release(struct device *dev)
mutex_destroy(&ptp->pincfg_mux);
mutex_destroy(&ptp->n_vclocks_mux);
/* Delete first entry */
+ spin_lock_irqsave(&tsevq->lock, flags);
tsevq = list_first_entry(&ptp->tsevqs, struct timestamp_event_queue,
qlist);
- spin_lock_irqsave(&tsevq->lock, flags);
list_del(&tsevq->qlist);
- spin_unlock_irqrestore(&tsevq->lock, flags);
+ spin_unlock_irqrestore(&ptp->tsevqs_lock, flags);
bitmap_free(tsevq->mask);
kfree(tsevq);
debugfs_remove(ptp->debugfs_root);
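Review bot: the added spin_lock_irqsave(&tsevq->lock, flags) runs before tsevq is assigned by the list_first_entry() on the next line, so it dereferences an uninitialised pointer, and the matching spin_unlock_irqrestore() releases &ptp->tsevqs_lock instead, so the lock taken and the lock released differ. The intent is clearly spin_lock_irqsave(&ptp->tsevqs_lock, flags) before list_del() (which is what the one-line follow-up further down in the thread supplies). Separately, the leading `diff --git a/drivers/ptp/ptp_chardev.c` header carries no hunk, and the second one is based on 473b6d992507 rather than the announced tree, so the diff does not apply cleanly on its own.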
diff --git a/drivers/ptp/ptp_chardev.c b/drivers/ptp/ptp_chardev.c
index 473b6d992507..3f7a74788802 100644
--- a/drivers/ptp/ptp_chardev.c
+++ b/drivers/ptp/ptp_chardev.c
@@ -588,7 +588,5 @@ ssize_t ptp_read(struct posix_clock_context *pccontext, uint rdflags,
free_event:
kfree(event);
exit:
- if (result < 0)
- ptp_release(pccontext);
return result;
}
--
2.25.1

syzbot

Nov 6, 2023, 8:26:05 AM11/6/23
to ead...@qq.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+df3f3e...@syzkaller.appspotmail.com

Tested on:

commit: 2dac7569 Add linux-next specific files for 20231018
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
console output: https://syzkaller.appspot.com/x/log.txt?x=149170c0e80000
kernel config: https://syzkaller.appspot.com/x/.config?x=e86de086e9dddbc6
dashboard link: https://syzkaller.appspot.com/bug?extid=df3f3ef31f60781fa911
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=17e6a047680000

syzbot

Nov 6, 2023, 8:38:05 AM11/6/23
to ead...@qq.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+df3f3e...@syzkaller.appspotmail.com

Tested on:

commit: 2dac7569 Add linux-next specific files for 20231018
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
console output: https://syzkaller.appspot.com/x/log.txt?x=1034b717680000
kernel config: https://syzkaller.appspot.com/x/.config?x=e86de086e9dddbc6
dashboard link: https://syzkaller.appspot.com/bug?extid=df3f3ef31f60781fa911
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=172c71ef680000

Edward Adam Davis

Nov 6, 2023, 8:58:32 AM11/6/23
to syzbot+df3f3e...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
+ spin_lock_irqsave(&ptp->tsevqs_lock, flags);

syzbot

Nov 6, 2023, 9:40:08 AM11/6/23
to ead...@qq.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+df3f3e...@syzkaller.appspotmail.com

Tested on:

commit: 2dac7569 Add linux-next specific files for 20231018
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
console output: https://syzkaller.appspot.com/x/log.txt?x=15765a5b680000
kernel config: https://syzkaller.appspot.com/x/.config?x=e86de086e9dddbc6
dashboard link: https://syzkaller.appspot.com/bug?extid=df3f3ef31f60781fa911
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=10fee497680000