[syzbot] KASAN: use-after-free Read in kernfs_next_descendant_post (2)


syzbot

Oct 4, 2021, 8:57:24 AM
to gre...@linuxfoundation.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com, t...@kernel.org
Hello,

syzbot found the following issue on:

HEAD commit: 02d5e016800d Merge tag 'sound-5.15-rc4' of git://git.kerne..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=130eeb90b00000
kernel config: https://syzkaller.appspot.com/x/.config?x=9290a409049988d4
dashboard link: https://syzkaller.appspot.com/bug?extid=6bc35f3913193fe7f0d3
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2

Unfortunately, I don't have any reproducer for this issue yet.

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+6bc35f...@syzkaller.appspotmail.com

usb 1-1: Direct firmware load for ueagle-atm/adi930.fw failed with error -2
usb 1-1: Falling back to sysfs fallback for: ueagle-atm/adi930.fw
==================================================================
BUG: KASAN: use-after-free in kernfs_type include/linux/kernfs.h:294 [inline]
BUG: KASAN: use-after-free in kernfs_leftmost_descendant fs/kernfs/dir.c:1218 [inline]
BUG: KASAN: use-after-free in kernfs_next_descendant_post+0x1da/0x290 fs/kernfs/dir.c:1249
Read of size 2 at addr ffff888064de27d8 by task kworker/0:1/7

CPU: 0 PID: 7 Comm: kworker/0:1 Not tainted 5.15.0-rc3-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events request_firmware_work_func
Call Trace:
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
print_address_description.constprop.0.cold+0x6c/0x309 mm/kasan/report.c:256
__kasan_report mm/kasan/report.c:442 [inline]
kasan_report.cold+0x83/0xdf mm/kasan/report.c:459
kernfs_type include/linux/kernfs.h:294 [inline]
kernfs_leftmost_descendant fs/kernfs/dir.c:1218 [inline]
kernfs_next_descendant_post+0x1da/0x290 fs/kernfs/dir.c:1249
kernfs_activate+0x3a/0x1d0 fs/kernfs/dir.c:1284
kernfs_add_one+0x368/0x4c0 fs/kernfs/dir.c:766
kernfs_create_dir_ns+0x18b/0x220 fs/kernfs/dir.c:994
sysfs_create_dir_ns+0x128/0x290 fs/sysfs/dir.c:59
create_dir lib/kobject.c:89 [inline]
kobject_add_internal+0x2d2/0xa60 lib/kobject.c:255
kobject_add_varg lib/kobject.c:390 [inline]
kobject_add+0x150/0x1c0 lib/kobject.c:442
class_dir_create_and_add drivers/base/core.c:2913 [inline]
get_device_parent+0x3de/0x590 drivers/base/core.c:2968
device_add+0x2b1/0x21b0 drivers/base/core.c:3280
fw_load_sysfs_fallback drivers/base/firmware_loader/fallback.c:507 [inline]
fw_load_from_user_helper drivers/base/firmware_loader/fallback.c:583 [inline]
firmware_fallback_sysfs+0x408/0xe70 drivers/base/firmware_loader/fallback.c:659
_request_firmware+0xbb5/0x1040 drivers/base/firmware_loader/main.c:833
request_firmware_work_func+0xdd/0x230 drivers/base/firmware_loader/main.c:1079
process_one_work+0x9bf/0x16b0 kernel/workqueue.c:2297
worker_thread+0x658/0x11f0 kernel/workqueue.c:2444
kthread+0x3e5/0x4d0 kernel/kthread.c:319
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295

Allocated by task 7:
kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38
kasan_set_track mm/kasan/common.c:46 [inline]
set_alloc_info mm/kasan/common.c:434 [inline]
__kasan_slab_alloc+0x83/0xb0 mm/kasan/common.c:467
kasan_slab_alloc include/linux/kasan.h:254 [inline]
slab_post_alloc_hook mm/slab.h:519 [inline]
slab_alloc_node mm/slub.c:3206 [inline]
slab_alloc mm/slub.c:3214 [inline]
kmem_cache_alloc+0x209/0x390 mm/slub.c:3219
kmem_cache_zalloc include/linux/slab.h:711 [inline]
__kernfs_new_node+0xd4/0x8b0 fs/kernfs/dir.c:585
kernfs_new_node fs/kernfs/dir.c:647 [inline]
kernfs_create_dir_ns+0x9c/0x220 fs/kernfs/dir.c:984
sysfs_create_dir_ns+0x128/0x290 fs/sysfs/dir.c:59
create_dir lib/kobject.c:89 [inline]
kobject_add_internal+0x2d2/0xa60 lib/kobject.c:255
kobject_add_varg lib/kobject.c:390 [inline]
kobject_add+0x150/0x1c0 lib/kobject.c:442
class_dir_create_and_add drivers/base/core.c:2913 [inline]
get_device_parent+0x3de/0x590 drivers/base/core.c:2968
device_add+0x2b1/0x21b0 drivers/base/core.c:3280
fw_load_sysfs_fallback drivers/base/firmware_loader/fallback.c:507 [inline]
fw_load_from_user_helper drivers/base/firmware_loader/fallback.c:583 [inline]
firmware_fallback_sysfs+0x408/0xe70 drivers/base/firmware_loader/fallback.c:659
_request_firmware+0xbb5/0x1040 drivers/base/firmware_loader/main.c:833
request_firmware_work_func+0xdd/0x230 drivers/base/firmware_loader/main.c:1079
process_one_work+0x9bf/0x16b0 kernel/workqueue.c:2297
worker_thread+0x658/0x11f0 kernel/workqueue.c:2444
kthread+0x3e5/0x4d0 kernel/kthread.c:319
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295

Freed by task 20913:
kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38
kasan_set_track+0x1c/0x30 mm/kasan/common.c:46
kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:360
____kasan_slab_free mm/kasan/common.c:366 [inline]
____kasan_slab_free mm/kasan/common.c:328 [inline]
__kasan_slab_free+0xff/0x130 mm/kasan/common.c:374
kasan_slab_free include/linux/kasan.h:230 [inline]
slab_free_hook mm/slub.c:1700 [inline]
slab_free_freelist_hook+0x81/0x190 mm/slub.c:1725
slab_free mm/slub.c:3483 [inline]
kmem_cache_free+0x8a/0x5b0 mm/slub.c:3499
kernfs_put.part.0+0x2c4/0x540 fs/kernfs/dir.c:539
kernfs_put+0x42/0x50 fs/kernfs/dir.c:513
__kernfs_remove+0x727/0xab0 fs/kernfs/dir.c:1360
kernfs_remove+0x1d/0x30 fs/kernfs/dir.c:1373
sysfs_remove_dir+0xc1/0x100 fs/sysfs/dir.c:102
__kobject_del+0xe2/0x200 lib/kobject.c:620
kobject_del lib/kobject.c:643 [inline]
kobject_del+0x3c/0x60 lib/kobject.c:635
device_del+0x834/0xd60 drivers/base/core.c:3558
usb_disconnect.cold+0x4ba/0x78e drivers/usb/core/hub.c:2251
hub_port_connect drivers/usb/core/hub.c:5199 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5488 [inline]
port_event drivers/usb/core/hub.c:5634 [inline]
hub_event+0x1c9c/0x4330 drivers/usb/core/hub.c:5716
process_one_work+0x9bf/0x16b0 kernel/workqueue.c:2297
process_scheduled_works kernel/workqueue.c:2360 [inline]
worker_thread+0x85c/0x11f0 kernel/workqueue.c:2446
kthread+0x3e5/0x4d0 kernel/kthread.c:319
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295

The buggy address belongs to the object at ffff888064de2740
which belongs to the cache kernfs_node_cache of size 168
The buggy address is located 152 bytes inside of
168-byte region [ffff888064de2740, ffff888064de27e8)
The buggy address belongs to the page:
page:ffffea0001937880 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x64de2
flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000200 dead000000000100 dead000000000122 ffff888010dc5a00
raw: 0000000000000000 0000000080110011 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 6583, ts 177318160712, free_ts 177312628642
prep_new_page mm/page_alloc.c:2424 [inline]
get_page_from_freelist+0xa72/0x2f80 mm/page_alloc.c:4153
__alloc_pages+0x1b2/0x500 mm/page_alloc.c:5375
alloc_pages+0x1a7/0x300 mm/mempolicy.c:2197
alloc_slab_page mm/slub.c:1763 [inline]
allocate_slab mm/slub.c:1900 [inline]
new_slab+0x319/0x490 mm/slub.c:1963
___slab_alloc+0x921/0xfe0 mm/slub.c:2994
__slab_alloc.constprop.0+0x4d/0xa0 mm/slub.c:3081
slab_alloc_node mm/slub.c:3172 [inline]
slab_alloc mm/slub.c:3214 [inline]
kmem_cache_alloc+0x365/0x390 mm/slub.c:3219
kmem_cache_zalloc include/linux/slab.h:711 [inline]
__kernfs_new_node+0xd4/0x8b0 fs/kernfs/dir.c:585
kernfs_new_node+0x93/0x120 fs/kernfs/dir.c:647
__kernfs_create_file+0x51/0x350 fs/kernfs/file.c:985
sysfs_add_file_mode_ns+0x226/0x540 fs/sysfs/file.c:317
sysfs_merge_group+0x198/0x320 fs/sysfs/group.c:343
dpm_sysfs_add+0x241/0x290 drivers/base/power/sysfs.c:707
device_add+0xad8/0x21b0 drivers/base/core.c:3316
netdev_register_kobject+0x181/0x430 net/core/net-sysfs.c:1955
register_netdevice+0xd33/0x1500 net/core/dev.c:10299
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1338 [inline]
free_pcp_prepare+0x2c5/0x780 mm/page_alloc.c:1389
free_unref_page_prepare mm/page_alloc.c:3315 [inline]
free_unref_page+0x19/0x690 mm/page_alloc.c:3394
__vunmap+0x783/0xb70 mm/vmalloc.c:2621
free_work+0x58/0x70 mm/vmalloc.c:95
process_one_work+0x9bf/0x16b0 kernel/workqueue.c:2297
worker_thread+0x658/0x11f0 kernel/workqueue.c:2444
kthread+0x3e5/0x4d0 kernel/kthread.c:319
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295

Memory state around the buggy address:
ffff888064de2680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888064de2700: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
>ffff888064de2780: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc
^
ffff888064de2800: fc fc fc fc fc 00 00 00 00 00 00 00 00 00 00 00
ffff888064de2880: 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc
==================================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
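The address arithmetic and the "Memory state" shadow dump in a KASAN report are the two things worth re-checking by hand when triaging one of these: does the stated offset really fall inside the slab object, and does the shadow byte covering the access say "freed"? The following parser is an added example, not part of the syzbot report or of the kernel; its sample input is a constructed excerpt of the first report above (addresses and shadow rows copied from it), and the shadow-value meanings are those of generic KASAN in mm/kasan/kasan.h for the 5.15/6.0 kernels in this thread.

```python
import json
import re

# Constructed sample input: the address lines and shadow rows from the first
# syzbot report in this thread, trimmed to what the parser needs.
SAMPLE_REPORT = """\
BUG: KASAN: use-after-free in kernfs_next_descendant_post+0x1da/0x290 fs/kernfs/dir.c:1249
Read of size 2 at addr ffff888064de27d8 by task kworker/0:1/7
The buggy address belongs to the object at ffff888064de2740
which belongs to the cache kernfs_node_cache of size 168
The buggy address is located 152 bytes inside of
168-byte region [ffff888064de2740, ffff888064de27e8)
Memory state around the buggy address:
 ffff888064de2700: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
>ffff888064de2780: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc
                                                          ^
 ffff888064de2800: fc fc fc fc fc 00 00 00 00 00 00 00 00 00 00 00
"""

SHADOW_GRANULE = 8  # one generic-KASAN shadow byte describes 8 bytes of memory

# Shadow values of generic KASAN (mm/kasan/kasan.h in the kernels of this thread).
# 0x01..0x07 mean "only the first N bytes of the granule are addressable".
SHADOW_MEANING = {
    0x00: "addressable",
    0xfa: "freed heap object (free-track metadata slot)",
    0xfb: "freed heap object",
    0xfc: "heap redzone",
    0xfe: "page redzone",
    0xff: "freed page",
}

ACCESS_RE = re.compile(r"^(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (.+)$", re.M)
OBJECT_RE = re.compile(r"belongs to the object at ([0-9a-f]+)\nwhich belongs to the cache (\S+) of size (\d+)")
REGION_RE = re.compile(r"located (\d+) bytes inside of\n(\d+)-byte region \[([0-9a-f]+), ([0-9a-f]+)\)")
SHADOW_ROW_RE = re.compile(r"^[> ]?([0-9a-f]{16}): ((?:[0-9a-f]{2} ?){16})$", re.M)


def parse_report(text):
    """Extract the access, the slab object and the shadow rows from a KASAN slab report."""
    access, obj, region = ACCESS_RE.search(text), OBJECT_RE.search(text), REGION_RE.search(text)
    if not (access and obj and region):
        raise ValueError("not a slab-object KASAN report this parser understands")
    rows = {int(addr, 16): [int(b, 16) for b in row.split()]
            for addr, row in SHADOW_ROW_RE.findall(text)}
    return {
        "kind": access.group(1),
        "size": int(access.group(2)),
        "addr": int(access.group(3), 16),
        "task": access.group(4),
        "object": int(obj.group(1), 16),
        "cache": obj.group(2),
        "cache_size": int(obj.group(3)),
        "claimed_offset": int(region.group(1)),
        "region": (int(region.group(3), 16), int(region.group(4), 16)),
        "shadow": rows,
    }


def shadow_byte(rows, addr):
    """Return the shadow byte covering addr, or None if the dump does not include it."""
    for row_addr, values in rows.items():
        if row_addr <= addr < row_addr + SHADOW_GRANULE * len(values):
            return values[(addr - row_addr) // SHADOW_GRANULE]
    return None


def triage(text):
    """Cross-check the report's own arithmetic and decode the shadow state of the access."""
    r = parse_report(text)
    start, end = r["region"]
    offset = r["addr"] - r["object"]
    consistent = (offset == r["claimed_offset"]
                  and end - start == r["cache_size"]
                  and start == r["object"])
    # The whole access (addr .. addr+size) must lie inside the object for the
    # "N bytes inside of" line to describe it fully.
    inside = start <= r["addr"] and r["addr"] + r["size"] <= end
    first = shadow_byte(r["shadow"], r["addr"])
    last = shadow_byte(r["shadow"], r["addr"] + r["size"] - 1)
    return {
        "offset": offset,
        "arithmetic_consistent": consistent,
        "access_inside_object": inside,
        "shadow_first": first,
        "shadow_last": last,
        "shadow_meaning": SHADOW_MEANING.get(first, "other/partially addressable"),
        "looks_like_uaf": inside and first in (0xfa, 0xfb) and last in (0xfa, 0xfb),
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_REPORT), indent=2))
```

For the report above this yields offset 152 inside a 168-byte kernfs_node_cache object, both bytes of the 2-byte read covered by an `fb` shadow byte, and the `fa` slot at the object's start that generic KASAN uses for free-track metadata; a report whose access lands on `fc` instead would point at an out-of-bounds access into the redzone rather than a use-after-free, which is the distinction the shadow decode is there to make.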

syzbot

Oct 20, 2022, 3:15:41 AM
to gre...@linuxfoundation.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com, t...@kernel.org
syzbot has found a reproducer for the following issue on:

HEAD commit: 55be6084c8e0 Merge tag 'timers-core-2022-10-05' of git://g..
git tree: upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=1449d53c880000
kernel config: https://syzkaller.appspot.com/x/.config?x=df75278aabf0681a
dashboard link: https://syzkaller.appspot.com/bug?extid=6bc35f3913193fe7f0d3
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14e01c72880000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1128908c880000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/6c791937c012/disk-55be6084.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/cb21a2879b4c/vmlinux-55be6084.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+6bc35f...@syzkaller.appspotmail.com

usb 1-1: Direct firmware load for ueagle-atm/eagleI.fw failed with error -2
usb 1-1: Falling back to sysfs fallback for: ueagle-atm/eagleI.fw
==================================================================
BUG: KASAN: use-after-free in kernfs_type include/linux/kernfs.h:337 [inline]
BUG: KASAN: use-after-free in kernfs_leftmost_descendant fs/kernfs/dir.c:1262 [inline]
BUG: KASAN: use-after-free in kernfs_next_descendant_post+0x22a/0x2f0 fs/kernfs/dir.c:1293
Read of size 2 at addr ffff88814591c180 by task kworker/0:2/140

CPU: 0 PID: 140 Comm: kworker/0:2 Not tainted 6.0.0-syzkaller-09589-g55be6084c8e0 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022
Workqueue: events request_firmware_work_func
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:317 [inline]
print_report.cold+0x2ba/0x719 mm/kasan/report.c:433
kasan_report+0xb1/0x1e0 mm/kasan/report.c:495
kernfs_type include/linux/kernfs.h:337 [inline]
kernfs_leftmost_descendant fs/kernfs/dir.c:1262 [inline]
kernfs_next_descendant_post+0x22a/0x2f0 fs/kernfs/dir.c:1293
kernfs_activate fs/kernfs/dir.c:1344 [inline]
kernfs_add_one+0x38d/0x4e0 fs/kernfs/dir.c:776
kernfs_create_dir_ns+0x18b/0x220 fs/kernfs/dir.c:1021
sysfs_create_dir_ns+0x127/0x290 fs/sysfs/dir.c:59
create_dir lib/kobject.c:63 [inline]
kobject_add_internal+0x2c9/0x8f0 lib/kobject.c:223
kobject_add_varg lib/kobject.c:358 [inline]
kobject_add+0x150/0x1c0 lib/kobject.c:410
class_dir_create_and_add drivers/base/core.c:3054 [inline]
get_device_parent+0x3d7/0x590 drivers/base/core.c:3109
device_add+0x2aa/0x1e90 drivers/base/core.c:3438
fw_load_sysfs_fallback drivers/base/firmware_loader/fallback.c:82 [inline]
fw_load_from_user_helper drivers/base/firmware_loader/fallback.c:158 [inline]
firmware_fallback_sysfs+0x2d5/0xba0 drivers/base/firmware_loader/fallback.c:234
_request_firmware+0xbca/0x1190 drivers/base/firmware_loader/main.c:856
request_firmware_work_func+0xdd/0x230 drivers/base/firmware_loader/main.c:1105
process_one_work+0x991/0x1610 kernel/workqueue.c:2289
worker_thread+0x665/0x1080 kernel/workqueue.c:2436
kthread+0x2e4/0x3a0 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306
</TASK>

Allocated by task 140:
kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
kasan_set_track mm/kasan/common.c:45 [inline]
set_alloc_info mm/kasan/common.c:437 [inline]
__kasan_slab_alloc+0x90/0xc0 mm/kasan/common.c:470
kasan_slab_alloc include/linux/kasan.h:224 [inline]
slab_post_alloc_hook mm/slab.h:727 [inline]
slab_alloc_node mm/slub.c:3248 [inline]
slab_alloc mm/slub.c:3256 [inline]
__kmem_cache_alloc_lru mm/slub.c:3263 [inline]
kmem_cache_alloc+0x267/0x3b0 mm/slub.c:3273
kmem_cache_zalloc include/linux/slab.h:723 [inline]
__kernfs_new_node+0xd4/0x8b0 fs/kernfs/dir.c:603
kernfs_new_node fs/kernfs/dir.c:665 [inline]
kernfs_create_dir_ns+0x9c/0x220 fs/kernfs/dir.c:1011
sysfs_create_dir_ns+0x127/0x290 fs/sysfs/dir.c:59
create_dir lib/kobject.c:63 [inline]
kobject_add_internal+0x2c9/0x8f0 lib/kobject.c:223
kobject_add_varg lib/kobject.c:358 [inline]
kobject_add+0x150/0x1c0 lib/kobject.c:410
class_dir_create_and_add drivers/base/core.c:3054 [inline]
get_device_parent+0x3d7/0x590 drivers/base/core.c:3109
device_add+0x2aa/0x1e90 drivers/base/core.c:3438
fw_load_sysfs_fallback drivers/base/firmware_loader/fallback.c:82 [inline]
fw_load_from_user_helper drivers/base/firmware_loader/fallback.c:158 [inline]
firmware_fallback_sysfs+0x2d5/0xba0 drivers/base/firmware_loader/fallback.c:234
_request_firmware+0xbca/0x1190 drivers/base/firmware_loader/main.c:856
request_firmware_work_func+0xdd/0x230 drivers/base/firmware_loader/main.c:1105
process_one_work+0x991/0x1610 kernel/workqueue.c:2289
worker_thread+0x665/0x1080 kernel/workqueue.c:2436
kthread+0x2e4/0x3a0 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306

Freed by task 2933:
kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
kasan_set_track+0x21/0x30 mm/kasan/common.c:45
kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:370
____kasan_slab_free mm/kasan/common.c:367 [inline]
____kasan_slab_free+0x166/0x1c0 mm/kasan/common.c:329
kasan_slab_free include/linux/kasan.h:200 [inline]
slab_free_hook mm/slub.c:1759 [inline]
slab_free_freelist_hook+0x8b/0x1c0 mm/slub.c:1785
slab_free mm/slub.c:3539 [inline]
kmem_cache_free+0xeb/0x5b0 mm/slub.c:3556
kernfs_put.part.0+0x2c4/0x540 fs/kernfs/dir.c:557
kernfs_put+0x42/0x50 fs/kernfs/dir.c:531
__kernfs_remove+0x463/0x600 fs/kernfs/dir.c:1443
kernfs_remove+0x77/0xa0 fs/kernfs/dir.c:1463
sysfs_remove_dir+0xc1/0x100 fs/sysfs/dir.c:101
__kobject_del+0xe2/0x1f0 lib/kobject.c:588
kobject_del lib/kobject.c:611 [inline]
kobject_del+0x3c/0x60 lib/kobject.c:603
device_del+0x81c/0xc80 drivers/base/core.c:3715
usb_disconnect.cold+0x49b/0x6ed drivers/usb/core/hub.c:2261
hub_port_connect drivers/usb/core/hub.c:5197 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5497 [inline]
port_event drivers/usb/core/hub.c:5653 [inline]
hub_event+0x1f86/0x45e0 drivers/usb/core/hub.c:5735
process_one_work+0x991/0x1610 kernel/workqueue.c:2289
process_scheduled_works kernel/workqueue.c:2352 [inline]
worker_thread+0x854/0x1080 kernel/workqueue.c:2438
kthread+0x2e4/0x3a0 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306

The buggy address belongs to the object at ffff88814591c0e8
which belongs to the cache kernfs_node_cache of size 168
The buggy address is located 152 bytes inside of
168-byte region [ffff88814591c0e8, ffff88814591c190)

The buggy address belongs to the physical page:
page:ffffea0005164700 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x14591c
flags: 0x57ff00000000200(slab|node=1|zone=2|lastcpupid=0x7ff)
raw: 057ff00000000200 0000000000000000 dead000000000001 ffff8880119dbb40
raw: 0000000000000000 0000000080110011 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 1, tgid 1 (swapper/0), ts 1564996231, free_ts 0
prep_new_page mm/page_alloc.c:2532 [inline]
get_page_from_freelist+0x109b/0x2ce0 mm/page_alloc.c:4283
__alloc_pages+0x1c7/0x510 mm/page_alloc.c:5549
alloc_page_interleave+0x1e/0x200 mm/mempolicy.c:2103
alloc_pages+0x22f/0x270 mm/mempolicy.c:2265
alloc_slab_page mm/slub.c:1829 [inline]
allocate_slab+0x27e/0x3d0 mm/slub.c:1974
new_slab mm/slub.c:2034 [inline]
___slab_alloc+0x84f/0xe80 mm/slub.c:3036
__slab_alloc.constprop.0+0x4d/0xa0 mm/slub.c:3123
slab_alloc_node mm/slub.c:3214 [inline]
slab_alloc mm/slub.c:3256 [inline]
__kmem_cache_alloc_lru mm/slub.c:3263 [inline]
kmem_cache_alloc+0x38c/0x3b0 mm/slub.c:3273
kmem_cache_zalloc include/linux/slab.h:723 [inline]
__kernfs_new_node+0xd4/0x8b0 fs/kernfs/dir.c:603
kernfs_new_node+0x93/0x120 fs/kernfs/dir.c:665
__kernfs_create_file+0x51/0x350 fs/kernfs/file.c:1043
sysfs_add_file_mode_ns+0x20f/0x3f0 fs/sysfs/file.c:294
create_files fs/sysfs/group.c:64 [inline]
internal_create_group+0x322/0xb10 fs/sysfs/group.c:148
kernel_add_sysfs_param kernel/params.c:814 [inline]
param_sysfs_builtin kernel/params.c:851 [inline]
param_sysfs_init+0x342/0x43b kernel/params.c:970
do_one_initcall+0xfe/0x650 init/main.c:1296
do_initcall_level init/main.c:1369 [inline]
do_initcalls init/main.c:1385 [inline]
do_basic_setup init/main.c:1404 [inline]
kernel_init_freeable+0x6b1/0x73a init/main.c:1623
page_owner free stack trace missing

Memory state around the buggy address:
ffff88814591c080: fb fb fb fb fb fc fc fc fc fc fc fc fc fa fb fb
ffff88814591c100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88814591c180: fb fb fc fc fc fc fc fc fc fc fa fb fb fb fb fb
^
ffff88814591c200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc
ffff88814591c280: fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb fb
==================================================================

Hillf Danton

Oct 20, 2022, 6:50:26 AM
to syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com, t...@kernel.org
On 20 Oct 2022 00:15:40 -0700
> syzbot has found a reproducer for the following issue on:
>
> HEAD commit: 55be6084c8e0 Merge tag 'timers-core-2022-10-05' of git://g..
> git tree: upstream
> console+strace: https://syzkaller.appspot.com/x/log.txt?x=1449d53c880000
> kernel config: https://syzkaller.appspot.com/x/.config?x=df75278aabf0681a
> dashboard link: https://syzkaller.appspot.com/bug?extid=6bc35f3913193fe7f0d3
> compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14e01c72880000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1128908c880000

Serialize the add and remove paths with kernfs_rwsem.

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 55be6084c8e0

--- a/fs/kernfs/dir.c
+++ b/fs/kernfs/dir.c
@@ -715,6 +715,7 @@ err_unlock:
return NULL;
}

+static void __kernfs_activate(struct kernfs_node *);
/**
* kernfs_add_one - add kernfs_node to parent without warning
* @kn: kernfs_node to be added
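Review bot: the forward declaration `static void __kernfs_activate(struct kernfs_node *);` lands directly between the closing brace of the previous function and the kerneldoc block of kernfs_add_one with no blank line on either side, which hides the `/**` header and is against kernel coding style; separate it with blank lines (or group it with any other forward declarations near the top of the file).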
@@ -763,8 +764,6 @@ int kernfs_add_one(struct kernfs_node *k
ps_iattr->ia_mtime = ps_iattr->ia_ctime;
}

- up_write(&root->kernfs_rwsem);
-
/*
* Activate the new node unless CREATE_DEACTIVATED is requested.
* If not activated here, the kernfs user is responsible for
@@ -773,7 +772,9 @@ int kernfs_add_one(struct kernfs_node *k
* trigger deactivation.
*/
if (!(kernfs_root(kn)->flags & KERNFS_ROOT_CREATE_DEACTIVATED))
- kernfs_activate(kn);
+ __kernfs_activate(kn);
+
+ up_write(&root->kernfs_rwsem);
return 0;

out_unlock:
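Review bot: holding kernfs_rwsem for write across the new `__kernfs_activate(kn)` call closes the window between kernfs_add_one() dropping the lock and kernfs_activate() retaking it, which is exactly where both KASAN traces above show `__kernfs_remove` (via usb_disconnect → device_del → sysfs_remove_dir) freeing the node that `class_dir_create_and_add` had just created. It does not explain why a concurrent `kobject_del` is allowed to run against a directory still being added: `__kernfs_remove` drops the node's base reference, so the `kn` that kernfs_create_dir_ns returns to the driver core is stale as soon as this lock is released again, and any later use of it would be the same use-after-free from a different call site. The one-line commit message should say whether this is meant as the fix or as a narrowing of the window, and whether the root cause is in the glue-dir handling in drivers/base/core.c rather than in kernfs.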
@@ -1320,6 +1321,14 @@ static void kernfs_activate_one(struct k
atomic_sub(KN_DEACTIVATED_BIAS, &kn->active);
}

+static void __kernfs_activate(struct kernfs_node *kn)
+{
+ struct kernfs_node *pos = NULL;
+
+ while ((pos = kernfs_next_descendant_post(pos, kn)))
+ kernfs_activate_one(pos);
+}
+
/**
* kernfs_activate - activate a node which started deactivated
* @kn: kernfs_node whose subtree is to be activated
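Review bot: `__kernfs_activate()` is only correct with kernfs_rwsem held for write, but nothing in the new function states or checks that. Add a one-line comment saying so and `lockdep_assert_held_write(&kernfs_root(kn)->kernfs_rwsem);` at the top of the body, so a future caller from outside the lock is caught by lockdep instead of by KASAN.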
@@ -1335,15 +1344,10 @@ static void kernfs_activate_one(struct k
*/
void kernfs_activate(struct kernfs_node *kn)
{
- struct kernfs_node *pos;
struct kernfs_root *root = kernfs_root(kn);

down_write(&root->kernfs_rwsem);
-
- pos = NULL;
- while ((pos = kernfs_next_descendant_post(pos, kn)))
- kernfs_activate_one(pos);
-
+ __kernfs_activate(kn);
up_write(&root->kernfs_rwsem);
}

--

syzbot

Oct 20, 2022, 5:30:24 PM
to hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com, t...@kernel.org
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
SYZFATAL: executor failed NUM times: executor NUM: exit status NUM

2022/10/20 21:28:38 SYZFATAL: executor failed 11 times: executor 0: exit status 67
SYZFAIL: wrong response packet
(errno 16: Device or resource busy)
loop exited with status 67

SYZFAIL: wrong response packet
(errno 16: Device or resource busy)
loop exited with status 67


Tested on:

commit: 55be6084 Merge tag 'timers-core-2022-10-05' of git://g..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=1086ad3c880000
kernel config: https://syzkaller.appspot.com/x/.config?x=df75278aabf0681a
dashboard link: https://syzkaller.appspot.com/bug?extid=6bc35f3913193fe7f0d3
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=1540e4ba880000

Hillf Danton

Oct 20, 2022, 11:24:01 PM
to syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com, t...@kernel.org
On 20 Oct 2022 00:15:40 -0700
> syzbot has found a reproducer for the following issue on:
>
> HEAD commit: 55be6084c8e0 Merge tag 'timers-core-2022-10-05' of git://g..
> git tree: upstream
> console+strace: https://syzkaller.appspot.com/x/log.txt?x=1449d53c880000
> kernel config: https://syzkaller.appspot.com/x/.config?x=df75278aabf0681a
> dashboard link: https://syzkaller.appspot.com/bug?extid=6bc35f3913193fe7f0d3
> compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14e01c72880000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1128908c880000

Serialize the add and remove paths with kernfs_rwsem.

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git aae703b02f92

syzbot

Oct 20, 2022, 11:45:23 PM
to hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com, t...@kernel.org
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

her
[ 5.597695][ T1] NFS: Registering the id_resolver key type
[ 5.599149][ T1] Key type id_resolver registered
[ 5.600622][ T1] Key type id_legacy registered
[ 5.601685][ T1] nfs4filelayout_init: NFSv4 File Layout Driver Registering...
[ 5.602778][ T1] nfs4flexfilelayout_init: NFSv4 Flexfile Layout Driver Registering...
[ 5.611543][ T1] Key type cifs.spnego registered
[ 5.613253][ T1] Key type cifs.idmap registered
[ 5.614650][ T1] ntfs: driver 2.1.32 [Flags: R/W].
[ 5.616739][ T1] ntfs3: Max link count 4000
[ 5.617506][ T1] ntfs3: Enabled Linux POSIX ACLs support
[ 5.618484][ T1] ntfs3: Read-only LZX/Xpress compression included
[ 5.621078][ T1] efs: 1.0a - http://aeschi.ch.eu.org/efs/
[ 5.622255][ T1] jffs2: version 2.2. (NAND) (SUMMARY) © 2001-2006 Red Hat, Inc.
[ 5.626600][ T1] romfs: ROMFS MTD (C) 2007 Red Hat, Inc.
[ 5.628348][ T1] QNX4 filesystem 0.2.3 registered.
[ 5.630193][ T1] qnx6: QNX6 filesystem 1.0.0 registered.
[ 5.632221][ T1] fuse: init (API version 7.37)
[ 5.636288][ T1] orangefs_debugfs_init: called with debug mask: :none: :0:
[ 5.637940][ T1] orangefs_init: module version upstream loaded
[ 5.639824][ T1] JFS: nTxBlock = 8192, nTxLock = 65536
[ 5.653813][ T1] SGI XFS with ACLs, security attributes, realtime, quota, fatal assert, debug enabled
[ 5.666765][ T1] 9p: Installing v9fs 9p2000 file system support
[ 5.669394][ T1] NILFS version 2 loaded
[ 5.670723][ T1] befs: version: 0.9.3
[ 5.672670][ T1] ocfs2: Registered cluster interface o2cb
[ 5.674777][ T1] ocfs2: Registered cluster interface user
[ 5.676600][ T1] OCFS2 User DLM kernel interface loaded
[ 5.687111][ T1] gfs2: GFS2 installed
[ 5.698581][ T1] ceph: loaded (mds proto 32)
[ 5.710024][ T1] NET: Registered PF_ALG protocol family
[ 5.711181][ T1] xor: automatically using best checksumming function avx
[ 5.712855][ T1] async_tx: api initialized (async)
[ 5.714028][ T1] Key type asymmetric registered
[ 5.714899][ T1] Asymmetric key parser 'x509' registered
[ 5.715986][ T1] Asymmetric key parser 'pkcs8' registered
[ 5.716969][ T1] Key type pkcs7_test registered
[ 5.720754][ T1] alg: self-tests for CTR-KDF (hmac(sha256)) passed
[ 5.721886][ T1] Block layer SCSI generic (bsg) driver version 0.4 loaded (major 240)
[ 5.723595][ T1] io scheduler mq-deadline registered
[ 5.725006][ T1] io scheduler kyber registered
[ 5.726238][ T1] io scheduler bfq registered
[ 5.733302][ T1] input: Power Button as /devices/LNXSYSTM:00/LNXPWRBN:00/input/input0
[ 5.760627][ T1] ACPI: button: Power Button [PWRF]
[ 5.763071][ T1] input: Sleep Button as /devices/LNXSYSTM:00/LNXSLPBN:00/input/input1
[ 5.765552][ T1] ACPI: button: Sleep Button [SLPF]
[ 5.785152][ T1] ACPI: \_SB_.LNKC: Enabled at IRQ 11
[ 5.786468][ T1] virtio-pci 0000:00:03.0: virtio_pci: leaving for legacy driver
[ 5.800106][ T1] ACPI: \_SB_.LNKD: Enabled at IRQ 10
[ 5.801283][ T1] virtio-pci 0000:00:04.0: virtio_pci: leaving for legacy driver
[ 5.818083][ T1] ACPI: \_SB_.LNKB: Enabled at IRQ 10
[ 5.819227][ T1] virtio-pci 0000:00:06.0: virtio_pci: leaving for legacy driver
[ 6.139234][ T1] N_HDLC line discipline registered with maxframe=4096
[ 6.143191][ T1] Serial: 8250/16550 driver, 4 ports, IRQ sharing enabled
[ 6.145743][ T1] 00:03: ttyS0 at I/O 0x3f8 (irq = 4, base_baud = 115200) is a 16550A
[ 6.153400][ T1] 00:04: ttyS1 at I/O 0x2f8 (irq = 3, base_baud = 115200) is a 16550A
[ 6.158094][ T1] 00:05: ttyS2 at I/O 0x3e8 (irq = 6, base_baud = 115200) is a 16550A
[ 6.164827][ T1] 00:06: ttyS3 at I/O 0x2e8 (irq = 7, base_baud = 115200) is a 16550A
[ 6.173085][ T1] Non-volatile memory driver v1.3
[ 6.191613][ T1] Linux agpgart interface v0.103
[ 6.194194][ T1] ACPI: bus type drm_connector registered
[ 6.199163][ T1] [drm] Initialized vgem 1.0.0 20120112 for vgem on minor 0
[ 6.204590][ T1] [drm] Initialized vkms 1.0.0 20180514 for vkms on minor 1
[ 6.264084][ T1] Console: switching to colour frame buffer device 128x48
[ 6.281271][ T1] platform vkms: [drm] fb0: vkmsdrmfb frame buffer device
[ 6.282951][ T1] usbcore: registered new interface driver udl
[ 6.331971][ T1] brd: module loaded
[ 6.381966][ T1] loop: module loaded
[ 6.450450][ T1] zram: Added device: zram0
[ 6.456807][ T1] null_blk: disk nullb0 created
[ 6.457559][ T1] null_blk: module loaded
[ 6.458703][ T1] Guest personality initialized and is inactive
[ 6.460362][ T1] VMCI host device registered (name=vmci, major=10, minor=119)
[ 6.461772][ T1] Initialized host personality
[ 6.463064][ T1] usbcore: registered new interface driver rtsx_usb
[ 6.464912][ T1] usbcore: registered new interface driver viperboard
[ 6.466543][ T1] usbcore: registered new interface driver dln2
[ 6.468098][ T1] usbcore: registered new interface driver pn533_usb
[ 6.472749][ T1] nfcsim 0.2 initialized
[ 6.473704][ T1] usbcore: registered new interface driver port100
[ 6.475083][ T1] usbcore: registered new interface driver nfcmrvl
[ 6.478962][ T1] Loading iSCSI transport class v2.0-870.
[ 6.507427][ T1] scsi host0: Virtio SCSI HBA
[ 6.546621][ T1] st: Version 20160209, fixed bufsize 32768, s/g segs 256
[ 6.549977][ T91] scsi 0:0:1:0: Direct-Access Google PersistentDisk 1 PQ: 0 ANSI: 6
[ 6.577518][ T1] Rounding down aligned max_sectors from 4294967295 to 4294967288
[ 6.579716][ T1] db_root: cannot open: /etc/target
[ 6.581597][ T1] slram: not enough parameters.
[ 6.589382][ T1] ftl_cs: FTL header not found.
[ 6.626146][ T1] wireguard: WireGuard 1.0.0 loaded. See www.wireguard.com for information.
[ 6.627700][ T1] wireguard: Copyright (C) 2015-2019 Jason A. Donenfeld <Ja...@zx2c4.com>. All Rights Reserved.
[ 6.637162][ T1] eql: Equalizer2002: Simon Janes (si...@ncm.com) and David S. Miller (da...@redhat.com)
[ 6.647509][ T1] MACsec IEEE 802.1AE
[ 6.657940][ T1] tun: Universal TUN/TAP device driver, 1.6
[ 6.715241][ T1] ------------[ cut here ]------------
[ 6.716632][ T1] WARNING: CPU: 0 PID: 1 at include/linux/cpumask.h:110 __netif_set_xps_queue+0x88e/0x1f30
[ 6.718427][ T1] Modules linked in:
[ 6.719252][ T1] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.1.0-rc1-syzkaller-00025-gaae703b02f92-dirty #0
[ 6.721441][ T1] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/11/2022
[ 6.723065][ T1] RIP: 0010:__netif_set_xps_queue+0x88e/0x1f30
[ 6.724387][ T1] Code: fa 48 c7 c2 a0 a8 f4 8a be 2e 0a 00 00 48 c7 c7 40 a7 f4 8a c6 05 a2 69 74 06 01 e8 f2 e3 f1 01 e9 ef fd ff ff e8 e2 ae 24 fa <0f> 0b e9 8e fa ff ff 8b 6c 24 38 e8 d2 ae 24 fa 49 8d 7c 24 04 48
[ 6.727854][ T1] RSP: 0018:ffffc90000067898 EFLAGS: 00010293
[ 6.728833][ T1] RAX: 0000000000000000 RBX: 0000000000000002 RCX: 0000000000000000
[ 6.731435][ T1] RDX: ffff88813fe50000 RSI: ffffffff8757dc0e RDI: 0000000000000004
[ 6.734156][ T1] RBP: 0000000000000002 R08: 0000000000000004 R09: 0000000000000002
[ 6.735691][ T1] R10: 0000000000000002 R11: 000000000008c07e R12: ffff88801fb48680
[ 6.737253][ T1] R13: 0000000000000003 R14: ffff88801fb48698 R15: 0000000000000002
[ 6.738658][ T1] FS: 0000000000000000(0000) GS:ffff8880b9a00000(0000) knlGS:0000000000000000
[ 6.740493][ T1] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 6.741783][ T1] CR2: ffff88823ffff000 CR3: 000000000bc8e000 CR4: 0000000000350ef0
[ 6.743162][ T1] Call Trace:
[ 6.744268][ T1] <TASK>
[ 6.744948][ T1] ? vp_bus_name+0xc0/0xc0
[ 6.745802][ T1] virtnet_set_affinity+0x4f0/0x750
[ 6.746726][ T1] ? skb_recv_done+0x120/0x120
[ 6.747533][ T1] virtnet_probe+0x12ae/0x31e0
[ 6.748436][ T1] ? virtnet_find_vqs+0xc30/0xc30
[ 6.749270][ T1] virtio_dev_probe+0x577/0x870
[ 6.750252][ T1] ? virtio_features_ok+0x1e0/0x1e0
[ 6.751234][ T1] really_probe+0x249/0xb90
[ 6.752007][ T1] __driver_probe_device+0x1df/0x4d0
[ 6.752884][ T1] driver_probe_device+0x4c/0x1a0
[ 6.753955][ T1] __driver_attach+0x1d0/0x550
[ 6.754899][ T1] ? __device_attach_driver+0x2e0/0x2e0
[ 6.756222][ T1] bus_for_each_dev+0x147/0x1d0
[ 6.756970][ T1] ? subsys_dev_iter_exit+0x20/0x20
[ 6.758183][ T1] bus_add_driver+0x4c9/0x640
[ 6.759241][ T1] driver_register+0x220/0x3a0
[ 6.760270][ T1] ? veth_init+0x11/0x11
[ 6.761196][ T1] virtio_net_driver_init+0x93/0xd2
[ 6.762104][ T1] do_one_initcall+0x13d/0x780
[ 6.763172][ T1] ? trace_event_raw_event_initcall_level+0x1f0/0x1f0
[ 6.764469][ T1] ? parameq+0x140/0x170
[ 6.765271][ T1] kernel_init_freeable+0x6ff/0x788
[ 6.766089][ T1] ? rest_init+0x270/0x270
[ 6.766807][ T1] kernel_init+0x1a/0x1d0
[ 6.767976][ T1] ? rest_init+0x270/0x270
[ 6.768818][ T1] ret_from_fork+0x1f/0x30
[ 6.770003][ T1] </TASK>
[ 6.770460][ T1] Kernel panic - not syncing: panic_on_warn set ...
[ 6.771442][ T1] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.1.0-rc1-syzkaller-00025-gaae703b02f92-dirty #0
[ 6.773956][ T1] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/11/2022
[ 6.776134][ T1] Call Trace:
[ 6.776861][ T1] <TASK>
[ 6.777450][ T1] dump_stack_lvl+0xcd/0x134
[ 6.779001][ T1] panic+0x2c8/0x622
[ 6.779782][ T1] ? panic_print_sys_info.part.0+0x110/0x110
[ 6.781025][ T34] sd 0:0:1:0: [sda] 4194304 512-byte logical blocks: (2.15 GB/2.00 GiB)
[ 6.781062][ T34] sd 0:0:1:0: [sda] 4096-byte physical blocks
[ 6.781197][ T34] sd 0:0:1:0: [sda] Write Protect is off
[ 6.781220][ T34] sd 0:0:1:0: [sda] Mode Sense: 1f 00 00 08
[ 6.781450][ T34] sd 0:0:1:0: [sda] Write cache: enabled, read cache: enabled, doesn't support DPO or FUA
[ 6.787778][ T1] ? __warn.cold+0x24b/0x350
[ 6.789536][ T91] sd 0:0:1:0: Attached scsi generic sg0 type 0
[ 6.790433][ T1] ? __netif_set_xps_queue+0x88e/0x1f30
[ 6.790433][ T1] __warn.cold+0x25c/0x350
[ 6.790433][ T1] ? __netif_set_xps_queue+0x88e/0x1f30
[ 6.790433][ T1] report_bug+0x1bc/0x210
[ 6.790433][ T1] handle_bug+0x3c/0x70
[ 6.794504][ T34] sda: sda1
[ 6.795927][ T34] sd 0:0:1:0: [sda] Attached SCSI disk
[ 6.790433][ T1] exc_invalid_op+0x14/0x40
[ 6.790433][ T1] asm_exc_invalid_op+0x16/0x20
[ 6.799643][ T1] RIP: 0010:__netif_set_xps_queue+0x88e/0x1f30
[ 6.799643][ T1] Code: fa 48 c7 c2 a0 a8 f4 8a be 2e 0a 00 00 48 c7 c7 40 a7 f4 8a c6 05 a2 69 74 06 01 e8 f2 e3 f1 01 e9 ef fd ff ff e8 e2 ae 24 fa <0f> 0b e9 8e fa ff ff 8b 6c 24 38 e8 d2 ae 24 fa 49 8d 7c 24 04 48
[ 6.799643][ T1] RSP: 0018:ffffc90000067898 EFLAGS: 00010293
[ 6.799643][ T1] RAX: 0000000000000000 RBX: 0000000000000002 RCX: 0000000000000000
[ 6.799643][ T1] RDX: ffff88813fe50000 RSI: ffffffff8757dc0e RDI: 0000000000000004
[ 6.799643][ T1] RBP: 0000000000000002 R08: 0000000000000004 R09: 0000000000000002
[ 6.799643][ T1] R10: 0000000000000002 R11: 000000000008c07e R12: ffff88801fb48680
[ 6.799643][ T1] R13: 0000000000000003 R14: ffff88801fb48698 R15: 0000000000000002
[ 6.799643][ T1] ? __netif_set_xps_queue+0x88e/0x1f30
[ 6.799643][ T1] ? __netif_set_xps_queue+0x88e/0x1f30
[ 6.799643][ T1] ? vp_bus_name+0xc0/0xc0
[ 6.799643][ T1] virtnet_set_affinity+0x4f0/0x750
[ 6.799643][ T1] ? skb_recv_done+0x120/0x120
[ 6.799643][ T1] virtnet_probe+0x12ae/0x31e0
[ 6.799643][ T1] ? virtnet_find_vqs+0xc30/0xc30
[ 6.799643][ T1] virtio_dev_probe+0x577/0x870
[ 6.799643][ T1] ? virtio_features_ok+0x1e0/0x1e0
[ 6.799643][ T1] really_probe+0x249/0xb90
[ 6.799643][ T1] __driver_probe_device+0x1df/0x4d0
[ 6.799643][ T1] driver_probe_device+0x4c/0x1a0
[ 6.799643][ T1] __driver_attach+0x1d0/0x550
[ 6.799643][ T1] ? __device_attach_driver+0x2e0/0x2e0
[ 6.799643][ T1] bus_for_each_dev+0x147/0x1d0
[ 6.799643][ T1] ? subsys_dev_iter_exit+0x20/0x20
[ 6.799643][ T1] bus_add_driver+0x4c9/0x640
[ 6.799643][ T1] driver_register+0x220/0x3a0
[ 6.799643][ T1] ? veth_init+0x11/0x11
[ 6.829623][ T1] virtio_net_driver_init+0x93/0xd2
[ 6.829623][ T1] do_one_initcall+0x13d/0x780
[ 6.829623][ T1] ? trace_event_raw_event_initcall_level+0x1f0/0x1f0
[ 6.829623][ T1] ? parameq+0x140/0x170
[ 6.829623][ T1] kernel_init_freeable+0x6ff/0x788
[ 6.829623][ T1] ? rest_init+0x270/0x270
[ 6.829623][ T1] kernel_init+0x1a/0x1d0
[ 6.829623][ T1] ? rest_init+0x270/0x270
[ 6.829623][ T1] ret_from_fork+0x1f/0x30
[ 6.829623][ T1] </TASK>
[ 6.829623][ T1] Kernel Offset: disabled
[ 6.829623][ T1] Rebooting in 86400 seconds..


syzkaller build log:
go env (err=<nil>)
GO111MODULE="auto"
GOARCH="amd64"
GOBIN=""
GOCACHE="/syzkaller/.cache/go-build"
GOENV="/syzkaller/.config/go/env"
GOEXE=""
GOEXPERIMENT=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOINSECURE=""
GOMODCACHE="/syzkaller/jobs/linux/gopath/pkg/mod"
GONOPROXY=""
GONOSUMDB=""
GOOS="linux"
GOPATH="/syzkaller/jobs/linux/gopath"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/usr/local/go"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/usr/local/go/pkg/tool/linux_amd64"
GOVCS=""
GOVERSION="go1.17"
GCCGO="gccgo"
AR="ar"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD="/syzkaller/jobs/linux/gopath/src/github.com/google/syzkaller/go.mod"
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build2307492022=/tmp/go-build -gno-record-gcc-switches"

git status (err=<nil>)
HEAD detached at b31320fc8
nothing to commit, working tree clean


tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:32: run command via tools/syz-env for best compatibility, see:
Makefile:33: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
go list -f '{{.Stale}}' ./sys/syz-sysgen | grep -q false || go install ./sys/syz-sysgen
make .descriptions
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
bin/syz-sysgen
touch .descriptions
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=b31320fc8f3519e40494f64ebf77c13d16284bfd -X 'github.com/google/syzkaller/prog.gitRevisionDate=20221018-073740'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-fuzzer github.com/google/syzkaller/syz-fuzzer
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=b31320fc8f3519e40494f64ebf77c13d16284bfd -X 'github.com/google/syzkaller/prog.gitRevisionDate=20221018-073740'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=b31320fc8f3519e40494f64ebf77c13d16284bfd -X 'github.com/google/syzkaller/prog.gitRevisionDate=20221018-073740'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-stress github.com/google/syzkaller/tools/syz-stress
mkdir -p ./bin/linux_amd64
gcc -o ./bin/linux_amd64/syz-executor executor/executor.cc \
-m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -static-pie -fpermissive -w -DGOOS_linux=1 -DGOARCH_amd64=1 \
-DHOSTGOOS_linux=1 -DGIT_REVISION=\"b31320fc8f3519e40494f64ebf77c13d16284bfd\"


Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=16f2e14a880000


Tested on:

commit: aae703b0 Merge tag 'for-6.1-rc1-tag' of git://git.kern..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel config: https://syzkaller.appspot.com/x/.config?x=ea03ca45176080bc
dashboard link: https://syzkaller.appspot.com/bug?extid=6bc35f3913193fe7f0d3
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=135783e6880000

Hillf Danton

Oct 21, 2022, 3:13:27 AM10/21/22
to syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com, t...@kernel.org
On 20 Oct 2022 00:15:40 -0700
> syzbot has found a reproducer for the following issue on:
>
> HEAD commit: 55be6084c8e0 Merge tag 'timers-core-2022-10-05' of git://g..
> git tree: upstream
> console+strace: https://syzkaller.appspot.com/x/log.txt?x=1449d53c880000
> kernel config: https://syzkaller.appspot.com/x/.config?x=df75278aabf0681a
> dashboard link: https://syzkaller.appspot.com/bug?extid=6bc35f3913193fe7f0d3
> compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14e01c72880000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1128908c880000

Serialize the add and remove paths with kernfs_rwsem.

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git aae703b02f92

--- a/include/linux/netdevice.h
+++ b/include/linux/netdevice.h
@@ -3663,8 +3663,9 @@ static inline bool netif_attr_test_online(unsigned long j,
static inline unsigned int netif_attrmask_next(int n, const unsigned long *srcp,
unsigned int nr_bits)
{
- /* n is a prior cpu */
- cpu_max_bits_warn(n + 1, nr_bits);
+ /* -1 is a legal arg here. */
+ if (n != -1)
+ cpu_max_bits_warn(n, nr_bits);

if (srcp)
return find_next_bit(srcp, nr_bits, n + 1);
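Review bot: the replacement check in netif_attrmask_next() is looser than the one it removes, not merely tolerant of -1: `cpu_max_bits_warn(n + 1, nr_bits)` fired for n == nr_bits - 1, whereas `cpu_max_bits_warn(n, nr_bits)` guarded by `if (n != -1)` does not, so the WARN seen at `__netif_set_xps_queue+0x88e` in the boot log above is silenced rather than explained. The guard itself is needed only because the first parameter of cpu_max_bits_warn() is unsigned and a bare -1 would warn; say so in the comment, and justify in the commit message why n == nr_bits - 1 is a valid prior CPU here.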
@@ -3685,8 +3686,9 @@ static inline int netif_attrmask_next_and(int n, const unsigned long *src1p,
const unsigned long *src2p,
unsigned int nr_bits)
{
- /* n is a prior cpu */
- cpu_max_bits_warn(n + 1, nr_bits);
+ /* -1 is a legal arg here. */
+ if (n != -1)
+ cpu_max_bits_warn(n, nr_bits);

if (src1p && src2p)
return find_next_and_bit(src1p, src2p, nr_bits, n + 1);
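Review bot: this hunk repeats the first one verbatim in netif_attrmask_next_and(); a small shared inline helper (or one comment explaining the -1 convention in one place) would avoid the two copies drifting. More importantly, neither hunk touches kernfs or the firmware loader: the cover line "Serialize the add and remove paths with kernfs_rwsem" describes a change that is not in this diff, so the syzbot result below says nothing about kernfs_rwsem.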

syzbot

Oct 21, 2022, 3:29:23 AM10/21/22
to hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com, t...@kernel.org
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING in firmware_fallback_sysfs

------------[ cut here ]------------
sysfs group 'power' not found for kobject 'ueagle-atm!eagleI.fw'
WARNING: CPU: 1 PID: 4102 at fs/sysfs/group.c:278 sysfs_remove_group+0x126/0x170 fs/sysfs/group.c:278
Modules linked in:

CPU: 1 PID: 4102 Comm: kworker/1:5 Not tainted 6.1.0-rc1-syzkaller-00025-gaae703b02f92-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/11/2022
Workqueue: events request_firmware_work_func

RIP: 0010:sysfs_remove_group+0x126/0x170 fs/sysfs/group.c:278
Code: 48 89 d9 49 8b 14 24 48 b8 00 00 00 00 00 fc ff df 48 c1 e9 03 80 3c 01 00 75 37 48 8b 33 48 c7 c7 80 bb ff 89 e8 86 43 4a 07 <0f> 0b eb 98 e8 61 b7 c9 ff e9 01 ff ff ff 48 89 df e8 54 b7 c9 ff
RSP: 0018:ffffc90009d479b8 EFLAGS: 00010282

RAX: 0000000000000000 RBX: ffffffff8a62c000 RCX: 0000000000000000
RDX: ffff888024043a80 RSI: ffffffff81620a28 RDI: fffff520013a8f29
RBP: 0000000000000000 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000080000000 R11: 63656a626f6b2072 R12: ffff88823bdf8808
R13: ffffffff8a62c5a0 R14: 0000000000000000 R15: ffff88823bdf8808
FS: 0000000000000000(0000) GS:ffff8880b9b00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fc1febad0b0 CR3: 00000000747ce000 CR4: 0000000000350ee0
Call Trace:
<TASK>
dpm_sysfs_remove+0x97/0xb0 drivers/base/power/sysfs.c:837
device_del+0x20b/0xc80 drivers/base/core.c:3681
fw_load_sysfs_fallback drivers/base/firmware_loader/fallback.c:120 [inline]
fw_load_from_user_helper drivers/base/firmware_loader/fallback.c:158 [inline]
firmware_fallback_sysfs+0x5b7/0xba0 drivers/base/firmware_loader/fallback.c:234
_request_firmware+0xbca/0x1190 drivers/base/firmware_loader/main.c:856
request_firmware_work_func+0xdd/0x230 drivers/base/firmware_loader/main.c:1105
process_one_work+0x9bf/0x1710 kernel/workqueue.c:2289
worker_thread+0x665/0x1080 kernel/workqueue.c:2436
kthread+0x2e4/0x3a0 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306
</TASK>


Tested on:

commit: aae703b0 Merge tag 'for-6.1-rc1-tag' of git://git.kern..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=16f4dd0c880000
kernel config: https://syzkaller.appspot.com/x/.config?x=ea03ca45176080bc
dashboard link: https://syzkaller.appspot.com/bug?extid=6bc35f3913193fe7f0d3
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=136e3036880000

Hillf Danton

Oct 21, 2022, 5:26:40 AM10/21/22
to syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com, t...@kernel.org
On 20 Oct 2022 00:15:40 -0700
> syzbot has found a reproducer for the following issue on:
>
> HEAD commit: 55be6084c8e0 Merge tag 'timers-core-2022-10-05' of git://g..
> git tree: upstream
> console+strace: https://syzkaller.appspot.com/x/log.txt?x=1449d53c880000
> kernel config: https://syzkaller.appspot.com/x/.config?x=df75278aabf0681a
> dashboard link: https://syzkaller.appspot.com/bug?extid=6bc35f3913193fe7f0d3
> compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14e01c72880000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1128908c880000

--- a/drivers/base/core.c
+++ b/drivers/base/core.c
@@ -3664,7 +3664,10 @@ void device_del(struct device *dev)
unsigned int noio_flag;

device_lock(dev);
- kill_device(dev);
+ if (kill_device(dev) == false) {
+ device_unlock(dev);
+ return;
+ }
device_unlock(dev);

if (dev->fwnode && dev->fwnode->dev == dev)
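Review bot: returning early from device_del() when kill_device() reports the device already dead changes the function's contract silently: a second caller now skips the rest of teardown (dpm_sysfs_remove(), bus and kobject removal), and nothing explains which two callers are expected to race on the firmware fallback device. Kernel style also prefers `if (!kill_device(dev))` over `== false`. The syzbot run that follows still hits the same "sysfs group 'power' not found" warning from device_del+0x223, so the reproducer does not take the new early-return path at all.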
--

syzbot

Oct 21, 2022, 5:44:23 AM10/21/22
to hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com, t...@kernel.org
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING in firmware_fallback_sysfs

------------[ cut here ]------------
sysfs group 'power' not found for kobject 'ueagle-atm!eagleI.fw'
WARNING: CPU: 1 PID: 144 at fs/sysfs/group.c:278 sysfs_remove_group+0x126/0x170 fs/sysfs/group.c:278
Modules linked in:

CPU: 1 PID: 144 Comm: kworker/1:2 Not tainted 6.1.0-rc1-syzkaller-00025-gaae703b02f92-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/11/2022
Workqueue: events request_firmware_work_func

RIP: 0010:sysfs_remove_group+0x126/0x170 fs/sysfs/group.c:278
Code: 48 89 d9 49 8b 14 24 48 b8 00 00 00 00 00 fc ff df 48 c1 e9 03 80 3c 01 00 75 37 48 8b 33 48 c7 c7 80 bb ff 89 e8 86 43 4a 07 <0f> 0b eb 98 e8 61 b7 c9 ff e9 01 ff ff ff 48 89 df e8 54 b7 c9 ff
RSP: 0018:ffffc90002d8f9b8 EFLAGS: 00010282

RAX: 0000000000000000 RBX: ffffffff8a62c000 RCX: 0000000000000000
RDX: ffff88801b998000 RSI: ffffffff81620a28 RDI: fffff520005b1f29
RBP: 0000000000000000 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000080000000 R11: 63656a626f6b2072 R12: ffff88801bbc3008
R13: ffffffff8a62c5a0 R14: 0000000000000000 R15: ffff88801bbc3008
FS: 0000000000000000(0000) GS:ffff8880b9b00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f475bfad0b0 CR3: 000000007340b000 CR4: 0000000000350ee0
Call Trace:
<TASK>
dpm_sysfs_remove+0x97/0xb0 drivers/base/power/sysfs.c:837
device_del+0x223/0xcb0 drivers/base/core.c:3684
fw_load_sysfs_fallback drivers/base/firmware_loader/fallback.c:120 [inline]
fw_load_from_user_helper drivers/base/firmware_loader/fallback.c:158 [inline]
firmware_fallback_sysfs+0x5b7/0xba0 drivers/base/firmware_loader/fallback.c:234
_request_firmware+0xbca/0x1190 drivers/base/firmware_loader/main.c:856
request_firmware_work_func+0xdd/0x230 drivers/base/firmware_loader/main.c:1105
process_one_work+0x9bf/0x1710 kernel/workqueue.c:2289
worker_thread+0x665/0x1080 kernel/workqueue.c:2436
kthread+0x2e4/0x3a0 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306
</TASK>


Tested on:

commit: aae703b0 Merge tag 'for-6.1-rc1-tag' of git://git.kern..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=145588b4880000
kernel config: https://syzkaller.appspot.com/x/.config?x=ea03ca45176080bc
dashboard link: https://syzkaller.appspot.com/bug?extid=6bc35f3913193fe7f0d3
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=157a759a880000

Hillf Danton

Oct 21, 2022, 9:35:44 AM10/21/22
to syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com, t...@kernel.org
On 20 Oct 2022 00:15:40 -0700
> syzbot has found a reproducer for the following issue on:
>
> HEAD commit: 55be6084c8e0 Merge tag 'timers-core-2022-10-05' of git://g..
> git tree: upstream
> console+strace: https://syzkaller.appspot.com/x/log.txt?x=1449d53c880000
> kernel config: https://syzkaller.appspot.com/x/.config?x=df75278aabf0681a
> dashboard link: https://syzkaller.appspot.com/bug?extid=6bc35f3913193fe7f0d3
> compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14e01c72880000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1128908c880000

--- a/drivers/usb/atm/ueagle-atm.c
+++ b/drivers/usb/atm/ueagle-atm.c
@@ -597,9 +597,8 @@ static int uea_send_modem_cmd(struct usb
}

static void uea_upload_pre_firmware(const struct firmware *fw_entry,
- void *context)
+ struct usb_device *usb)
{
- struct usb_device *usb = context;
const u8 *pfw;
u8 value;
u32 crc = 0;
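Review bot: changing the second parameter from `void *context` to `struct usb_device *usb` means uea_upload_pre_firmware() no longer matches the `cont` prototype of request_firmware_nowait(); that is only safe if nothing else still passes it as a callback, and the hunk does not show whether any forward declaration or other reference in ueagle-atm.c was updated to the new signature.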
@@ -679,6 +678,7 @@ static int uea_load_firmware(struct usb_
{
int ret;
char *fw_name = EAGLE_FIRMWARE;
+ const struct firmware *fw;

uea_enters(usb);
uea_info(usb, "pre-firmware device, uploading firmware\n");
@@ -701,13 +701,13 @@ static int uea_load_firmware(struct usb_
break;
}

- ret = request_firmware_nowait(THIS_MODULE, 1, fw_name, &usb->dev,
- GFP_KERNEL, usb,
- uea_upload_pre_firmware);
+ ret = request_firmware(&fw, fw_name, &usb->dev);
if (ret)
uea_err(usb, "firmware %s is not available\n", fw_name);
- else
+ else {
uea_info(usb, "loading firmware %s\n", fw_name);
+ uea_upload_pre_firmware(fw, usb);
+ }

uea_leaves(usb);
return ret;
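Review bot: the visible lines never call release_firmware(fw) after uea_upload_pre_firmware(fw, usb) returns; the asynchronous callback was previously responsible for the image it was handed, so unless uea_upload_pre_firmware() still releases it internally this path now leaks the firmware. Two further points: request_firmware() blocks the USB probe path, including the sysfs fallback wait when the file is absent (the "Direct firmware load ... failed" case in the report), and with `if (ret) uea_err(...); else { ... }` kernel style wants braces on both arms.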
--

syzbot

Oct 21, 2022, 9:59:26 AM10/21/22
to hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com, t...@kernel.org
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+6bc35f...@syzkaller.appspotmail.com

Tested on:

commit: aae703b0 Merge tag 'for-6.1-rc1-tag' of git://git.kern..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=16261486880000
kernel config: https://syzkaller.appspot.com/x/.config?x=ea03ca45176080bc
dashboard link: https://syzkaller.appspot.com/bug?extid=6bc35f3913193fe7f0d3
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=1103ce4a880000

Note: testing is done by a robot and is best-effort only.

Hillf Danton

Oct 21, 2022, 6:52:48 PM10/21/22
to syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com, t...@kernel.org
On 20 Oct 2022 00:15:40 -0700
> syzbot has found a reproducer for the following issue on:
>
> HEAD commit: 55be6084c8e0 Merge tag 'timers-core-2022-10-05' of git://g..
> git tree: upstream
> console+strace: https://syzkaller.appspot.com/x/log.txt?x=1449d53c880000
> kernel config: https://syzkaller.appspot.com/x/.config?x=df75278aabf0681a
> dashboard link: https://syzkaller.appspot.com/bug?extid=6bc35f3913193fe7f0d3
> compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14e01c72880000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1128908c880000

See if the change to ueagle driver alone can survive syzbot test.

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git aae703b02f92

--- a/include/linux/netdevice.h
+++ b/include/linux/netdevice.h
@@ -3663,8 +3663,9 @@ static inline bool netif_attr_test_online(unsigned long j,
static inline unsigned int netif_attrmask_next(int n, const unsigned long *srcp,
unsigned int nr_bits)
{
- /* n is a prior cpu */
- cpu_max_bits_warn(n + 1, nr_bits);
+ /* -1 is a legal arg here. */
+ if (n != -1)
+ cpu_max_bits_warn(n, nr_bits);

if (srcp)
return find_next_bit(srcp, nr_bits, n + 1);
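Review bot: the message says "See if the change to ueagle driver alone can survive syzbot test", but the diff attached here is the include/linux/netdevice.h change from the first test request, identical line for line; the drivers/usb/atm/ueagle-atm.c hunks are not in this submission, so the result that follows does not test what the message claims.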
@@ -3685,8 +3686,9 @@ static inline int netif_attrmask_next_and(int n, const unsigned long *src1p,
const unsigned long *src2p,
unsigned int nr_bits)
{
- /* n is a prior cpu */
- cpu_max_bits_warn(n + 1, nr_bits);
+ /* -1 is a legal arg here. */
+ if (n != -1)
+ cpu_max_bits_warn(n, nr_bits);

if (src1p && src2p)
return find_next_and_bit(src1p, src2p, nr_bits, n + 1);

syzbot

Oct 22, 2022, 2:55:26 AM10/22/22
to hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com, t...@kernel.org
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+6bc35f...@syzkaller.appspotmail.com

Tested on:

commit: aae703b0 Merge tag 'for-6.1-rc1-tag' of git://git.kern..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=17242776880000
kernel config: https://syzkaller.appspot.com/x/.config?x=ea03ca45176080bc
dashboard link: https://syzkaller.appspot.com/bug?extid=6bc35f3913193fe7f0d3
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=1223c16a880000

Tejun Heo

Oct 31, 2022, 6:53:04 PM10/31/22
to Hillf Danton, syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com, Luis R. Rodriguez
(cc'ing Luis for firmware loader and quoting the whole body)
So, the problem is that while request_firmware_nowait() inc's the ref on the
device, if the device gets removed later, having a ref isn't sufficient for
adding stuff to the device. A relatively easy solution would be putting
these firmware load work items into its own workqueue and flushing it on
device removal path. Luis, what do you think?

Thanks.

--
tejun

Luis Chamberlain

Nov 14, 2022, 12:34:36 PM11/14/22
to Tejun Heo, Matthieu Castet, Stanislaw Gruszka, dmitry....@gmail.com, ming...@redhat.com, Hillf Danton, syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com, mcg...@kernel.org
Since we *can* remove a device after we get a module reference and
since fw_cache_is_setup() tries to use the device before get_device()
(even though this is not the issue reported), I think perhaps the fix
below may be generic and best. It would seem this. After doing this, I considered simply
removing the try_module_get() but a module which is not responsible for
creating a device is allowed to request firmware for an arbitrary
device, and so that simplification should not be possible. This would
fix 0cfc1e1e7b534 ("firmware loader: fix device lifetime") since v3.7
but as that commit mentions, there were issues even prior to this get_device()
and so this fix is the proper solution to the reported issue in that
commit. This issue would then date back to f8a4bd3456b98 ("firmware
loader: embed device into firmware_priv structure") since v2.6.36.

Please re-test and let me know if this fixes the issue reported.

diff --git a/drivers/base/firmware_loader/main.c b/drivers/base/firmware_loader/main.c
index 7c3590fd97c2..177d5767ad3b 100644
--- a/drivers/base/firmware_loader/main.c
+++ b/drivers/base/firmware_loader/main.c
@@ -1141,18 +1141,20 @@ request_firmware_nowait(
const char *name, struct device *device, gfp_t gfp, void *context,
void (*cont)(const struct firmware *fw, void *context))
{
+ int err = -ENOMEM;
struct firmware_work *fw_work;

+ if (get_device(device))
+ return -ENODEV;
+
fw_work = kzalloc(sizeof(struct firmware_work), gfp);
if (!fw_work)
- return -ENOMEM;
+ goto err_out;

fw_work->module = module;
fw_work->name = kstrdup_const(name, gfp);
- if (!fw_work->name) {
- kfree(fw_work);
- return -ENOMEM;
- }
+ if (!fw_work->name)
+ goto err_out_free_work;
fw_work->device = device;
fw_work->context = context;
fw_work->cont = cont;
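Review bot: the new check is inverted: get_device() returns the device pointer on success and NULL only when handed NULL, so `if (get_device(device)) return -ENODEV;` fails every valid call and also leaks the reference it just took. It should read `if (!get_device(device))`. Even corrected, the test only catches a NULL device, not one that device_del() has already removed, so it does not address the use-after-free in this report.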
@@ -1160,21 +1162,26 @@ request_firmware_nowait(
(uevent ? FW_OPT_UEVENT : FW_OPT_USERHELPER);

if (!uevent && fw_cache_is_setup(device, name)) {
- kfree_const(fw_work->name);
- kfree(fw_work);
- return -EOPNOTSUPP;
+ err = -EOPNOTSUPP;
+ goto err_out_free_name;
}

if (!try_module_get(module)) {
- kfree_const(fw_work->name);
- kfree(fw_work);
- return -EFAULT;
+ err = -EFAULT;
+ goto err_out_free_name;
}

- get_device(fw_work->device);
INIT_WORK(&fw_work->work, request_firmware_work_func);
schedule_work(&fw_work->work);
return 0;
+
+err_out_free_name:
+ kfree_const(fw_work->name);
+err_out_free_work:
+ kfree(fw_work);
+err_out:
+ put_device(device);
+ return err;
}
EXPORT_SYMBOL(request_firmware_nowait);
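Review bot: the unified error path is an improvement, but `err_out` now does put_device() for the kzalloc failure that previously returned -ENOMEM without touching the device; that is only correct because get_device() was moved ahead of the allocation in the first hunk, and the commit message should state that ordering dependency. The `fw_cache_is_setup()` and `try_module_get()` failures now also drop the device reference via the same label, which is right, but it is worth one comment above `err_out_free_name:` saying the three labels must stay in that order.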

Dmitry Torokhov

Nov 14, 2022, 1:07:08 PM11/14/22
to Luis Chamberlain, Tejun Heo, Matthieu Castet, Stanislaw Gruszka, ming...@redhat.com, Hillf Danton, syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com
I do not see how moving the point where we acquire device refcount
around fixes anything. Caller of request_firmware_nowait() is supposed
to have a valid reference to device object and it is supposed to stay
valid for the entire duration of request_firmware_nowait(). Grabbing
and extra reference only matters if the device (or other refcounted
structure) is being passed to another thread of execution.

I think what Tejun is saying is the only way to fix this. Similarly to
work struct, where users are supposed to call cancel_work_sync() during
teardown, users of request_firmware_nowait() need to wait for it to
complete before continuing with tearing down the instance. See for
example ims-pcu driver where it tries to request firmware asynchronously
when it finds the device in bootloader mode, and is waiting for it
completion when handling device disconnect:

https://elixir.bootlin.com/linux/v6.1-rc3/source/drivers/input/misc/ims-pcu.c#L1978

Thanks.

--
Dmitry
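
The lifetime rule Tejun and Dmitry describe above (a reference on the device does not keep it usable; the driver must wait for the asynchronous callback before teardown), as an added userspace model that is not code from this thread or from the kernel. The names fake_device, fw_request_nowait, run_scenario and the completion helpers are constructed for the model.

```c
/* Added example (not code from this thread or the kernel): a userspace model
 * of the rule Tejun and Dmitry describe above. fake_device, fw_request_nowait,
 * run_scenario and the completion helpers are names constructed for it. */
#include <pthread.h>
#include <stdbool.h>
#include <string.h>

/* Stand-in for struct completion: done flag guarded by a mutex and condvar. */
struct completion {
	pthread_mutex_t lock;
	pthread_cond_t cond;
	bool done;
};

static void init_completion(struct completion *c) {
	pthread_mutex_init(&c->lock, NULL);
	pthread_cond_init(&c->cond, NULL);
	c->done = false;
}

static void complete(struct completion *c) {
	pthread_mutex_lock(&c->lock);
	c->done = true;
	pthread_cond_broadcast(&c->cond);
	pthread_mutex_unlock(&c->lock);
}

static void wait_for_completion(struct completion *c) {
	pthread_mutex_lock(&c->lock);
	while (!c->done)
		pthread_cond_wait(&c->cond, &c->lock);
	pthread_mutex_unlock(&c->lock);
}

/* Stand-in for struct device: a refcount plus the "dead" state that
 * device_del() sets. Adding sysfs entries is only valid while !dead. */
struct fake_device {
	int refcount;
	bool dead;
	int added_after_del;       /* entries created on a removed device */
	struct completion fw_done; /* what an ims-pcu style driver waits on */
	struct completion go;      /* start gate: makes the interleaving deterministic */
	pthread_t worker;          /* the queued firmware work */
};

static void get_device(struct fake_device *d) { d->refcount++; }
static void put_device(struct fake_device *d) { d->refcount--; }
static void fake_device_del(struct fake_device *d) { d->dead = true; }

/* The asynchronous callback, like the sysfs fallback, creates entries under
 * the device. It still holds a reference here, and that does not help. */
static void fw_callback(struct fake_device *d) {
	if (d->dead)
		d->added_after_del++;
	complete(&d->fw_done);
}

static void *fw_work_func(void *arg) {
	struct fake_device *d = arg;
	wait_for_completion(&d->go);
	fw_callback(d);
	put_device(d); /* mirrors request_firmware_work_func() */
	return NULL;
}

/* Modelled request_firmware_nowait(): take a reference, queue the work. */
static int fw_request_nowait(struct fake_device *d) {
	get_device(d);
	return pthread_create(&d->worker, NULL, fw_work_func, d);
}

/* wait_first=false: the driver removes the device while the request is in
 * flight. wait_first=true: the driver waits on the completion before
 * teardown, as ims-pcu does. Returns 1 if the callback touched a removed
 * device, 0 if not, -1 on a setup error. */
static int run_scenario(bool wait_first) {
	struct fake_device dev;
	memset(&dev, 0, sizeof(dev));
	init_completion(&dev.fw_done);
	init_completion(&dev.go);
	get_device(&dev); /* probe's own reference */
	if (fw_request_nowait(&dev) != 0)
		return -1;
	if (wait_first) {
		complete(&dev.go);
		wait_for_completion(&dev.fw_done);
		fake_device_del(&dev);
	} else {
		fake_device_del(&dev); /* teardown first, the worker runs after */
		complete(&dev.go);
		wait_for_completion(&dev.fw_done);
	}
	pthread_join(dev.worker, NULL);
	put_device(&dev);
	/* Either order ends with refcount 0: the refcount never said "unusable". */
	if (dev.refcount != 0)
		return -1;
	return dev.added_after_del ? 1 : 0;
}
```

run_scenario(false) reports the callback operating on a removed device even though it held a reference the whole time; run_scenario(true) does not, which is the ordering the driver has to enforce.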

Dmitry Vyukov

Nov 15, 2022, 1:27:16 AM11/15/22
to Luis Chamberlain, Tejun Heo, Matthieu Castet, Stanislaw Gruszka, dmitry....@gmail.com, ming...@redhat.com, Hillf Danton, syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hi Luis,

syzbot is a self-service, you can ask it to test any patches for
reports with reproducers following these instructions:
https://bit.do/syzbot#testing-patches

Luis Chamberlain

Nov 15, 2022, 2:35:26 PM11/15/22
to Dmitry Torokhov, Tejun Heo, Matthieu Castet, Stanislaw Gruszka, ming...@redhat.com, Hillf Danton, syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com
On Mon, Nov 14, 2022 at 10:07:02AM -0800, Dmitry Torokhov wrote:
> I do not see how moving the point where we acquire device refcount
> around fixes anything.

The patch I posted does two things, moving the point where we acquire
device refcount was just one so it was not clear that what I really
wanted was to enforce a check first, and that is that the driver
*did* do the correct thing.

So while we can surely expect the driver to do proper device refcounting
and waiting on device removal, buggy drivers do exist and we should
strive to not allow UAF with them.

So something like this:

From 92c8f4465a205e744c70dcba320708f72900442e Mon Sep 17 00:00:00 2001
From: Luis Chamberlain <mcg...@kernel.org>
Date: Tue, 15 Nov 2022 10:02:13 -0800
Subject: [PATCH] firmware_loader: avoid UAF on buggy request_firmware_nowait()
users

request_firmware_nowait() is documented as requiring the caller to
ensure to maintain the reference count of @device during the
lifetime of the call to request_firmware_nowait() and the callback.

It would seem drivers exist which don't follow these rules though,
and things like syzbot can trigger UAF if the device gets nuked
as request_firmware_nowait() is being called. Instead of enabling
use UAF, defend against such improperly written drivers and complain
about it.

Make the documentation a bit clearer and give a hint as to how to easily
accomplish device lifetime maintenance on the driver using a completion
and a wait_for_completion().

Fixes: 0cfc1e1e7b534 ("firmware loader: fix device lifetime")
Fixes: f8a4bd3456b98 ("firmware loader: embed device into firmware_priv structure")
Cc: sta...@vger.kernel.org # v2.6.36
Reported-by: syzbot+6bc35f...@syzkaller.appspotmail.com
Signed-off-by: Luis Chamberlain <mcg...@kernel.org>
---
drivers/base/firmware_loader/main.c | 14 ++++++++++----
1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/drivers/base/firmware_loader/main.c b/drivers/base/firmware_loader/main.c
index 7c3590fd97c2..6ac92dfdd85e 100644
--- a/drivers/base/firmware_loader/main.c
+++ b/drivers/base/firmware_loader/main.c
@@ -1118,15 +1118,16 @@ static void request_firmware_work_func(struct work_struct *work)
* @uevent: sends uevent to copy the firmware image if this flag
* is non-zero else the firmware copy must be done manually.
* @name: name of firmware file
- * @device: device for which firmware is being loaded
+ * @device: device for which firmware is being loaded. The caller must hold
+ * the reference count of @device during the lifetime of this routine
+ * and the @cont callback. This typically can be done with a completion
+ * and wait_for_completion prior to device teardown.
* @gfp: allocation flags
* @context: will be passed over to @cont, and
* @fw may be %NULL if firmware request fails.
* @cont: function will be called asynchronously when the firmware
* request is over.
*
- * Caller must hold the reference count of @device.
- *
* Asynchronous variant of request_firmware() for user contexts:
* - sleep for as small periods as possible since it may
* increase kernel boot time of built-in device drivers
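Review bot: the rewritten @device text tells the caller to hold the reference count "during the lifetime of this routine and the @cont callback", but the code in the second hunk takes its own reference for exactly that window, so the refcount is not what the caller has to supply. What the caller must guarantee is that @context and whatever @cont dereferences stay valid until the callback has run, and that the device is not torn down underneath the fallback sysfs entries; say that explicitly, otherwise the completion hint reads as a refcount fix.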
@@ -1171,7 +1172,12 @@ request_firmware_nowait(
return -EFAULT;
}

- get_device(fw_work->device);
+ if (WARN_ON(!get_device(fw_work->device))) {
+ module_put(module);
+ kfree_const(fw_work->name);
+ kfree(fw_work);
+ return -ENODEV;
+ }
INIT_WORK(&fw_work->work, request_firmware_work_func);
schedule_work(&fw_work->work);
return 0;
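Review bot: `WARN_ON(!get_device(fw_work->device))` can only fire when fw_work->device is NULL, because get_device() returns its argument for any non-NULL pointer regardless of the device's state; it cannot detect a device that device_del() has already removed, which is the case the commit message says it defends against. The cleanup order on that path (module_put(), kfree_const(), kfree()) is correct, but the check does not catch the buggy callers it targets, so the WARN would be misleading if it ever fired.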
--
2.35.1

Dmitry Torokhov

Nov 15, 2022, 3:12:50 PM11/15/22
to Luis Chamberlain, Tejun Heo, Matthieu Castet, Stanislaw Gruszka, ming...@redhat.com, Hillf Danton, syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com
On Tue, Nov 15, 2022 at 11:35:10AM -0800, Luis Chamberlain wrote:
> On Mon, Nov 14, 2022 at 10:07:02AM -0800, Dmitry Torokhov wrote:
> > I do not see how moving the point where we acquire device refcount
> > around fixes anything.
>
> The patch I posted does two things, moving the point where we acquire
> device refcount was just one so it was not clear that what I really
> wanted was to enforce a check first, and that is that the driver
> *did* do the correct thing.
>
> So while we can surely expect the driver to do proper device refcounting
> and waiting on device removal, buggy drivers do exist and we should
> strive to not allow UAF with them.

You can not enforce any of that from the firmware loader itself.

>
> So something like this:
>
> From 92c8f4465a205e744c70dcba320708f72900442e Mon Sep 17 00:00:00 2001
> From: Luis Chamberlain <mcg...@kernel.org>
> Date: Tue, 15 Nov 2022 10:02:13 -0800
> Subject: [PATCH] firmware_loader: avoid UAF on buggy request_firmware_nowait()
> users
>
> request_firmware_nowait() is documented as requiring the caller to
> ensure to maintain the reference count of @device during the
> lifetime of the call to request_firmware_nowait() and the callback.
>
> It would seem drivers exist which don't follow these rules though,
> and things like syzbot can trigger UAF if the device gets nuked
> as request_firmware_nowait() is being called. Instead of enabling
> use UAF, defend against such improperly written drivers and complain
> about it.

I fail to see how are you defending against improperly written drivers
and in what cases you expect your check to trigger. It is impossible for
get_device() to fail for a non-NULL device (check the code), so
your test will never trigger.

>
> Make the documentation a bit clearer and give a hint as to how to easily
> accomplish device lifetime maintenance on the driver using a completion
> and a wait_for_completion().

It is not clear to me why the caller must keep reference to device. The
callback is called with struct firmware and context pointer, which may
or may not be tied to a device instance. What you want to say is that
the caller must ensure that context is valid until after callback is
invoked.

The firmware loader uses device structure itself and does acquire
a reference, so it does the right thing, but the caller is free to drop
the device reference if it chooses to do so.

So for what it's worth it is a NAK from me.
Thanks.

--
Dmitry
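
The lifetime rule Dmitry states above (the @context must stay valid until the callback has run) and the completion-based ordering Luis's commit message hints at, as an added userspace C model that is not code from the kernel, the patch or any participant in this thread. request_firmware_nowait_sim, run_pending_work, wait_for_completion_sim and the poisoning step are constructed stand-ins for the loader's workqueue, the kernel completion API and the driver's teardown.

```c
/* Userspace model of the driver-side lifetime rule for request_firmware_nowait():
 * the @context handed to the loader must stay valid until the callback has run.
 * Constructed stand-ins: a one-slot queue for the loader's deferred work, a flag
 * for the kernel completion, and poisoning instead of free() for the teardown. */
#include <string.h>
#define CTX_MAGIC 0x6f6b6f6bu                 /* marks a live context */
struct completion { int done; };
struct drv_ctx {                              /* driver state passed as @context */
	struct completion fw_done;
	unsigned magic;
	int cb_saw_live_ctx;
};
typedef void (*fw_cb_t)(const char *fw, void *context);
static struct { fw_cb_t cb; void *ctx; int pending; } work;
/* Queue the callback; the real loader runs it later from a workqueue. */
static int request_firmware_nowait_sim(void *ctx, fw_cb_t cb)
{
	work.cb = cb; work.ctx = ctx; work.pending = 1; return 0;
}
static void run_pending_work(void)
{
	if (!work.pending) return;
	work.pending = 0; work.cb("constructed-fw-blob", work.ctx);
}
/* Driver callback: notes whether the context it was handed is still live, then
 * signals the completion as its last action so remove() may proceed. */
static void fw_callback(const char *fw, void *context)
{
	struct drv_ctx *ctx = context;
	ctx->cb_saw_live_ctx = (fw && ctx->magic == CTX_MAGIC);
	ctx->fw_done.done = 1;                    /* complete(&ctx->fw_done) */
}
static void wait_for_completion_sim(struct completion *c)
{
	while (!c->done) run_pending_work();
}
/* probe() followed by an immediate remove(). wait=1 is the ordering the commit
 * message hints at: wait_for_completion() before tearing the context down; wait=0
 * is the buggy ordering, where the queued callback runs on dead state. */
static int probe_then_remove(int wait)
{
	static struct drv_ctx ctx;
	memset(&ctx, 0, sizeof(ctx));
	ctx.magic = CTX_MAGIC;
	request_firmware_nowait_sim(&ctx, fw_callback);
	if (wait) wait_for_completion_sim(&ctx.fw_done);
	ctx.magic = 0;                            /* context torn down */
	run_pending_work();                       /* anything still queued runs now */
	return ctx.cb_saw_live_ctx;               /* 1: callback saw a live context */
}
```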

Tejun Heo

Nov 15, 2022, 5:14:10 PM11/15/22
to Luis Chamberlain, Dmitry Torokhov, Matthieu Castet, Stanislaw Gruszka, ming...@redhat.com, Hillf Danton, syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com
On Tue, Nov 15, 2022 at 11:35:10AM -0800, Luis Chamberlain wrote:
> request_firmware_nowait() is documented as requiring the caller to
> ensure to maintain the reference count of @device during the
> lifetime of the call to request_firmware_nowait() and the callback.

My reading was that just holding the ref isn't enough. The code expects the
device to be not destroyed independent of the refcnt. I don't see how this
would be fixed by diddling with refcnt.

Thanks.

--
tejun

syzbot

Nov 15, 2022, 7:36:24 PM11/15/22
to mcg...@kernel.org, syzkall...@googlegroups.com
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

failed to copy syz-execprog to VM: failed to run ["scp" "-P" "22" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "BatchMode=yes" "-o" "IdentitiesOnly=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "/syzkaller/jobs/linux/gopath/src/github.com/google/syzkaller/bin/linux_amd64/syz-execprog" "ro...@10.128.0.45:./syz-execprog"]: exit status 1
ssh: connect to host 10.128.0.45 port 22: Connection timed out
lost connection
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build74765184=/tmp/go-build -gno-record-gcc-switches"

git status (err=<nil>)
HEAD detached at b31320fc8
nothing to commit, working tree clean


tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:32: run command via tools/syz-env for best compatibility, see:
Makefile:33: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
go list -f '{{.Stale}}' ./sys/syz-sysgen | grep -q false || go install ./sys/syz-sysgen
make .descriptions
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
bin/syz-sysgen
touch .descriptions
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=b31320fc8f3519e40494f64ebf77c13d16284bfd -X 'github.com/google/syzkaller/prog.gitRevisionDate=20221018-073740'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-fuzzer github.com/google/syzkaller/syz-fuzzer
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=b31320fc8f3519e40494f64ebf77c13d16284bfd -X 'github.com/google/syzkaller/prog.gitRevisionDate=20221018-073740'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=b31320fc8f3519e40494f64ebf77c13d16284bfd -X 'github.com/google/syzkaller/prog.gitRevisionDate=20221018-073740'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-stress github.com/google/syzkaller/tools/syz-stress
mkdir -p ./bin/linux_amd64
gcc -o ./bin/linux_amd64/syz-executor executor/executor.cc \
-m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -static-pie -fpermissive -w -DGOOS_linux=1 -DGOARCH_amd64=1 \
-DHOSTGOOS_linux=1 -DGIT_REVISION=\"b31320fc8f3519e40494f64ebf77c13d16284bfd\"



Tested on:

commit: 3960520a firmware_loader: refcount device early on req..
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/mcgrof/linux.git 20221115-firmware_loader-fixes
kernel config: https://syzkaller.appspot.com/x/.config?x=e9039cbe1d7613aa
dashboard link: https://syzkaller.appspot.com/bug?extid=6bc35f3913193fe7f0d3
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2

Note: no patches were applied.