[syzbot] WARNING in kernfs_get (4)


syzbot

Feb 4, 2023, 1:11:44 PM
to gre...@linuxfoundation.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com, t...@kernel.org
Hello,

syzbot found the following issue on:

HEAD commit: 80bd9028feca Add linux-next specific files for 20230131
git tree: linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=155ac609480000
kernel config: https://syzkaller.appspot.com/x/.config?x=904dc2f450eaad4a
dashboard link: https://syzkaller.appspot.com/bug?extid=9be7b6c4b696be5d83ef
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=151a6d79480000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/924618188238/disk-80bd9028.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/7a03cf86e545/vmlinux-80bd9028.xz
kernel image: https://storage.googleapis.com/syzbot-assets/568e80043a41/bzImage-80bd9028.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+9be7b6...@syzkaller.appspotmail.com

------------[ cut here ]------------
WARNING: CPU: 1 PID: 5108 at fs/kernfs/dir.c:522 kernfs_get.part.0+0x69/0x80 fs/kernfs/dir.c:522
Modules linked in:
CPU: 0 PID: 5108 Comm: syz-executor.3 Not tainted 6.2.0-rc6-next-20230131-syzkaller-09515-g80bd9028feca #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/12/2023
RIP: 0010:kernfs_get.part.0+0x69/0x80 fs/kernfs/dir.c:522
Code: 31 ff 89 ee e8 e8 65 7a ff 85 ed 74 18 e8 8f 69 7a ff be 04 00 00 00 48 89 df e8 a2 74 c9 ff f0 ff 03 5b 5d c3 e8 77 69 7a ff <0f> 0b eb df 48 89 df e8 eb 6d c9 ff eb c6 66 0f 1f 84 00 00 00 00
RSP: 0018:ffffc900040bef10 EFLAGS: 00010293
RAX: 0000000000000000 RBX: ffff888077931000 RCX: 0000000000000000
RDX: ffff888021c91d40 RSI: ffffffff820a4ca9 RDI: 0000000000000005
RBP: 0000000000000000 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffff8880779310e8
R13: ffff88802b4c6028 R14: ffff8880222f2b50 R15: 0000000000000000
FS: 00005555572ee400(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f167a621718 CR3: 00000000730ad000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
kernfs_get fs/kernfs/dir.c:521 [inline]
kernfs_new_node fs/kernfs/dir.c:676 [inline]
kernfs_create_dir_ns+0xc4/0x230 fs/kernfs/dir.c:1029
sysfs_create_dir_ns+0x12b/0x290 fs/sysfs/dir.c:59
create_dir lib/kobject.c:63 [inline]
kobject_add_internal+0x2c9/0x9c0 lib/kobject.c:231
kobject_add_varg lib/kobject.c:366 [inline]
kobject_init_and_add+0x101/0x170 lib/kobject.c:449
rx_queue_add_kobject net/core/net-sysfs.c:1063 [inline]
net_rx_queue_update_kobjects+0x25f/0x510 net/core/net-sysfs.c:1114
register_queue_kobjects net/core/net-sysfs.c:1774 [inline]
netdev_register_kobject+0x279/0x400 net/core/net-sysfs.c:2019
register_netdevice+0xd77/0x1640 net/core/dev.c:10048
cfg80211_register_netdevice+0x157/0x330 net/wireless/core.c:1397
ieee80211_if_add+0x1096/0x1970 net/mac80211/iface.c:2198
ieee80211_register_hw+0x37db/0x40d0 net/mac80211/main.c:1403
mac80211_hwsim_new_radio+0x25c5/0x4920 drivers/net/wireless/mac80211_hwsim.c:4583
hwsim_new_radio_nl+0xa09/0x10f0 drivers/net/wireless/mac80211_hwsim.c:5176
genl_family_rcv_msg_doit.isra.0+0x1e6/0x2d0 net/netlink/genetlink.c:968
genl_family_rcv_msg net/netlink/genetlink.c:1048 [inline]
genl_rcv_msg+0x4ff/0x7e0 net/netlink/genetlink.c:1065
netlink_rcv_skb+0x165/0x440 net/netlink/af_netlink.c:2574
genl_rcv+0x28/0x40 net/netlink/genetlink.c:1076
netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline]
netlink_unicast+0x547/0x7f0 net/netlink/af_netlink.c:1365
netlink_sendmsg+0x925/0xe30 net/netlink/af_netlink.c:1942
sock_sendmsg_nosec net/socket.c:722 [inline]
sock_sendmsg+0xde/0x190 net/socket.c:745
__sys_sendto+0x23a/0x340 net/socket.c:2142
__do_sys_sendto net/socket.c:2154 [inline]
__se_sys_sendto net/socket.c:2150 [inline]
__x64_sys_sendto+0xe1/0x1b0 net/socket.c:2150
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f859403e0fc
Code: fa fa ff ff 44 8b 4c 24 2c 4c 8b 44 24 20 89 c5 44 8b 54 24 28 48 8b 54 24 18 b8 2c 00 00 00 48 8b 74 24 10 8b 7c 24 08 0f 05 <48> 3d 00 f0 ff ff 77 34 89 ef 48 89 44 24 08 e8 20 fb ff ff 48 8b
RSP: 002b:00007ffea124f050 EFLAGS: 00000293 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 00007f8594cd4620 RCX: 00007f859403e0fc
RDX: 0000000000000024 RSI: 00007f8594cd4670 RDI: 0000000000000003
RBP: 0000000000000000 R08: 00007ffea124f0a4 R09: 000000000000000c
R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000
R13: 00007f8594cd4670 R14: 0000000000000003 R15: 0000000000000000
</TASK>


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches
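The trace above reaches the kernfs warning from a generic netlink request: a sendto() on a NETLINK_GENERIC socket carrying HWSIM_CMD_NEW_RADIO makes hwsim_new_radio_nl create a radio, ieee80211_register_hw adds a wlan netdev, and register_netdevice registers that netdev's rx-queue kobjects in sysfs, which is where kernfs_get trips over a parent node whose count is already zero. The C program below is an added example, not the syzkaller reproducer and not code from the report; it drives the same request from user space so the path can be exercised without syzkaller. It assumes the family name MAC80211_HWSIM, HWSIM_CMD_NEW_RADIO = 4 and HWSIM_ATTR_CHANNELS = 9 from the kernel's mac80211_hwsim.h (which attributes the syz repro sends is not visible in this thread), needs CAP_NET_ADMIN and the mac80211_hwsim module, and on its own only creates one radio; whether the WARNING fires depends on the state the reproducer builds up first.

```c
/* hwsim_new_radio.c: added example, not code from the syzbot report or the syzkaller repro.
 * Drives the path in the call trace (sendto -> genl_rcv -> hwsim_new_radio_nl): look up the
 * MAC80211_HWSIM generic netlink family by name, then send HWSIM_CMD_NEW_RADIO.  Needs
 * CAP_NET_ADMIN and mac80211_hwsim loaded.  The HWSIM_* numbers are assumed from the
 * kernel's mac80211_hwsim.h; which attributes the syz repro sent is not visible here. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <linux/netlink.h>
#include <linux/genetlink.h>

#define HWSIM_FAMILY_NAME   "MAC80211_HWSIM"    /* assumed */
#define HWSIM_CMD_NEW_RADIO 4                   /* assumed */
#define HWSIM_ATTR_CHANNELS 9                   /* assumed */

struct genl_msg { unsigned char buf[256]; size_t len; };   /* nlmsghdr | genlmsghdr | attrs */

static void genl_msg_init(struct genl_msg *m, uint16_t family, uint8_t cmd, uint16_t flags, uint32_t seq)
{
    struct nlmsghdr *nlh = (struct nlmsghdr *)m->buf;
    struct genlmsghdr *gh = (struct genlmsghdr *)(m->buf + NLMSG_HDRLEN);
    memset(m, 0, sizeof(*m));
    nlh->nlmsg_len = m->len = NLMSG_LENGTH(GENL_HDRLEN);   /* 16-byte nlmsghdr + 4-byte genlmsghdr */
    nlh->nlmsg_type = family;
    nlh->nlmsg_flags = flags;
    nlh->nlmsg_seq = seq;
    gh->cmd = cmd;
    gh->version = 1;
}

/* Append one TLV attribute (4-byte aligned); -1 if it would overflow the buffer. */
static int genl_msg_put(struct genl_msg *m, uint16_t type, const void *data, uint16_t dlen)
{
    struct nlattr *a = (struct nlattr *)(m->buf + m->len);
    if (m->len + NLA_ALIGN(NLA_HDRLEN + dlen) > sizeof(m->buf))
        return -1;
    a->nla_type = type;
    a->nla_len = NLA_HDRLEN + dlen;
    memcpy(m->buf + m->len + NLA_HDRLEN, data, dlen);
    m->len += NLA_ALIGN(a->nla_len);
    ((struct nlmsghdr *)m->buf)->nlmsg_len = m->len;
    return 0;
}

/* Bounds-checked attribute walk: u16 payload of attribute `want`, or 0 if absent or malformed. */
static uint16_t genl_find_u16(const unsigned char *buf, size_t len, uint16_t want)
{
    const struct nlmsghdr *nlh = (const struct nlmsghdr *)buf;
    size_t off = NLMSG_HDRLEN + GENL_HDRLEN;
    uint16_t v;
    if (len < off || nlh->nlmsg_len < off || nlh->nlmsg_len > len)
        return 0;
    while (off + NLA_HDRLEN <= nlh->nlmsg_len) {
        const struct nlattr *a = (const struct nlattr *)(buf + off);
        if (a->nla_len < NLA_HDRLEN || off + a->nla_len > nlh->nlmsg_len)
            return 0;                                   /* malformed: never read past nlmsg_len */
        if ((a->nla_type & NLA_TYPE_MASK) == want && (size_t)a->nla_len >= NLA_HDRLEN + sizeof(v)) {
            memcpy(&v, buf + off + NLA_HDRLEN, sizeof(v));
            return v;
        }
        off += NLA_ALIGN(a->nla_len);
    }
    return 0;
}

/* Self-check on a constructed reply: encode `id` as CTRL_ATTR_FAMILY_ID and parse it back,
 * after confirming that the same message truncated by one byte is rejected. */
static uint16_t roundtrip_family_id(uint16_t id)
{
    struct genl_msg r;
    genl_msg_init(&r, GENL_ID_CTRL, CTRL_CMD_NEWFAMILY, 0, 1);
    genl_msg_put(&r, CTRL_ATTR_FAMILY_NAME, HWSIM_FAMILY_NAME, sizeof(HWSIM_FAMILY_NAME));
    genl_msg_put(&r, CTRL_ATTR_FAMILY_ID, &id, sizeof(id));
    if (genl_find_u16(r.buf, r.len - 1, CTRL_ATTR_FAMILY_ID) != 0)
        return 0;
    return genl_find_u16(r.buf, r.len, CTRL_ATTR_FAMILY_ID);
}

int main(void)
{
    int fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC), n, err = 0;
    unsigned char reply[4096];
    struct genl_msg m;
    uint32_t channels = 1;
    uint16_t family;
    if (fd < 0) { perror("socket(NETLINK_GENERIC)"); return 1; }
    /* 1. CTRL_CMD_GETFAMILY: family IDs are dynamic, so resolve MAC80211_HWSIM by name. */
    genl_msg_init(&m, GENL_ID_CTRL, CTRL_CMD_GETFAMILY, NLM_F_REQUEST, 1);
    genl_msg_put(&m, CTRL_ATTR_FAMILY_NAME, HWSIM_FAMILY_NAME, sizeof(HWSIM_FAMILY_NAME));
    n = send(fd, m.buf, m.len, 0) < 0 ? -1 : (int)recv(fd, reply, sizeof(reply), 0);
    family = n > 0 && ((struct nlmsghdr *)reply)->nlmsg_type != NLMSG_ERROR ?
             genl_find_u16(reply, (size_t)n, CTRL_ATTR_FAMILY_ID) : 0;
    if (!family) { fprintf(stderr, "%s not registered (mac80211_hwsim loaded?)\n", HWSIM_FAMILY_NAME); return 1; }
    /* 2. HWSIM_CMD_NEW_RADIO, the sendto() at the bottom of the trace; NLM_F_ACK requests an nlmsgerr reply. */
    genl_msg_init(&m, family, HWSIM_CMD_NEW_RADIO, NLM_F_REQUEST | NLM_F_ACK, 2);
    genl_msg_put(&m, HWSIM_ATTR_CHANNELS, &channels, sizeof(channels));
    n = send(fd, m.buf, m.len, 0) < 0 ? -1 : (int)recv(fd, reply, sizeof(reply), 0);
    if (n >= (int)(NLMSG_HDRLEN + sizeof(struct nlmsgerr)) && ((struct nlmsghdr *)reply)->nlmsg_type == NLMSG_ERROR)
        err = ((struct nlmsgerr *)(reply + NLMSG_HDRLEN))->error;
    printf("HWSIM_CMD_NEW_RADIO: %s\n", n < 0 ? "send/recv failed" : err < 0 ? strerror(-err) : "radio registered");
    close(fd);
    return 0;
}
```

The GETFAMILY request deliberately omits NLM_F_ACK: its reply is the family description itself, and a pending ACK would otherwise be read back as the answer to the NEW_RADIO request that follows. The attribute walk stops at the first attribute that would run past nlmsg_len, and genl_msg_put refuses an attribute that would overflow its buffer; roundtrip_family_id exercises both on a constructed reply without touching the kernel.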

Hillf Danton

Feb 4, 2023, 9:42:54 PM
to syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com
On Sat, 04 Feb 2023 10:11:42 -0800
> syzbot found the following issue on:
>
> HEAD commit: 80bd9028feca Add linux-next specific files for 20230131
> git tree: linux-next
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=151a6d79480000

Select the correct parent kobj.

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git 80bd9028feca

--- x/lib/kobject.c
+++ y/lib/kobject.c
@@ -218,7 +218,7 @@ static int kobject_add_internal(struct k
/* join kset if set, use it as parent if we do not already have one */
if (kobj->kset) {
if (!parent)
- parent = kobject_get(&kobj->kset->kobj);
+ parent = kobject_get(kobj->kset->kobj.parent);
kobj_kset_join(kobj);
kobj->parent = parent;
}
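Review bot: this hunk changes the default parent for every kset member, not just the rx-queue kobject, and it breaks the case where the kset's own kobj has no parent: for the `platform` bus kset registered via `platform_bus_init` -> `bus_register` -> `kset_register`, `kobj->kset->kobj.parent` is NULL, `kobject_get(NULL)` returns NULL, and the directory is created at the sysfs root, which is exactly the `sysfs: cannot create duplicate filename '//platform'` boot failure syzbot reported against this patch. The kset kobj is the intended fallback parent (the comment on the line above says so), so the fix for the warning at fs/kernfs/dir.c:522 has to address why the kernfs node behind that kset kobj already has a zero count when `rx_queue_add_kobject` runs, not replace the fallback. Note also that the original line takes the reference `kobj->parent` then owns; swapping the target silently changes which object that reference pins.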
--

syzbot

Feb 4, 2023, 10:53:18 PM
to hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

, MinObjects=0, CPUs=2, Nodes=2
[ 1.717501][ T0] allocated 134217728 bytes of page_ext
[ 1.718540][ T0] Node 0, zone DMA: page owner found early allocated 0 pages
[ 1.734855][ T0] Node 0, zone DMA32: page owner found early allocated 16480 pages
[ 1.749210][ T0] Node 0, zone Normal: page owner found early allocated 0 pages
[ 1.761271][ T0] Node 1, zone Normal: page owner found early allocated 16387 pages
[ 1.765251][ T0] Dynamic Preempt: full
[ 1.768283][ T0] Running RCU self tests
[ 1.769110][ T0] Running RCU synchronous self tests
[ 1.770405][ T0] rcu: Preemptible hierarchical RCU implementation.
[ 1.771628][ T0] rcu: RCU lockdep checking is enabled.
[ 1.772927][ T0] rcu: RCU restricting CPUs from NR_CPUS=8 to nr_cpu_ids=2.
[ 1.774914][ T0] rcu: RCU callback double-/use-after-free debug is enabled.
[ 1.778891][ T0] rcu: RCU debug extended QS entry/exit.
[ 1.780014][ T0] All grace periods are expedited (rcu_expedited).
[ 1.781966][ T0] Trampoline variant of Tasks RCU enabled.
[ 1.783245][ T0] Tracing variant of Tasks RCU enabled.
[ 1.784739][ T0] rcu: RCU calculated value of scheduler-enlistment delay is 10 jiffies.
[ 1.786570][ T0] rcu: Adjusting geometry for rcu_fanout_leaf=16, nr_cpu_ids=2
[ 1.787814][ T0] Running RCU synchronous self tests
[ 1.838925][ T0] NR_IRQS: 4352, nr_irqs: 440, preallocated irqs: 16
[ 1.841535][ T0] rcu: srcu_init: Setting srcu_struct sizes based on contention.
[ 1.843893][ T0] kfence: initialized - using 2097152 bytes for 255 objects at 0xffff88823bc00000-0xffff88823be00000
[ 1.848775][ T0] Console: colour VGA+ 80x25
[ 1.850276][ T0] printk: console [ttyS0] enabled
[ 1.850276][ T0] printk: console [ttyS0] enabled
[ 1.853413][ T0] printk: bootconsole [earlyser0] disabled
[ 1.853413][ T0] printk: bootconsole [earlyser0] disabled
[ 1.855838][ T0] Lock dependency validator: Copyright (c) 2006 Red Hat, Inc., Ingo Molnar
[ 1.858426][ T0] ... MAX_LOCKDEP_SUBCLASSES: 8
[ 1.859376][ T0] ... MAX_LOCK_DEPTH: 48
[ 1.860552][ T0] ... MAX_LOCKDEP_KEYS: 8192
[ 1.861693][ T0] ... CLASSHASH_SIZE: 4096
[ 1.863082][ T0] ... MAX_LOCKDEP_ENTRIES: 131072
[ 1.864096][ T0] ... MAX_LOCKDEP_CHAINS: 262144
[ 1.864989][ T0] ... CHAINHASH_SIZE: 131072
[ 1.866080][ T0] memory used by lock dependency info: 20657 kB
[ 1.871691][ T0] memory used for stack traces: 8320 kB
[ 1.873559][ T0] per task-struct memory footprint: 1920 bytes
[ 1.875136][ T0] mempolicy: Enabling automatic NUMA balancing. Configure with numa_balancing= or the kernel.numa_balancing sysctl
[ 1.877636][ T0] ACPI: Core revision 20221020
[ 1.879981][ T0] APIC: Switch to symmetric I/O mode setup
[ 1.881638][ T0] x2apic enabled
[ 1.885803][ T0] Switched APIC routing to physical x2apic.
[ 1.893298][ T0] ..TIMER: vector=0x30 apic1=0 pin1=0 apic2=-1 pin2=-1
[ 1.895225][ T0] clocksource: tsc-early: mask: 0xffffffffffffffff max_cycles: 0x1fb722e6169, max_idle_ns: 440795315647 ns
[ 1.897819][ T0] Calibrating delay loop (skipped) preset value.. 4400.50 BogoMIPS (lpj=22002540)
[ 1.907869][ T0] pid_max: default: 32768 minimum: 301
[ 1.909069][ T0] LSM: initializing lsm=lockdown,capability,landlock,yama,safesetid,integrity,tomoyo,apparmor,bpf
[ 1.911604][ T0] landlock: Up and running.
[ 1.912502][ T0] Yama: becoming mindful.
[ 1.913463][ T0] TOMOYO Linux initialized
[ 1.914930][ T0] AppArmor: AppArmor initialized
[ 1.915865][ T0] LSM support for eBPF active
[ 1.922407][ T0] Dentry cache hash table entries: 1048576 (order: 11, 8388608 bytes, vmalloc hugepage)
[ 1.928135][ T0] Inode-cache hash table entries: 524288 (order: 10, 4194304 bytes, vmalloc hugepage)
[ 1.932994][ T0] Mount-cache hash table entries: 16384 (order: 5, 131072 bytes, vmalloc)
[ 1.935952][ T0] Mountpoint-cache hash table entries: 16384 (order: 5, 131072 bytes, vmalloc)
[ 1.941258][ T0] Last level iTLB entries: 4KB 64, 2MB 8, 4MB 8
[ 1.943936][ T0] Last level dTLB entries: 4KB 64, 2MB 0, 4MB 0, 1GB 4
[ 1.945781][ T0] Spectre V1 : Mitigation: usercopy/swapgs barriers and __user pointer sanitization
[ 1.947867][ T0] Spectre V2 : Mitigation: IBRS
[ 1.949618][ T0] Spectre V2 : Spectre v2 / SpectreRSB mitigation: Filling RSB on context switch
[ 1.952093][ T0] Spectre V2 : Spectre v2 / SpectreRSB : Filling RSB on VMEXIT
[ 1.953984][ T0] RETBleed: Mitigation: IBRS
[ 1.957848][ T0] Spectre V2 : mitigation: Enabling conditional Indirect Branch Prediction Barrier
[ 1.960347][ T0] Speculative Store Bypass: Mitigation: Speculative Store Bypass disabled via prctl
[ 1.962099][ T0] MDS: Mitigation: Clear CPU buffers
[ 1.964603][ T0] TAA: Mitigation: Clear CPU buffers
[ 1.965867][ T0] MMIO Stale Data: Vulnerable: Clear CPU buffers attempted, no microcode
[ 1.981330][ T0] Freeing SMP alternatives memory: 116K
[ 1.984341][ T0] Running RCU synchronous self tests
[ 1.987821][ T0] Running RCU synchronous self tests
[ 2.111432][ T1] smpboot: CPU0: Intel(R) Xeon(R) CPU @ 2.20GHz (family: 0x6, model: 0x4f, stepping: 0x0)
[ 2.117493][ T1] cblist_init_generic: Setting adjustable number of callback queues.
[ 2.117793][ T1] cblist_init_generic: Setting shift to 1 and lim to 1.
[ 2.118358][ T1] cblist_init_generic: Setting shift to 1 and lim to 1.
[ 2.120842][ T1] Running RCU-tasks wait API self tests
[ 2.238098][ T1] Performance Events: unsupported p6 CPU model 79 no PMU driver, software events only.
[ 2.248777][ T1] rcu: Hierarchical SRCU implementation.
[ 2.250923][ T1] rcu: Max phase no-delay instances is 1000.
[ 2.258590][ T14] Callback from call_rcu_tasks_trace() invoked.
[ 2.261457][ T1] NMI watchdog: Perf NMI watchdog permanently disabled
[ 2.263689][ T1] smp: Bringing up secondary CPUs ...
[ 2.267943][ T1] x86: Booting SMP configuration:
[ 2.269141][ T1] .... node #0, CPUs: #1
[ 2.271428][ T1] MDS CPU bug present and SMT on, data leak possible. See https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html for more details.
[ 2.271428][ T1] TAA CPU bug present and SMT on, data leak possible. See https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/tsx_async_abort.html for more details.
[ 2.277943][ T1] MMIO Stale Data CPU bug present and SMT on, data leak possible. See https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/processor_mmio_stale_data.html for more details.
[ 2.280865][ T1] smp: Brought up 2 nodes, 2 CPUs
[ 2.281814][ T1] smpboot: Max logical packages: 1
[ 2.283214][ T1] smpboot: Total of 2 processors activated (8801.01 BogoMIPS)
[ 2.289093][ T1] devtmpfs: initialized
[ 2.290610][ T1] sysfs: cannot create duplicate filename '//platform'
[ 2.290610][ T1] CPU: 1 PID: 1 Comm: swapper/0 Not tainted 6.2.0-rc6-next-20230131-syzkaller-09515-g80bd9028feca-dirty #0
[ 2.292379][ T1] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/12/2023
[ 2.293844][ T1] Call Trace:
[ 2.294334][ T1] <TASK>
[ 2.294828][ T1] dump_stack_lvl+0x136/0x150
[ 2.295942][ T1] sysfs_warn_dup+0x80/0xa0
[ 2.297243][ T1] sysfs_create_dir_ns+0x237/0x290
[ 2.297793][ T1] ? sysfs_create_mount_point+0xb0/0xb0
[ 2.297793][ T1] ? spin_bug+0x1c0/0x1c0
[ 2.297793][ T1] ? kobject_add_internal+0x12d/0x9e0
[ 2.297793][ T1] ? do_raw_spin_unlock+0x175/0x230
[ 2.297793][ T1] kobject_add_internal+0x2c7/0x9e0
[ 2.297793][ T1] kset_register+0x169/0x260
[ 2.297793][ T1] bus_register+0x230/0xc20
[ 2.297793][ T1] platform_bus_init+0x3e/0xa0
[ 2.297793][ T1] driver_init+0x38/0x60
[ 2.297793][ T1] kernel_init_freeable+0x42b/0x900
[ 2.297793][ T1] ? rest_init+0x2b0/0x2b0
[ 2.297793][ T1] kernel_init+0x1e/0x2c0
[ 2.297793][ T1] ? rest_init+0x2b0/0x2b0
[ 2.297793][ T1] ret_from_fork+0x1f/0x30
[ 2.297793][ T1] </TASK>
[ 2.307843][ T1] kobject_add_internal failed for platform with -EEXIST, don't try to register things with the same name in the same directory.
[ 2.310575][ T1] ------------[ cut here ]------------
[ 2.311327][ T1] Device 'platform' does not have a release() function, it is broken and must be fixed. See Documentation/core-api/kobject.rst.
[ 2.313636][ T1] WARNING: CPU: 1 PID: 1 at drivers/base/core.c:2291 device_release+0x1b5/0x240
[ 2.317815][ T1] Modules linked in:
[ 2.318583][ T1] CPU: 1 PID: 1 Comm: swapper/0 Not tainted 6.2.0-rc6-next-20230131-syzkaller-09515-g80bd9028feca-dirty #0
[ 2.320242][ T1] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/12/2023
[ 2.321651][ T1] RIP: 0010:device_release+0x1b5/0x240
[ 2.322452][ T1] Code: c1 ea 03 80 3c 02 00 0f 85 96 00 00 00 4c 8b 6d 50 4d 85 ed 74 1b e8 0a 3e 6a fc 4c 89 ee 48 c7 c7 a0 94 cd 8a e8 0b d9 31 fc <0f> 0b e9 e7 fe ff ff e8 ef 3d 6a fc 48 89 ea 48 b8 00 00 00 00 00
[ 2.327815][ T1] RSP: 0000:ffffc90000067e58 EFLAGS: 00010282
[ 2.329139][ T1] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
[ 2.330511][ T1] RDX: ffff8881400a8000 RSI: ffffffff81692aec RDI: 0000000000000005
[ 2.331965][ T1] RBP: ffffffff8d40ccc0 R08: 0000000000000005 R09: 0000000000000000
[ 2.333427][ T1] R10: 0000000080000000 R11: 0000000000000000 R12: ffff888144a28000
[ 2.334702][ T1] R13: ffffffff8acde860 R14: ffffffff8acde860 R15: 0000000000000000
[ 2.336135][ T1] FS: 0000000000000000(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
[ 2.337810][ T1] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 2.339203][ T1] CR2: 0000000000000000 CR3: 000000000c571000 CR4: 00000000003506e0
[ 2.340338][ T1] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 2.341852][ T1] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 2.343006][ T1] Call Trace:
[ 2.343585][ T1] <TASK>
[ 2.348082][ T1] kobject_put+0x1c2/0x4d0
[ 2.348082][ T1] device_unregister+0x30/0xc0
[ 2.348082][ T1] platform_bus_init+0x6b/0xa0
[ 2.348082][ T1] driver_init+0x38/0x60
[ 2.349919][ T1] kernel_init_freeable+0x42b/0x900
[ 2.351030][ T1] ? rest_init+0x2b0/0x2b0
[ 2.351733][ T1] kernel_init+0x1e/0x2c0
[ 2.353339][ T1] ? rest_init+0x2b0/0x2b0
[ 2.354220][ T1] ret_from_fork+0x1f/0x30
[ 2.355137][ T1] </TASK>
[ 2.359190][ T1] Kernel panic - not syncing: kernel: panic_on_warn set ...
[ 2.359190][ T1] CPU: 1 PID: 1 Comm: swapper/0 Not tainted 6.2.0-rc6-next-20230131-syzkaller-09515-g80bd9028feca-dirty #0
[ 2.359190][ T1] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/12/2023
[ 2.359190][ T1] Call Trace:
[ 2.359190][ T1] <TASK>
[ 2.359190][ T1] dump_stack_lvl+0xd9/0x150
[ 2.367824][ T1] panic+0x61b/0x6c0
[ 2.367824][ T1] ? panic_smp_self_stop+0x90/0x90
[ 2.367824][ T1] ? show_trace_log_lvl+0x285/0x390
[ 2.367824][ T1] ? device_release+0x1b5/0x240
[ 2.367824][ T1] check_panic_on_warn+0xb1/0xc0
[ 2.367824][ T1] __warn+0xf2/0x4f0
[ 2.367824][ T1] ? device_release+0x1b5/0x240
[ 2.367824][ T1] report_bug+0x206/0x2b0
[ 2.377836][ T1] handle_bug+0x3c/0x70
[ 2.377836][ T1] exc_invalid_op+0x18/0x50
[ 2.377836][ T1] asm_exc_invalid_op+0x1a/0x20
[ 2.377836][ T1] RIP: 0010:device_release+0x1b5/0x240
[ 2.377836][ T1] Code: c1 ea 03 80 3c 02 00 0f 85 96 00 00 00 4c 8b 6d 50 4d 85 ed 74 1b e8 0a 3e 6a fc 4c 89 ee 48 c7 c7 a0 94 cd 8a e8 0b d9 31 fc <0f> 0b e9 e7 fe ff ff e8 ef 3d 6a fc 48 89 ea 48 b8 00 00 00 00 00
[ 2.377836][ T1] RSP: 0000:ffffc90000067e58 EFLAGS: 00010282
[ 2.377836][ T1] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
[ 2.387900][ T1] RDX: ffff8881400a8000 RSI: ffffffff81692aec RDI: 0000000000000005
[ 2.387900][ T1] RBP: ffffffff8d40ccc0 R08: 0000000000000005 R09: 0000000000000000
[ 2.387900][ T1] R10: 0000000080000000 R11: 0000000000000000 R12: ffff888144a28000
[ 2.387900][ T1] R13: ffffffff8acde860 R14: ffffffff8acde860 R15: 0000000000000000
[ 2.387900][ T1] ? vprintk+0x8c/0xa0
[ 2.387900][ T1] ? device_release+0x1b5/0x240
[ 2.397826][ T1] kobject_put+0x1c2/0x4d0
[ 2.397826][ T1] device_unregister+0x30/0xc0
[ 2.397826][ T1] platform_bus_init+0x6b/0xa0
[ 2.397826][ T1] driver_init+0x38/0x60
[ 2.397826][ T1] kernel_init_freeable+0x42b/0x900
[ 2.397826][ T1] ? rest_init+0x2b0/0x2b0
[ 2.397826][ T1] kernel_init+0x1e/0x2c0
[ 2.397826][ T1] ? rest_init+0x2b0/0x2b0
[ 2.397826][ T1] ret_from_fork+0x1f/0x30
[ 2.407859][ T1] </TASK>
[ 2.407859][ T1] Rebooting in 86400 seconds..


syzkaller build log:
go env (err=<nil>)
GO111MODULE="auto"
GOARCH="amd64"
GOBIN=""
GOCACHE="/syzkaller/.cache/go-build"
GOENV="/syzkaller/.config/go/env"
GOEXE=""
GOEXPERIMENT=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOINSECURE=""
GOMODCACHE="/syzkaller/jobs-2/linux/gopath/pkg/mod"
GONOPROXY=""
GONOSUMDB=""
GOOS="linux"
GOPATH="/syzkaller/jobs-2/linux/gopath"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/usr/local/go"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/usr/local/go/pkg/tool/linux_amd64"
GOVCS=""
GOVERSION="go1.17"
GCCGO="gccgo"
AR="ar"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD="/syzkaller/jobs-2/linux/gopath/src/github.com/google/syzkaller/go.mod"
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build4151365248=/tmp/go-build -gno-record-gcc-switches"

git status (err=<nil>)
HEAD detached at 9dfcf09cf
nothing to commit, working tree clean


tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:32: run command via tools/syz-env for best compatibility, see:
Makefile:33: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
go list -f '{{.Stale}}' ./sys/syz-sysgen | grep -q false || go install ./sys/syz-sysgen
make .descriptions
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
bin/syz-sysgen
touch .descriptions
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=9dfcf09cf38eb123a007af28c5ee2562718893a0 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20230123-142548'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-fuzzer github.com/google/syzkaller/syz-fuzzer
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=9dfcf09cf38eb123a007af28c5ee2562718893a0 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20230123-142548'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=9dfcf09cf38eb123a007af28c5ee2562718893a0 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20230123-142548'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-stress github.com/google/syzkaller/tools/syz-stress
mkdir -p ./bin/linux_amd64
gcc -o ./bin/linux_amd64/syz-executor executor/executor.cc \
-m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -static-pie -fpermissive -w -DGOOS_linux=1 -DGOARCH_amd64=1 \
-DHOSTGOOS_linux=1 -DGIT_REVISION=\"9dfcf09cf38eb123a007af28c5ee2562718893a0\"


Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=15b247a5480000


Tested on:

commit: 80bd9028 Add linux-next specific files for 20230131
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
kernel config: https://syzkaller.appspot.com/x/.config?x=904dc2f450eaad4a
dashboard link: https://syzkaller.appspot.com/bug?extid=9be7b6c4b696be5d83ef
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=153e4c5d480000

Hillf Danton

Feb 5, 2023, 3:08:21 AM
to syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com
On Sat, 04 Feb 2023 10:11:42 -0800
> syzbot found the following issue on:
>
> HEAD commit: 80bd9028feca Add linux-next specific files for 20230131
> git tree: linux-next
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=151a6d79480000

Check that the parent is valid before creating a new node.
--- x/fs/kernfs/dir.c
+++ y/fs/kernfs/dir.c
@@ -1025,9 +1025,12 @@ struct kernfs_node *kernfs_create_dir_ns
struct kernfs_node *kn;
int rc;

+ if (!atomic_inc_not_zero(&parent->count))
+ return ERR_PTR(-EINVAL);
/* allocate */
kn = kernfs_new_node(parent, name, mode | S_IFDIR,
uid, gid, KERNFS_DIR);
+ kernfs_put(parent);
if (!kn)
return ERR_PTR(-ENOMEM);

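Review bot: `atomic_inc_not_zero(&parent->count)` does not make this path safe. If `parent->count` is already zero the node has been released (or is being released) by `kernfs_put`, so reading `count` here is itself a read of freed memory; the WARNING at fs/kernfs/dir.c:522 that `kernfs_get` raises inside `kernfs_new_node` is only turned into a silent `-EINVAL` for the caller. The trace shows the parent came from `kobject_add_internal` -> `sysfs_create_dir_ns` (the kset fallback the first patch in this thread tried to change), so the check belongs where that parent's lifetime is decided, not in `kernfs_create_dir_ns`, which every sysfs directory creation goes through. Two smaller points: `-EINVAL` is also what the existing name-validation paths return, so the caller cannot tell a dead parent from a bad name; and the `kernfs_put(parent)` is correctly placed before the `!kn` test so the temporary reference is dropped on both paths, which must be kept if the hunk is reworked. The test result syzbot posted for this patch is a `kernel BUG at mm/mmu_gather.c:139` in `dhcpcd-run-hook`, nowhere near the kernfs path, so it neither confirms nor refutes the change.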
--

syzbot

Feb 5, 2023, 3:33:24 AM
to hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
kernel BUG in __tlb_remove_page_size

filemap_readahead mm/filemap.c:2572 [inline]
filemap_get_pages+0x6c5/0x16b0 mm/filemap.c:2612
filemap_read+0x315/0xc00 mm/filemap.c:2690
generic_file_read_iter+0x3ad/0x5b0 mm/filemap.c:2836
ext4_file_read_iter+0x1d9/0x690 fs/ext4/file.c:147
__kernel_read+0x2ca/0x830 fs/read_write.c:428
integrity_kernel_read+0x7f/0xb0 security/integrity/iint.c:199
ima_calc_file_hash_tfm+0x2aa/0x3b0 security/integrity/ima/ima_crypto.c:485
page_owner free stack trace missing
------------[ cut here ]------------
kernel BUG at mm/mmu_gather.c:139!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 5741 Comm: dhcpcd-run-hook Not tainted 6.2.0-rc6-next-20230131-syzkaller-09515-g80bd9028feca-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/12/2023
RIP: 0010:__tlb_remove_page_size+0x24c/0x480 mm/mmu_gather.c:139
Code: 01 00 00 8b 6d 0c e9 e1 fe ff ff e8 8e 62 c1 ff 0f 0b e8 87 62 c1 ff 4c 89 f7 48 c7 c6 00 72 58 8a 48 83 e7 fc e8 64 0b fa ff <0f> 0b e8 6d 62 c1 ff 4c 8d 6b 24 48 b8 00 00 00 00 00 fc ff df 4c
RSP: 0018:ffffc900060c78d8 EFLAGS: 00010293
RAX: 0000000000000000 RBX: ffffc900060c7cd8 RCX: 0000000000000000
RDX: ffff888024319d40 RSI: ffffffff81c353ac RDI: 0000000000000000
RBP: 0000000000000000 R08: 0000000000000001 R09: ffffffff8e74c317
R10: fffffbfff1ce9862 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000001 R14: ffffea0004ff8d00 R15: ffffc900060c7d00
FS: 0000000000000000(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffdc63210f8 CR3: 0000000071dca000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
__tlb_remove_page include/asm-generic/tlb.h:472 [inline]
zap_pte_range mm/memory.c:1416 [inline]
zap_pmd_range mm/memory.c:1536 [inline]
zap_pud_range mm/memory.c:1565 [inline]
zap_p4d_range mm/memory.c:1586 [inline]
unmap_page_range+0x1226/0x3ce0 mm/memory.c:1607
unmap_single_vma+0x194/0x2a0 mm/memory.c:1653
unmap_vmas+0x234/0x380 mm/memory.c:1692
exit_mmap+0x190/0x7d0 mm/mmap.c:3036
__mmput+0x128/0x4c0 kernel/fork.c:1209
mmput+0x60/0x70 kernel/fork.c:1231
exit_mm kernel/exit.c:563 [inline]
do_exit+0x9d7/0x2b60 kernel/exit.c:856
do_group_exit+0xd4/0x2a0 kernel/exit.c:1019
__do_sys_exit_group kernel/exit.c:1030 [inline]
__se_sys_exit_group kernel/exit.c:1028 [inline]
__x64_sys_exit_group+0x3e/0x50 kernel/exit.c:1028
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f36bdf61309
Code: Unable to access opcode bytes at 0x7f36bdf612df.
RSP: 002b:00007ffdc6321008 EFLAGS: 00000202 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 00005598b8ccfe04 RCX: 00007f36bdf61309
RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
RBP: 0000000000000003 R08: ffffffffffffff88 R09: 0000000000000000
R10: 00005598b8ce05f0 R11: 0000000000000202 R12: 00005598b7637070
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:__tlb_remove_page_size+0x24c/0x480 mm/mmu_gather.c:139
Code: 01 00 00 8b 6d 0c e9 e1 fe ff ff e8 8e 62 c1 ff 0f 0b e8 87 62 c1 ff 4c 89 f7 48 c7 c6 00 72 58 8a 48 83 e7 fc e8 64 0b fa ff <0f> 0b e8 6d 62 c1 ff 4c 8d 6b 24 48 b8 00 00 00 00 00 fc ff df 4c
RSP: 0018:ffffc900060c78d8 EFLAGS: 00010293
RAX: 0000000000000000 RBX: ffffc900060c7cd8 RCX: 0000000000000000
RDX: ffff888024319d40 RSI: ffffffff81c353ac RDI: 0000000000000000
RBP: 0000000000000000 R08: 0000000000000001 R09: ffffffff8e74c317
R10: fffffbfff1ce9862 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000001 R14: ffffea0004ff8d00 R15: ffffc900060c7d00
FS: 0000000000000000(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffdc63210f8 CR3: 0000000071dca000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400


Tested on:

commit: 80bd9028 Add linux-next specific files for 20230131
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
console output: https://syzkaller.appspot.com/x/log.txt?x=154f1123480000
kernel config: https://syzkaller.appspot.com/x/.config?x=904dc2f450eaad4a
dashboard link: https://syzkaller.appspot.com/bug?extid=9be7b6c4b696be5d83ef
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=1331cbbb480000

Hillf Danton

Feb 5, 2023, 4:39:57 AM
to syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com
On Sat, 04 Feb 2023 10:11:42 -0800
> syzbot found the following issue on:
>
> HEAD commit: 80bd9028feca Add linux-next specific files for 20230131
> git tree: linux-next
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=151a6d79480000

Check that the parent is valid before creating a new node.

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

--- x/fs/kernfs/dir.c
+++ y/fs/kernfs/dir.c
@@ -1028,9 +1028,12 @@ struct kernfs_node *kernfs_create_dir_ns

syzbot

Feb 5, 2023, 5:10:21 AM
to hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
INFO: rcu detected stall in corrupted

rcu: INFO: rcu_preempt detected expedited stalls on CPUs/tasks: { P5555 } 2647 jiffies s: 2837 root: 0x0/T
rcu: blocking rcu_node structures (internal RCU debug):


Tested on:

commit: 837c07cf Merge tag 'powerpc-6.2-4' of git://git.kernel..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
console output: https://syzkaller.appspot.com/x/log.txt?x=113f785d480000
kernel config: https://syzkaller.appspot.com/x/.config?x=723d250bd16cf869
dashboard link: https://syzkaller.appspot.com/bug?extid=9be7b6c4b696be5d83ef
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=1369cb27480000

syzbot

Jun 7, 2023, 3:32:41 PM
to syzkall...@googlegroups.com
Auto-closing this bug as obsolete.
No recent activity, existing reproducers are no longer triggering the issue.