* [syzbot] KASAN: use-after-free Read in kernfs_next_descendant_post (2)
@ 2021-10-04 12:57 syzbot
  2022-10-20  7:15 ` syzbot
From: syzbot @ 2021-10-04 12:57 UTC (permalink / raw)
  To: gregkh, linux-kernel, syzkaller-bugs, tj

Hello,

syzbot found the following issue on:

HEAD commit:    02d5e016800d Merge tag 'sound-5.15-rc4' of git://git.kerne..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=130eeb90b00000
kernel config:  https://syzkaller.appspot.com/x/.config?x=9290a409049988d4
dashboard link: https://syzkaller.appspot.com/bug?extid=6bc35f3913193fe7f0d3
compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2

Unfortunately, I don't have any reproducer for this issue yet.

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+6bc35f3913193fe7f0d3@syzkaller.appspotmail.com

usb 1-1: Direct firmware load for ueagle-atm/adi930.fw failed with error -2
usb 1-1: Falling back to sysfs fallback for: ueagle-atm/adi930.fw
==================================================================
BUG: KASAN: use-after-free in kernfs_type include/linux/kernfs.h:294 [inline]
BUG: KASAN: use-after-free in kernfs_leftmost_descendant fs/kernfs/dir.c:1218 [inline]
BUG: KASAN: use-after-free in kernfs_next_descendant_post+0x1da/0x290 fs/kernfs/dir.c:1249
Read of size 2 at addr ffff888064de27d8 by task kworker/0:1/7

CPU: 0 PID: 7 Comm: kworker/0:1 Not tainted 5.15.0-rc3-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events request_firmware_work_func
Call Trace:
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
 print_address_description.constprop.0.cold+0x6c/0x309 mm/kasan/report.c:256
 __kasan_report mm/kasan/report.c:442 [inline]
 kasan_report.cold+0x83/0xdf mm/kasan/report.c:459
 kernfs_type include/linux/kernfs.h:294 [inline]
 kernfs_leftmost_descendant fs/kernfs/dir.c:1218 [inline]
 kernfs_next_descendant_post+0x1da/0x290 fs/kernfs/dir.c:1249
 kernfs_activate+0x3a/0x1d0 fs/kernfs/dir.c:1284
 kernfs_add_one+0x368/0x4c0 fs/kernfs/dir.c:766
 kernfs_create_dir_ns+0x18b/0x220 fs/kernfs/dir.c:994
 sysfs_create_dir_ns+0x128/0x290 fs/sysfs/dir.c:59
 create_dir lib/kobject.c:89 [inline]
 kobject_add_internal+0x2d2/0xa60 lib/kobject.c:255
 kobject_add_varg lib/kobject.c:390 [inline]
 kobject_add+0x150/0x1c0 lib/kobject.c:442
 class_dir_create_and_add drivers/base/core.c:2913 [inline]
 get_device_parent+0x3de/0x590 drivers/base/core.c:2968
 device_add+0x2b1/0x21b0 drivers/base/core.c:3280
 fw_load_sysfs_fallback drivers/base/firmware_loader/fallback.c:507 [inline]
 fw_load_from_user_helper drivers/base/firmware_loader/fallback.c:583 [inline]
 firmware_fallback_sysfs+0x408/0xe70 drivers/base/firmware_loader/fallback.c:659
 _request_firmware+0xbb5/0x1040 drivers/base/firmware_loader/main.c:833
 request_firmware_work_func+0xdd/0x230 drivers/base/firmware_loader/main.c:1079
 process_one_work+0x9bf/0x16b0 kernel/workqueue.c:2297
 worker_thread+0x658/0x11f0 kernel/workqueue.c:2444
 kthread+0x3e5/0x4d0 kernel/kthread.c:319
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295

Allocated by task 7:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38
 kasan_set_track mm/kasan/common.c:46 [inline]
 set_alloc_info mm/kasan/common.c:434 [inline]
 __kasan_slab_alloc+0x83/0xb0 mm/kasan/common.c:467
 kasan_slab_alloc include/linux/kasan.h:254 [inline]
 slab_post_alloc_hook mm/slab.h:519 [inline]
 slab_alloc_node mm/slub.c:3206 [inline]
 slab_alloc mm/slub.c:3214 [inline]
 kmem_cache_alloc+0x209/0x390 mm/slub.c:3219
 kmem_cache_zalloc include/linux/slab.h:711 [inline]
 __kernfs_new_node+0xd4/0x8b0 fs/kernfs/dir.c:585
 kernfs_new_node fs/kernfs/dir.c:647 [inline]
 kernfs_create_dir_ns+0x9c/0x220 fs/kernfs/dir.c:984
 sysfs_create_dir_ns+0x128/0x290 fs/sysfs/dir.c:59
 create_dir lib/kobject.c:89 [inline]
 kobject_add_internal+0x2d2/0xa60 lib/kobject.c:255
 kobject_add_varg lib/kobject.c:390 [inline]
 kobject_add+0x150/0x1c0 lib/kobject.c:442
 class_dir_create_and_add drivers/base/core.c:2913 [inline]
 get_device_parent+0x3de/0x590 drivers/base/core.c:2968
 device_add+0x2b1/0x21b0 drivers/base/core.c:3280
 fw_load_sysfs_fallback drivers/base/firmware_loader/fallback.c:507 [inline]
 fw_load_from_user_helper drivers/base/firmware_loader/fallback.c:583 [inline]
 firmware_fallback_sysfs+0x408/0xe70 drivers/base/firmware_loader/fallback.c:659
 _request_firmware+0xbb5/0x1040 drivers/base/firmware_loader/main.c:833
 request_firmware_work_func+0xdd/0x230 drivers/base/firmware_loader/main.c:1079
 process_one_work+0x9bf/0x16b0 kernel/workqueue.c:2297
 worker_thread+0x658/0x11f0 kernel/workqueue.c:2444
 kthread+0x3e5/0x4d0 kernel/kthread.c:319
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295

Freed by task 20913:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38
 kasan_set_track+0x1c/0x30 mm/kasan/common.c:46
 kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:360
 ____kasan_slab_free mm/kasan/common.c:366 [inline]
 ____kasan_slab_free mm/kasan/common.c:328 [inline]
 __kasan_slab_free+0xff/0x130 mm/kasan/common.c:374
 kasan_slab_free include/linux/kasan.h:230 [inline]
 slab_free_hook mm/slub.c:1700 [inline]
 slab_free_freelist_hook+0x81/0x190 mm/slub.c:1725
 slab_free mm/slub.c:3483 [inline]
 kmem_cache_free+0x8a/0x5b0 mm/slub.c:3499
 kernfs_put.part.0+0x2c4/0x540 fs/kernfs/dir.c:539
 kernfs_put+0x42/0x50 fs/kernfs/dir.c:513
 __kernfs_remove+0x727/0xab0 fs/kernfs/dir.c:1360
 kernfs_remove+0x1d/0x30 fs/kernfs/dir.c:1373
 sysfs_remove_dir+0xc1/0x100 fs/sysfs/dir.c:102
 __kobject_del+0xe2/0x200 lib/kobject.c:620
 kobject_del lib/kobject.c:643 [inline]
 kobject_del+0x3c/0x60 lib/kobject.c:635
 device_del+0x834/0xd60 drivers/base/core.c:3558
 usb_disconnect.cold+0x4ba/0x78e drivers/usb/core/hub.c:2251
 hub_port_connect drivers/usb/core/hub.c:5199 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5488 [inline]
 port_event drivers/usb/core/hub.c:5634 [inline]
 hub_event+0x1c9c/0x4330 drivers/usb/core/hub.c:5716
 process_one_work+0x9bf/0x16b0 kernel/workqueue.c:2297
 process_scheduled_works kernel/workqueue.c:2360 [inline]
 worker_thread+0x85c/0x11f0 kernel/workqueue.c:2446
 kthread+0x3e5/0x4d0 kernel/kthread.c:319
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295

The buggy address belongs to the object at ffff888064de2740
 which belongs to the cache kernfs_node_cache of size 168
The buggy address is located 152 bytes inside of
 168-byte region [ffff888064de2740, ffff888064de27e8)
The buggy address belongs to the page:
page:ffffea0001937880 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x64de2
flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000200 dead000000000100 dead000000000122 ffff888010dc5a00
raw: 0000000000000000 0000000080110011 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 6583, ts 177318160712, free_ts 177312628642
 prep_new_page mm/page_alloc.c:2424 [inline]
 get_page_from_freelist+0xa72/0x2f80 mm/page_alloc.c:4153
 __alloc_pages+0x1b2/0x500 mm/page_alloc.c:5375
 alloc_pages+0x1a7/0x300 mm/mempolicy.c:2197
 alloc_slab_page mm/slub.c:1763 [inline]
 allocate_slab mm/slub.c:1900 [inline]
 new_slab+0x319/0x490 mm/slub.c:1963
 ___slab_alloc+0x921/0xfe0 mm/slub.c:2994
 __slab_alloc.constprop.0+0x4d/0xa0 mm/slub.c:3081
 slab_alloc_node mm/slub.c:3172 [inline]
 slab_alloc mm/slub.c:3214 [inline]
 kmem_cache_alloc+0x365/0x390 mm/slub.c:3219
 kmem_cache_zalloc include/linux/slab.h:711 [inline]
 __kernfs_new_node+0xd4/0x8b0 fs/kernfs/dir.c:585
 kernfs_new_node+0x93/0x120 fs/kernfs/dir.c:647
 __kernfs_create_file+0x51/0x350 fs/kernfs/file.c:985
 sysfs_add_file_mode_ns+0x226/0x540 fs/sysfs/file.c:317
 sysfs_merge_group+0x198/0x320 fs/sysfs/group.c:343
 dpm_sysfs_add+0x241/0x290 drivers/base/power/sysfs.c:707
 device_add+0xad8/0x21b0 drivers/base/core.c:3316
 netdev_register_kobject+0x181/0x430 net/core/net-sysfs.c:1955
 register_netdevice+0xd33/0x1500 net/core/dev.c:10299
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1338 [inline]
 free_pcp_prepare+0x2c5/0x780 mm/page_alloc.c:1389
 free_unref_page_prepare mm/page_alloc.c:3315 [inline]
 free_unref_page+0x19/0x690 mm/page_alloc.c:3394
 __vunmap+0x783/0xb70 mm/vmalloc.c:2621
 free_work+0x58/0x70 mm/vmalloc.c:95
 process_one_work+0x9bf/0x16b0 kernel/workqueue.c:2297
 worker_thread+0x658/0x11f0 kernel/workqueue.c:2444
 kthread+0x3e5/0x4d0 kernel/kthread.c:319
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295

Memory state around the buggy address:
 ffff888064de2680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888064de2700: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
>ffff888064de2780: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc
                                                    ^
 ffff888064de2800: fc fc fc fc fc 00 00 00 00 00 00 00 00 00 00 00
 ffff888064de2880: 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc
==================================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.


* Re: [syzbot] KASAN: use-after-free Read in kernfs_next_descendant_post (2)
  2021-10-04 12:57 [syzbot] KASAN: use-after-free Read in kernfs_next_descendant_post (2) syzbot
@ 2022-10-20  7:15 ` syzbot
       [not found]   ` <20221021225228.1750-1-hdanton@sina.com>
From: syzbot @ 2022-10-20  7:15 UTC (permalink / raw)
  To: gregkh, linux-kernel, syzkaller-bugs, tj

syzbot has found a reproducer for the following issue on:

HEAD commit:    55be6084c8e0 Merge tag 'timers-core-2022-10-05' of git://g..
git tree:       upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=1449d53c880000
kernel config:  https://syzkaller.appspot.com/x/.config?x=df75278aabf0681a
dashboard link: https://syzkaller.appspot.com/bug?extid=6bc35f3913193fe7f0d3
compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=14e01c72880000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1128908c880000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/6c791937c012/disk-55be6084.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/cb21a2879b4c/vmlinux-55be6084.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+6bc35f3913193fe7f0d3@syzkaller.appspotmail.com

usb 1-1: Direct firmware load for ueagle-atm/eagleI.fw failed with error -2
usb 1-1: Falling back to sysfs fallback for: ueagle-atm/eagleI.fw
==================================================================
BUG: KASAN: use-after-free in kernfs_type include/linux/kernfs.h:337 [inline]
BUG: KASAN: use-after-free in kernfs_leftmost_descendant fs/kernfs/dir.c:1262 [inline]
BUG: KASAN: use-after-free in kernfs_next_descendant_post+0x22a/0x2f0 fs/kernfs/dir.c:1293
Read of size 2 at addr ffff88814591c180 by task kworker/0:2/140

CPU: 0 PID: 140 Comm: kworker/0:2 Not tainted 6.0.0-syzkaller-09589-g55be6084c8e0 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022
Workqueue: events request_firmware_work_func
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:317 [inline]
 print_report.cold+0x2ba/0x719 mm/kasan/report.c:433
 kasan_report+0xb1/0x1e0 mm/kasan/report.c:495
 kernfs_type include/linux/kernfs.h:337 [inline]
 kernfs_leftmost_descendant fs/kernfs/dir.c:1262 [inline]
 kernfs_next_descendant_post+0x22a/0x2f0 fs/kernfs/dir.c:1293
 kernfs_activate fs/kernfs/dir.c:1344 [inline]
 kernfs_add_one+0x38d/0x4e0 fs/kernfs/dir.c:776
 kernfs_create_dir_ns+0x18b/0x220 fs/kernfs/dir.c:1021
 sysfs_create_dir_ns+0x127/0x290 fs/sysfs/dir.c:59
 create_dir lib/kobject.c:63 [inline]
 kobject_add_internal+0x2c9/0x8f0 lib/kobject.c:223
 kobject_add_varg lib/kobject.c:358 [inline]
 kobject_add+0x150/0x1c0 lib/kobject.c:410
 class_dir_create_and_add drivers/base/core.c:3054 [inline]
 get_device_parent+0x3d7/0x590 drivers/base/core.c:3109
 device_add+0x2aa/0x1e90 drivers/base/core.c:3438
 fw_load_sysfs_fallback drivers/base/firmware_loader/fallback.c:82 [inline]
 fw_load_from_user_helper drivers/base/firmware_loader/fallback.c:158 [inline]
 firmware_fallback_sysfs+0x2d5/0xba0 drivers/base/firmware_loader/fallback.c:234
 _request_firmware+0xbca/0x1190 drivers/base/firmware_loader/main.c:856
 request_firmware_work_func+0xdd/0x230 drivers/base/firmware_loader/main.c:1105
 process_one_work+0x991/0x1610 kernel/workqueue.c:2289
 worker_thread+0x665/0x1080 kernel/workqueue.c:2436
 kthread+0x2e4/0x3a0 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306
 </TASK>

Allocated by task 140:
 kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
 kasan_set_track mm/kasan/common.c:45 [inline]
 set_alloc_info mm/kasan/common.c:437 [inline]
 __kasan_slab_alloc+0x90/0xc0 mm/kasan/common.c:470
 kasan_slab_alloc include/linux/kasan.h:224 [inline]
 slab_post_alloc_hook mm/slab.h:727 [inline]
 slab_alloc_node mm/slub.c:3248 [inline]
 slab_alloc mm/slub.c:3256 [inline]
 __kmem_cache_alloc_lru mm/slub.c:3263 [inline]
 kmem_cache_alloc+0x267/0x3b0 mm/slub.c:3273
 kmem_cache_zalloc include/linux/slab.h:723 [inline]
 __kernfs_new_node+0xd4/0x8b0 fs/kernfs/dir.c:603
 kernfs_new_node fs/kernfs/dir.c:665 [inline]
 kernfs_create_dir_ns+0x9c/0x220 fs/kernfs/dir.c:1011
 sysfs_create_dir_ns+0x127/0x290 fs/sysfs/dir.c:59
 create_dir lib/kobject.c:63 [inline]
 kobject_add_internal+0x2c9/0x8f0 lib/kobject.c:223
 kobject_add_varg lib/kobject.c:358 [inline]
 kobject_add+0x150/0x1c0 lib/kobject.c:410
 class_dir_create_and_add drivers/base/core.c:3054 [inline]
 get_device_parent+0x3d7/0x590 drivers/base/core.c:3109
 device_add+0x2aa/0x1e90 drivers/base/core.c:3438
 fw_load_sysfs_fallback drivers/base/firmware_loader/fallback.c:82 [inline]
 fw_load_from_user_helper drivers/base/firmware_loader/fallback.c:158 [inline]
 firmware_fallback_sysfs+0x2d5/0xba0 drivers/base/firmware_loader/fallback.c:234
 _request_firmware+0xbca/0x1190 drivers/base/firmware_loader/main.c:856
 request_firmware_work_func+0xdd/0x230 drivers/base/firmware_loader/main.c:1105
 process_one_work+0x991/0x1610 kernel/workqueue.c:2289
 worker_thread+0x665/0x1080 kernel/workqueue.c:2436
 kthread+0x2e4/0x3a0 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306

Freed by task 2933:
 kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
 kasan_set_track+0x21/0x30 mm/kasan/common.c:45
 kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:370
 ____kasan_slab_free mm/kasan/common.c:367 [inline]
 ____kasan_slab_free+0x166/0x1c0 mm/kasan/common.c:329
 kasan_slab_free include/linux/kasan.h:200 [inline]
 slab_free_hook mm/slub.c:1759 [inline]
 slab_free_freelist_hook+0x8b/0x1c0 mm/slub.c:1785
 slab_free mm/slub.c:3539 [inline]
 kmem_cache_free+0xeb/0x5b0 mm/slub.c:3556
 kernfs_put.part.0+0x2c4/0x540 fs/kernfs/dir.c:557
 kernfs_put+0x42/0x50 fs/kernfs/dir.c:531
 __kernfs_remove+0x463/0x600 fs/kernfs/dir.c:1443
 kernfs_remove+0x77/0xa0 fs/kernfs/dir.c:1463
 sysfs_remove_dir+0xc1/0x100 fs/sysfs/dir.c:101
 __kobject_del+0xe2/0x1f0 lib/kobject.c:588
 kobject_del lib/kobject.c:611 [inline]
 kobject_del+0x3c/0x60 lib/kobject.c:603
 device_del+0x81c/0xc80 drivers/base/core.c:3715
 usb_disconnect.cold+0x49b/0x6ed drivers/usb/core/hub.c:2261
 hub_port_connect drivers/usb/core/hub.c:5197 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5497 [inline]
 port_event drivers/usb/core/hub.c:5653 [inline]
 hub_event+0x1f86/0x45e0 drivers/usb/core/hub.c:5735
 process_one_work+0x991/0x1610 kernel/workqueue.c:2289
 process_scheduled_works kernel/workqueue.c:2352 [inline]
 worker_thread+0x854/0x1080 kernel/workqueue.c:2438
 kthread+0x2e4/0x3a0 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306

The buggy address belongs to the object at ffff88814591c0e8
 which belongs to the cache kernfs_node_cache of size 168
The buggy address is located 152 bytes inside of
 168-byte region [ffff88814591c0e8, ffff88814591c190)

The buggy address belongs to the physical page:
page:ffffea0005164700 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x14591c
flags: 0x57ff00000000200(slab|node=1|zone=2|lastcpupid=0x7ff)
raw: 057ff00000000200 0000000000000000 dead000000000001 ffff8880119dbb40
raw: 0000000000000000 0000000080110011 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 1, tgid 1 (swapper/0), ts 1564996231, free_ts 0
 prep_new_page mm/page_alloc.c:2532 [inline]
 get_page_from_freelist+0x109b/0x2ce0 mm/page_alloc.c:4283
 __alloc_pages+0x1c7/0x510 mm/page_alloc.c:5549
 alloc_page_interleave+0x1e/0x200 mm/mempolicy.c:2103
 alloc_pages+0x22f/0x270 mm/mempolicy.c:2265
 alloc_slab_page mm/slub.c:1829 [inline]
 allocate_slab+0x27e/0x3d0 mm/slub.c:1974
 new_slab mm/slub.c:2034 [inline]
 ___slab_alloc+0x84f/0xe80 mm/slub.c:3036
 __slab_alloc.constprop.0+0x4d/0xa0 mm/slub.c:3123
 slab_alloc_node mm/slub.c:3214 [inline]
 slab_alloc mm/slub.c:3256 [inline]
 __kmem_cache_alloc_lru mm/slub.c:3263 [inline]
 kmem_cache_alloc+0x38c/0x3b0 mm/slub.c:3273
 kmem_cache_zalloc include/linux/slab.h:723 [inline]
 __kernfs_new_node+0xd4/0x8b0 fs/kernfs/dir.c:603
 kernfs_new_node+0x93/0x120 fs/kernfs/dir.c:665
 __kernfs_create_file+0x51/0x350 fs/kernfs/file.c:1043
 sysfs_add_file_mode_ns+0x20f/0x3f0 fs/sysfs/file.c:294
 create_files fs/sysfs/group.c:64 [inline]
 internal_create_group+0x322/0xb10 fs/sysfs/group.c:148
 kernel_add_sysfs_param kernel/params.c:814 [inline]
 param_sysfs_builtin kernel/params.c:851 [inline]
 param_sysfs_init+0x342/0x43b kernel/params.c:970
 do_one_initcall+0xfe/0x650 init/main.c:1296
 do_initcall_level init/main.c:1369 [inline]
 do_initcalls init/main.c:1385 [inline]
 do_basic_setup init/main.c:1404 [inline]
 kernel_init_freeable+0x6b1/0x73a init/main.c:1623
page_owner free stack trace missing

Memory state around the buggy address:
 ffff88814591c080: fb fb fb fb fb fc fc fc fc fc fc fc fc fa fb fb
 ffff88814591c100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88814591c180: fb fb fc fc fc fc fc fc fc fc fa fb fb fb fb fb
                   ^
 ffff88814591c200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc
 ffff88814591c280: fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb fb
==================================================================



* Re: [syzbot] KASAN: use-after-free Read in kernfs_next_descendant_post (2)
       [not found]   ` <20221021225228.1750-1-hdanton@sina.com>
@ 2022-10-22  6:55     ` syzbot
  2022-10-31 22:53     ` Tejun Heo
From: syzbot @ 2022-10-22  6:55 UTC (permalink / raw)
  To: hdanton, linux-kernel, syzkaller-bugs, tj

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+6bc35f3913193fe7f0d3@syzkaller.appspotmail.com

Tested on:

commit:         aae703b0 Merge tag 'for-6.1-rc1-tag' of git://git.kern..
git tree:       https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=17242776880000
kernel config:  https://syzkaller.appspot.com/x/.config?x=ea03ca45176080bc
dashboard link: https://syzkaller.appspot.com/bug?extid=6bc35f3913193fe7f0d3
compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch:          https://syzkaller.appspot.com/x/patch.diff?x=1223c16a880000

Note: testing is done by a robot and is best-effort only.


* Re: [syzbot] KASAN: use-after-free Read in kernfs_next_descendant_post (2)
       [not found]   ` <20221021225228.1750-1-hdanton@sina.com>
  2022-10-22  6:55     ` syzbot
@ 2022-10-31 22:53     ` Tejun Heo
  2022-11-14 17:34       ` Luis Chamberlain
From: Tejun Heo @ 2022-10-31 22:53 UTC (permalink / raw)
  To: Hillf Danton; +Cc: syzbot, linux-kernel, syzkaller-bugs, Luis R. Rodriguez

(cc'ing Luis for firmware loader and quoting the whole body)

On Sat, Oct 22, 2022 at 06:52:28AM +0800, Hillf Danton wrote:
> On 20 Oct 2022 00:15:40 -0700
> > syzbot has found a reproducer for the following issue on:
> > 
> > HEAD commit:    55be6084c8e0 Merge tag 'timers-core-2022-10-05' of git://g..
> > git tree:       upstream
> > console+strace: https://syzkaller.appspot.com/x/log.txt?x=1449d53c880000
> > kernel config:  https://syzkaller.appspot.com/x/.config?x=df75278aabf0681a
> > dashboard link: https://syzkaller.appspot.com/bug?extid=6bc35f3913193fe7f0d3
> > compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
> > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=14e01c72880000
> > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1128908c880000
> 
> See if the change to ueagle driver alone can survive syzbot test.
> 
> #syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git  aae703b02f92
> 
> --- a/include/linux/netdevice.h
> +++ b/include/linux/netdevice.h
> @@ -3663,8 +3663,9 @@ static inline bool netif_attr_test_online(unsigned long j,
>  static inline unsigned int netif_attrmask_next(int n, const unsigned long *srcp,
>  					       unsigned int nr_bits)
>  {
> -	/* n is a prior cpu */
> -	cpu_max_bits_warn(n + 1, nr_bits);
> +	/* -1 is a legal arg here. */
> +	if (n != -1)
> +		cpu_max_bits_warn(n, nr_bits);
>  
>  	if (srcp)
>  		return find_next_bit(srcp, nr_bits, n + 1);
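Review bot: this include/linux/netdevice.h hunk is unrelated to the ueagle-atm use-after-free the thread is about, and the cover text says only the ueagle driver change is being tested, so it belongs in a separate patch with its own justification. The hunk also moves the argument of the bounds check from `n + 1` to `n` and excludes `-1` explicitly, which changes the boundary case that warns; the commit message should say why.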
> @@ -3685,8 +3686,9 @@ static inline int netif_attrmask_next_and(int n, const unsigned long *src1p,
>  					  const unsigned long *src2p,
>  					  unsigned int nr_bits)
>  {
> -	/* n is a prior cpu */
> -	cpu_max_bits_warn(n + 1, nr_bits);
> +	/* -1 is a legal arg here. */
> +	if (n != -1)
> +		cpu_max_bits_warn(n, nr_bits);
>  
>  	if (src1p && src2p)
>  		return find_next_and_bit(src1p, src2p, nr_bits, n + 1);
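Review bot: same point as the netif_attrmask_next() hunk above: the `n + 1` to `n` change in cpu_max_bits_warn() with the new `n != -1` exclusion is unrelated to the reported bug and should travel with that hunk in its own patch, with one sentence on why the previous boundary was wrong.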
> --- a/drivers/usb/atm/ueagle-atm.c
> +++ b/drivers/usb/atm/ueagle-atm.c
> @@ -597,9 +597,8 @@ static int uea_send_modem_cmd(struct usb
>  }
>  
>  static void uea_upload_pre_firmware(const struct firmware *fw_entry,
> -								void *context)
> +					struct usb_device *usb)
>  {
> -	struct usb_device *usb = context;
>  	const u8 *pfw;
>  	u8 value;
>  	u32 crc = 0;
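Review bot: replacing `void *context` with `struct usb_device *usb` means uea_upload_pre_firmware() no longer matches the request_firmware_nowait() completion callback signature, so any other site that still passes it as a callback will fail to build; please confirm this hunk and the caller hunk below are the only users. Since the caller now holds the `fw` pointer, also confirm which side releases `fw_entry` on every exit path (not visible in this hunk) and add a comment above the function saying it is now called synchronously.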
> @@ -679,6 +678,7 @@ static int uea_load_firmware(struct usb_
>  {
>  	int ret;
>  	char *fw_name = EAGLE_FIRMWARE;
> +	const struct firmware *fw;
>  
>  	uea_enters(usb);
>  	uea_info(usb, "pre-firmware device, uploading firmware\n");
> @@ -701,13 +701,13 @@ static int uea_load_firmware(struct usb_
>  		break;
>  	}
>  
> -	ret = request_firmware_nowait(THIS_MODULE, 1, fw_name, &usb->dev,
> -					GFP_KERNEL, usb,
> -					uea_upload_pre_firmware);
> +	ret = request_firmware(&fw, fw_name, &usb->dev);
>  	if (ret)
>  		uea_err(usb, "firmware %s is not available\n", fw_name);
> -	else
> +	else {
>  		uea_info(usb, "loading firmware %s\n", fw_name);
> +		uea_upload_pre_firmware(fw, usb);
> +	}
>  
>  	uea_leaves(usb);
>  	return ret;
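Review bot: switching to synchronous request_firmware() makes uea_load_firmware() block until the load completes, including the sysfs fallback path (`firmware_fallback_sysfs` in the reported trace) that waits on userspace, so if this runs from probe the probe is stalled for the whole fallback timeout; state in the commit message that this is acceptable for the driver. It also sidesteps the race for this one driver only: the freed kernfs node in the report is reached from the loader's own work item, so any other request_firmware_nowait() user disconnected at the same point has the same problem. Style: with the `else` branch now braced, kernel style wants braces on the `if (ret)` branch as well.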

So, the problem is that while request_firmware_nowait() inc's the ref on the
device, if the device gets removed later, having a ref isn't sufficient for
adding stuff to the device. A relatively easy solution would be putting
these firmware load work items into its own workqueue and flushing it on
device removal path. Luis, what do you think?

Thanks.

-- 
tejun

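Tejun's point above, modelled as an added user-space C program (constructed for this page, not code from the thread, the kernel, or the ueagle driver): a device reference keeps the struct alive but not its sysfs registration, and flushing a driver-owned firmware workqueue before device_del() closes the window in which the deferred load runs against a removed device. The type and function names (model_device, model_wq, run_disconnect, and the get_device/device_del stand-ins) are assumptions of the model.

```c
/* Constructed user-space model, not kernel code: a get_device() reference
 * keeps the struct alive, but device_del() still tears down the sysfs tree,
 * so a deferred firmware load that adds a child device afterwards acts on a
 * removed parent. Names mirror the kernel API but are stand-ins. */
#include <stdbool.h>

#define ENODEV 19
#define MAX_WORK 8

enum dev_state { DEV_INIT, DEV_ADDED, DEV_DELETED };

struct model_device {
	int refcount;		/* changed only by get_device()/put_device() */
	enum dev_state state;	/* changed only by device_add()/device_del() */
};

struct fw_work {
	struct model_device *dev;
	int result;		/* what the deferred load returned */
};

/* Driver-private workqueue: what the proposal flushes on removal. */
struct model_wq {
	struct fw_work *items[MAX_WORK];
	int n;
};

/* Deferred load's return value and the refcount seen when device_del() ran. */
struct outcome {
	int result;
	int refs_during_del;
};

static struct model_device *get_device(struct model_device *d)
{
	d->refcount++;
	return d;
}

static void put_device(struct model_device *d) { d->refcount--; }

static void device_add(struct model_device *d) { d->state = DEV_ADDED; }

/* Unregister: memory stays while refcount > 0, but the kernfs nodes below
 * the device are gone regardless of how many references are held. */
static void device_del(struct model_device *d) { d->state = DEV_DELETED; }

/* Stand-in for fw_load_sysfs_fallback(): adding the firmware child is only
 * valid while the parent is registered. The real kernel has no such check
 * and walked the freed kernfs node, which is what KASAN reported. */
static int fw_load_sysfs_fallback(const struct model_device *parent)
{
	return parent->state == DEV_ADDED ? 0 : -ENODEV;
}

static void request_firmware_work_func(struct fw_work *w)
{
	w->result = fw_load_sysfs_fallback(w->dev);
	put_device(w->dev);	/* drop the ref taken when the work was queued */
}

static int request_firmware_nowait(struct model_wq *wq,
				   struct model_device *dev, struct fw_work *w)
{
	if (wq->n >= MAX_WORK)
		return -1;
	w->dev = get_device(dev);
	w->result = 0;
	wq->items[wq->n++] = w;
	return 0;
}

/* Run every pending item to completion, as flush_workqueue() guarantees. */
static void flush_workqueue(struct model_wq *wq)
{
	for (int i = 0; i < wq->n; i++)
		request_firmware_work_func(wq->items[i]);
	wq->n = 0;
}

/* flush_before_del=false: today's ordering, the load sits on a shared queue,
 * the USB device is disconnected, and only then does the stale item run.
 * flush_before_del=true: the proposal, the driver's removal path flushes
 * its own firmware queue before device_del(). */
static struct outcome run_disconnect(bool flush_before_del)
{
	struct model_device dev = { 1, DEV_INIT };
	struct model_wq wq = { { 0 }, 0 };
	struct fw_work w;
	struct outcome o;

	device_add(&dev);
	request_firmware_nowait(&wq, &dev, &w);
	if (flush_before_del)
		flush_workqueue(&wq);
	device_del(&dev);			/* usb_disconnect() path */
	o.refs_during_del = dev.refcount;	/* 2 unflushed: ref did not block removal */
	flush_workqueue(&wq);			/* no-op if already flushed */
	o.result = w.result;			/* -ENODEV unflushed, 0 flushed */
	return o;
}
```

Call run_disconnect(false) and run_disconnect(true) from a main() to compare the two orderings: the unflushed run still holds two references at device_del() time yet the deferred load fails, while the flushed run completes the load before removal.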

* Re: [syzbot] KASAN: use-after-free Read in kernfs_next_descendant_post (2)
  2022-10-31 22:53     ` Tejun Heo
@ 2022-11-14 17:34       ` Luis Chamberlain
  2022-11-14 18:07         ` Dmitry Torokhov
  2022-11-15  6:27         ` Dmitry Vyukov
From: Luis Chamberlain @ 2022-11-14 17:34 UTC (permalink / raw)
  To: Tejun Heo, Matthieu Castet, Stanislaw Gruszka, dmitry.torokhov, ming.lei
  Cc: Hillf Danton, syzbot, linux-kernel, syzkaller-bugs, mcgrof

On Mon, Oct 31, 2022 at 12:53:00PM -1000, Tejun Heo wrote:
> (cc'ing Luis for firmware loader and quoting the whole body)
> 
> On Sat, Oct 22, 2022 at 06:52:28AM +0800, Hillf Danton wrote:
> > On 20 Oct 2022 00:15:40 -0700
> > > syzbot has found a reproducer for the following issue on:
> > > 
> > > HEAD commit:    55be6084c8e0 Merge tag 'timers-core-2022-10-05' of git://g..
> > > git tree:       upstream
> > > console+strace: https://syzkaller.appspot.com/x/log.txt?x=1449d53c880000
> > > kernel config:  https://syzkaller.appspot.com/x/.config?x=df75278aabf0681a
> > > dashboard link: https://syzkaller.appspot.com/bug?extid=6bc35f3913193fe7f0d3
> > > compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
> > > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=14e01c72880000
> > > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1128908c880000
> > 
> > See if the change to ueagle driver alone can survive syzbot test.
> > 
> > #syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git  aae703b02f92
> > 
> > --- a/include/linux/netdevice.h
> > +++ b/include/linux/netdevice.h
> > @@ -3663,8 +3663,9 @@ static inline bool netif_attr_test_online(unsigned long j,
> >  static inline unsigned int netif_attrmask_next(int n, const unsigned long *srcp,
> >  					       unsigned int nr_bits)
> >  {
> > -	/* n is a prior cpu */
> > -	cpu_max_bits_warn(n + 1, nr_bits);
> > +	/* -1 is a legal arg here. */
> > +	if (n != -1)
> > +		cpu_max_bits_warn(n, nr_bits);
> >  
> >  	if (srcp)
> >  		return find_next_bit(srcp, nr_bits, n + 1);
> > @@ -3685,8 +3686,9 @@ static inline int netif_attrmask_next_and(int n, const unsigned long *src1p,
> >  					  const unsigned long *src2p,
> >  					  unsigned int nr_bits)
> >  {
> > -	/* n is a prior cpu */
> > -	cpu_max_bits_warn(n + 1, nr_bits);
> > +	/* -1 is a legal arg here. */
> > +	if (n != -1)
> > +		cpu_max_bits_warn(n, nr_bits);
> >  
> >  	if (src1p && src2p)
> >  		return find_next_and_bit(src1p, src2p, nr_bits, n + 1);
> > --- a/drivers/usb/atm/ueagle-atm.c
> > +++ b/drivers/usb/atm/ueagle-atm.c
> > @@ -597,9 +597,8 @@ static int uea_send_modem_cmd(struct usb
> >  }
> >  
> >  static void uea_upload_pre_firmware(const struct firmware *fw_entry,
> > -								void *context)
> > +					struct usb_device *usb)
> >  {
> > -	struct usb_device *usb = context;
> >  	const u8 *pfw;
> >  	u8 value;
> >  	u32 crc = 0;
> > @@ -679,6 +678,7 @@ static int uea_load_firmware(struct usb_
> >  {
> >  	int ret;
> >  	char *fw_name = EAGLE_FIRMWARE;
> > +	const struct firmware *fw;
> >  
> >  	uea_enters(usb);
> >  	uea_info(usb, "pre-firmware device, uploading firmware\n");
> > @@ -701,13 +701,13 @@ static int uea_load_firmware(struct usb_
> >  		break;
> >  	}
> >  
> > -	ret = request_firmware_nowait(THIS_MODULE, 1, fw_name, &usb->dev,
> > -					GFP_KERNEL, usb,
> > -					uea_upload_pre_firmware);
> > +	ret = request_firmware(&fw, fw_name, &usb->dev);
> >  	if (ret)
> >  		uea_err(usb, "firmware %s is not available\n", fw_name);
> > -	else
> > +	else {
> >  		uea_info(usb, "loading firmware %s\n", fw_name);
> > +		uea_upload_pre_firmware(fw, usb);
> > +	}
> >  
> >  	uea_leaves(usb);
> >  	return ret;
> 
> So, the problem is that while request_firmware_nowait() inc's the ref on the
> device, if the device gets removed later, having a ref isn't sufficient for
> adding stuff to the device. A relatively easy solution would be putting
> these firmware load work items into its own workqueue and flushing it on
> device removal path. Luis, what do you think?

Since we *can* remove a device after we get a module reference and
since fw_cache_is_setup() tries to use the device before get_device()
(even though this is not the issue reported), I think perhaps the fix
below may be generic and best. It would seem this 2After doing this, I considered simply
removing the try_module_get() but a module which is not responsible for
creating a device is allowed to request firmware for an arbitrary
device, and so that simplification should not be possible. This would
fix 0cfc1e1e7b534 ("firmware loader: fix device lifetime") since v3.7
but as that commit mentions, there were issues even prior to this get_device()
and so this fix is the proper solution to the reported issue in that
commit. This issue would then date back to f8a4bd3456b98 ("firmware
loader: embed device into firmware_priv structure") since v2.6.36.

Please re-test and let me know if this fixes the issue reported.

diff --git a/drivers/base/firmware_loader/main.c b/drivers/base/firmware_loader/main.c
index 7c3590fd97c2..177d5767ad3b 100644
--- a/drivers/base/firmware_loader/main.c
+++ b/drivers/base/firmware_loader/main.c
@@ -1141,18 +1141,20 @@ request_firmware_nowait(
 	const char *name, struct device *device, gfp_t gfp, void *context,
 	void (*cont)(const struct firmware *fw, void *context))
 {
+	int err = -ENOMEM;
 	struct firmware_work *fw_work;
 
+	if (get_device(device))
+		return -ENODEV;
+
 	fw_work = kzalloc(sizeof(struct firmware_work), gfp);
 	if (!fw_work)
-		return -ENOMEM;
+		goto err_out;
 
 	fw_work->module = module;
 	fw_work->name = kstrdup_const(name, gfp);
-	if (!fw_work->name) {
-		kfree(fw_work);
-		return -ENOMEM;
-	}
+	if (!fw_work->name)
+		goto err_out_free_work;
 	fw_work->device = device;
 	fw_work->context = context;
 	fw_work->cont = cont;
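Review bot: the new early check is inverted: get_device() returns the device pointer (NULL only when handed NULL), so `if (get_device(device)) return -ENODEV;` fails every caller that successfully took the reference and only continues when `device` is NULL; it should read `if (!get_device(device))`. Separately, taking the reference earlier does not address the failure in the report: as Tejun noted above, the reference keeps the struct alive but does not stop device_del() from tearing down its sysfs tree before the queued work runs, so the work item still needs to be flushed or to check for removal before calling device_add().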
@@ -1160,21 +1162,26 @@ request_firmware_nowait(
 		(uevent ? FW_OPT_UEVENT : FW_OPT_USERHELPER);
 
 	if (!uevent && fw_cache_is_setup(device, name)) {
-		kfree_const(fw_work->name);
-		kfree(fw_work);
-		return -EOPNOTSUPP;
+		err = -EOPNOTSUPP;
+		goto err_out_free_name;
 	}
 
 	if (!try_module_get(module)) {
-		kfree_const(fw_work->name);
-		kfree(fw_work);
-		return -EFAULT;
+		err = -EFAULT;
+		goto err_out_free_name;
 	}
 
-	get_device(fw_work->device);
 	INIT_WORK(&fw_work->work, request_firmware_work_func);
 	schedule_work(&fw_work->work);
 	return 0;
+
+err_out_free_name:
+	kfree_const(fw_work->name);
+err_out_free_work:
+	kfree(fw_work);
+err_out:
+	put_device(device);
+	return err;
 }
 EXPORT_SYMBOL(request_firmware_nowait);
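Review bot: the `err_out` label's put_device() balances the reference now taken at function entry and the removed `get_device(fw_work->device)` on the success path; the success path therefore hands that reference to the work item, so request_firmware_work_func() must be the one to drop it (not visible in this hunk, worth confirming in the commit message). While this block is being restructured, the pre-existing `err = -EFAULT` for a failed try_module_get() is a misleading errno for "module going away" and would be clearer as -ENODEV or -ENOENT.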
 


* Re: [syzbot] KASAN: use-after-free Read in kernfs_next_descendant_post (2)
  2022-11-14 17:34       ` Luis Chamberlain
@ 2022-11-14 18:07         ` Dmitry Torokhov
  2022-11-15 19:35           ` Luis Chamberlain
  2022-11-15  6:27         ` Dmitry Vyukov
From: Dmitry Torokhov @ 2022-11-14 18:07 UTC (permalink / raw)
  To: Luis Chamberlain
  Cc: Tejun Heo, Matthieu Castet, Stanislaw Gruszka, ming.lei,
	Hillf Danton, syzbot, linux-kernel, syzkaller-bugs

On Mon, Nov 14, 2022 at 09:34:16AM -0800, Luis Chamberlain wrote:
> On Mon, Oct 31, 2022 at 12:53:00PM -1000, Tejun Heo wrote:
> > (cc'ing Luis for firmware loader and quoting the whole body)
> > 
> > On Sat, Oct 22, 2022 at 06:52:28AM +0800, Hillf Danton wrote:
> > > On 20 Oct 2022 00:15:40 -0700
> > > > syzbot has found a reproducer for the following issue on:
> > > > 
> > > > HEAD commit:    55be6084c8e0 Merge tag 'timers-core-2022-10-05' of git://g..
> > > > git tree:       upstream
> > > > console+strace: https://syzkaller.appspot.com/x/log.txt?x=1449d53c880000
> > > > kernel config:  https://syzkaller.appspot.com/x/.config?x=df75278aabf0681a
> > > > dashboard link: https://syzkaller.appspot.com/bug?extid=6bc35f3913193fe7f0d3
> > > > compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
> > > > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=14e01c72880000
> > > > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1128908c880000
> > > 
> > > See if the change to ueagle driver alone can survive syzbot test.
> > > 
> > > #syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git  aae703b02f92
> > > 
> > > --- a/include/linux/netdevice.h
> > > +++ b/include/linux/netdevice.h
> > > @@ -3663,8 +3663,9 @@ static inline bool netif_attr_test_online(unsigned long j,
> > >  static inline unsigned int netif_attrmask_next(int n, const unsigned long *srcp,
> > >  					       unsigned int nr_bits)
> > >  {
> > > -	/* n is a prior cpu */
> > > -	cpu_max_bits_warn(n + 1, nr_bits);
> > > +	/* -1 is a legal arg here. */
> > > +	if (n != -1)
> > > +		cpu_max_bits_warn(n, nr_bits);
> > >  
> > >  	if (srcp)
> > >  		return find_next_bit(srcp, nr_bits, n + 1);
> > > @@ -3685,8 +3686,9 @@ static inline int netif_attrmask_next_and(int n, const unsigned long *src1p,
> > >  					  const unsigned long *src2p,
> > >  					  unsigned int nr_bits)
> > >  {
> > > -	/* n is a prior cpu */
> > > -	cpu_max_bits_warn(n + 1, nr_bits);
> > > +	/* -1 is a legal arg here. */
> > > +	if (n != -1)
> > > +		cpu_max_bits_warn(n, nr_bits);
> > >  
> > >  	if (src1p && src2p)
> > >  		return find_next_and_bit(src1p, src2p, nr_bits, n + 1);
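Review bot: the two include/linux/netdevice.h hunks are unrelated to the firmware-loader lifetime problem this test is about and belong in a separate patch; they also change what is checked, since `cpu_max_bits_warn(n + 1, nr_bits)` warned for n == nr_bits - 1 while `cpu_max_bits_warn(n, nr_bits)` guarded by `if (n != -1)` does not, so that separate patch should state in its message that n + 1 == nr_bits (find_next_bit() simply returns nr_bits) is now intentionally accepted.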
> > > --- a/drivers/usb/atm/ueagle-atm.c
> > > +++ b/drivers/usb/atm/ueagle-atm.c
> > > @@ -597,9 +597,8 @@ static int uea_send_modem_cmd(struct usb
> > >  }
> > >  
> > >  static void uea_upload_pre_firmware(const struct firmware *fw_entry,
> > > -								void *context)
> > > +					struct usb_device *usb)
> > >  {
> > > -	struct usb_device *usb = context;
> > >  	const u8 *pfw;
> > >  	u8 value;
> > >  	u32 crc = 0;
> > > @@ -679,6 +678,7 @@ static int uea_load_firmware(struct usb_
> > >  {
> > >  	int ret;
> > >  	char *fw_name = EAGLE_FIRMWARE;
> > > +	const struct firmware *fw;
> > >  
> > >  	uea_enters(usb);
> > >  	uea_info(usb, "pre-firmware device, uploading firmware\n");
> > > @@ -701,13 +701,13 @@ static int uea_load_firmware(struct usb_
> > >  		break;
> > >  	}
> > >  
> > > -	ret = request_firmware_nowait(THIS_MODULE, 1, fw_name, &usb->dev,
> > > -					GFP_KERNEL, usb,
> > > -					uea_upload_pre_firmware);
> > > +	ret = request_firmware(&fw, fw_name, &usb->dev);
> > >  	if (ret)
> > >  		uea_err(usb, "firmware %s is not available\n", fw_name);
> > > -	else
> > > +	else {
> > >  		uea_info(usb, "loading firmware %s\n", fw_name);
> > > +		uea_upload_pre_firmware(fw, usb);
> > > +	}
> > >  
> > >  	uea_leaves(usb);
> > >  	return ret;
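Review bot: after `ret = request_firmware(&fw, fw_name, &usb->dev);` the driver owns the firmware buffer, and the hunk shows no `release_firmware(fw)` after `uea_upload_pre_firmware(fw, usb);`; either confirm that uea_upload_pre_firmware() still releases `fw_entry` itself, as it had to when it was the asynchronous callback, or add the release here. Making the request synchronous also means uea_load_firmware(), and so the probe path, now blocks for the whole request including any sysfs-fallback wait, which the commit message should say.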
> > 
> > So, the problem is that while request_firmware_nowait() inc's the ref on the
> > device, if the device gets removed later, having a ref isn't sufficient for
> > adding stuff to the device. A relatively easy solution would be putting
> > these firmware load work items into its own workqueue and flushing it on
> > device removal path. Luis, what do you think?
> 
> Since we *can* remove a device after we get a module reference and
> since fw_cache_is_setup() tries to use the device before get_device()
> (even though this is not the issue reported), I think perhaps the fix
> below may be generic and best.

I do not see how moving the point where we acquire the device refcount
around fixes anything. The caller of request_firmware_nowait() is supposed
to have a valid reference to the device object and it is supposed to stay
valid for the entire duration of request_firmware_nowait(). Grabbing
an extra reference only matters if the device (or other refcounted
structure) is being passed to another thread of execution.

I think what Tejun is saying is the only way to fix this. Similarly to
work struct, where users are supposed to call cancel_work_sync() during
teardown, users of request_firmware_nowait() need to wait for it to
complete before continuing with tearing down the instance. See for
example the ims-pcu driver, where it tries to request firmware asynchronously
when it finds the device in bootloader mode, and waits for its
completion when handling device disconnect:

https://elixir.bootlin.com/linux/v6.1-rc3/source/drivers/input/misc/ims-pcu.c#L1978

Thanks.

-- 
Dmitry

^ permalink raw reply	[flat|nested] 15+ messages in thread

* Re: [syzbot] KASAN: use-after-free Read in kernfs_next_descendant_post (2)
  2022-11-14 17:34       ` Luis Chamberlain
  2022-11-14 18:07         ` Dmitry Torokhov
@ 2022-11-15  6:27         ` Dmitry Vyukov
  1 sibling, 0 replies; 15+ messages in thread
From: Dmitry Vyukov @ 2022-11-15  6:27 UTC (permalink / raw)
  To: Luis Chamberlain
  Cc: Tejun Heo, Matthieu Castet, Stanislaw Gruszka, dmitry.torokhov,
	ming.lei, Hillf Danton, syzbot, linux-kernel, syzkaller-bugs

On Mon, 14 Nov 2022 at 18:34, Luis Chamberlain <mcgrof@kernel.org> wrote:
>
> On Mon, Oct 31, 2022 at 12:53:00PM -1000, Tejun Heo wrote:
> > (cc'ing Luis for firmware loader and quoting the whole body)
> >
> > On Sat, Oct 22, 2022 at 06:52:28AM +0800, Hillf Danton wrote:
> > > On 20 Oct 2022 00:15:40 -0700
> > > > syzbot has found a reproducer for the following issue on:
> > > >
> > > > HEAD commit:    55be6084c8e0 Merge tag 'timers-core-2022-10-05' of git://g..
> > > > git tree:       upstream
> > > > console+strace: https://syzkaller.appspot.com/x/log.txt?x=1449d53c880000
> > > > kernel config:  https://syzkaller.appspot.com/x/.config?x=df75278aabf0681a
> > > > dashboard link: https://syzkaller.appspot.com/bug?extid=6bc35f3913193fe7f0d3
> > > > compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
> > > > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=14e01c72880000
> > > > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1128908c880000
> > >
> > > See if the change to ueagle driver alone can survive syzbot test.
> > >
> > > #syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git  aae703b02f92
> > >
> > > --- a/include/linux/netdevice.h
> > > +++ b/include/linux/netdevice.h
> > > @@ -3663,8 +3663,9 @@ static inline bool netif_attr_test_online(unsigned long j,
> > >  static inline unsigned int netif_attrmask_next(int n, const unsigned long *srcp,
> > >                                            unsigned int nr_bits)
> > >  {
> > > -   /* n is a prior cpu */
> > > -   cpu_max_bits_warn(n + 1, nr_bits);
> > > +   /* -1 is a legal arg here. */
> > > +   if (n != -1)
> > > +           cpu_max_bits_warn(n, nr_bits);
> > >
> > >     if (srcp)
> > >             return find_next_bit(srcp, nr_bits, n + 1);
> > > @@ -3685,8 +3686,9 @@ static inline int netif_attrmask_next_and(int n, const unsigned long *src1p,
> > >                                       const unsigned long *src2p,
> > >                                       unsigned int nr_bits)
> > >  {
> > > -   /* n is a prior cpu */
> > > -   cpu_max_bits_warn(n + 1, nr_bits);
> > > +   /* -1 is a legal arg here. */
> > > +   if (n != -1)
> > > +           cpu_max_bits_warn(n, nr_bits);
> > >
> > >     if (src1p && src2p)
> > >             return find_next_and_bit(src1p, src2p, nr_bits, n + 1);
> > > --- a/drivers/usb/atm/ueagle-atm.c
> > > +++ b/drivers/usb/atm/ueagle-atm.c
> > > @@ -597,9 +597,8 @@ static int uea_send_modem_cmd(struct usb
> > >  }
> > >
> > >  static void uea_upload_pre_firmware(const struct firmware *fw_entry,
> > > -                                                           void *context)
> > > +                                   struct usb_device *usb)
> > >  {
> > > -   struct usb_device *usb = context;
> > >     const u8 *pfw;
> > >     u8 value;
> > >     u32 crc = 0;
> > > @@ -679,6 +678,7 @@ static int uea_load_firmware(struct usb_
> > >  {
> > >     int ret;
> > >     char *fw_name = EAGLE_FIRMWARE;
> > > +   const struct firmware *fw;
> > >
> > >     uea_enters(usb);
> > >     uea_info(usb, "pre-firmware device, uploading firmware\n");
> > > @@ -701,13 +701,13 @@ static int uea_load_firmware(struct usb_
> > >             break;
> > >     }
> > >
> > > -   ret = request_firmware_nowait(THIS_MODULE, 1, fw_name, &usb->dev,
> > > -                                   GFP_KERNEL, usb,
> > > -                                   uea_upload_pre_firmware);
> > > +   ret = request_firmware(&fw, fw_name, &usb->dev);
> > >     if (ret)
> > >             uea_err(usb, "firmware %s is not available\n", fw_name);
> > > -   else
> > > +   else {
> > >             uea_info(usb, "loading firmware %s\n", fw_name);
> > > +           uea_upload_pre_firmware(fw, usb);
> > > +   }
> > >
> > >     uea_leaves(usb);
> > >     return ret;
> >
> > So, the problem is that while request_firmware_nowait() inc's the ref on the
> > device, if the device gets removed later, having a ref isn't sufficient for
> > adding stuff to the device. A relatively easy solution would be putting
> > these firmware load work items into its own workqueue and flushing it on
> > device removal path. Luis, what do you think?
>
> Since we *can* remove a device after we get a module reference and
> since fw_cache_is_setup() tries to use the device before get_device()
> (even though this is not the issue reported), I think perhaps the fix
> below may be generic and best. After doing this, I considered simply
> removing the try_module_get() but a module which is not responsible for
> creating a device is allowed to request firmware for an arbitrary
> device, and so that simplification should not be possible. This would
> fix 0cfc1e1e7b534 ("firmware loader: fix device lifetime") since v3.7
> but as that commit mentions, there were issues even prior to this get_device()
> and so this fix is the proper solution to the reported issue in that
> commit. This issue would then date back to f8a4bd3456b98 ("firmware
> loader: embed device into firmware_priv structure") since v2.6.36.
>
> Please re-test and let me know if this fixes the issue reported.

Hi Luis,

syzbot is self-service: you can ask it to test any patches for
reports with reproducers by following these instructions:
https://bit.do/syzbot#testing-patches

> diff --git a/drivers/base/firmware_loader/main.c b/drivers/base/firmware_loader/main.c
> index 7c3590fd97c2..177d5767ad3b 100644
> --- a/drivers/base/firmware_loader/main.c
> +++ b/drivers/base/firmware_loader/main.c
> @@ -1141,18 +1141,20 @@ request_firmware_nowait(
>         const char *name, struct device *device, gfp_t gfp, void *context,
>         void (*cont)(const struct firmware *fw, void *context))
>  {
> +       int err = -ENOMEM;
>         struct firmware_work *fw_work;
>
> +       if (get_device(device))
> +               return -ENODEV;
> +
>         fw_work = kzalloc(sizeof(struct firmware_work), gfp);
>         if (!fw_work)
> -               return -ENOMEM;
> +               goto err_out;
>
>         fw_work->module = module;
>         fw_work->name = kstrdup_const(name, gfp);
> -       if (!fw_work->name) {
> -               kfree(fw_work);
> -               return -ENOMEM;
> -       }
> +       if (!fw_work->name)
> +               goto err_out_free_work;
>         fw_work->device = device;
>         fw_work->context = context;
>         fw_work->cont = cont;
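Review bot: `if (get_device(device)) return -ENODEV;` is inverted: get_device() returns the device pointer on success and NULL only for a NULL argument, so this returns -ENODEV for every valid device and leaks the reference it has just taken. It should read `if (!get_device(device))`, and since get_device() cannot fail for a non-NULL device, even the corrected check only rejects a NULL @device; it does nothing for the reported case, where the device is still referenced but has already been removed.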
> @@ -1160,21 +1162,26 @@ request_firmware_nowait(
>                 (uevent ? FW_OPT_UEVENT : FW_OPT_USERHELPER);
>
>         if (!uevent && fw_cache_is_setup(device, name)) {
> -               kfree_const(fw_work->name);
> -               kfree(fw_work);
> -               return -EOPNOTSUPP;
> +               err = -EOPNOTSUPP;
> +               goto err_out_free_name;
>         }
>
>         if (!try_module_get(module)) {
> -               kfree_const(fw_work->name);
> -               kfree(fw_work);
> -               return -EFAULT;
> +               err = -EFAULT;
> +               goto err_out_free_name;
>         }
>
> -       get_device(fw_work->device);
>         INIT_WORK(&fw_work->work, request_firmware_work_func);
>         schedule_work(&fw_work->work);
>         return 0;
> +
> +err_out_free_name:
> +       kfree_const(fw_work->name);
> +err_out_free_work:
> +       kfree(fw_work);
> +err_out:
> +       put_device(device);
> +       return err;
>  }
>  EXPORT_SYMBOL(request_firmware_nowait);
>
>

^ permalink raw reply	[flat|nested] 15+ messages in thread

* Re: [syzbot] KASAN: use-after-free Read in kernfs_next_descendant_post (2)
  2022-11-14 18:07         ` Dmitry Torokhov
@ 2022-11-15 19:35           ` Luis Chamberlain
  2022-11-15 20:12             ` Dmitry Torokhov
  2022-11-15 22:14             ` Tejun Heo
  0 siblings, 2 replies; 15+ messages in thread
From: Luis Chamberlain @ 2022-11-15 19:35 UTC (permalink / raw)
  To: Dmitry Torokhov
  Cc: Tejun Heo, Matthieu Castet, Stanislaw Gruszka, ming.lei,
	Hillf Danton, syzbot, linux-kernel, syzkaller-bugs

On Mon, Nov 14, 2022 at 10:07:02AM -0800, Dmitry Torokhov wrote:
> I do not see how moving the point where we acquire device refcount
> around fixes anything.

The patch I posted does two things; moving the point where we acquire
the device refcount was just one, so it was not clear that what I really
wanted was to enforce a check first, and that is that the driver
*did* do the correct thing.

So while we can surely expect the driver to do proper device refcounting
and waiting on device removal, buggy drivers do exist and we should
strive to not allow UAF with them.

So something like this:

From 92c8f4465a205e744c70dcba320708f72900442e Mon Sep 17 00:00:00 2001
From: Luis Chamberlain <mcgrof@kernel.org>
Date: Tue, 15 Nov 2022 10:02:13 -0800
Subject: [PATCH] firmware_loader: avoid UAF on buggy request_firmware_nowait()
 users

request_firmware_nowait() is documented as requiring the caller to
ensure to maintain the reference count of @device during the
lifetime of the call to request_firmware_nowait() and the callback.

It would seem drivers exist which don't follow these rules though,
and things like syzbot can trigger UAF if the device gets nuked
as request_firmware_nowait() is being called. Instead of enabling
a UAF, defend against such improperly written drivers and complain
about it.

Make the documentation a bit clearer and give a hint as to how to easily
accomplish device lifetime maintenance on the driver using a completion
and a wait_for_completion().

Fixes: 0cfc1e1e7b534 ("firmware loader: fix device lifetime")
Fixes: f8a4bd3456b98 ("firmware loader: embed device into firmware_priv structure")
Cc: stable@vger.kernel.org # v2.6.36
Reported-by: syzbot+6bc35f3913193fe7f0d3@syzkaller.appspotmail.com
Signed-off-by: Luis Chamberlain <mcgrof@kernel.org>
---
 drivers/base/firmware_loader/main.c | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/drivers/base/firmware_loader/main.c b/drivers/base/firmware_loader/main.c
index 7c3590fd97c2..6ac92dfdd85e 100644
--- a/drivers/base/firmware_loader/main.c
+++ b/drivers/base/firmware_loader/main.c
@@ -1118,15 +1118,16 @@ static void request_firmware_work_func(struct work_struct *work)
  * @uevent: sends uevent to copy the firmware image if this flag
  *	is non-zero else the firmware copy must be done manually.
  * @name: name of firmware file
- * @device: device for which firmware is being loaded
+ * @device: device for which firmware is being loaded. The caller must hold
+ * 	the reference count of @device during the lifetime of this routine
+ * 	and the @cont callback. This typically can be done with a completion
+ * 	and wait_for_completion prior to device teardown.
  * @gfp: allocation flags
  * @context: will be passed over to @cont, and
  *	@fw may be %NULL if firmware request fails.
  * @cont: function will be called asynchronously when the firmware
  *	request is over.
  *
- *	Caller must hold the reference count of @device.
- *
  *	Asynchronous variant of request_firmware() for user contexts:
  *		- sleep for as small periods as possible since it may
  *		  increase kernel boot time of built-in device drivers
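Review bot: the new @device text makes holding the reference count through @cont the requirement, but the reported trace is a device that is still referenced and already deleted, which a refcount does not prevent; say instead that the caller must not unregister or free the device (or whatever @context points to) until @cont has run, for instance by completing a struct completion in @cont and calling wait_for_completion() on the disconnect path. The added lines `+ * \tthe reference count of @device ...` also carry a space before the tab, unlike the surrounding `*\t` continuation lines.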
@@ -1171,7 +1172,12 @@ request_firmware_nowait(
 		return -EFAULT;
 	}
 
-	get_device(fw_work->device);
+	if (WARN_ON(!get_device(fw_work->device))) {
+		module_put(module);
+		kfree_const(fw_work->name);
+		kfree(fw_work);
+		return -ENODEV;
+	}
 	INIT_WORK(&fw_work->work, request_firmware_work_func);
 	schedule_work(&fw_work->work);
 	return 0;
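Review bot: `WARN_ON(!get_device(fw_work->device))` cannot fire for the reported bug: get_device() returns NULL only when handed NULL, so a device that has been removed but is still referenced passes the check and the work is scheduled exactly as before; the new branch only adds a warning and -ENODEV for a NULL @device. If that NULL check is wanted, do it before kzalloc() rather than after try_module_get(), which removes the `module_put(module);` / `kfree_const(fw_work->name);` / `kfree(fw_work);` unwinding added here.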
-- 
2.35.1


^ permalink raw reply related	[flat|nested] 15+ messages in thread
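
The completion-based teardown that Dmitry Torokhov describes above and that the doc comment in the patch hints at, as an added example that is not code from this thread or from any kernel driver: the kernel primitives are replaced by minimal userspace stand-ins (a one-slot "workqueue" that runs only when flushed) so the ordering can be exercised outside the kernel, and `my_probe`, `my_fw_cont`, `my_disconnect` and `run_scenario` are hypothetical driver functions.

```c
#include <stdbool.h>
#include <stddef.h>

/* Stand-ins for the kernel primitives involved (assumptions made so the
 * pattern compiles in userspace; not the kernel implementations). The
 * "workqueue" holds one pending callback and runs it only when flushed. */
struct firmware { const unsigned char *data; size_t size; };
struct completion { bool done; };
static void init_completion(struct completion *c) { c->done = false; }
static void complete(struct completion *c) { c->done = true; }

typedef void (*fw_cont_t)(const struct firmware *fw, void *context);
static struct { fw_cont_t cont; void *context; bool queued; } g_work;

/* Stand-in for request_firmware_nowait(): queues @cont instead of running
 * it, as the real call hands the request to a kworker. */
static int request_firmware_nowait_model(const char *name, void *context,
					 fw_cont_t cont)
{
	if (!name || !cont || g_work.queued)
		return -1;
	g_work.cont = cont;
	g_work.context = context;
	g_work.queued = true;
	return 0;
}

/* Constructed firmware blob handed to the callback. */
static const unsigned char sample_fw[] = { 0x01, 0x02, 0x03, 0x04 };

/* What the kworker eventually does: run the queued callback. */
static void run_pending_work(void)
{
	struct firmware fw = { sample_fw, sizeof sample_fw };
	if (!g_work.queued)
		return;
	g_work.queued = false;
	g_work.cont(&fw, g_work.context);
}

/* Stand-in for wait_for_completion(): only the pending work can complete
 * us, so keep running it until complete() has been called. */
static void wait_for_completion(struct completion *c)
{
	while (!c->done)
		run_pending_work();
}

/* ---- the driver side (hypothetical driver) ---- */
struct my_dev {
	bool registered;           /* cleared once the device is torn down */
	struct completion fw_done; /* signalled from the firmware callback */
};

enum cb_result { CB_NEVER_RAN = -1, CB_OK = 0, CB_TOUCHED_DEAD_DEVICE = 1, CB_NO_FIRMWARE = 2 };
static enum cb_result last_cb_result;

/* The @cont callback. In the reported bug the loader's sysfs fallback added
 * attributes under a device that had already been device_del()'d; here the
 * callback just records whether it found the device torn down. */
static void my_fw_cont(const struct firmware *fw, void *context)
{
	struct my_dev *dev = context;
	if (!dev->registered)
		last_cb_result = CB_TOUCHED_DEAD_DEVICE;
	else
		last_cb_result = fw ? CB_OK : CB_NO_FIRMWARE;
	/* Signal unconditionally, also when fw == NULL, or disconnect hangs. */
	complete(&dev->fw_done);
}

static int my_probe(struct my_dev *dev)
{
	dev->registered = true;
	init_completion(&dev->fw_done);
	last_cb_result = CB_NEVER_RAN;
	return request_firmware_nowait_model("example.fw", dev, my_fw_cont);
}

/* Teardown. The fix is the wait: without it the device is gone while the
 * request is still in flight and the kworker runs @cont afterwards. */
static enum cb_result my_disconnect(struct my_dev *dev, bool wait_for_cont)
{
	if (wait_for_cont)
		wait_for_completion(&dev->fw_done);
	dev->registered = false;
	run_pending_work();	/* the kworker gets its turn now, if not before */
	return last_cb_result;
}

/* Probe, then disconnect with or without the wait; returns what @cont saw. */
static enum cb_result run_scenario(bool wait_for_cont)
{
	struct my_dev dev;
	if (my_probe(&dev) != 0)
		return CB_NEVER_RAN;
	return my_disconnect(&dev, wait_for_cont);
}
```

Without the wait the callback observes a torn-down device (the model's stand-in for the UAF); with it the callback always runs against a live device before teardown proceeds.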

* Re: [syzbot] KASAN: use-after-free Read in kernfs_next_descendant_post (2)
  2022-11-15 19:35           ` Luis Chamberlain
@ 2022-11-15 20:12             ` Dmitry Torokhov
  2022-11-15 22:14             ` Tejun Heo
  1 sibling, 0 replies; 15+ messages in thread
From: Dmitry Torokhov @ 2022-11-15 20:12 UTC (permalink / raw)
  To: Luis Chamberlain
  Cc: Tejun Heo, Matthieu Castet, Stanislaw Gruszka, ming.lei,
	Hillf Danton, syzbot, linux-kernel, syzkaller-bugs

On Tue, Nov 15, 2022 at 11:35:10AM -0800, Luis Chamberlain wrote:
> On Mon, Nov 14, 2022 at 10:07:02AM -0800, Dmitry Torokhov wrote:
> > I do not see how moving the point where we acquire device refcount
> > around fixes anything.
> 
> The patch I posted does two things; moving the point where we acquire
> the device refcount was just one, so it was not clear that what I really
> wanted was to enforce a check first, and that is that the driver
> *did* do the correct thing.
> 
> So while we can surely expect the driver to do proper device refcounting
> and waiting on device removal, buggy drivers do exist and we should
> strive to not allow UAF with them.

You can not enforce any of that from the firmware loader itself.

> 
> So something like this:
> 
> From 92c8f4465a205e744c70dcba320708f72900442e Mon Sep 17 00:00:00 2001
> From: Luis Chamberlain <mcgrof@kernel.org>
> Date: Tue, 15 Nov 2022 10:02:13 -0800
> Subject: [PATCH] firmware_loader: avoid UAF on buggy request_firmware_nowait()
>  users
> 
> request_firmware_nowait() is documented as requiring the caller to
> ensure to maintain the reference count of @device during the
> lifetime of the call to request_firmware_nowait() and the callback.
> 
> It would seem drivers exist which don't follow these rules though,
> and things like syzbot can trigger UAF if the device gets nuked
> as request_firmware_nowait() is being called. Instead of enabling
> a UAF, defend against such improperly written drivers and complain
> about it.

I fail to see how you are defending against improperly written drivers
and in what cases you expect your check to trigger. It is impossible for
get_device() to fail for a non-NULL device (check the code), so
your test will never trigger.

> 
> Make the documentation a bit clearer and give a hint as to how to easily
> accomplish device lifetime maintenance on the driver using a completion
> and a wait_for_completion().

It is not clear to me why the caller must keep reference to device. The
callback is called with struct firmware and context pointer, which may
or may not be tied to a device instance. What you want to say is that
the caller must ensure that context is valid until after callback is
invoked.

The firmware loader uses device structure itself and does acquire
a reference, so it does the right thing, but the caller is free to drop
the device reference if it chooses to do so.

So for what it's worth it is a NAK from me.

> 
> Fixes: 0cfc1e1e7b534 ("firmware loader: fix device lifetime")
> Fixes: f8a4bd3456b98 ("firmware loader: embed device into firmware_priv structure")
> Cc: stable@vger.kernel.org # v2.6.36
> Reported-by: syzbot+6bc35f3913193fe7f0d3@syzkaller.appspotmail.com
> Signed-off-by: Luis Chamberlain <mcgrof@kernel.org>
> ---
>  drivers/base/firmware_loader/main.c | 14 ++++++++++----
>  1 file changed, 10 insertions(+), 4 deletions(-)
> 
> diff --git a/drivers/base/firmware_loader/main.c b/drivers/base/firmware_loader/main.c
> index 7c3590fd97c2..6ac92dfdd85e 100644
> --- a/drivers/base/firmware_loader/main.c
> +++ b/drivers/base/firmware_loader/main.c
> @@ -1118,15 +1118,16 @@ static void request_firmware_work_func(struct work_struct *work)
>   * @uevent: sends uevent to copy the firmware image if this flag
>   *	is non-zero else the firmware copy must be done manually.
>   * @name: name of firmware file
> - * @device: device for which firmware is being loaded
> + * @device: device for which firmware is being loaded. The caller must hold
> + * 	the reference count of @device during the lifetime of this routine
> + * 	and the @cont callback. This typically can be done with a completion
> + * 	and wait_for_completion prior to device teardown.
>   * @gfp: allocation flags
>   * @context: will be passed over to @cont, and
>   *	@fw may be %NULL if firmware request fails.
>   * @cont: function will be called asynchronously when the firmware
>   *	request is over.
>   *
> - *	Caller must hold the reference count of @device.
> - *
>   *	Asynchronous variant of request_firmware() for user contexts:
>   *		- sleep for as small periods as possible since it may
>   *		  increase kernel boot time of built-in device drivers
> @@ -1171,7 +1172,12 @@ request_firmware_nowait(
>  		return -EFAULT;
>  	}
>  
> -	get_device(fw_work->device);
> +	if (WARN_ON(!get_device(fw_work->device))) {
> +		module_put(module);
> +		kfree_const(fw_work->name);
> +		kfree(fw_work);
> +		return -ENODEV;
> +	}
>  	INIT_WORK(&fw_work->work, request_firmware_work_func);
>  	schedule_work(&fw_work->work);
>  	return 0;
> -- 
> 2.35.1
> 

Thanks.

-- 
Dmitry

^ permalink raw reply	[flat|nested] 15+ messages in thread

* Re: [syzbot] KASAN: use-after-free Read in kernfs_next_descendant_post (2)
  2022-11-15 19:35           ` Luis Chamberlain
  2022-11-15 20:12             ` Dmitry Torokhov
@ 2022-11-15 22:14             ` Tejun Heo
  1 sibling, 0 replies; 15+ messages in thread
From: Tejun Heo @ 2022-11-15 22:14 UTC (permalink / raw)
  To: Luis Chamberlain
  Cc: Dmitry Torokhov, Matthieu Castet, Stanislaw Gruszka, ming.lei,
	Hillf Danton, syzbot, linux-kernel, syzkaller-bugs

On Tue, Nov 15, 2022 at 11:35:10AM -0800, Luis Chamberlain wrote:
> request_firmware_nowait() is documented as requiring the caller to
> ensure to maintain the the reference count of @device during the
> lifetime of the call to request_firmware_nowait() and the callback.

My reading was that just holding the ref isn't enough. The code expects the
device to be not destroyed independent of the refcnt. I don't see how this
would be fixed by diddling with refcnt.

Thanks.

-- 
tejun

^ permalink raw reply	[flat|nested] 15+ messages in thread

* Re: [syzbot] KASAN: use-after-free Read in kernfs_next_descendant_post (2)
       [not found] <20221021133530.1693-1-hdanton@sina.com>
@ 2022-10-21 13:59 ` syzbot
  0 siblings, 0 replies; 15+ messages in thread
From: syzbot @ 2022-10-21 13:59 UTC (permalink / raw)
  To: hdanton, linux-kernel, syzkaller-bugs, tj

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+6bc35f3913193fe7f0d3@syzkaller.appspotmail.com

Tested on:

commit:         aae703b0 Merge tag 'for-6.1-rc1-tag' of git://git.kern..
git tree:       https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=16261486880000
kernel config:  https://syzkaller.appspot.com/x/.config?x=ea03ca45176080bc
dashboard link: https://syzkaller.appspot.com/bug?extid=6bc35f3913193fe7f0d3
compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch:          https://syzkaller.appspot.com/x/patch.diff?x=1103ce4a880000

Note: testing is done by a robot and is best-effort only.

^ permalink raw reply	[flat|nested] 15+ messages in thread

* Re: [syzbot] KASAN: use-after-free Read in kernfs_next_descendant_post (2)
       [not found] <20221021092625.1602-1-hdanton@sina.com>
@ 2022-10-21  9:44 ` syzbot
  0 siblings, 0 replies; 15+ messages in thread
From: syzbot @ 2022-10-21  9:44 UTC (permalink / raw)
  To: hdanton, linux-kernel, syzkaller-bugs, tj

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING in firmware_fallback_sysfs

------------[ cut here ]------------
sysfs group 'power' not found for kobject 'ueagle-atm!eagleI.fw'
WARNING: CPU: 1 PID: 144 at fs/sysfs/group.c:278 sysfs_remove_group+0x126/0x170 fs/sysfs/group.c:278
Modules linked in:

CPU: 1 PID: 144 Comm: kworker/1:2 Not tainted 6.1.0-rc1-syzkaller-00025-gaae703b02f92-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/11/2022
Workqueue: events request_firmware_work_func

RIP: 0010:sysfs_remove_group+0x126/0x170 fs/sysfs/group.c:278
Code: 48 89 d9 49 8b 14 24 48 b8 00 00 00 00 00 fc ff df 48 c1 e9 03 80 3c 01 00 75 37 48 8b 33 48 c7 c7 80 bb ff 89 e8 86 43 4a 07 <0f> 0b eb 98 e8 61 b7 c9 ff e9 01 ff ff ff 48 89 df e8 54 b7 c9 ff
RSP: 0018:ffffc90002d8f9b8 EFLAGS: 00010282

RAX: 0000000000000000 RBX: ffffffff8a62c000 RCX: 0000000000000000
RDX: ffff88801b998000 RSI: ffffffff81620a28 RDI: fffff520005b1f29
RBP: 0000000000000000 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000080000000 R11: 63656a626f6b2072 R12: ffff88801bbc3008
R13: ffffffff8a62c5a0 R14: 0000000000000000 R15: ffff88801bbc3008
FS:  0000000000000000(0000) GS:ffff8880b9b00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f475bfad0b0 CR3: 000000007340b000 CR4: 0000000000350ee0
Call Trace:
 <TASK>
 dpm_sysfs_remove+0x97/0xb0 drivers/base/power/sysfs.c:837
 device_del+0x223/0xcb0 drivers/base/core.c:3684
 fw_load_sysfs_fallback drivers/base/firmware_loader/fallback.c:120 [inline]
 fw_load_from_user_helper drivers/base/firmware_loader/fallback.c:158 [inline]
 firmware_fallback_sysfs+0x5b7/0xba0 drivers/base/firmware_loader/fallback.c:234
 _request_firmware+0xbca/0x1190 drivers/base/firmware_loader/main.c:856
 request_firmware_work_func+0xdd/0x230 drivers/base/firmware_loader/main.c:1105
 process_one_work+0x9bf/0x1710 kernel/workqueue.c:2289
 worker_thread+0x665/0x1080 kernel/workqueue.c:2436
 kthread+0x2e4/0x3a0 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306
 </TASK>


Tested on:

commit:         aae703b0 Merge tag 'for-6.1-rc1-tag' of git://git.kern..
git tree:       https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=145588b4880000
kernel config:  https://syzkaller.appspot.com/x/.config?x=ea03ca45176080bc
dashboard link: https://syzkaller.appspot.com/bug?extid=6bc35f3913193fe7f0d3
compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch:          https://syzkaller.appspot.com/x/patch.diff?x=157a759a880000


^ permalink raw reply	[flat|nested] 15+ messages in thread

* Re: [syzbot] KASAN: use-after-free Read in kernfs_next_descendant_post (2)
       [not found] <20221021071306.1535-1-hdanton@sina.com>
@ 2022-10-21  7:29 ` syzbot
  0 siblings, 0 replies; 15+ messages in thread
From: syzbot @ 2022-10-21  7:29 UTC (permalink / raw)
  To: hdanton, linux-kernel, syzkaller-bugs, tj

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING in firmware_fallback_sysfs

------------[ cut here ]------------
sysfs group 'power' not found for kobject 'ueagle-atm!eagleI.fw'
WARNING: CPU: 1 PID: 4102 at fs/sysfs/group.c:278 sysfs_remove_group+0x126/0x170 fs/sysfs/group.c:278
Modules linked in:

CPU: 1 PID: 4102 Comm: kworker/1:5 Not tainted 6.1.0-rc1-syzkaller-00025-gaae703b02f92-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/11/2022
Workqueue: events request_firmware_work_func

RIP: 0010:sysfs_remove_group+0x126/0x170 fs/sysfs/group.c:278
Code: 48 89 d9 49 8b 14 24 48 b8 00 00 00 00 00 fc ff df 48 c1 e9 03 80 3c 01 00 75 37 48 8b 33 48 c7 c7 80 bb ff 89 e8 86 43 4a 07 <0f> 0b eb 98 e8 61 b7 c9 ff e9 01 ff ff ff 48 89 df e8 54 b7 c9 ff
RSP: 0018:ffffc90009d479b8 EFLAGS: 00010282

RAX: 0000000000000000 RBX: ffffffff8a62c000 RCX: 0000000000000000
RDX: ffff888024043a80 RSI: ffffffff81620a28 RDI: fffff520013a8f29
RBP: 0000000000000000 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000080000000 R11: 63656a626f6b2072 R12: ffff88823bdf8808
R13: ffffffff8a62c5a0 R14: 0000000000000000 R15: ffff88823bdf8808
FS:  0000000000000000(0000) GS:ffff8880b9b00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fc1febad0b0 CR3: 00000000747ce000 CR4: 0000000000350ee0
Call Trace:
 <TASK>
 dpm_sysfs_remove+0x97/0xb0 drivers/base/power/sysfs.c:837
 device_del+0x20b/0xc80 drivers/base/core.c:3681
 fw_load_sysfs_fallback drivers/base/firmware_loader/fallback.c:120 [inline]
 fw_load_from_user_helper drivers/base/firmware_loader/fallback.c:158 [inline]
 firmware_fallback_sysfs+0x5b7/0xba0 drivers/base/firmware_loader/fallback.c:234
 _request_firmware+0xbca/0x1190 drivers/base/firmware_loader/main.c:856
 request_firmware_work_func+0xdd/0x230 drivers/base/firmware_loader/main.c:1105
 process_one_work+0x9bf/0x1710 kernel/workqueue.c:2289
 worker_thread+0x665/0x1080 kernel/workqueue.c:2436
 kthread+0x2e4/0x3a0 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306
 </TASK>


Tested on:

commit:         aae703b0 Merge tag 'for-6.1-rc1-tag' of git://git.kern..
git tree:       https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=16f4dd0c880000
kernel config:  https://syzkaller.appspot.com/x/.config?x=ea03ca45176080bc
dashboard link: https://syzkaller.appspot.com/bug?extid=6bc35f3913193fe7f0d3
compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch:          https://syzkaller.appspot.com/x/patch.diff?x=136e3036880000


^ permalink raw reply	[flat|nested] 15+ messages in thread

* Re: [syzbot] KASAN: use-after-free Read in kernfs_next_descendant_post (2)
       [not found] <20221021032341.1481-1-hdanton@sina.com>
@ 2022-10-21  3:45 ` syzbot
  0 siblings, 0 replies; 15+ messages in thread
From: syzbot @ 2022-10-21  3:45 UTC (permalink / raw)
  To: hdanton, linux-kernel, syzkaller-bugs, tj

Hello,

syzbot tried to test the proposed patch but the build/boot failed:

[    6.715241][    T1] ------------[ cut here ]------------
[    6.716632][    T1] WARNING: CPU: 0 PID: 1 at include/linux/cpumask.h:110 __netif_set_xps_queue+0x88e/0x1f30
[    6.718427][    T1] Modules linked in:
[    6.719252][    T1] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.1.0-rc1-syzkaller-00025-gaae703b02f92-dirty #0
[    6.721441][    T1] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/11/2022
[    6.723065][    T1] RIP: 0010:__netif_set_xps_queue+0x88e/0x1f30
[    6.724387][    T1] Code: fa 48 c7 c2 a0 a8 f4 8a be 2e 0a 00 00 48 c7 c7 40 a7 f4 8a c6 05 a2 69 74 06 01 e8 f2 e3 f1 01 e9 ef fd ff ff e8 e2 ae 24 fa <0f> 0b e9 8e fa ff ff 8b 6c 24 38 e8 d2 ae 24 fa 49 8d 7c 24 04 48
[    6.727854][    T1] RSP: 0018:ffffc90000067898 EFLAGS: 00010293
[    6.728833][    T1] RAX: 0000000000000000 RBX: 0000000000000002 RCX: 0000000000000000
[    6.731435][    T1] RDX: ffff88813fe50000 RSI: ffffffff8757dc0e RDI: 0000000000000004
[    6.734156][    T1] RBP: 0000000000000002 R08: 0000000000000004 R09: 0000000000000002
[    6.735691][    T1] R10: 0000000000000002 R11: 000000000008c07e R12: ffff88801fb48680
[    6.737253][    T1] R13: 0000000000000003 R14: ffff88801fb48698 R15: 0000000000000002
[    6.738658][    T1] FS:  0000000000000000(0000) GS:ffff8880b9a00000(0000) knlGS:0000000000000000
[    6.740493][    T1] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[    6.741783][    T1] CR2: ffff88823ffff000 CR3: 000000000bc8e000 CR4: 0000000000350ef0
[    6.743162][    T1] Call Trace:
[    6.744268][    T1]  <TASK>
[    6.744948][    T1]  ? vp_bus_name+0xc0/0xc0
[    6.745802][    T1]  virtnet_set_affinity+0x4f0/0x750
[    6.746726][    T1]  ? skb_recv_done+0x120/0x120
[    6.747533][    T1]  virtnet_probe+0x12ae/0x31e0
[    6.748436][    T1]  ? virtnet_find_vqs+0xc30/0xc30
[    6.749270][    T1]  virtio_dev_probe+0x577/0x870
[    6.750252][    T1]  ? virtio_features_ok+0x1e0/0x1e0
[    6.751234][    T1]  really_probe+0x249/0xb90
[    6.752007][    T1]  __driver_probe_device+0x1df/0x4d0
[    6.752884][    T1]  driver_probe_device+0x4c/0x1a0
[    6.753955][    T1]  __driver_attach+0x1d0/0x550
[    6.754899][    T1]  ? __device_attach_driver+0x2e0/0x2e0
[    6.756222][    T1]  bus_for_each_dev+0x147/0x1d0
[    6.756970][    T1]  ? subsys_dev_iter_exit+0x20/0x20
[    6.758183][    T1]  bus_add_driver+0x4c9/0x640
[    6.759241][    T1]  driver_register+0x220/0x3a0
[    6.760270][    T1]  ? veth_init+0x11/0x11
[    6.761196][    T1]  virtio_net_driver_init+0x93/0xd2
[    6.762104][    T1]  do_one_initcall+0x13d/0x780
[    6.763172][    T1]  ? trace_event_raw_event_initcall_level+0x1f0/0x1f0
[    6.764469][    T1]  ? parameq+0x140/0x170
[    6.765271][    T1]  kernel_init_freeable+0x6ff/0x788
[    6.766089][    T1]  ? rest_init+0x270/0x270
[    6.766807][    T1]  kernel_init+0x1a/0x1d0
[    6.767976][    T1]  ? rest_init+0x270/0x270
[    6.768818][    T1]  ret_from_fork+0x1f/0x30
[    6.770003][    T1]  </TASK>
[    6.770460][    T1] Kernel panic - not syncing: panic_on_warn set ...
[    6.771442][    T1] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.1.0-rc1-syzkaller-00025-gaae703b02f92-dirty #0
[    6.773956][    T1] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/11/2022
[    6.776134][    T1] Call Trace:
[    6.776861][    T1]  <TASK>
[    6.777450][    T1]  dump_stack_lvl+0xcd/0x134
[    6.779001][    T1]  panic+0x2c8/0x622
[    6.779782][    T1]  ? panic_print_sys_info.part.0+0x110/0x110
[    6.781025][   T34] sd 0:0:1:0: [sda] 4194304 512-byte logical blocks: (2.15 GB/2.00 GiB)
[    6.781062][   T34] sd 0:0:1:0: [sda] 4096-byte physical blocks
[    6.781197][   T34] sd 0:0:1:0: [sda] Write Protect is off
[    6.781220][   T34] sd 0:0:1:0: [sda] Mode Sense: 1f 00 00 08
[    6.781450][   T34] sd 0:0:1:0: [sda] Write cache: enabled, read cache: enabled, doesn't support DPO or FUA
[    6.787778][    T1]  ? __warn.cold+0x24b/0x350
[    6.789536][   T91] sd 0:0:1:0: Attached scsi generic sg0 type 0
[    6.790433][    T1]  ? __netif_set_xps_queue+0x88e/0x1f30
[    6.790433][    T1]  __warn.cold+0x25c/0x350
[    6.790433][    T1]  ? __netif_set_xps_queue+0x88e/0x1f30
[    6.790433][    T1]  report_bug+0x1bc/0x210
[    6.790433][    T1]  handle_bug+0x3c/0x70
[    6.794504][   T34]  sda: sda1
[    6.795927][   T34] sd 0:0:1:0: [sda] Attached SCSI disk
[    6.790433][    T1]  exc_invalid_op+0x14/0x40
[    6.790433][    T1]  asm_exc_invalid_op+0x16/0x20
[    6.799643][    T1] RIP: 0010:__netif_set_xps_queue+0x88e/0x1f30
[    6.799643][    T1] Code: fa 48 c7 c2 a0 a8 f4 8a be 2e 0a 00 00 48 c7 c7 40 a7 f4 8a c6 05 a2 69 74 06 01 e8 f2 e3 f1 01 e9 ef fd ff ff e8 e2 ae 24 fa <0f> 0b e9 8e fa ff ff 8b 6c 24 38 e8 d2 ae 24 fa 49 8d 7c 24 04 48
[    6.799643][    T1] RSP: 0018:ffffc90000067898 EFLAGS: 00010293
[    6.799643][    T1] RAX: 0000000000000000 RBX: 0000000000000002 RCX: 0000000000000000
[    6.799643][    T1] RDX: ffff88813fe50000 RSI: ffffffff8757dc0e RDI: 0000000000000004
[    6.799643][    T1] RBP: 0000000000000002 R08: 0000000000000004 R09: 0000000000000002
[    6.799643][    T1] R10: 0000000000000002 R11: 000000000008c07e R12: ffff88801fb48680
[    6.799643][    T1] R13: 0000000000000003 R14: ffff88801fb48698 R15: 0000000000000002
[    6.799643][    T1]  ? __netif_set_xps_queue+0x88e/0x1f30
[    6.799643][    T1]  ? __netif_set_xps_queue+0x88e/0x1f30
[    6.799643][    T1]  ? vp_bus_name+0xc0/0xc0
[    6.799643][    T1]  virtnet_set_affinity+0x4f0/0x750
[    6.799643][    T1]  ? skb_recv_done+0x120/0x120
[    6.799643][    T1]  virtnet_probe+0x12ae/0x31e0
[    6.799643][    T1]  ? virtnet_find_vqs+0xc30/0xc30
[    6.799643][    T1]  virtio_dev_probe+0x577/0x870
[    6.799643][    T1]  ? virtio_features_ok+0x1e0/0x1e0
[    6.799643][    T1]  really_probe+0x249/0xb90
[    6.799643][    T1]  __driver_probe_device+0x1df/0x4d0
[    6.799643][    T1]  driver_probe_device+0x4c/0x1a0
[    6.799643][    T1]  __driver_attach+0x1d0/0x550
[    6.799643][    T1]  ? __device_attach_driver+0x2e0/0x2e0
[    6.799643][    T1]  bus_for_each_dev+0x147/0x1d0
[    6.799643][    T1]  ? subsys_dev_iter_exit+0x20/0x20
[    6.799643][    T1]  bus_add_driver+0x4c9/0x640
[    6.799643][    T1]  driver_register+0x220/0x3a0
[    6.799643][    T1]  ? veth_init+0x11/0x11
[    6.829623][    T1]  virtio_net_driver_init+0x93/0xd2
[    6.829623][    T1]  do_one_initcall+0x13d/0x780
[    6.829623][    T1]  ? trace_event_raw_event_initcall_level+0x1f0/0x1f0
[    6.829623][    T1]  ? parameq+0x140/0x170
[    6.829623][    T1]  kernel_init_freeable+0x6ff/0x788
[    6.829623][    T1]  ? rest_init+0x270/0x270
[    6.829623][    T1]  kernel_init+0x1a/0x1d0
[    6.829623][    T1]  ? rest_init+0x270/0x270
[    6.829623][    T1]  ret_from_fork+0x1f/0x30
[    6.829623][    T1]  </TASK>
[    6.829623][    T1] Kernel Offset: disabled
[    6.829623][    T1] Rebooting in 86400 seconds..


syzkaller build log:


Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=16f2e14a880000


Tested on:

commit:         aae703b0 Merge tag 'for-6.1-rc1-tag' of git://git.kern..
git tree:       https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel config:  https://syzkaller.appspot.com/x/.config?x=ea03ca45176080bc
dashboard link: https://syzkaller.appspot.com/bug?extid=6bc35f3913193fe7f0d3
compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch:          https://syzkaller.appspot.com/x/patch.diff?x=135783e6880000



* Re: [syzbot] KASAN: use-after-free Read in kernfs_next_descendant_post (2)
       [not found] <20221020105004.1341-1-hdanton@sina.com>
@ 2022-10-20 21:30 ` syzbot
  0 siblings, 0 replies; 15+ messages in thread
From: syzbot @ 2022-10-20 21:30 UTC (permalink / raw)
  To: hdanton, linux-kernel, syzkaller-bugs, tj

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
SYZFATAL: executor failed NUM times: executor NUM: exit status NUM

2022/10/20 21:28:38 SYZFATAL: executor failed 11 times: executor 0: exit status 67
SYZFAIL: wrong response packet
 (errno 16: Device or resource busy)
loop exited with status 67

SYZFAIL: wrong response packet
 (errno 16: Device or resource busy)
loop exited with status 67


Tested on:

commit:         55be6084 Merge tag 'timers-core-2022-10-05' of git://g..
git tree:       https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=1086ad3c880000
kernel config:  https://syzkaller.appspot.com/x/.config?x=df75278aabf0681a
dashboard link: https://syzkaller.appspot.com/bug?extid=6bc35f3913193fe7f0d3
compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch:          https://syzkaller.appspot.com/x/patch.diff?x=1540e4ba880000


