From: Linus Torvalds
Date: Tue, 19 Nov 2019 11:00:11 -0800
Subject: Re: general protection fault in kernfs_add_one
To: syzbot, Marcel Holtmann, Johan Hedberg, "David S. Miller"
Cc: Benjamin Herrenschmidt, Greg Kroah-Hartman, Linux Kernel Mailing List, Rafael Wysocki, syzkaller-bugs, Tejun Heo, linux-bluetooth
X-Mailing-List: linux-bluetooth@vger.kernel.org

So looking at the decode, as usual the noise generated by KASAN isn't being very helpful, but it does look like at least one of the reports (I picked 5.2 because I don't care about 4.19 etc) is because kernfs_root(kn) is NULL in kernfs_add_one().

Looking at the reports, every single one seems to have a call chain that comes from

  vhci_write() -> vhci_get_user() -> vhci_create_device() -> __vhci_create_device() -> hci_register_dev() -> device_add() -> kobject_add()
(In this case, "every single one" is by looking at the last 10 reports sorted by date; it wasn't exhaustive.) The way it got into 'write()' can be a bit varied (splice, write, whatever).

That makes me think it's bluetooth that is the problem, but it might be an effect of how syzbot groups the reports too, of course.

Might the device have been added at the same time that the last previous device was removed, so that the parent was deleted as the new device was added? I dunno. The repro seems to be a repeated "open /dev/vhci, write two random bytes to it".

Or might it be some "it happens after you've added enough devices that something overflows" issue?

Adding bluetooth people to the cc.

                Linus

On Mon, Nov 18, 2019 at 10:27 PM syzbot wrote:
>
> syzbot has bisected this bug to:
>
> commit 726e41097920a73e4c7c33385dcc0debb1281e18
> Author: Benjamin Herrenschmidt
> Date:   Tue Jul 10 00:29:10 2018 +0000
>
>     drivers: core: Remove glue dirs from sysfs earlier
>
> bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=168e1012e00000
> start commit:   5e335542 Merge branch 'for-linus' of git://git.kernel.org/..
> git tree:       upstream
> final crash:    https://syzkaller.appspot.com/x/report.txt?x=158e1012e00000
> console output: https://syzkaller.appspot.com/x/log.txt?x=118e1012e00000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=9917ff4b798e1a1e
> dashboard link: https://syzkaller.appspot.com/bug?extid=db1637662f412ac0d556
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=10a66c11400000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1346c771400000
>
> Reported-by: syzbot+db1637662f412ac0d556@syzkaller.appspotmail.com
> Fixes: 726e41097920 ("drivers: core: Remove glue dirs from sysfs earlier")
>
> For information about bisection process see: https://goo.gl/tpsmEJ#bisection