From: Conor Kotwasinski
To: Greg Kroah-Hartman, "Rafael J . Wysocki"
Cc: Danilo Krummrich, driver-core@lists.linux.dev, linux-kernel@vger.kernel.org, linux-bluetooth@vger.kernel.org, syzbot+d1db96f72a452dc9cbd2@syzkaller.appspotmail.com, syzbot+faeac5b54ba997a96278@syzkaller.appspotmail.com, Conor Kotwasinski
Subject: [PATCH v2] sysfs: return -ENOENT from move/rename when kobj->sd is NULL
Date: Mon, 4 May 2026 01:07:36 -0400
Message-ID: <20260504050736.17672-1-conorkotwasinski2024@u.northwestern.edu>
In-Reply-To: <20260416150600.2148935-1-conorkotwasinski2024@u.northwestern.edu>
References: <20260416150600.2148935-1-conorkotwasinski2024@u.northwestern.edu>

sysfs_move_dir_ns() and sysfs_rename_dir_ns() pass kobj->sd to
kernfs_rename_ns() unconditionally. If sysfs_remove_dir() has already
cleared kobj->sd, the NULL flows through and kernfs_rename_ns()
dereferences it via rcu_access_pointer(kn->__parent), which KASAN
surfaces as a stack-segment fault on the shadow lookup:

  Oops: stack segment: 0000 [#1] SMP KASAN PTI
  RIP: 0010:kernfs_rename_ns+0x3a/0x7a0 fs/kernfs/dir.c:1752
  Call Trace:
   kobject_move+0x525/0x6e0 lib/kobject.c:569
   device_move+0xe0/0x730 drivers/base/core.c:4606
   hci_conn_del_sysfs+0xb8/0x1a0 net/bluetooth/hci_sysfs.c:75
   hci_conn_cleanup net/bluetooth/hci_conn.c:173 [inline]
   hci_conn_del+0xc36/0x1240 net/bluetooth/hci_conn.c:1234
   hci_conn_hash_flush+0x191/0x260 net/bluetooth/hci_conn.c:2638
   hci_dev_close_sync+0x821/0x1100 net/bluetooth/hci_sync.c:5327
   hci_dev_do_close net/bluetooth/hci_core.c:501 [inline]
   hci_unregister_dev+0x21a/0x5b0 net/bluetooth/hci_core.c:2715

syzbot has reported 35 hits with this signature across net, net-next
and linux-next between July 2025 and January 2026, via both vhci
release and HCIDEVRESET ioctl.

Return -ENOENT in that case, consistent with sysfs_create_dir_ns().

The underlying ordering problem in bluetooth -- device_move() called
after the target's sysfs has been torn down -- is a separate issue.

Reported-by: syzbot+d1db96f72a452dc9cbd2@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/687c6966.a70a0220.693ce.00a5.GAE@google.com/
Reported-by: syzbot+faeac5b54ba997a96278@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=faeac5b54ba997a96278
Fixes: 324a56e16e44 ("kernfs: s/sysfs_dirent/kernfs_node/ and rename its friends accordingly")
Cc: stable@vger.kernel.org
Signed-off-by: Conor Kotwasinski
Reviewed-by: Danilo Krummrich
---
 fs/sysfs/dir.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/fs/sysfs/dir.c b/fs/sysfs/dir.c index ffdcd4153c58..6664fae288c9 100644 --- a/fs/sysfs/dir.c +++ b/fs/sysfs/dir.c
@@ -108,6 +108,9 @@ int sysfs_rename_dir_ns(struct kobject *kobj, const cha= r *new_name, struct kernfs_node *parent; int ret; =20 + if (!kobj->sd) + return -ENOENT; + parent =3D kernfs_get_parent(kobj->sd); ret =3D kernfs_rename_ns(kobj->sd, parent, new_name, new_ns); kernfs_put(parent); @@ -120,6 +123,9 @@ int sysfs_move_dir_ns(struct kobject *kobj, struct kobj= ect *new_parent_kobj, struct kernfs_node *kn =3D kobj->sd; struct kernfs_node *new_parent; =20 + if (!kn) + return -ENOENT; + new_parent =3D new_parent_kobj && new_parent_kobj->sd ? new_parent_kobj->sd : sysfs_root_kn; =20 base-commit: 36f35b8df6972167102a1c3d4361e0afb6a84534 --=20 2.50.1 (Apple Git-155)
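
Review bot: in sysfs_rename_dir_ns() (first hunk, at -108), the new check tests kobj->sd, but the two lines after it read kobj->sd again for kernfs_get_parent() and kernfs_rename_ns(), so the test and the uses are separate loads and no lock is visible in this context. If sysfs_remove_dir() can run concurrently with the rename, the pointer can still be NULL by the time it is used. Suggest taking a single snapshot, `struct kernfs_node *kn = kobj->sd;`, as sysfs_move_dir_ns() already does, then testing and passing kn, and stating in the commit message what serializes these callers against sysfs_remove_dir(). A snapshot removes the re-read but does not by itself keep the node alive, so the lifetime rule needs to be spelled out as well.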
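
Review bot: in sysfs_move_dir_ns() (second hunk, at -120), the early return is undocumented and sits directly above code that handles a NULL new_parent_kobj->sd differently, by falling back to sysfs_root_kn. A short comment above `if (!kn)` saying that sd is NULL once sysfs_remove_dir() has run, and that the move is refused rather than redirected, would keep the two NULL cases from reading as inconsistent. Because the commit message treats the caller ordering as a separate issue, please also confirm that the callers shown in the trace, kobject_move() and device_move(), propagate or tolerate -ENOENT, so the new return value does not leave them in a half-updated state.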