bisecting fixing commit since fbc5fe7a54d02e11972e3b2a5ddb6ffc88162c8f
building syzkaller on ab342da3f9aa45e3f2d9e872576ab5cd3e3c350b
testing commit fbc5fe7a54d02e11972e3b2a5ddb6ffc88162c8f with gcc (GCC) 8.1.0
kernel signature: 4d1dba5a2388405732b97d03958925eb637806b25e78b5829433da18b2d77ef9
run #0: crashed: KASAN: use-after-free Write in release_tty
run #1: crashed: KASAN: use-after-free Write in release_tty
run #2: crashed: KASAN: use-after-free Write in release_tty
run #3: crashed: KASAN: use-after-free Write in release_tty
run #4: crashed: KASAN: use-after-free Write in release_tty
run #5: crashed: KASAN: use-after-free Read in tty_open
run #6: crashed: KASAN: use-after-free Write in release_tty
run #7: crashed: KASAN: use-after-free Write in release_tty
run #8: crashed: KASAN: use-after-free Write in release_tty
run #9: crashed: KASAN: use-after-free Write in release_tty
testing current HEAD 4520f06b03ae667e442da1ab9351fd28cd7ac598
testing commit 4520f06b03ae667e442da1ab9351fd28cd7ac598 with gcc (GCC) 8.1.0
kernel signature: 4521150e783908d4853352ef4fbc3a0fe77627af71a93c81a617ff5654e0f670
all runs: OK
# git bisect start 4520f06b03ae667e442da1ab9351fd28cd7ac598 fbc5fe7a54d02e11972e3b2a5ddb6ffc88162c8f
Bisecting: 1175 revisions left to test after this (roughly 10 steps)
[5cd9f229dd3e4980580406f5a47230ec5ee836d7] iwlwifi: mvm: fix RSS config command
testing commit 5cd9f229dd3e4980580406f5a47230ec5ee836d7 with gcc (GCC) 8.1.0
kernel signature: a837e5bfba20920497ce90640c8e57548d42b7d23797fff432cae741f0a5572b
run #0: crashed: KASAN: use-after-free Write in release_tty
run #1: crashed: KASAN: use-after-free Write in release_tty
run #2: crashed: KASAN: use-after-free Write in release_tty
run #3: crashed: KASAN: use-after-free Write in release_tty
run #4: crashed: KASAN: use-after-free Read in tty_open
run #5: crashed: KASAN: use-after-free Write in release_tty
run #6: crashed: KASAN: use-after-free Write in release_tty
run #7: crashed: KASAN: use-after-free Write in release_tty
run #8: crashed: KASAN: use-after-free Write in release_tty
run #9: crashed: KASAN: use-after-free Write in release_tty
# git bisect good 5cd9f229dd3e4980580406f5a47230ec5ee836d7
Bisecting: 587 revisions left to test after this (roughly 9 steps)
[cd24510b31c1fb04afcd84847664a76b9033d3c3] arm64: ssbs: Fix context-switch when SSBS is present on all CPUs
testing commit cd24510b31c1fb04afcd84847664a76b9033d3c3 with gcc (GCC) 8.1.0
kernel signature: 8b4250b155597a7056356fbf8393c4e1f81d86711aa04e21be85ffa852bef039
run #0: crashed: KASAN: use-after-free Write in release_tty
run #1: crashed: KASAN: use-after-free Write in release_tty
run #2: crashed: KASAN: use-after-free Write in release_tty
run #3: crashed: KASAN: use-after-free Write in release_tty
run #4: crashed: KASAN: use-after-free Write in release_tty
run #5: crashed: KASAN: use-after-free Read in tty_open
run #6: crashed: KASAN: use-after-free Write in release_tty
run #7: crashed: KASAN: use-after-free Write in release_tty
run #8: crashed: KASAN: use-after-free Write in release_tty
run #9: crashed: KASAN: use-after-free Write in release_tty
# git bisect good cd24510b31c1fb04afcd84847664a76b9033d3c3
Bisecting: 293 revisions left to test after this (roughly 8 steps)
[ea29d94b09cb7629a7ddd5e1484c00a56ed20a86] net: ks8851-ml: Remove 8-bit bus accessors
testing commit ea29d94b09cb7629a7ddd5e1484c00a56ed20a86 with gcc (GCC) 8.1.0
kernel signature: 0bc36988c70c02fd1af7b1424cbd7911bf0930488913703f82064f2d7b476ea9
run #0: crashed: KASAN: use-after-free Write in release_tty
run #1: crashed: KASAN: use-after-free Write in release_tty
run #2: crashed: KASAN: use-after-free Read in tty_open
run #3: crashed: KASAN: use-after-free Write in release_tty
run #4: crashed: KASAN: use-after-free Write in release_tty
run #5: crashed: KASAN: use-after-free Write in release_tty
run #6: crashed: KASAN: use-after-free Write in release_tty
run #7: crashed: KASAN: use-after-free Write in release_tty
run #8: crashed: KASAN: use-after-free Write in release_tty
run #9: crashed: KASAN: use-after-free Read in tty_open
# git bisect good ea29d94b09cb7629a7ddd5e1484c00a56ed20a86
Bisecting: 146 revisions left to test after this (roughly 7 steps)
[9e92bbac2d92c72fff268e0fe447adc3bcc9e28e] powerpc: Include .BTF section
testing commit 9e92bbac2d92c72fff268e0fe447adc3bcc9e28e with gcc (GCC) 8.1.0
kernel signature: 96341fd30a72cc34124102e89ee5327a5045bc84faa50a651e787fdbce03a046
run #0: crashed: KASAN: use-after-free Write in release_tty
run #1: crashed: KASAN: use-after-free Write in release_tty
run #2: crashed: KASAN: use-after-free Read in tty_open
run #3: crashed: KASAN: use-after-free Write in release_tty
run #4: crashed: KASAN: use-after-free Read in tty_open
run #5: crashed: KASAN: use-after-free Write in release_tty
run #6: crashed: KASAN: use-after-free Write in release_tty
run #7: crashed: KASAN: use-after-free Write in release_tty
run #8: crashed: KASAN: use-after-free Write in release_tty
run #9: crashed: KASAN: use-after-free Write in release_tty
# git bisect good 9e92bbac2d92c72fff268e0fe447adc3bcc9e28e
Bisecting: 73 revisions left to test after this (roughly 6 steps)
[2c1f4d27781351a85333c267c9a06f41ba526921] cpupower: avoid multiple definition with gcc -fno-common
testing commit 2c1f4d27781351a85333c267c9a06f41ba526921 with gcc (GCC) 8.1.0
kernel signature: 2d8bdc1269d46b7ca645770f9f4b2fc5dcdf78a2542d95a175168482112a23e6
run #0: crashed: KASAN: use-after-free Write in release_tty
run #1: crashed: KASAN: use-after-free Write in release_tty
run #2: crashed: KASAN: use-after-free Write in release_tty
run #3: crashed: KASAN: use-after-free Write in release_tty
run #4: crashed: KASAN: use-after-free Write in release_tty
run #5: crashed: KASAN: use-after-free Write in release_tty
run #6: crashed: KASAN: use-after-free Write in release_tty
run #7: crashed: KASAN: use-after-free Read in tty_open
run #8: crashed: KASAN: use-after-free Write in release_tty
run #9: crashed: KASAN: use-after-free Write in release_tty
# git bisect good 2c1f4d27781351a85333c267c9a06f41ba526921
Bisecting: 36 revisions left to test after this (roughly 5 steps)
[c97a86b9ea96f3c72c1b5288f8b25f21bf7fad20] Input: raydium_i2c_ts - fix error codes in raydium_i2c_boot_trigger()
testing commit c97a86b9ea96f3c72c1b5288f8b25f21bf7fad20 with gcc (GCC) 8.1.0
kernel signature: a3aca3f9ea47faf31778186a5b87690a0d82f4f31a03d013eea6750bb9f62563
run #0: crashed: KASAN: use-after-free Write in release_tty
run #1: crashed: KASAN: use-after-free Write in release_tty
run #2: crashed: KASAN: use-after-free Write in release_tty
run #3: crashed: KASAN: use-after-free Write in release_tty
run #4: crashed: KASAN: use-after-free Write in release_tty
run #5: crashed: KASAN: use-after-free Write in release_tty
run #6: crashed: KASAN: use-after-free Read in tty_open
run #7: crashed: KASAN: use-after-free Write in release_tty
run #8: crashed: KASAN: use-after-free Read in tty_open
run #9: crashed: KASAN: use-after-free Write in release_tty
# git bisect good c97a86b9ea96f3c72c1b5288f8b25f21bf7fad20
Bisecting: 18 revisions left to test after this (roughly 4 steps)
[07dc42ff9b9c38eae221b36acda7134ab8670af8] mac80211: Check port authorization in the ieee80211_tx_dequeue() case
testing commit 07dc42ff9b9c38eae221b36acda7134ab8670af8 with gcc (GCC) 8.1.0
kernel signature: 0d221dc098486d2009314faff8b7ef550fb40e38c02f3289be51332bf21bac0b
all runs: crashed: KASAN: use-after-free Write in release_tty
# git bisect good 07dc42ff9b9c38eae221b36acda7134ab8670af8
Bisecting: 9 revisions left to test after this (roughly 3 steps)
[ba1ebf3aef04922bfbe549bb5254765379d62f77] bpf: Explicitly memset the bpf_attr structure
testing commit ba1ebf3aef04922bfbe549bb5254765379d62f77 with gcc (GCC) 8.1.0
kernel signature: d5c5bb64291ce93aecd73d9d00fe7ba6fec8a932a82f8b55e255da93637d519b
run #0: OK
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: boot failed: can't ssh into the instance
run #9: OK
# git bisect bad ba1ebf3aef04922bfbe549bb5254765379d62f77
Bisecting: 4 revisions left to test after this (roughly 2 steps)
[56a5db17b2985e01e0fa425b119bb7586c0ece28] vt: switch vt_dont_switch to bool
testing commit 56a5db17b2985e01e0fa425b119bb7586c0ece28 with gcc (GCC) 8.1.0
kernel signature: 9cce2ded599922af3206a48c4511667d8740d829d8d2488559110df836266d96
all runs: crashed: KASAN: use-after-free Write in release_tty
# git bisect good 56a5db17b2985e01e0fa425b119bb7586c0ece28
Bisecting: 2 revisions left to test after this (roughly 1 step)
[b9eb60a0ef3971101c94f9cddb09708c2f900b35] vt: vt_ioctl: fix VT_DISALLOCATE freeing in-use virtual console
testing commit b9eb60a0ef3971101c94f9cddb09708c2f900b35 with gcc (GCC) 8.1.0
kernel signature: 9b67d5b775ef5b53cb94784030bba7b122e5de808f3d665d93e0d0f02034cd90
run #0: OK
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: boot failed: can't ssh into the instance
run #9: OK
# git bisect bad b9eb60a0ef3971101c94f9cddb09708c2f900b35
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[ac7136b9f15740d5f17a017a5febdf875239a3ea] vt: vt_ioctl: remove unnecessary console allocation checks
testing commit ac7136b9f15740d5f17a017a5febdf875239a3ea with gcc (GCC) 8.1.0
kernel signature: 8155115a899fc8561c854bcaab8171f5ef799605d8c86e7914b1092529c69b7f
run #0: crashed: KASAN: use-after-free Write in release_tty
run #1: crashed: KASAN: use-after-free Write in release_tty
run #2: crashed: KASAN: use-after-free Write in release_tty
run #3: crashed: KASAN: use-after-free Write in release_tty
run #4: crashed: KASAN: use-after-free Read in tty_open
run #5: crashed: KASAN: use-after-free Write in release_tty
run #6: crashed: KASAN: use-after-free Write in release_tty
run #7: crashed: KASAN: use-after-free Write in release_tty
run #8: crashed: KASAN: use-after-free Write in release_tty
run #9: crashed: KASAN: use-after-free Write in release_tty
# git bisect good ac7136b9f15740d5f17a017a5febdf875239a3ea
b9eb60a0ef3971101c94f9cddb09708c2f900b35 is the first bad commit
commit b9eb60a0ef3971101c94f9cddb09708c2f900b35
Author: Eric Biggers <ebiggers@google.com>
Date:   Sat Mar 21 20:43:04 2020 -0700

    vt: vt_ioctl: fix VT_DISALLOCATE freeing in-use virtual console

    commit ca4463bf8438b403596edd0ec961ca0d4fbe0220 upstream.

    The VT_DISALLOCATE ioctl can free a virtual console while tty_release()
    is still running, causing a use-after-free in con_shutdown().  This
    occurs because VT_DISALLOCATE considers a virtual console's 'struct
    vc_data' to be unused as soon as the corresponding tty's refcount hits
    0.  But actually it may be still being closed.

    Fix this by making vc_data be reference-counted via the embedded 'struct
    tty_port'.  A newly allocated virtual console has refcount 1.  Opening
    it for the first time increments the refcount to 2.  Closing it for the
    last time decrements the refcount (in tty_operations::cleanup() so that
    it happens late enough), as does VT_DISALLOCATE.

    Reproducer:
        #include <fcntl.h>
        #include <linux/vt.h>
        #include <sys/ioctl.h>
        #include <unistd.h>

        int main()
        {
            if (fork()) {
                for (;;)
                    close(open("/dev/tty5", O_RDWR));
            } else {
                int fd = open("/dev/tty10", O_RDWR);

                for (;;)
                    ioctl(fd, VT_DISALLOCATE, 5);
            }
        }

    KASAN report:
        BUG: KASAN: use-after-free in con_shutdown+0x76/0x80 drivers/tty/vt/vt.c:3278
        Write of size 8 at addr ffff88806a4ec108 by task syz_vt/129

        CPU: 0 PID: 129 Comm: syz_vt Not tainted 5.6.0-rc2 #11
        Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20191223_100556-anatol 04/01/2014
        Call Trace:
         [...]
         con_shutdown+0x76/0x80 drivers/tty/vt/vt.c:3278
         release_tty+0xa8/0x410 drivers/tty/tty_io.c:1514
         tty_release_struct+0x34/0x50 drivers/tty/tty_io.c:1629
         tty_release+0x984/0xed0 drivers/tty/tty_io.c:1789
         [...]

        Allocated by task 129:
         [...]
         kzalloc include/linux/slab.h:669 [inline]
         vc_allocate drivers/tty/vt/vt.c:1085 [inline]
         vc_allocate+0x1ac/0x680 drivers/tty/vt/vt.c:1066
         con_install+0x4d/0x3f0 drivers/tty/vt/vt.c:3229
         tty_driver_install_tty drivers/tty/tty_io.c:1228 [inline]
         tty_init_dev+0x94/0x350 drivers/tty/tty_io.c:1341
         tty_open_by_driver drivers/tty/tty_io.c:1987 [inline]
         tty_open+0x3ca/0xb30 drivers/tty/tty_io.c:2035
         [...]

        Freed by task 130:
         [...]
         kfree+0xbf/0x1e0 mm/slab.c:3757
         vt_disallocate drivers/tty/vt/vt_ioctl.c:300 [inline]
         vt_ioctl+0x16dc/0x1e30 drivers/tty/vt/vt_ioctl.c:818
         tty_ioctl+0x9db/0x11b0 drivers/tty/tty_io.c:2660
         [...]

    Fixes: 4001d7b7fc27 ("vt: push down the tty lock so we can see what is left to tackle")
    Cc: <stable@vger.kernel.org> # v3.4+
    Reported-by: syzbot+522643ab5729b0421998@syzkaller.appspotmail.com
    Acked-by: Jiri Slaby <jslaby@suse.cz>
    Signed-off-by: Eric Biggers <ebiggers@google.com>
    Link: https://lore.kernel.org/r/20200322034305.210082-2-ebiggers@kernel.org
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 drivers/tty/vt/vt.c       | 23 ++++++++++++++++++++++-
 drivers/tty/vt/vt_ioctl.c | 12 ++++--------
 2 files changed, 26 insertions(+), 9 deletions(-)

culprit signature: 9b67d5b775ef5b53cb94784030bba7b122e5de808f3d665d93e0d0f02034cd90
parent signature: 8155115a899fc8561c854bcaab8171f5ef799605d8c86e7914b1092529c69b7f
revisions tested: 13, total time: 3h0m13.39623418s (build: 1h50m48.594605409s, test: 1h7m46.114326199s)
first good commit: b9eb60a0ef3971101c94f9cddb09708c2f900b35 vt: vt_ioctl: fix VT_DISALLOCATE freeing in-use virtual console
cc: ["ebiggers@google.com" "gregkh@linuxfoundation.org" "jslaby@suse.cz"]