bisecting fixing commit since 07c4b9e9f71aa4bc74009f710fc5a745e10981bf
building syzkaller on eef6e5808d6507716d331b9eff67fdd991be891a
testing commit 07c4b9e9f71aa4bc74009f710fc5a745e10981bf with gcc (GCC) 8.1.0
kernel signature: 9fb62b98d8a84d422b8103e4569b2b48ea8abf22db7d1d79ebd24029377ec40d
all runs: crashed: KASAN: use-after-free Write in release_tty
testing current HEAD 4544db3f848f1d5d0f48d39c22c9636aecf73cf6
testing commit 4544db3f848f1d5d0f48d39c22c9636aecf73cf6 with gcc (GCC) 8.1.0
kernel signature: 501571628fadb108de4e6b8cba0d34e67784091cbf79c9d1d047f3e1e72b14aa
all runs: OK
# git bisect start 4544db3f848f1d5d0f48d39c22c9636aecf73cf6 07c4b9e9f71aa4bc74009f710fc5a745e10981bf
Bisecting: 14400 revisions left to test after this (roughly 14 steps)
[ea93ed4c181bd42d27b49b612d56f4ceb23d1d6c] spi: spi-fsl-dspi: Use EOQ for last word in buffer even for XSPI mode
testing commit ea93ed4c181bd42d27b49b612d56f4ceb23d1d6c with gcc (GCC) 8.1.0
kernel signature: 68c7547b80679ee642bece6e71e1c52268bff95f7974a61636bb291ab478ca27
all runs: crashed: KASAN: use-after-free Write in release_tty
# git bisect good ea93ed4c181bd42d27b49b612d56f4ceb23d1d6c
Bisecting: 7530 revisions left to test after this (roughly 13 steps)
[4646de87d32526ee87b46c2e0130413367fb5362] Merge tag 'mailbox-v5.7' of git://git.linaro.org/landing-teams/working/fujitsu/integration
testing commit 4646de87d32526ee87b46c2e0130413367fb5362 with gcc (GCC) 8.1.0
kernel signature: ae9eda7ccdeff1cd5b54bc5543176b6634f03d49636f6d20b1c8aa4ef719a4dc
all runs: OK
# git bisect bad 4646de87d32526ee87b46c2e0130413367fb5362
Bisecting: 3430 revisions left to test after this (roughly 12 steps)
[5a470b1a63ac211e01a93de9d913753d64a21d9a] Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
testing commit 5a470b1a63ac211e01a93de9d913753d64a21d9a with gcc (GCC) 8.1.0
kernel signature: 74afdc12c34037511b228b6d31f3d90b3967f61f9db36f71f14b04695e55715a
run #0: crashed: KASAN: use-after-free Write in release_tty
run #1: crashed: KASAN: use-after-free Write in tty_buffer_cancel_work
run #2: crashed: KASAN: use-after-free Write in release_tty
run #3: crashed: KASAN: use-after-free Write in release_tty
run #4: crashed: KASAN: use-after-free Write in release_tty
run #5: crashed: KASAN: use-after-free Write in release_tty
run #6: crashed: KASAN: use-after-free Write in release_tty
run #7: crashed: KASAN: use-after-free Write in release_tty
run #8: crashed: KASAN: use-after-free Write in release_tty
run #9: crashed: KASAN: use-after-free Write in release_tty
# git bisect good 5a470b1a63ac211e01a93de9d913753d64a21d9a
Bisecting: 1719 revisions left to test after this (roughly 11 steps)
[7c4fa150714fb319d4e2bb2303ebbd7307b0fb6d] Merge branch 'core-rcu-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
testing commit 7c4fa150714fb319d4e2bb2303ebbd7307b0fb6d with gcc (GCC) 8.1.0
kernel signature: 81b125a18dea4d4ecb25e1d49bcd56c3570cf3911c18b1fd08589238031ab1e2
all runs: crashed: KASAN: use-after-free Write in release_tty
# git bisect good 7c4fa150714fb319d4e2bb2303ebbd7307b0fb6d
Bisecting: 910 revisions left to test after this (roughly 10 steps)
[1455c69900c8c6442b182a74087931f4ffb1cac4] Merge tag 'fscrypt-for-linus' of git://git.kernel.org/pub/scm/fs/fscrypt/fscrypt
testing commit 1455c69900c8c6442b182a74087931f4ffb1cac4 with gcc (GCC) 8.1.0
kernel signature: 8a949426376399f427331fc8a09750587ccf1357fbb10cf78e4ab25d505b0b90
all runs: crashed: KASAN: use-after-free Write in release_tty
# git bisect good 1455c69900c8c6442b182a74087931f4ffb1cac4
Bisecting: 481 revisions left to test after this (roughly 9 steps)
[dfabb077d62552797ca0ae7756cb30d3e195ead5] Merge tag 'mmc-v5.7' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc
testing commit dfabb077d62552797ca0ae7756cb30d3e195ead5 with gcc (GCC) 8.1.0
kernel signature: 5a6b78d6902c311e6e400d6eb666bbf6e8da55e29487cdfa8cd19b1b37e40a82
all runs: crashed: KASAN: use-after-free Write in release_tty
# git bisect good dfabb077d62552797ca0ae7756cb30d3e195ead5
Bisecting: 239 revisions left to test after this (roughly 8 steps)
[dba43fc4ba2fed63e898867fa973c69c37623939] Merge tag 'platform-drivers-x86-v5.7-1' of git://git.infradead.org/linux-platform-drivers-x86
testing commit dba43fc4ba2fed63e898867fa973c69c37623939 with gcc (GCC) 8.1.0
kernel signature: 295e9beff4ee6959afa0788986aa9bb03bf1f38af0d84439e97d4f86c30fd8c0
all runs: OK
# git bisect bad dba43fc4ba2fed63e898867fa973c69c37623939
Bisecting: 122 revisions left to test after this (roughly 7 steps)
[7e13d0a6b189169d9339a6ef96383cd6f0e00b2c] Revert "tty: serial: samsung_tty: build it for any platform"
testing commit 7e13d0a6b189169d9339a6ef96383cd6f0e00b2c with gcc (GCC) 8.1.0
kernel signature: 72b7a3989078c36ca24eacbd35f1edc4c6c5a634fe90acc7be56318d70777358
all runs: crashed: KASAN: use-after-free Write in release_tty
# git bisect good 7e13d0a6b189169d9339a6ef96383cd6f0e00b2c
Bisecting: 61 revisions left to test after this (roughly 6 steps)
[74062363f8556fb15834caf4be4212da065e6712] tools/power/x86/intel-speed-select: Avoid duplicate Package strings for json
testing commit 74062363f8556fb15834caf4be4212da065e6712 with gcc (GCC) 8.1.0
kernel signature: 273050401dee3f07e5ecaa32fa83f5053703a8c0ba4de0843dbface40e80612c
run #0: crashed: KASAN: use-after-free Write in release_tty
run #1: crashed: KASAN: use-after-free Write in release_tty
run #2: crashed: KASAN: use-after-free Write in release_tty
run #3: crashed: KASAN: use-after-free Write in release_tty
run #4: crashed: KASAN: use-after-free Write in release_tty
run #5: crashed: KASAN: use-after-free Write in release_tty
run #6: crashed: KASAN: use-after-free Write in release_tty
run #7: crashed: KASAN: use-after-free Write in release_tty
run #8: crashed: KASAN: use-after-free Write in release_tty
run #9: OK
# git bisect good 74062363f8556fb15834caf4be4212da065e6712
Bisecting: 30 revisions left to test after this (roughly 5 steps)
[c26389f998a865e5eb37e0c90d3a6ded2d2d513b] serial: 8250: 8250_omap: Add DMA support for UARTs on K3 SoCs
testing commit c26389f998a865e5eb37e0c90d3a6ded2d2d513b with gcc (GCC) 8.1.0
kernel signature: b2f09319f392524e1544ab7d7e205e0e3a3d803d8d63ded85339da97d28da5c3
all runs: crashed: KASAN: use-after-free Write in release_tty
# git bisect good c26389f998a865e5eb37e0c90d3a6ded2d2d513b
Bisecting: 15 revisions left to test after this (roughly 4 steps)
[8d5b305484e8a3216eeb700ed6c6de870306adbd] serial: 8250: Optimize irq enable after console write
testing commit 8d5b305484e8a3216eeb700ed6c6de870306adbd with gcc (GCC) 8.1.0
kernel signature: ef2881109f3af4f272a857620de772cf4d6022c0e9b86ff5b5946d54e24127b9
all runs: OK
# git bisect bad 8d5b305484e8a3216eeb700ed6c6de870306adbd
Bisecting: 7 revisions left to test after this (roughly 3 steps)
[ecd755fb730e627918146e3d04acbdeb01e1761f] ARM: dts: mmp*: Make the serial ports compatible with xscale-uart
testing commit ecd755fb730e627918146e3d04acbdeb01e1761f with gcc (GCC) 8.1.0
kernel signature: 8ecf60b0572702eb6a8fd6cba81c2cd8eb6a30336df79756e7213cdcded97f49
run #0: crashed: KASAN: use-after-free Write in release_tty
run #1: crashed: KASAN: use-after-free Write in release_tty
run #2: crashed: KASAN: use-after-free Write in release_tty
run #3: crashed: KASAN: use-after-free Write in release_tty
run #4: crashed: KASAN: use-after-free Write in release_tty
run #5: crashed: KASAN: use-after-free Write in release_tty
run #6: crashed: KASAN: use-after-free Write in release_tty
run #7: crashed: KASAN: use-after-free Write in release_tty
run #8: crashed: KASAN: use-after-free Write in release_tty
run #9: crashed: KASAN: use-after-free Read in tty_buffer_cancel_work
# git bisect good ecd755fb730e627918146e3d04acbdeb01e1761f
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[3b9c55efb23ebc6edb8190d9afa78b311e49404f] tty: serial: make SERIAL_SPRD depend on COMMON_CLK
testing commit 3b9c55efb23ebc6edb8190d9afa78b311e49404f with gcc (GCC) 8.1.0
kernel signature: dd78da3c6a417633a792fa02b8d966c75cbbdd94e4d2b6e40a4947841e52a88a
run #0: crashed: KASAN: use-after-free Write in release_tty
run #1: crashed: KASAN: use-after-free Write in release_tty
run #2: crashed: KASAN: use-after-free Write in release_tty
run #3: crashed: KASAN: use-after-free Write in release_tty
run #4: crashed: KASAN: use-after-free Write in release_tty
run #5: crashed: KASAN: use-after-free Write in release_tty
run #6: crashed: KASAN: use-after-free Write in release_tty
run #7: crashed: KASAN: use-after-free Write in release_tty
run #8: OK
run #9: OK
# git bisect good 3b9c55efb23ebc6edb8190d9afa78b311e49404f
Bisecting: 1 revision left to test after this (roughly 1 step)
[7cf64b18b0b96e751178b8d0505d8466ff5a448f] vt: vt_ioctl: fix use-after-free in vt_in_use()
testing commit 7cf64b18b0b96e751178b8d0505d8466ff5a448f with gcc (GCC) 8.1.0
kernel signature: f1993f4bfe1cf9d9348b4c40c9d8490b5bc5a6da3bb288df1d354d9028c2b4fc
all runs: OK
# git bisect bad 7cf64b18b0b96e751178b8d0505d8466ff5a448f
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[ca4463bf8438b403596edd0ec961ca0d4fbe0220] vt: vt_ioctl: fix VT_DISALLOCATE freeing in-use virtual console
testing commit ca4463bf8438b403596edd0ec961ca0d4fbe0220 with gcc (GCC) 8.1.0
kernel signature: 5c693d9ae0fdce0e46a17dfc5216bf098320a0386c23c4f102db22253168e92c
all runs: OK
# git bisect bad ca4463bf8438b403596edd0ec961ca0d4fbe0220
ca4463bf8438b403596edd0ec961ca0d4fbe0220 is the first bad commit
commit ca4463bf8438b403596edd0ec961ca0d4fbe0220
Author: Eric Biggers
Date:   Sat Mar 21 20:43:04 2020 -0700

    vt: vt_ioctl: fix VT_DISALLOCATE freeing in-use virtual console

    The VT_DISALLOCATE ioctl can free a virtual console while tty_release()
    is still running, causing a use-after-free in con_shutdown(). This
    occurs because VT_DISALLOCATE considers a virtual console's
    'struct vc_data' to be unused as soon as the corresponding tty's
    refcount hits 0. But actually it may be still being closed.
    Fix this by making vc_data be reference-counted via the embedded
    'struct tty_port'. A newly allocated virtual console has refcount 1.
    Opening it for the first time increments the refcount to 2. Closing it
    for the last time decrements the refcount (in tty_operations::cleanup()
    so that it happens late enough), as does VT_DISALLOCATE.

    Reproducer:

        #include <fcntl.h>
        #include <linux/vt.h>
        #include <sys/ioctl.h>
        #include <unistd.h>

        int main()
        {
            if (fork()) {
                /* parent: open and close tty5 in a tight loop */
                for (;;)
                    close(open("/dev/tty5", O_RDWR));
            } else {
                /* child: keep asking the VT layer to free console 5 */
                int fd = open("/dev/tty10", O_RDWR);

                for (;;)
                    ioctl(fd, VT_DISALLOCATE, 5);
            }
        }

    KASAN report:

        BUG: KASAN: use-after-free in con_shutdown+0x76/0x80 drivers/tty/vt/vt.c:3278
        Write of size 8 at addr ffff88806a4ec108 by task syz_vt/129

        CPU: 0 PID: 129 Comm: syz_vt Not tainted 5.6.0-rc2 #11
        Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20191223_100556-anatol 04/01/2014
        Call Trace:
         [...]
         con_shutdown+0x76/0x80 drivers/tty/vt/vt.c:3278
         release_tty+0xa8/0x410 drivers/tty/tty_io.c:1514
         tty_release_struct+0x34/0x50 drivers/tty/tty_io.c:1629
         tty_release+0x984/0xed0 drivers/tty/tty_io.c:1789
         [...]

        Allocated by task 129:
         [...]
         kzalloc include/linux/slab.h:669 [inline]
         vc_allocate drivers/tty/vt/vt.c:1085 [inline]
         vc_allocate+0x1ac/0x680 drivers/tty/vt/vt.c:1066
         con_install+0x4d/0x3f0 drivers/tty/vt/vt.c:3229
         tty_driver_install_tty drivers/tty/tty_io.c:1228 [inline]
         tty_init_dev+0x94/0x350 drivers/tty/tty_io.c:1341
         tty_open_by_driver drivers/tty/tty_io.c:1987 [inline]
         tty_open+0x3ca/0xb30 drivers/tty/tty_io.c:2035
         [...]

        Freed by task 130:
         [...]
         kfree+0xbf/0x1e0 mm/slab.c:3757
         vt_disallocate drivers/tty/vt/vt_ioctl.c:300 [inline]
         vt_ioctl+0x16dc/0x1e30 drivers/tty/vt/vt_ioctl.c:818
         tty_ioctl+0x9db/0x11b0 drivers/tty/tty_io.c:2660
         [...]

    Fixes: 4001d7b7fc27 ("vt: push down the tty lock so we can see what is left to tackle")
    Cc: # v3.4+
    Reported-by: syzbot+522643ab5729b0421998@syzkaller.appspotmail.com
    Acked-by: Jiri Slaby
    Signed-off-by: Eric Biggers
    Link: https://lore.kernel.org/r/20200322034305.210082-2-ebiggers@kernel.org
    Signed-off-by: Greg Kroah-Hartman

 drivers/tty/vt/vt.c       | 23 ++++++++++++++++++++++-
 drivers/tty/vt/vt_ioctl.c | 12 ++++--------
 2 files changed, 26 insertions(+), 9 deletions(-)

culprit signature: 5c693d9ae0fdce0e46a17dfc5216bf098320a0386c23c4f102db22253168e92c
parent signature: dd78da3c6a417633a792fa02b8d966c75cbbdd94e4d2b6e40a4947841e52a88a
revisions tested: 17, total time: 4h0m57.811391751s (build: 1h46m42.853083938s, test: 2h12m43.405029325s)
first good commit: ca4463bf8438b403596edd0ec961ca0d4fbe0220 vt: vt_ioctl: fix VT_DISALLOCATE freeing in-use virtual console
cc: ["ebiggers@google.com" "gregkh@linuxfoundation.org" "jslaby@suse.cz"]