bisecting fixing commit since 59456c9cc40c8f75b5a7efa0fe1f211d9c6fcaf1
building syzkaller on 2489ab887a86e8b1b253aef742e365a606db3a4f
testing commit 59456c9cc40c8f75b5a7efa0fe1f211d9c6fcaf1
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: 0c3d2afb67aa4b3e0699be64ed14b280ad28bc17f16a24519dc1b5209890b0fb
run #0: crashed: KASAN: use-after-free Read in skb_dequeue
run #1: crashed: KASAN: use-after-free Read in skb_dequeue
run #2: crashed: KASAN: use-after-free Read in skb_dequeue
run #3: crashed: KASAN: use-after-free Read in skb_dequeue
run #4: crashed: KASAN: use-after-free Read in skb_dequeue
run #5: crashed: KASAN: use-after-free Read in skb_dequeue
run #6: crashed: KASAN: use-after-free Read in skb_dequeue
run #7: crashed: KASAN: use-after-free Read in skb_dequeue
run #8: crashed: KASAN: use-after-free Read in skb_dequeue
run #9: crashed: KASAN: use-after-free Read in skb_dequeue
run #10: crashed: KASAN: use-after-free Read in skb_dequeue
run #11: crashed: KASAN: use-after-free Read in skb_dequeue
run #12: crashed: KASAN: use-after-free Read in skb_dequeue
run #13: crashed: KASAN: use-after-free Read in skb_dequeue
run #14: crashed: KASAN: use-after-free Write in hci_recv_frame
run #15: crashed: KASAN: use-after-free Read in skb_dequeue
run #16: crashed: KASAN: use-after-free Read in h4_recv_buf
run #17: crashed: KASAN: use-after-free Read in h4_recv_buf
run #18: crashed: KASAN: use-after-free Write in hci_recv_frame
run #19: crashed: KASAN: use-after-free Write in hci_recv_frame
testing current HEAD 3f8a27f9e27bd78604c0709224cec0ec85a8b106
testing commit 3f8a27f9e27bd78604c0709224cec0ec85a8b106
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: 5b852b02cd53b41d7ea967779191b236e7bc77ff717fb129c7c69809dc999ab6
all runs: OK
# git bisect start 3f8a27f9e27bd78604c0709224cec0ec85a8b106 59456c9cc40c8f75b5a7efa0fe1f211d9c6fcaf1
Bisecting: 291 revisions left to test after this (roughly 8 steps)
[6d941bd6366a08bf5c660dbd4f8345427d56aefe] PCI: Use pci_update_current_state() in pci_enable_device_flags()
testing commit 6d941bd6366a08bf5c660dbd4f8345427d56aefe
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: 235ab63cf9411152679e47ebbca663de1b4dae605df965825f4e79b7001e9fd4
all runs: OK
# git bisect bad 6d941bd6366a08bf5c660dbd4f8345427d56aefe
Bisecting: 145 revisions left to test after this (roughly 7 steps)
[b8f832d565e769d88dbcfb3a3a53c7918e01c371] usb: mtu3: use @mult for HS isoc or intr
testing commit b8f832d565e769d88dbcfb3a3a53c7918e01c371
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: 4e531d3554def102fb9325ecbf00baad5816cbf08a133c3d1904a6edb0f79979
run #0: crashed: KASAN: use-after-free Read in skb_dequeue
run #1: crashed: KASAN: use-after-free Read in skb_dequeue
run #2: crashed: KASAN: use-after-free Read in skb_dequeue
run #3: crashed: KASAN: use-after-free Write in hci_recv_frame
run #4: crashed: KASAN: use-after-free Read in skb_dequeue
run #5: crashed: KASAN: use-after-free Read in skb_dequeue
run #6: crashed: KASAN: use-after-free Read in skb_dequeue
run #7: crashed: KASAN: use-after-free Read in skb_dequeue
run #8: crashed: KASAN: use-after-free Write in hci_recv_frame
run #9: crashed: KASAN: use-after-free Read in h4_recv_buf
# git bisect good b8f832d565e769d88dbcfb3a3a53c7918e01c371
Bisecting: 72 revisions left to test after this (roughly 6 steps)
[3e6bd2b583f18da9856fc9741ffa200a74a52cba] ipv4: make exception cache less predictible
testing commit 3e6bd2b583f18da9856fc9741ffa200a74a52cba
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: dd05152af7e4fd2fdc1a83d1941ae3e2d81d37241fb7b4d6527052a4508520b6
run #0: crashed: KASAN: use-after-free Read in h4_recv_buf
run #1: crashed: KASAN: use-after-free Read in skb_dequeue
run #2: crashed: KASAN: use-after-free Read in skb_dequeue
run #3: crashed: KASAN: use-after-free Read in skb_dequeue
run #4: crashed: KASAN: use-after-free Read in skb_dequeue
run #5: crashed: KASAN: use-after-free Read in skb_dequeue
run #6: crashed: KASAN: use-after-free Read in skb_dequeue
run #7: crashed: KASAN: use-after-free Read in skb_dequeue
run #8: crashed: KASAN: use-after-free Read in skb_dequeue
run #9: crashed: KASAN: use-after-free Read in skb_dequeue
# git bisect good 3e6bd2b583f18da9856fc9741ffa200a74a52cba
Bisecting: 36 revisions left to test after this (roughly 5 steps)
[872968502114d68c21419cf7eb5ab97717e7b803] bpf: Fix leakage due to insufficient speculative store bypass mitigation
testing commit 872968502114d68c21419cf7eb5ab97717e7b803
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: da72808bd7ef9ba4ed5c2f1e645f0606cdadcd4e6d535c49c90dd1011ee00b5e
all runs: OK
# git bisect bad 872968502114d68c21419cf7eb5ab97717e7b803
Bisecting: 17 revisions left to test after this (roughly 4 steps)
[e44d9cfb15a3c2a304545eaf2f7aa882b4263578] btrfs: reset replace target device to allocation state on close
testing commit e44d9cfb15a3c2a304545eaf2f7aa882b4263578
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: deb5e68c3c9ae37344c55053ad1252d8351ee995223d0152aef8a52a247e4f78
all runs: OK
# git bisect bad e44d9cfb15a3c2a304545eaf2f7aa882b4263578
Bisecting: 8 revisions left to test after this (roughly 3 steps)
[f7bffefa322a3d5a292c0b7a9b93302b392928f6] tty: Fix data race between tiocsti() and flush_to_ldisc()
testing commit f7bffefa322a3d5a292c0b7a9b93302b392928f6
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: 31547760cb62e86eba4039317c9d5ddeb00df74664da745ddec57e2a7cb2a012
all runs: OK
# git bisect bad f7bffefa322a3d5a292c0b7a9b93302b392928f6
Bisecting: 4 revisions left to test after this (roughly 2 steps)
[f94601e19dd7e80bf12f42a7cdfed9652a9a01dc] netns: protect netns ID lookups with RCU
testing commit f94601e19dd7e80bf12f42a7cdfed9652a9a01dc
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: 2f409a8ef0fc1945d1aab3193a4ac5cb09ad02253fe6e90a4059c0eba274cc1a
run #0: crashed: KASAN: use-after-free Read in skb_dequeue
run #1: crashed: KASAN: use-after-free Read in skb_dequeue
run #2: crashed: KASAN: use-after-free Read in skb_dequeue
run #3: crashed: KASAN: use-after-free Read in skb_dequeue
run #4: crashed: KASAN: use-after-free Read in skb_dequeue
run #5: crashed: KASAN: use-after-free Read in skb_dequeue
run #6: crashed: KASAN: use-after-free Read in skb_dequeue
run #7: crashed: KASAN: use-after-free Read in skb_dequeue
run #8: crashed: KASAN: use-after-free Read in h4_recv_buf
run #9: crashed: KASAN: use-after-free Read in skb_dequeue
# git bisect good f94601e19dd7e80bf12f42a7cdfed9652a9a01dc
Bisecting: 2 revisions left to test after this (roughly 1 step)
[24eb2413d3f9e7fcf47b53b9934fa3eadbf20011] ext4: report correct st_size for encrypted symlinks
testing commit 24eb2413d3f9e7fcf47b53b9934fa3eadbf20011
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: 003805cffa45e1e810fb35ffb81f59b497359362c42d12682913f26b99bb40a5
run #0: crashed: KASAN: use-after-free Read in skb_dequeue
run #1: crashed: KASAN: use-after-free Write in hci_recv_frame
run #2: crashed: KASAN: use-after-free Read in skb_dequeue
run #3: crashed: KASAN: use-after-free Read in skb_dequeue
run #4: crashed: KASAN: use-after-free Read in skb_dequeue
run #5: crashed: KASAN: use-after-free Read in skb_dequeue
run #6: crashed: KASAN: use-after-free Read in skb_dequeue
run #7: crashed: KASAN: use-after-free Read in skb_dequeue
run #8: crashed: KASAN: use-after-free Read in skb_dequeue
run #9: crashed: KASAN: use-after-free Read in skb_dequeue
# git bisect good 24eb2413d3f9e7fcf47b53b9934fa3eadbf20011
Bisecting: 0 revisions left to test after this (roughly 1 step)
[7e7b9f8867ad82a1ef495abb32f127d5142fb107] ubifs: report correct st_size for encrypted symlinks
testing commit 7e7b9f8867ad82a1ef495abb32f127d5142fb107
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: 1646033e5685fc055f5b69280ad52979084e67a9b9d02f270e3a1077483d51ad
run #0: crashed: KASAN: use-after-free Read in skb_dequeue
run #1: crashed: KASAN: use-after-free Read in skb_dequeue
run #2: crashed: KASAN: use-after-free Read in skb_dequeue
run #3: crashed: KASAN: use-after-free Read in skb_dequeue
run #4: crashed: KASAN: use-after-free Read in h4_recv_buf
run #5: crashed: KASAN: use-after-free Read in skb_dequeue
run #6: crashed: KASAN: use-after-free Write in hci_recv_frame
run #7: crashed: KASAN: use-after-free Write in hci_recv_frame
run #8: crashed: KASAN: use-after-free Read in skb_dequeue
run #9: crashed: KASAN: use-after-free Read in skb_dequeue
# git bisect good 7e7b9f8867ad82a1ef495abb32f127d5142fb107
f7bffefa322a3d5a292c0b7a9b93302b392928f6 is the first bad commit
commit f7bffefa322a3d5a292c0b7a9b93302b392928f6
Author: Nguyen Dinh Phi
Date:   Mon Aug 23 08:06:41 2021 +0800

    tty: Fix data race between tiocsti() and flush_to_ldisc()

    commit bb2853a6a421a052268eee00fd5d3f6b3504b2b1 upstream.

    The ops->receive_buf() may be accessed concurrently from these two
    functions. If the driver flushes data to the line discipline
    receive_buf() method while tiocsti() is waiting for the
    ops->receive_buf() to finish its work, the data race will happen.

    For example:

    tty_ioctl                    |tty_ldisc_receive_buf
     ->tiocsti                   | ->tty_port_default_receive_buf
      ->tty_ldisc_receive_buf    |  ->tty_ldisc_receive_buf
       ->hci_uart_tty_receive    |   ->hci_uart_tty_receive
        ->h4_recv                |    ->h4_recv

    In this case, the h4 receive buffer will be overwritten by the
    latecomer, and we will lose the data.

    Hence, change the tiocsti() function to use the exclusive lock
    interface from tty_buffer to avoid the data race.

    Reported-by: syzbot+97388eb9d31b997fe1d0@syzkaller.appspotmail.com
    Reviewed-by: Jiri Slaby
    Signed-off-by: Nguyen Dinh Phi
    Link: https://lore.kernel.org/r/20210823000641.2082292-1-phind.uet@gmail.com
    Cc: stable
    Signed-off-by: Greg Kroah-Hartman

 drivers/tty/tty_io.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

culprit signature: 31547760cb62e86eba4039317c9d5ddeb00df74664da745ddec57e2a7cb2a012
parent signature: 1646033e5685fc055f5b69280ad52979084e67a9b9d02f270e3a1077483d51ad
revisions tested: 11, total time: 3h44m24.758174824s (build: 2h4m58.761124197s, test: 1h37m49.974920226s)
first good commit: f7bffefa322a3d5a292c0b7a9b93302b392928f6 tty: Fix data race between tiocsti() and flush_to_ldisc()
recipients (to): ["gregkh@linuxfoundation.org" "jirislaby@kernel.org" "phind.uet@gmail.com"]
recipients (cc): []