bisecting fixing commit since 01364dad1d4577e27a57729d41053f661bb8a5b9
building syzkaller on 05736b290dd5af17adbb0fb5ea67405a0167a7c8
testing commit 01364dad1d4577e27a57729d41053f661bb8a5b9 with gcc (GCC) 8.1.0
kernel signature: 6093676d8ea9e1aa09afea5ef1b915c7461e8c4693a3ff9225c848e4d9f11d0a
all runs: crashed: KASAN: use-after-free Write in release_tty
testing current HEAD 050272a0423e68207fd2367831ae610680129062
testing commit 050272a0423e68207fd2367831ae610680129062 with gcc (GCC) 8.1.0
kernel signature: a5b2207441bb2773ad813d444b06a0c0681eb5201ddfeee20f6ac31099bd30aa
all runs: OK
# git bisect start 050272a0423e68207fd2367831ae610680129062 01364dad1d4577e27a57729d41053f661bb8a5b9
Bisecting: 194 revisions left to test after this (roughly 8 steps)
[82146d1de45651ddd02a2c693382b732e4d428bb] hinic: fix wrong para of wait_for_completion_timeout
testing commit 82146d1de45651ddd02a2c693382b732e4d428bb with gcc (GCC) 8.1.0
kernel signature: b5536fa7d9b7e11d1d0b24a5a76bef4b0dd808a782267f421886f2435d543f9b
all runs: OK
# git bisect bad 82146d1de45651ddd02a2c693382b732e4d428bb
Bisecting: 96 revisions left to test after this (roughly 7 steps)
[1ec47ff0525c4a530dc7783cb28044179334a4cc] mac80211: mark station unauthorized before key removal
testing commit 1ec47ff0525c4a530dc7783cb28044179334a4cc with gcc (GCC) 8.1.0
kernel signature: db6c4832fa65f48824b02e4611cac03918c027755e6618914e58f78cb68ab8ce
all runs: crashed: KASAN: use-after-free Write in release_tty
# git bisect good 1ec47ff0525c4a530dc7783cb28044179334a4cc
Bisecting: 48 revisions left to test after this (roughly 6 steps)
[53cdc9f5a25ae224af22a031b6eabca569b288f6] ARM: dts: oxnas: Fix clear-mask property
testing commit 53cdc9f5a25ae224af22a031b6eabca569b288f6 with gcc (GCC) 8.1.0
kernel signature: 2b7c5a4e29088b05cc6d5590f6adf8a5485719e7838cb55d3546c00b3680e7d7
all runs: OK
# git bisect bad 53cdc9f5a25ae224af22a031b6eabca569b288f6
Bisecting: 23 revisions left to test after this (roughly 5 steps)
[1ebcd216ebcc993a6f5b67dd7e35bcc8b79660b5] media: usbtv: fix control-message timeouts
testing commit 1ebcd216ebcc993a6f5b67dd7e35bcc8b79660b5 with gcc (GCC) 8.1.0
kernel signature: 821c2b750327faf28747dad5b8bed1b448cbdd409eaa8419114b94a6b7ff92db
all runs: crashed: KASAN: use-after-free Write in release_tty
# git bisect good 1ebcd216ebcc993a6f5b67dd7e35bcc8b79660b5
Bisecting: 11 revisions left to test after this (roughly 4 steps)
[8d1c9fea39a3a55af0735a4e304d23df7f02dde1] vt: ioctl, switch VT_IS_IN_USE and VT_BUSY to inlines
testing commit 8d1c9fea39a3a55af0735a4e304d23df7f02dde1 with gcc (GCC) 8.1.0
kernel signature: 0ab779b8d6874395230a23ec0d2faf2dd1f878d4fc3a02ef212dde8f0b573c29
all runs: crashed: KASAN: use-after-free Write in release_tty
# git bisect good 8d1c9fea39a3a55af0735a4e304d23df7f02dde1
Bisecting: 5 revisions left to test after this (roughly 3 steps)
[ba1ebf3aef04922bfbe549bb5254765379d62f77] bpf: Explicitly memset the bpf_attr structure
testing commit ba1ebf3aef04922bfbe549bb5254765379d62f77 with gcc (GCC) 8.1.0
kernel signature: 5614d04205ccd9e2e1e278d929a72a61020419f7a70ea838f94a28a91c10e12e
all runs: OK
# git bisect bad ba1ebf3aef04922bfbe549bb5254765379d62f77
Bisecting: 2 revisions left to test after this (roughly 2 steps)
[b9eb60a0ef3971101c94f9cddb09708c2f900b35] vt: vt_ioctl: fix VT_DISALLOCATE freeing in-use virtual console
testing commit b9eb60a0ef3971101c94f9cddb09708c2f900b35 with gcc (GCC) 8.1.0
kernel signature: c2821a6ab6fb2165d2366c7206236bb05870f756c1edb2e27c5f39f23dd36ac1
all runs: OK
# git bisect bad b9eb60a0ef3971101c94f9cddb09708c2f900b35
Bisecting: 0 revisions left to test after this (roughly 1 step)
[ac7136b9f15740d5f17a017a5febdf875239a3ea] vt: vt_ioctl: remove unnecessary console allocation checks
testing commit ac7136b9f15740d5f17a017a5febdf875239a3ea with gcc (GCC) 8.1.0
kernel signature: 1a34e5b678730b8d0ab7ce6b47b9940f8f0bd66ea6590a33b3b713c0940ff5d0
all runs: crashed: KASAN: use-after-free Write in release_tty
# git bisect good ac7136b9f15740d5f17a017a5febdf875239a3ea
b9eb60a0ef3971101c94f9cddb09708c2f900b35 is the first bad commit
commit b9eb60a0ef3971101c94f9cddb09708c2f900b35
Author: Eric Biggers
Date:   Sat Mar 21 20:43:04 2020 -0700

    vt: vt_ioctl: fix VT_DISALLOCATE freeing in-use virtual console

    commit ca4463bf8438b403596edd0ec961ca0d4fbe0220 upstream.

    The VT_DISALLOCATE ioctl can free a virtual console while tty_release()
    is still running, causing a use-after-free in con_shutdown(). This
    occurs because VT_DISALLOCATE considers a virtual console's 'struct
    vc_data' to be unused as soon as the corresponding tty's refcount hits
    0. But actually it may be still being closed.

    Fix this by making vc_data be reference-counted via the embedded 'struct
    tty_port'. A newly allocated virtual console has refcount 1. Opening it
    for the first time increments the refcount to 2. Closing it for the last
    time decrements the refcount (in tty_operations::cleanup() so that it
    happens late enough), as does VT_DISALLOCATE.

    Reproducer:

        #include <fcntl.h>
        #include <linux/vt.h>
        #include <sys/ioctl.h>
        #include <unistd.h>

        int main()
        {
            if (fork()) {
                /* parent: repeatedly open and close tty5 so tty_release() keeps running */
                for (;;)
                    close(open("/dev/tty5", O_RDWR));
            } else {
                /* child: repeatedly ask to deallocate console 5 via another VT */
                int fd = open("/dev/tty10", O_RDWR);

                for (;;)
                    ioctl(fd, VT_DISALLOCATE, 5);
            }
        }

    KASAN report:

        BUG: KASAN: use-after-free in con_shutdown+0x76/0x80 drivers/tty/vt/vt.c:3278
        Write of size 8 at addr ffff88806a4ec108 by task syz_vt/129

        CPU: 0 PID: 129 Comm: syz_vt Not tainted 5.6.0-rc2 #11
        Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20191223_100556-anatol 04/01/2014
        Call Trace:
         [...]
         con_shutdown+0x76/0x80 drivers/tty/vt/vt.c:3278
         release_tty+0xa8/0x410 drivers/tty/tty_io.c:1514
         tty_release_struct+0x34/0x50 drivers/tty/tty_io.c:1629
         tty_release+0x984/0xed0 drivers/tty/tty_io.c:1789
         [...]

        Allocated by task 129:
         [...]
         kzalloc include/linux/slab.h:669 [inline]
         vc_allocate drivers/tty/vt/vt.c:1085 [inline]
         vc_allocate+0x1ac/0x680 drivers/tty/vt/vt.c:1066
         con_install+0x4d/0x3f0 drivers/tty/vt/vt.c:3229
         tty_driver_install_tty drivers/tty/tty_io.c:1228 [inline]
         tty_init_dev+0x94/0x350 drivers/tty/tty_io.c:1341
         tty_open_by_driver drivers/tty/tty_io.c:1987 [inline]
         tty_open+0x3ca/0xb30 drivers/tty/tty_io.c:2035
         [...]

        Freed by task 130:
         [...]
         kfree+0xbf/0x1e0 mm/slab.c:3757
         vt_disallocate drivers/tty/vt/vt_ioctl.c:300 [inline]
         vt_ioctl+0x16dc/0x1e30 drivers/tty/vt/vt_ioctl.c:818
         tty_ioctl+0x9db/0x11b0 drivers/tty/tty_io.c:2660
         [...]

    Fixes: 4001d7b7fc27 ("vt: push down the tty lock so we can see what is left to tackle")
    Cc: # v3.4+
    Reported-by: syzbot+522643ab5729b0421998@syzkaller.appspotmail.com
    Acked-by: Jiri Slaby
    Signed-off-by: Eric Biggers
    Link: https://lore.kernel.org/r/20200322034305.210082-2-ebiggers@kernel.org
    Signed-off-by: Greg Kroah-Hartman

 drivers/tty/vt/vt.c       | 23 ++++++++++++++++++++++-
 drivers/tty/vt/vt_ioctl.c | 12 ++++--------
 2 files changed, 26 insertions(+), 9 deletions(-)

culprit signature: c2821a6ab6fb2165d2366c7206236bb05870f756c1edb2e27c5f39f23dd36ac1
parent signature: 1a34e5b678730b8d0ab7ce6b47b9940f8f0bd66ea6590a33b3b713c0940ff5d0
revisions tested: 10, total time: 2h38m12.432385317s (build: 1h27m11.813978966s, test: 1h9m39.246679184s)
first good commit: b9eb60a0ef3971101c94f9cddb09708c2f900b35 vt: vt_ioctl: fix VT_DISALLOCATE freeing in-use virtual console
cc: ["ebiggers@google.com" "gregkh@linuxfoundation.org" "jslaby@suse.cz"]