bisecting fixing commit since c60174717544aa8959683d7e19d568309c3a0c65
building syzkaller on 8b96726707a5846209f943c978ccd7eeb1dd6f5e
testing commit c60174717544aa8959683d7e19d568309c3a0c65 with gcc (GCC) 8.1.0
kernel signature: 6cfa1f4c4815a8a81b62be199a432413e7ac679aa0ae90bafc69c62d40962889
run #0: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common
run #1: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common
run #2: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common
run #3: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common
run #4: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common
run #5: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common
run #6: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common
run #7: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common
run #8: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common
run #9: crashed: INFO: task hung in paste_selection
testing current HEAD 5ad0ec0b86525d0c5d3d250d3cfad7f183b00cfa
testing commit 5ad0ec0b86525d0c5d3d250d3cfad7f183b00cfa with gcc (GCC) 8.1.0
kernel signature: a13ba4089ad1acacd41cb674264784306e9612417377dde812b5255691990c7e
all runs: OK
# git bisect start 5ad0ec0b86525d0c5d3d250d3cfad7f183b00cfa c60174717544aa8959683d7e19d568309c3a0c65
Bisecting: 7769 revisions left to test after this (roughly 13 steps)
[4cadc60d6bcfee9c626d4b55e9dc1475d21ad3bb] Merge tag 'for-v5.6' of git://git.kernel.org/pub/scm/linux/kernel/git/sre/linux-power-supply
testing commit 4cadc60d6bcfee9c626d4b55e9dc1475d21ad3bb with gcc (GCC) 8.1.0
kernel signature: 8ab898ed8108e8c864d58d3bd0645ee2a55294bf64c9f6e968fbfe8791ff540b
run #0: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common
run #1: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common
run #2: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common
run #3: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common
run #4: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common
run #5: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common
run #6: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common
run #7: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common
run #8: crashed: INFO: task hung in paste_selection
run #9: crashed: INFO: task hung in tty_ldisc_hangup
# git bisect good 4cadc60d6bcfee9c626d4b55e9dc1475d21ad3bb
Bisecting: 3884 revisions left to test after this (roughly 12 steps)
[2f633d5820e4ed870f408957322acb9263bce2f4] net: stmmac: xgmac: fix missing IFF_MULTICAST checki in dwxgmac2_set_filter
testing commit 2f633d5820e4ed870f408957322acb9263bce2f4 with gcc (GCC) 8.1.0
kernel signature: 8d1c7de51f0b185ff39d345c6f320899c929de848eb70eecf26859b8f5c6220b
run #0: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common
run #1: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common
run #2: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common
run #3: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common
run #4: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common
run #5: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common
run #6: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common
run #7: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common
run #8: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common
run #9: crashed: INFO: task hung in paste_selection
# git bisect good 2f633d5820e4ed870f408957322acb9263bce2f4
Bisecting: 1938 revisions left to test after this (roughly 11 steps)
[291abfea4746897b821830e0189dc225abd401eb] Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
testing commit 291abfea4746897b821830e0189dc225abd401eb with gcc (GCC) 8.1.0
kernel signature: 9b1d90964d34b57c71da08758b46a2aefd423d2b10521210e0e83c5f91dd3700
all runs: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common
# git bisect good 291abfea4746897b821830e0189dc225abd401eb
Bisecting: 968 revisions left to test after this (roughly 10 steps)
[7977fed974d60a72733243cf54d7955cd6dccd91] Merge tag 'perf-urgent-for-mingo-5.6-20200228' of git://git.kernel.org/pub/scm/linux/kernel/git/acme/linux into perf/urgent
testing commit 7977fed974d60a72733243cf54d7955cd6dccd91 with gcc (GCC) 8.1.0
kernel signature: 4a4a414213d825bb5e15e1861bf5e7b11c8efacb3d5ee72c3da714d68e20bc16
all runs: crashed: possible deadlock in n_tty_receive_buf_common
# git bisect good 7977fed974d60a72733243cf54d7955cd6dccd91
Bisecting: 483 revisions left to test after this (roughly 9 steps)
[efe582a137eda93265d880494cb04370afd162f2] Merge tag 'edac_urgent-2020-03-08' of git://git.kernel.org/pub/scm/linux/kernel/git/ras/ras
testing commit efe582a137eda93265d880494cb04370afd162f2 with gcc (GCC) 8.1.0
kernel signature: d3c1d8ff1f18567bbe5c813ab3d537954fa5035f5fd312caaee80108836318b1
run #0: boot failed: can't ssh into the instance
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect bad efe582a137eda93265d880494cb04370afd162f2
Bisecting: 238 revisions left to test after this (roughly 8 steps)
[2ac4853e295bba53209917e14af701c45c99ce04] Merge tag 'amd-drm-fixes-5.6-2020-03-05' of git://people.freedesktop.org/~agd5f/linux into drm-fixes
testing commit 2ac4853e295bba53209917e14af701c45c99ce04 with gcc (GCC) 8.1.0
kernel signature: 29783140c80db98cf694eb6089a1e3561df69f5b38f81b8e6572aa02c72c4cee
all runs: crashed: possible deadlock in n_tty_receive_buf_common
# git bisect good 2ac4853e295bba53209917e14af701c45c99ce04
Bisecting: 115 revisions left to test after this (roughly 7 steps)
[7e6582ef32f6cbd55b9c752727847b0ee6710e78] Merge tag 'riscv-for-linus-5.6-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux
testing commit 7e6582ef32f6cbd55b9c752727847b0ee6710e78 with gcc (GCC) 8.1.0
kernel signature: f34d9ddab6d88f03c1858487646e96a96698aeca381d50b115e6eb775f31710e
all runs: crashed: possible deadlock in n_tty_receive_buf_common
# git bisect good 7e6582ef32f6cbd55b9c752727847b0ee6710e78
Bisecting: 56 revisions left to test after this (roughly 6 steps)
[5dfcc13902bfb6d252b84e234bfc4cdba76c1069] Merge tag 'block-5.6-2020-03-07' of git://git.kernel.dk/linux-block
testing commit 5dfcc13902bfb6d252b84e234bfc4cdba76c1069 with gcc (GCC) 8.1.0
kernel signature: be9d3e47d5a73040436ccaf0d89bd906df702c9612276eaae216ce29421b4a58
all runs: crashed: possible deadlock in n_tty_receive_buf_common
# git bisect good 5dfcc13902bfb6d252b84e234bfc4cdba76c1069
Bisecting: 20 revisions left to test after this (roughly 5 steps)
[fd3f6cc9806c2f10b886f3ad78c9e192fb1bffd9] Merge tag 'usb-5.6-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb
testing commit fd3f6cc9806c2f10b886f3ad78c9e192fb1bffd9 with gcc (GCC) 8.1.0
kernel signature: d1b483eeffc145840683a880c32e27f25dbc4182d031f1b052f7a3b068190541
all runs: crashed: possible deadlock in n_tty_receive_buf_common
# git bisect good fd3f6cc9806c2f10b886f3ad78c9e192fb1bffd9
Bisecting: 11 revisions left to test after this (roughly 3 steps)
[cc432aee7d5a5cd6c8ae4dd9f5bae56428d1fca2] Merge tag 'tty-5.6-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty
testing commit cc432aee7d5a5cd6c8ae4dd9f5bae56428d1fca2 with gcc (GCC) 8.1.0
kernel signature: 776698c461abfe420b8cca47cbc50aedc80664a9df269357c6d1a270175abe86
all runs: OK
# git bisect bad cc432aee7d5a5cd6c8ae4dd9f5bae56428d1fca2
Bisecting: 4 revisions left to test after this (roughly 2 steps)
[10c5ccc3c6d32f3d7d6c07de1d3f0f4b52f3e3ab] serial: 8250_exar: add support for ACCES cards
testing commit 10c5ccc3c6d32f3d7d6c07de1d3f0f4b52f3e3ab with gcc (GCC) 8.1.0
kernel signature: b69a34b29fee8837dd46d1def16f0b48aa95893fcc8f87696805578cff04dfb1
run #0: OK
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: boot failed: can't ssh into the instance
# git bisect bad 10c5ccc3c6d32f3d7d6c07de1d3f0f4b52f3e3ab
Bisecting: 1 revision left to test after this (roughly 1 step)
[e8c75a30a23c6ba63f4ef6895cbf41fd42f21aa2] vt: selection, push sel_lock up
testing commit e8c75a30a23c6ba63f4ef6895cbf41fd42f21aa2 with gcc (GCC) 8.1.0
kernel signature: e3503d751d5cd85926d9bf17a677fa42b91cb5faf2fccf57f7caa54433e3affe
all runs: OK
# git bisect bad e8c75a30a23c6ba63f4ef6895cbf41fd42f21aa2
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[4b70dd57a15d2f4685ac6e38056bad93e81e982f] vt: selection, push console lock down
testing commit 4b70dd57a15d2f4685ac6e38056bad93e81e982f with gcc (GCC) 8.1.0
kernel signature: 21206583b4bc4560154c6ac4bddd9aa120d18cf3691203d6bb9fccae0e4a1fbc
all runs: crashed: possible deadlock in n_tty_receive_buf_common
# git bisect good 4b70dd57a15d2f4685ac6e38056bad93e81e982f
e8c75a30a23c6ba63f4ef6895cbf41fd42f21aa2 is the first bad commit
commit e8c75a30a23c6ba63f4ef6895cbf41fd42f21aa2
Author: Jiri Slaby
Date: Fri Feb 28 12:54:06 2020 +0100

    vt: selection, push sel_lock up

    sel_lock cannot nest in the console lock. Thanks to syzkaller, the kernel states firmly:

    > WARNING: possible circular locking dependency detected
    > 5.6.0-rc3-syzkaller #0 Not tainted
    > ------------------------------------------------------
    > syz-executor.4/20336 is trying to acquire lock:
    > ffff8880a2e952a0 (&tty->termios_rwsem){++++}, at: tty_unthrottle+0x22/0x100 drivers/tty/tty_ioctl.c:136
    >
    > but task is already holding lock:
    > ffffffff89462e70 (sel_lock){+.+.}, at: paste_selection+0x118/0x470 drivers/tty/vt/selection.c:374
    >
    > which lock already depends on the new lock.
    >
    > the existing dependency chain (in reverse order) is:
    >
    > -> #2 (sel_lock){+.+.}:
    >        mutex_lock_nested+0x1b/0x30 kernel/locking/mutex.c:1118
    >        set_selection_kernel+0x3b8/0x18a0 drivers/tty/vt/selection.c:217
    >        set_selection_user+0x63/0x80 drivers/tty/vt/selection.c:181
    >        tioclinux+0x103/0x530 drivers/tty/vt/vt.c:3050
    >        vt_ioctl+0x3f1/0x3a30 drivers/tty/vt/vt_ioctl.c:364

    This is ioctl(TIOCL_SETSEL).
    Locks held on the path: console_lock -> sel_lock

    > -> #1 (console_lock){+.+.}:
    >        console_lock+0x46/0x70 kernel/printk/printk.c:2289
    >        con_flush_chars+0x50/0x650 drivers/tty/vt/vt.c:3223
    >        n_tty_write+0xeae/0x1200 drivers/tty/n_tty.c:2350
    >        do_tty_write drivers/tty/tty_io.c:962 [inline]
    >        tty_write+0x5a1/0x950 drivers/tty/tty_io.c:1046

    This is write().
    Locks held on the path: termios_rwsem -> console_lock

    > -> #0 (&tty->termios_rwsem){++++}:
    >        down_write+0x57/0x140 kernel/locking/rwsem.c:1534
    >        tty_unthrottle+0x22/0x100 drivers/tty/tty_ioctl.c:136
    >        mkiss_receive_buf+0x12aa/0x1340 drivers/net/hamradio/mkiss.c:902
    >        tty_ldisc_receive_buf+0x12f/0x170 drivers/tty/tty_buffer.c:465
    >        paste_selection+0x346/0x470 drivers/tty/vt/selection.c:389
    >        tioclinux+0x121/0x530 drivers/tty/vt/vt.c:3055
    >        vt_ioctl+0x3f1/0x3a30 drivers/tty/vt/vt_ioctl.c:364

    This is ioctl(TIOCL_PASTESEL).
    Locks held on the path: sel_lock -> termios_rwsem

    > other info that might help us debug this:
    >
    > Chain exists of:
    >   &tty->termios_rwsem --> console_lock --> sel_lock

    Clearly. From the above, we have:
     console_lock -> sel_lock
     sel_lock -> termios_rwsem
     termios_rwsem -> console_lock

    Fix this by reversing the console_lock -> sel_lock dependency in ioctl(TIOCL_SETSEL). First, lock sel_lock, then console_lock.

    Signed-off-by: Jiri Slaby
    Reported-by: syzbot+26183d9746e62da329b8@syzkaller.appspotmail.com
    Fixes: 07e6124a1a46 ("vt: selection, close sel_buffer race")
    Cc: stable
    Link: https://lore.kernel.org/r/20200228115406.5735-2-jslaby@suse.cz
    Signed-off-by: Greg Kroah-Hartman

 drivers/tty/vt/selection.c | 16 +++++++---------
 1 file changed, 7 insertions(+), 9 deletions(-)
culprit signature: e3503d751d5cd85926d9bf17a677fa42b91cb5faf2fccf57f7caa54433e3affe
parent signature: 21206583b4bc4560154c6ac4bddd9aa120d18cf3691203d6bb9fccae0e4a1fbc
revisions tested: 15, total time: 3h18m48.716523569s (build: 1h34m57.408942398s, test: 1h42m28.383131183s)
first good commit: e8c75a30a23c6ba63f4ef6895cbf41fd42f21aa2 vt: selection, push sel_lock up
cc: ["gregkh@linuxfoundation.org" "jslaby@suse.com" "jslaby@suse.cz" "linux-kernel@vger.kernel.org" "okash.khawaja@gmail.com" "samuel.thibault@ens-lyon.org"]