bisecting fixing commit since fbc5fe7a54d02e11972e3b2a5ddb6ffc88162c8f
building syzkaller on b20883285d2350f5694399287b7f03478a3036c6
testing commit fbc5fe7a54d02e11972e3b2a5ddb6ffc88162c8f with gcc (GCC) 8.1.0
kernel signature: 5230c5af6865b300c8428e7521801cc290f5f629dab074bf848dbbcd3583c6e0
run #0: crashed: KASAN: use-after-free Write in release_tty
run #1: crashed: KASAN: use-after-free Read in tty_buffer_cancel_work
run #2: crashed: KASAN: use-after-free Write in release_tty
run #3: crashed: KASAN: use-after-free Write in release_tty
run #4: crashed: KASAN: use-after-free Write in release_tty
run #5: crashed: KASAN: use-after-free Write in release_tty
run #6: crashed: KASAN: use-after-free Write in release_tty
run #7: crashed: KASAN: use-after-free Write in release_tty
run #8: crashed: KASAN: use-after-free Write in release_tty
run #9: crashed: KASAN: use-after-free Write in release_tty
testing current HEAD 4520f06b03ae667e442da1ab9351fd28cd7ac598
testing commit 4520f06b03ae667e442da1ab9351fd28cd7ac598 with gcc (GCC) 8.1.0
kernel signature: 1dbfc95abe32e65e5a1f3475419e807d49e42042b0ac96d22e7c320ccdc90e2e
all runs: OK
# git bisect start 4520f06b03ae667e442da1ab9351fd28cd7ac598 fbc5fe7a54d02e11972e3b2a5ddb6ffc88162c8f
Bisecting: 1175 revisions left to test after this (roughly 10 steps)
[5cd9f229dd3e4980580406f5a47230ec5ee836d7] iwlwifi: mvm: fix RSS config command
testing commit 5cd9f229dd3e4980580406f5a47230ec5ee836d7 with gcc (GCC) 8.1.0
kernel signature: 6de6573e1bc042e1dd3e81ff65614bbed18452ef393a16ea54fcce253aa494a3
all runs: crashed: KASAN: use-after-free Write in release_tty
# git bisect good 5cd9f229dd3e4980580406f5a47230ec5ee836d7
Bisecting: 587 revisions left to test after this (roughly 9 steps)
[cd24510b31c1fb04afcd84847664a76b9033d3c3] arm64: ssbs: Fix context-switch when SSBS is present on all CPUs
testing commit cd24510b31c1fb04afcd84847664a76b9033d3c3 with gcc (GCC) 8.1.0
kernel signature: 7a773d988cbafbe67ee0ef425430c790669b04d75a15202d76738664423c88ad
all runs: crashed: KASAN: use-after-free Write in release_tty
# git bisect good cd24510b31c1fb04afcd84847664a76b9033d3c3
Bisecting: 293 revisions left to test after this (roughly 8 steps)
[ea29d94b09cb7629a7ddd5e1484c00a56ed20a86] net: ks8851-ml: Remove 8-bit bus accessors
testing commit ea29d94b09cb7629a7ddd5e1484c00a56ed20a86 with gcc (GCC) 8.1.0
kernel signature: 6d5b5a0cfeec2f0eccd88d451e2aa2055ef22a59f76d8decc7f23ae9129513dd
all runs: crashed: KASAN: use-after-free Write in release_tty
# git bisect good ea29d94b09cb7629a7ddd5e1484c00a56ed20a86
Bisecting: 146 revisions left to test after this (roughly 7 steps)
[9e92bbac2d92c72fff268e0fe447adc3bcc9e28e] powerpc: Include .BTF section
testing commit 9e92bbac2d92c72fff268e0fe447adc3bcc9e28e with gcc (GCC) 8.1.0
kernel signature: fe6802898688faf57504b645db0e13f777d88baddb2cba90b039e425ce885587
all runs: crashed: KASAN: use-after-free Write in release_tty
# git bisect good 9e92bbac2d92c72fff268e0fe447adc3bcc9e28e
Bisecting: 73 revisions left to test after this (roughly 6 steps)
[2c1f4d27781351a85333c267c9a06f41ba526921] cpupower: avoid multiple definition with gcc -fno-common
testing commit 2c1f4d27781351a85333c267c9a06f41ba526921 with gcc (GCC) 8.1.0
kernel signature: 1bd2ef36cdf8623f62f2efe7e0d215f94a6896331be8fc7d04350bc623111d7d
all runs: crashed: KASAN: use-after-free Write in release_tty
# git bisect good 2c1f4d27781351a85333c267c9a06f41ba526921
Bisecting: 36 revisions left to test after this (roughly 5 steps)
[c97a86b9ea96f3c72c1b5288f8b25f21bf7fad20] Input: raydium_i2c_ts - fix error codes in raydium_i2c_boot_trigger()
testing commit c97a86b9ea96f3c72c1b5288f8b25f21bf7fad20 with gcc (GCC) 8.1.0
kernel signature: 83d5e2c8adb16b72c9dab3eddc5e0d38a6a385703392b3696ef08e7d46df6b6b
run #0: crashed: KASAN: use-after-free Write in release_tty
run #1: crashed: KASAN: use-after-free Write in release_tty
run #2: crashed: KASAN: use-after-free Write in release_tty
run #3: crashed: KASAN: use-after-free Write in release_tty
run #4: crashed: KASAN: use-after-free Write in release_tty
run #5: crashed: KASAN: use-after-free Write in release_tty
run #6: crashed: KASAN: use-after-free Write in release_tty
run #7: crashed: KASAN: use-after-free Read in tty_buffer_cancel_work
run #8: crashed: KASAN: use-after-free Write in release_tty
run #9: crashed: KASAN: use-after-free Write in release_tty
# git bisect good c97a86b9ea96f3c72c1b5288f8b25f21bf7fad20
Bisecting: 18 revisions left to test after this (roughly 4 steps)
[07dc42ff9b9c38eae221b36acda7134ab8670af8] mac80211: Check port authorization in the ieee80211_tx_dequeue() case
testing commit 07dc42ff9b9c38eae221b36acda7134ab8670af8 with gcc (GCC) 8.1.0
kernel signature: 32607fb3beb2ad60290901c9ff5ce6ebae60ce45619f34004cae2e865eb6bbb1
run #0: crashed: KASAN: use-after-free Write in release_tty
run #1: crashed: KASAN: use-after-free Write in release_tty
run #2: crashed: KASAN: use-after-free Write in release_tty
run #3: crashed: KASAN: use-after-free Write in release_tty
run #4: crashed: KASAN: use-after-free Read in get_work_pool
run #5: crashed: KASAN: use-after-free Write in release_tty
run #6: crashed: KASAN: use-after-free Read in get_work_pool
run #7: crashed: KASAN: use-after-free Write in release_tty
run #8: crashed: KASAN: use-after-free Write in release_tty
run #9: crashed: KASAN: use-after-free Write in release_tty
# git bisect good 07dc42ff9b9c38eae221b36acda7134ab8670af8
Bisecting: 9 revisions left to test after this (roughly 3 steps)
[ba1ebf3aef04922bfbe549bb5254765379d62f77] bpf: Explicitly memset the bpf_attr structure
testing commit ba1ebf3aef04922bfbe549bb5254765379d62f77 with gcc (GCC) 8.1.0
kernel signature: c81d56353b5c50a89b2f0b81c08eacc8dfd74a96e6d96ee06cd95a3aac8db272
all runs: OK
# git bisect bad ba1ebf3aef04922bfbe549bb5254765379d62f77
Bisecting: 4 revisions left to test after this (roughly 2 steps)
[56a5db17b2985e01e0fa425b119bb7586c0ece28] vt: switch vt_dont_switch to bool
testing commit 56a5db17b2985e01e0fa425b119bb7586c0ece28 with gcc (GCC) 8.1.0
kernel signature: ecd8e3247f550ac50277490249e9ad02a4da24ee25f66df910b26917a8af0b2a
all runs: crashed: KASAN: use-after-free Write in release_tty
# git bisect good 56a5db17b2985e01e0fa425b119bb7586c0ece28
Bisecting: 2 revisions left to test after this (roughly 1 step)
[b9eb60a0ef3971101c94f9cddb09708c2f900b35] vt: vt_ioctl: fix VT_DISALLOCATE freeing in-use virtual console
testing commit b9eb60a0ef3971101c94f9cddb09708c2f900b35 with gcc (GCC) 8.1.0
kernel signature: 4144721891fbc5a1d66b6af1623b60c473ab4128aede2aa2301a86aa75b31d3b
all runs: OK
# git bisect bad b9eb60a0ef3971101c94f9cddb09708c2f900b35
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[ac7136b9f15740d5f17a017a5febdf875239a3ea] vt: vt_ioctl: remove unnecessary console allocation checks
testing commit ac7136b9f15740d5f17a017a5febdf875239a3ea with gcc (GCC) 8.1.0
kernel signature: a425316c9cafd47465045f1714890b04fdd690c8543e25190523c8a5714a180f
all runs: crashed: KASAN: use-after-free Write in release_tty
# git bisect good ac7136b9f15740d5f17a017a5febdf875239a3ea
b9eb60a0ef3971101c94f9cddb09708c2f900b35 is the first bad commit
commit b9eb60a0ef3971101c94f9cddb09708c2f900b35
Author: Eric Biggers
Date:   Sat Mar 21 20:43:04 2020 -0700

    vt: vt_ioctl: fix VT_DISALLOCATE freeing in-use virtual console

    commit ca4463bf8438b403596edd0ec961ca0d4fbe0220 upstream.

    The VT_DISALLOCATE ioctl can free a virtual console while tty_release()
    is still running, causing a use-after-free in con_shutdown().  This
    occurs because VT_DISALLOCATE considers a virtual console's
    'struct vc_data' to be unused as soon as the corresponding tty's
    refcount hits 0.  But actually it may be still being closed.

    Fix this by making vc_data be reference-counted via the embedded
    'struct tty_port'.  A newly allocated virtual console has refcount 1.
    Opening it for the first time increments the refcount to 2.  Closing it
    for the last time decrements the refcount (in tty_operations::cleanup()
    so that it happens late enough), as does VT_DISALLOCATE.

    Reproducer:
        #include
        #include
        #include
        #include

        int main()
        {
            if (fork()) {
                for (;;)
                    close(open("/dev/tty5", O_RDWR));
            } else {
                int fd = open("/dev/tty10", O_RDWR);

                for (;;)
                    ioctl(fd, VT_DISALLOCATE, 5);
            }
        }

    KASAN report:
        BUG: KASAN: use-after-free in con_shutdown+0x76/0x80 drivers/tty/vt/vt.c:3278
        Write of size 8 at addr ffff88806a4ec108 by task syz_vt/129

        CPU: 0 PID: 129 Comm: syz_vt Not tainted 5.6.0-rc2 #11
        Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20191223_100556-anatol 04/01/2014
        Call Trace:
         [...]
         con_shutdown+0x76/0x80 drivers/tty/vt/vt.c:3278
         release_tty+0xa8/0x410 drivers/tty/tty_io.c:1514
         tty_release_struct+0x34/0x50 drivers/tty/tty_io.c:1629
         tty_release+0x984/0xed0 drivers/tty/tty_io.c:1789
         [...]

        Allocated by task 129:
         [...]
         kzalloc include/linux/slab.h:669 [inline]
         vc_allocate drivers/tty/vt/vt.c:1085 [inline]
         vc_allocate+0x1ac/0x680 drivers/tty/vt/vt.c:1066
         con_install+0x4d/0x3f0 drivers/tty/vt/vt.c:3229
         tty_driver_install_tty drivers/tty/tty_io.c:1228 [inline]
         tty_init_dev+0x94/0x350 drivers/tty/tty_io.c:1341
         tty_open_by_driver drivers/tty/tty_io.c:1987 [inline]
         tty_open+0x3ca/0xb30 drivers/tty/tty_io.c:2035
         [...]

        Freed by task 130:
         [...]
         kfree+0xbf/0x1e0 mm/slab.c:3757
         vt_disallocate drivers/tty/vt/vt_ioctl.c:300 [inline]
         vt_ioctl+0x16dc/0x1e30 drivers/tty/vt/vt_ioctl.c:818
         tty_ioctl+0x9db/0x11b0 drivers/tty/tty_io.c:2660
         [...]

    Fixes: 4001d7b7fc27 ("vt: push down the tty lock so we can see what is left to tackle")
    Cc: # v3.4+
    Reported-by: syzbot+522643ab5729b0421998@syzkaller.appspotmail.com
    Acked-by: Jiri Slaby
    Signed-off-by: Eric Biggers
    Link: https://lore.kernel.org/r/20200322034305.210082-2-ebiggers@kernel.org
    Signed-off-by: Greg Kroah-Hartman

 drivers/tty/vt/vt.c       | 23 ++++++++++++++++++++++-
 drivers/tty/vt/vt_ioctl.c | 12 ++++--------
 2 files changed, 26 insertions(+), 9 deletions(-)

culprit signature: 4144721891fbc5a1d66b6af1623b60c473ab4128aede2aa2301a86aa75b31d3b
parent signature: a425316c9cafd47465045f1714890b04fdd690c8543e25190523c8a5714a180f
revisions tested: 13, total time: 2h53m36.627505987s (build: 1h50m7.977027251s, test: 1h2m17.331854993s)
first good commit: b9eb60a0ef3971101c94f9cddb09708c2f900b35 vt: vt_ioctl: fix VT_DISALLOCATE freeing in-use virtual console
cc: ["ebiggers@google.com" "gregkh@linuxfoundation.org" "jslaby@suse.cz"]