bisecting fixing commit since 672481c2deffb371d8a7dfdc009e44c09864a869 building syzkaller on bc5869180f69e2ad6c6b823e129e08a8e523d800 testing commit 672481c2deffb371d8a7dfdc009e44c09864a869 with gcc (GCC) 8.1.0 kernel signature: 381eee393a32910a3b771840a062d3d7b5e2dc635448a3ec1327114354fe3729 all runs: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common testing current HEAD 5692097116094a4a7045abcc1dbc172dbdc5657e testing commit 5692097116094a4a7045abcc1dbc172dbdc5657e with gcc (GCC) 8.1.0 kernel signature: efd1c85ad79da05de01b2998cc13c7cfec4bb2e96cd2882387566308e5c72227 all runs: OK # git bisect start 5692097116094a4a7045abcc1dbc172dbdc5657e 672481c2deffb371d8a7dfdc009e44c09864a869 Bisecting: 1182 revisions left to test after this (roughly 10 steps) [2ca113011d9c28c0f7b55b0dd408eaab04d6d49c] iommu/vt-d: Duplicate iommu_resv_region objects per device list testing commit 2ca113011d9c28c0f7b55b0dd408eaab04d6d49c with gcc (GCC) 8.1.0 kernel signature: e4a9886ea9251071d37699d53690ba514b3638cdd305e7ce5266ae6702ef4caf run #0: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common run #1: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common run #2: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common run #3: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common run #4: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common run #5: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common run #6: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common run #7: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common run #8: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common run #9: crashed: INFO: task hung in paste_selection # git bisect good 2ca113011d9c28c0f7b55b0dd408eaab04d6d49c Bisecting: 591 revisions left to test after this (roughly 9 steps) [1ea8b55d8dbfc64f010377a652857c35c3d92d25] powerpc/44x: Adjust indentation in ibm4xx_denali_fixup_memsize testing commit 1ea8b55d8dbfc64f010377a652857c35c3d92d25 with gcc (GCC) 8.1.0 kernel signature: 24ab928e1e4e93163fc0186abafaba9a7fa0f5f497ef252f9e260433627be6ec run #0: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common run #1: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common run #2: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common run #3: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common run #4: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common run #5: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common run #6: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common run #7: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common run #8: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common run #9: crashed: INFO: task hung in paste_selection # git bisect good 1ea8b55d8dbfc64f010377a652857c35c3d92d25 Bisecting: 295 revisions left to test after this (roughly 8 steps) [43266deb775f6cb8b3b596f72743e3cc87f492f5] ARM: 8951/1: Fix Kexec compilation issue. testing commit 43266deb775f6cb8b3b596f72743e3cc87f492f5 with gcc (GCC) 8.1.0 kernel signature: 024f7cbcb8901b2bdb77fdd2f79339b9436f907fb0810db09c872f912abea821 run #0: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common run #1: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common run #2: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common run #3: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common run #4: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common run #5: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common run #6: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common run #7: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common run #8: crashed: INFO: task hung in paste_selection run #9: crashed: INFO: task hung in paste_selection # git bisect good 43266deb775f6cb8b3b596f72743e3cc87f492f5 Bisecting: 147 revisions left to test after this (roughly 7 steps) [0fb31bd53a5e27394916758173eb748c5e0dbd47] cfg80211: add missing policy for NL80211_ATTR_STATUS_CODE testing commit 0fb31bd53a5e27394916758173eb748c5e0dbd47 with gcc (GCC) 8.1.0 kernel signature: 189f056bfe175220ea1beb23dc72ba2b11dae38e362ab60fada179ee92de4ea9 all runs: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common # git bisect good 0fb31bd53a5e27394916758173eb748c5e0dbd47 Bisecting: 73 revisions left to test after this (roughly 6 steps) [dcfc1ec7bb6dccedcc5b017284ff0b21f895a35f] usb: gadget: serial: fix Tx stall after buffer overflow testing commit dcfc1ec7bb6dccedcc5b017284ff0b21f895a35f with gcc (GCC) 8.1.0 kernel signature: 7eef8a8029b36e3b5d195babb601eed2593a7619eb7a3c95c008d6d83b47ad25 all runs: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common # git bisect good dcfc1ec7bb6dccedcc5b017284ff0b21f895a35f Bisecting: 36 revisions left to test after this (roughly 5 steps) [efaef8463e1a9c20aa19c3de2b2d19f885e0315e] vt: selection, push console lock down testing commit efaef8463e1a9c20aa19c3de2b2d19f885e0315e with gcc (GCC) 8.1.0 kernel signature: eb3e943a96a263f869aa75e3f126b6c686dbc50713e80c68dfc03e35c2a1ab9c all runs: crashed: possible deadlock in n_tty_receive_buf_common # git bisect good efaef8463e1a9c20aa19c3de2b2d19f885e0315e Bisecting: 18 revisions left to test after this (roughly 4 steps) [61edc9cc7b15e657f5395a8c30fbdd0be2507bc7] ASoC: dapm: Correct DAPM handling of active widgets during shutdown testing commit 61edc9cc7b15e657f5395a8c30fbdd0be2507bc7 with gcc (GCC) 8.1.0 kernel signature: 3b05a5323d1ac3d8769c3c6f25b5c13756239feb3a806aac8c8acac06ab3e120 all runs: OK # git bisect bad 61edc9cc7b15e657f5395a8c30fbdd0be2507bc7 Bisecting: 8 revisions left to test after this (roughly 3 steps) [94712c05ec8ca472d1c28a7e33522ab67dda8bdc] ARM: dts: ls1021a: Restore MDIO compatible to gianfar testing commit 94712c05ec8ca472d1c28a7e33522ab67dda8bdc with gcc (GCC) 8.1.0 kernel signature: 07a4a8183de334a163cb218e1050ccc2c9caa15218cdb893d47c8f2b88974b06 all runs: OK # git bisect bad 94712c05ec8ca472d1c28a7e33522ab67dda8bdc Bisecting: 4 revisions left to test after this (roughly 2 steps) [b0c95d336123de55faf3528c97718a4e7607b54c] dmaengine: tegra-apb: Fix use-after-free testing commit b0c95d336123de55faf3528c97718a4e7607b54c with gcc (GCC) 8.1.0 kernel signature: 22b694a00a4c17cb5b24492d9771c557be47c4a817a7d3fa40d14faf486e8386 all runs: OK # git bisect bad b0c95d336123de55faf3528c97718a4e7607b54c Bisecting: 1 revision left to test after this (roughly 1 step) [7e46d9838ff8d445618428dc5852953629c44b4f] media: v4l2-mem2mem.c: fix broken links testing commit 7e46d9838ff8d445618428dc5852953629c44b4f with gcc (GCC) 8.1.0 kernel signature: bab246957824c05e76536ff6298e95363c4846331bbb907df9b398d8ec56d681 all runs: OK # git bisect bad 7e46d9838ff8d445618428dc5852953629c44b4f Bisecting: 0 revisions left to test after this (roughly 0 steps) [b4492f1e7456bd162714c0ec2815c2749d930844] vt: selection, push sel_lock up testing commit b4492f1e7456bd162714c0ec2815c2749d930844 with gcc (GCC) 8.1.0 kernel signature: da329c0328c02aa5056b0e500e2d670e1de9464a072f454162d539c56f003e63 all runs: OK # git bisect bad b4492f1e7456bd162714c0ec2815c2749d930844 b4492f1e7456bd162714c0ec2815c2749d930844 is the first bad commit commit b4492f1e7456bd162714c0ec2815c2749d930844 Author: Jiri Slaby Date: Fri Feb 28 12:54:06 2020 +0100 vt: selection, push sel_lock up commit e8c75a30a23c6ba63f4ef6895cbf41fd42f21aa2 upstream. sel_lock cannot nest in the console lock. Thanks to syzkaller, the kernel states firmly: > WARNING: possible circular locking dependency detected > 5.6.0-rc3-syzkaller #0 Not tainted > ------------------------------------------------------ > syz-executor.4/20336 is trying to acquire lock: > ffff8880a2e952a0 (&tty->termios_rwsem){++++}, at: tty_unthrottle+0x22/0x100 drivers/tty/tty_ioctl.c:136 > > but task is already holding lock: > ffffffff89462e70 (sel_lock){+.+.}, at: paste_selection+0x118/0x470 drivers/tty/vt/selection.c:374 > > which lock already depends on the new lock. > > the existing dependency chain (in reverse order) is: > > -> #2 (sel_lock){+.+.}: > mutex_lock_nested+0x1b/0x30 kernel/locking/mutex.c:1118 > set_selection_kernel+0x3b8/0x18a0 drivers/tty/vt/selection.c:217 > set_selection_user+0x63/0x80 drivers/tty/vt/selection.c:181 > tioclinux+0x103/0x530 drivers/tty/vt/vt.c:3050 > vt_ioctl+0x3f1/0x3a30 drivers/tty/vt/vt_ioctl.c:364 This is ioctl(TIOCL_SETSEL). Locks held on the path: console_lock -> sel_lock > -> #1 (console_lock){+.+.}: > console_lock+0x46/0x70 kernel/printk/printk.c:2289 > con_flush_chars+0x50/0x650 drivers/tty/vt/vt.c:3223 > n_tty_write+0xeae/0x1200 drivers/tty/n_tty.c:2350 > do_tty_write drivers/tty/tty_io.c:962 [inline] > tty_write+0x5a1/0x950 drivers/tty/tty_io.c:1046 This is write(). Locks held on the path: termios_rwsem -> console_lock > -> #0 (&tty->termios_rwsem){++++}: > down_write+0x57/0x140 kernel/locking/rwsem.c:1534 > tty_unthrottle+0x22/0x100 drivers/tty/tty_ioctl.c:136 > mkiss_receive_buf+0x12aa/0x1340 drivers/net/hamradio/mkiss.c:902 > tty_ldisc_receive_buf+0x12f/0x170 drivers/tty/tty_buffer.c:465 > paste_selection+0x346/0x470 drivers/tty/vt/selection.c:389 > tioclinux+0x121/0x530 drivers/tty/vt/vt.c:3055 > vt_ioctl+0x3f1/0x3a30 drivers/tty/vt/vt_ioctl.c:364 This is ioctl(TIOCL_PASTESEL). Locks held on the path: sel_lock -> termios_rwsem > other info that might help us debug this: > > Chain exists of: > &tty->termios_rwsem --> console_lock --> sel_lock Clearly. From the above, we have: console_lock -> sel_lock sel_lock -> termios_rwsem termios_rwsem -> console_lock Fix this by reversing the console_lock -> sel_lock dependency in ioctl(TIOCL_SETSEL). First, lock sel_lock, then console_lock. Signed-off-by: Jiri Slaby Reported-by: syzbot+26183d9746e62da329b8@syzkaller.appspotmail.com Fixes: 07e6124a1a46 ("vt: selection, close sel_buffer race") Cc: stable Link: https://lore.kernel.org/r/20200228115406.5735-2-jslaby@suse.cz Signed-off-by: Greg Kroah-Hartman drivers/tty/vt/selection.c | 16 +++++++--------- 1 file changed, 7 insertions(+), 9 deletions(-) culprit signature: da329c0328c02aa5056b0e500e2d670e1de9464a072f454162d539c56f003e63 parent signature: eb3e943a96a263f869aa75e3f126b6c686dbc50713e80c68dfc03e35c2a1ab9c revisions tested: 13, total time: 3h48m45.011949957s (build: 2h8m52.849938625s, test: 1h37m41.560161227s) first good commit: b4492f1e7456bd162714c0ec2815c2749d930844 vt: selection, push sel_lock up cc: ["gregkh@linuxfoundation.org" "jslaby@suse.com" "jslaby@suse.cz" "linux-kernel@vger.kernel.org"]