bisecting fixing commit since e1f7d50ae3a3ec342e87a9b1ce6787bfb8b3c08b building syzkaller on bc5869180f69e2ad6c6b823e129e08a8e523d800 testing commit e1f7d50ae3a3ec342e87a9b1ce6787bfb8b3c08b with gcc (GCC) 8.1.0 kernel signature: 6d1d34facecd36fa900073e9e1b94ad70583fe2cca8af5586f3b8435952047c3 all runs: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common testing current HEAD 12cd844a39ed16aa183a820a54fe6f9a0bb4cd14 testing commit 12cd844a39ed16aa183a820a54fe6f9a0bb4cd14 with gcc (GCC) 8.1.0 kernel signature: c1060960fc8c7405499a0f345a8dc6ca4153094bed686aadc8d3953dfd532c40 all runs: OK # git bisect start 12cd844a39ed16aa183a820a54fe6f9a0bb4cd14 e1f7d50ae3a3ec342e87a9b1ce6787bfb8b3c08b Bisecting: 789 revisions left to test after this (roughly 10 steps) [9360b13308b085c57430e8b28fa5ea1ecf6e6645] signal/cifs: Fix cifs_put_tcp_session to call send_sig instead of force_sig testing commit 9360b13308b085c57430e8b28fa5ea1ecf6e6645 with gcc (GCC) 8.1.0 kernel signature: d17f3b4ca881df4883e9161663ac37d9c5ec5fb0ad7f6976b88933cb9bcd09fb run #0: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common run #1: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common run #2: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common run #3: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common run #4: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common run #5: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common run #6: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common run #7: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common run #8: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common run #9: crashed: INFO: task hung in tty_ldisc_hangup # git bisect good 9360b13308b085c57430e8b28fa5ea1ecf6e6645 Bisecting: 394 revisions left to test after this (roughly 9 steps) [c7d57b1fd0f77ccd0def6893c02f3babe96e37ef] ASoC: pcm: update FE/BE trigger order based on the command testing commit c7d57b1fd0f77ccd0def6893c02f3babe96e37ef with gcc (GCC) 8.1.0 kernel signature: 84ac6edd14fe61d3dfc4974e98b2fcb8f9dd452188ed44f15ef9285656e78653 run #0: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common run #1: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common run #2: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common run #3: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common run #4: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common run #5: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common run #6: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common run #7: crashed: INFO: task hung in tty_ldisc_hangup run #8: crashed: INFO: task hung in tty_ldisc_hangup run #9: crashed: INFO: task hung in tty_ldisc_hangup # git bisect good c7d57b1fd0f77ccd0def6893c02f3babe96e37ef Bisecting: 197 revisions left to test after this (roughly 8 steps) [2329f0eded07c62dbe40d8b523001525e91b99b4] help_next should increase position index testing commit 2329f0eded07c62dbe40d8b523001525e91b99b4 with gcc (GCC) 8.1.0 kernel signature: d1e29740b2e709c56222308a8309c407abeecaa7cc118ccc058fafb178162b0a run #0: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common run #1: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common run #2: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common run #3: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common run #4: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common run #5: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common run #6: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common run #7: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common run #8: crashed: INFO: task hung in tty_ldisc_hangup run #9: crashed: INFO: task hung in tty_ldisc_hangup # git bisect good 2329f0eded07c62dbe40d8b523001525e91b99b4 Bisecting: 98 revisions left to test after this (roughly 7 steps) [a1229fc80189667f6f5e6bf4a8c271ed3b973958] nfc: pn544: Fix occasional HW initialization failure testing commit a1229fc80189667f6f5e6bf4a8c271ed3b973958 with gcc (GCC) 8.1.0 kernel signature: 4d748823e74ea699f16fc2d315d8042fcf3b43c8c32415c2de3c648959cdd181 all runs: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common # git bisect good a1229fc80189667f6f5e6bf4a8c271ed3b973958 Bisecting: 49 revisions left to test after this (roughly 6 steps) [e476b55da6d22cb29ac50f5b585a16d37854c312] usb: gadget: ffs: ffs_aio_cancel(): Save/restore IRQ flags testing commit e476b55da6d22cb29ac50f5b585a16d37854c312 with gcc (GCC) 8.1.0 kernel signature: 2396585b34fe1c742c932ce83b7446e8fa008d578127f2eccd4e04281c6a2bef all runs: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common # git bisect good e476b55da6d22cb29ac50f5b585a16d37854c312 Bisecting: 24 revisions left to test after this (roughly 5 steps) [7336a80aebc633d75c09d8dad09cd467807c787a] serial: 8250_exar: add support for ACCES cards testing commit 7336a80aebc633d75c09d8dad09cd467807c787a with gcc (GCC) 8.1.0 kernel signature: 0768768533f7a9c693847277f67d99af9b6df6cfd068ae9374fd436616a1e1e4 all runs: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common # git bisect good 7336a80aebc633d75c09d8dad09cd467807c787a Bisecting: 12 revisions left to test after this (roughly 4 steps) [6dfcfe0c07fa24f6d601feb3499746c8a4f6102b] ASoC: pcm: Fix possible buffer overflow in dpcm state sysfs output testing commit 6dfcfe0c07fa24f6d601feb3499746c8a4f6102b with gcc (GCC) 8.1.0 kernel signature: 48f6f24ab086f01b84f9302651811a6ef0305f701340cfcdb7effe0c674feed1 all runs: OK # git bisect bad 6dfcfe0c07fa24f6d601feb3499746c8a4f6102b Bisecting: 5 revisions left to test after this (roughly 3 steps) [3e4c735e6ba9a5add132c8bcad8700029fbdb609] dmaengine: tegra-apb: Prevent race conditions of tasklet vs free list testing commit 3e4c735e6ba9a5add132c8bcad8700029fbdb609 with gcc (GCC) 8.1.0 kernel signature: 5be9f27f5ffda08b229776350597630bad99e15e4eddca93d4c477ad71b5a5fb all runs: OK # git bisect bad 3e4c735e6ba9a5add132c8bcad8700029fbdb609 Bisecting: 2 revisions left to test after this (roughly 2 steps) [a4719f6d07b2c63223f7452c435c5f578f105cfe] vt: selection, push sel_lock up testing commit a4719f6d07b2c63223f7452c435c5f578f105cfe with gcc (GCC) 8.1.0 kernel signature: 783b090434dfc329d4ce8ea81fad0313aac6e206f961bb1cfae5622ae60d5f0e all runs: OK # git bisect bad a4719f6d07b2c63223f7452c435c5f578f105cfe Bisecting: 0 revisions left to test after this (roughly 1 step) [64489a229bbf902244d8407b02015f30e2cd4651] vt: selection, push console lock down testing commit 64489a229bbf902244d8407b02015f30e2cd4651 with gcc (GCC) 8.1.0 kernel signature: d131b461ac763579fcd4a6b577ef88e18eeb93171a3f1d0972d0bf9d37f44852 all runs: crashed: possible deadlock in n_tty_receive_buf_common # git bisect good 64489a229bbf902244d8407b02015f30e2cd4651 a4719f6d07b2c63223f7452c435c5f578f105cfe is the first bad commit commit a4719f6d07b2c63223f7452c435c5f578f105cfe Author: Jiri Slaby Date: Fri Feb 28 12:54:06 2020 +0100 vt: selection, push sel_lock up commit e8c75a30a23c6ba63f4ef6895cbf41fd42f21aa2 upstream. sel_lock cannot nest in the console lock. Thanks to syzkaller, the kernel states firmly: > WARNING: possible circular locking dependency detected > 5.6.0-rc3-syzkaller #0 Not tainted > ------------------------------------------------------ > syz-executor.4/20336 is trying to acquire lock: > ffff8880a2e952a0 (&tty->termios_rwsem){++++}, at: tty_unthrottle+0x22/0x100 drivers/tty/tty_ioctl.c:136 > > but task is already holding lock: > ffffffff89462e70 (sel_lock){+.+.}, at: paste_selection+0x118/0x470 drivers/tty/vt/selection.c:374 > > which lock already depends on the new lock. > > the existing dependency chain (in reverse order) is: > > -> #2 (sel_lock){+.+.}: > mutex_lock_nested+0x1b/0x30 kernel/locking/mutex.c:1118 > set_selection_kernel+0x3b8/0x18a0 drivers/tty/vt/selection.c:217 > set_selection_user+0x63/0x80 drivers/tty/vt/selection.c:181 > tioclinux+0x103/0x530 drivers/tty/vt/vt.c:3050 > vt_ioctl+0x3f1/0x3a30 drivers/tty/vt/vt_ioctl.c:364 This is ioctl(TIOCL_SETSEL). Locks held on the path: console_lock -> sel_lock > -> #1 (console_lock){+.+.}: > console_lock+0x46/0x70 kernel/printk/printk.c:2289 > con_flush_chars+0x50/0x650 drivers/tty/vt/vt.c:3223 > n_tty_write+0xeae/0x1200 drivers/tty/n_tty.c:2350 > do_tty_write drivers/tty/tty_io.c:962 [inline] > tty_write+0x5a1/0x950 drivers/tty/tty_io.c:1046 This is write(). Locks held on the path: termios_rwsem -> console_lock > -> #0 (&tty->termios_rwsem){++++}: > down_write+0x57/0x140 kernel/locking/rwsem.c:1534 > tty_unthrottle+0x22/0x100 drivers/tty/tty_ioctl.c:136 > mkiss_receive_buf+0x12aa/0x1340 drivers/net/hamradio/mkiss.c:902 > tty_ldisc_receive_buf+0x12f/0x170 drivers/tty/tty_buffer.c:465 > paste_selection+0x346/0x470 drivers/tty/vt/selection.c:389 > tioclinux+0x121/0x530 drivers/tty/vt/vt.c:3055 > vt_ioctl+0x3f1/0x3a30 drivers/tty/vt/vt_ioctl.c:364 This is ioctl(TIOCL_PASTESEL). Locks held on the path: sel_lock -> termios_rwsem > other info that might help us debug this: > > Chain exists of: > &tty->termios_rwsem --> console_lock --> sel_lock Clearly. From the above, we have: console_lock -> sel_lock sel_lock -> termios_rwsem termios_rwsem -> console_lock Fix this by reversing the console_lock -> sel_lock dependency in ioctl(TIOCL_SETSEL). First, lock sel_lock, then console_lock. Signed-off-by: Jiri Slaby Reported-by: syzbot+26183d9746e62da329b8@syzkaller.appspotmail.com Fixes: 07e6124a1a46 ("vt: selection, close sel_buffer race") Cc: stable Link: https://lore.kernel.org/r/20200228115406.5735-2-jslaby@suse.cz Signed-off-by: Greg Kroah-Hartman drivers/tty/vt/selection.c | 16 +++++++--------- 1 file changed, 7 insertions(+), 9 deletions(-) culprit signature: 783b090434dfc329d4ce8ea81fad0313aac6e206f961bb1cfae5622ae60d5f0e parent signature: d131b461ac763579fcd4a6b577ef88e18eeb93171a3f1d0972d0bf9d37f44852 revisions tested: 12, total time: 3h12m27.033639217s (build: 1h46m11.394663861s, test: 1h24m42.217475507s) first good commit: a4719f6d07b2c63223f7452c435c5f578f105cfe vt: selection, push sel_lock up cc: ["gregkh@linuxfoundation.org" "jslaby@suse.com" "jslaby@suse.cz" "linux-kernel@vger.kernel.org"]