bisecting cause commit starting from 07c4b9e9f71aa4bc74009f710fc5a745e10981bf building syzkaller on eef6e5808d6507716d331b9eff67fdd991be891a testing commit 07c4b9e9f71aa4bc74009f710fc5a745e10981bf with gcc (GCC) 8.1.0 kernel signature: 9ba96277d7e67e481b5f979952e7c168c4b48030 all runs: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common testing release v5.4 testing commit 219d54332a09e8d8741c1e1982f5eae56099de85 with gcc (GCC) 8.1.0 kernel signature: 7d7a17c687eaf7030f2f9d2ecb0c8f6e6c2c1474 all runs: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common testing release v5.3 testing commit 4d856f72c10ecb060868ed10ff1b1453943fc6c8 with gcc (GCC) 8.1.0 kernel signature: 3d2e88aa71c66e49e04bf32bfe0dfdd779ad9212 run #0: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common run #1: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common run #2: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common run #3: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common run #4: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common run #5: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common run #6: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common run #7: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common run #8: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common run #9: crashed: INFO: task hung in paste_selection testing release v5.2 testing commit 0ecfebd2b52404ae0c54a878c872bb93363ada36 with gcc (GCC) 8.1.0 kernel signature: 500f619685300e0ce2f8a0dc885a973105d9ff5e all runs: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common testing release v5.1 testing commit e93c9c99a629c61837d5a7fc2120cd2b6c70dbdd with gcc (GCC) 8.1.0 kernel signature: c01053f6366859c3ac1a2e6510da27b0d7d5d091 all runs: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common testing release v5.0 testing commit 1c163f4c7b3f621efff9b28a47abb36f7378d783 with gcc (GCC) 8.1.0 kernel signature: 452ddd91d0a66c1aba3cf454597aaf6edc522586 all runs: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common testing release v4.20 testing commit 8fe28cb58bcb235034b64cbbb7550a8a43fd88be with gcc (GCC) 8.1.0 kernel signature: 1cfad1ef3409845e450be36367b291bdf603490c all runs: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common testing release v4.19 testing commit 84df9525b0c27f3ebc2ebb1864fa62a97fdedb7d with gcc (GCC) 8.1.0 kernel signature: 0a7327c58b1aef93976cf49ebced55f9a3fb74ed all runs: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common testing release v4.18 testing commit 94710cac0ef4ee177a63b5227664b38c95bbf703 with gcc (GCC) 8.1.0 kernel signature: a21c21e1a81503ebf663ab813ed40a90c899a2ef all runs: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common testing release v4.17 testing commit 29dcea88779c856c7dc92040a0c01233263101d4 with gcc (GCC) 8.1.0 kernel signature: 3627d135cec0079273dd0c8a0523772c1348e21d run #0: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common run #1: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common run #2: crashed: INFO: task hung in tty_ldisc_hangup run #3: crashed: INFO: task hung in flush_to_ldisc run #4: crashed: INFO: task hung in tty_ldisc_hangup run #5: crashed: INFO: task hung in tty_ldisc_hangup run #6: crashed: INFO: task hung in tty_ldisc_hangup run #7: crashed: INFO: task hung in tty_ldisc_hangup run #8: crashed: INFO: task hung in tty_ldisc_hangup run #9: crashed: INFO: task hung in flush_to_ldisc testing release v4.16 testing commit 0adb32858b0bddf4ada5f364a84ed60b196dbcda with gcc (GCC) 8.1.0 kernel signature: ad668f3a4b531f6ec291acd484c5e7aebf0c87f6 run #0: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common run #1: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common run #2: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common run #3: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common run #4: crashed: INFO: task hung in tty_ldisc_hangup run #5: crashed: INFO: task hung in paste_selection run #6: crashed: INFO: task hung in tty_ldisc_hangup run #7: crashed: INFO: task hung in paste_selection run #8: crashed: INFO: task hung in tty_ldisc_hangup run #9: crashed: INFO: task hung in paste_selection testing release v4.15 testing commit d8a5b80568a9cb66810e75b182018e9edb68e8ff with gcc (GCC) 8.1.0 kernel signature: 9373ee979078977e2280f8ee54837fc1a4fb9c30 run #0: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common run #1: crashed: INFO: task hung in tty_ldisc_hangup run #2: crashed: INFO: task hung in tty_ldisc_hangup run #3: crashed: INFO: task hung in flush_to_ldisc run #4: crashed: INFO: task hung in tty_ldisc_hangup run #5: crashed: INFO: task hung in tty_ldisc_hangup run #6: crashed: INFO: task hung in paste_selection run #7: crashed: INFO: task hung in tty_ldisc_hangup run #8: crashed: INFO: task hung in tty_ldisc_hangup run #9: crashed: INFO: task hung in tty_ldisc_hangup testing release v4.14 testing commit bebc6082da0a9f5d47a1ea2edc099bf671058bd4 with gcc (GCC) 8.1.0 kernel signature: 0a33d4b6d81f305076377648b5e1d72bf37ad32b run #0: crashed: INFO: task hung in tty_ldisc_hangup run #1: crashed: INFO: task hung in tty_ldisc_hangup run #2: crashed: INFO: task hung in tty_ldisc_hangup run #3: crashed: INFO: task hung in paste_selection run #4: crashed: INFO: task hung in tty_ldisc_hangup run #5: crashed: INFO: task hung in tty_ldisc_hangup run #6: crashed: INFO: task hung in paste_selection run #7: crashed: INFO: task hung in flush_to_ldisc run #8: crashed: INFO: task hung in tty_ldisc_hangup run #9: crashed: INFO: task hung in tty_ldisc_hangup testing release v4.13 testing commit 569dbb88e80deb68974ef6fdd6a13edb9d686261 with gcc (GCC) 8.1.0 kernel signature: 54f71cc15425195fd4490e521e853dd75d9883d1 run #0: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common run #1: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common run #2: crashed: INFO: task hung in tty_ldisc_hangup run #3: crashed: INFO: task hung in tty_ldisc_hangup run #4: crashed: INFO: task hung in tty_ldisc_hangup run #5: crashed: INFO: task hung in tty_ldisc_hangup run #6: crashed: INFO: task hung in tty_ldisc_hangup run #7: crashed: INFO: task hung in paste_selection run #8: crashed: INFO: task hung in tty_ldisc_hangup run #9: crashed: INFO: task hung in paste_selection testing release v4.12 testing commit 6f7da290413ba713f0cdd9ff1a2a9bb129ef4f6c with gcc (GCC) 8.1.0 kernel signature: 33d002d8574ef336571d150b52b30cf043ddab85 run #0: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common run #1: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common run #2: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common run #3: crashed: INFO: task hung in tty_ldisc_hangup run #4: crashed: INFO: task hung in paste_selection run #5: crashed: INFO: task hung in paste_selection run #6: crashed: INFO: task hung in tty_ldisc_hangup run #7: crashed: INFO: task hung in paste_selection run #8: crashed: INFO: task hung in paste_selection run #9: crashed: INFO: task hung in tty_ldisc_hangup testing release v4.11 testing commit a351e9b9fc24e982ec2f0e76379a49826036da12 with gcc (GCC) 7.3.0 kernel signature: c1741aaec610b8219ef61d0de4030ceeb71e944b run #0: crashed: INFO: task hung in paste_selection run #1: crashed: INFO: task hung in tty_ldisc_hangup run #2: crashed: INFO: task hung in tty_ldisc_hangup run #3: crashed: INFO: task hung in tty_ldisc_hangup run #4: crashed: INFO: task hung in tty_ldisc_hangup run #5: crashed: INFO: task hung in tty_ldisc_hangup run #6: crashed: INFO: task hung in tty_ldisc_hangup run #7: crashed: INFO: task hung in tty_ldisc_hangup run #8: crashed: INFO: task hung in tty_ldisc_hangup run #9: crashed: INFO: task hung in tty_ldisc_hangup testing release v4.10 testing commit c470abd4fde40ea6a0846a2beab642a578c0b8cd with gcc (GCC) 5.5.0 kernel signature: 3fd70c6ce44fe2cd5dbacd3700b972fb28abb0ed run #0: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common run #1: crashed: INFO: task hung in tty_ldisc_hangup run #2: crashed: INFO: task hung in tty_ldisc_hangup run #3: crashed: INFO: task hung in tty_ldisc_hangup run #4: crashed: INFO: task hung in tty_ldisc_hangup run #5: crashed: INFO: task hung in tty_ldisc_hangup run #6: crashed: INFO: task hung in tty_ldisc_hangup run #7: crashed: INFO: task hung in tty_ldisc_hangup run #8: crashed: INFO: task hung in tty_ldisc_hangup run #9: crashed: INFO: task hung in tty_ldisc_hangup testing release v4.9 testing commit 69973b830859bc6529a7a0468ba0d80ee5117826 with gcc (GCC) 5.5.0 kernel signature: 9931a72b1d9ac60a865c5cbd985a3af98c57c8e4 run #0: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common run #1: crashed: INFO: task hung in flush_to_ldisc run #2: crashed: INFO: task hung in tty_ldisc_hangup run #3: crashed: INFO: task hung in tty_ldisc_hangup run #4: crashed: INFO: task hung in tty_ldisc_hangup run #5: crashed: INFO: task hung in tty_ldisc_hangup run #6: crashed: INFO: task hung in tty_ldisc_hangup run #7: crashed: INFO: task hung in tty_ldisc_hangup run #8: crashed: INFO: task hung in tty_ldisc_hangup run #9: crashed: INFO: task hung in tty_ldisc_hangup testing release v4.8 testing commit c8d2bc9bc39ebea8437fd974fdbc21847bb897a3 with gcc (GCC) 5.5.0 kernel signature: feb57d4ec513b494bde781bedbae92d15785e21a run #0: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common run #1: crashed: INFO: task hung in tty_ldisc_hangup run #2: crashed: INFO: task hung in paste_selection run #3: crashed: INFO: task hung in paste_selection run #4: crashed: INFO: task hung in paste_selection run #5: crashed: INFO: task hung in tty_ldisc_hangup run #6: crashed: INFO: task hung in tty_ldisc_hangup run #7: crashed: INFO: task hung in paste_selection run #8: crashed: INFO: task hung in paste_selection run #9: crashed: INFO: task hung in paste_selection testing release v4.7 testing commit 523d939ef98fd712632d93a5a2b588e477a7565e with gcc (GCC) 5.5.0 kernel signature: 201ebb5cb4cbd72917a5e424e54b74bb76256cad run #0: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common run #1: crashed: INFO: task hung in tty_ldisc_hangup run #2: crashed: INFO: task hung in tty_ldisc_hangup run #3: crashed: INFO: task hung in tty_ldisc_hangup run #4: crashed: INFO: task hung in paste_selection run #5: crashed: INFO: task hung in paste_selection run #6: crashed: INFO: task hung in tty_ldisc_hangup run #7: crashed: INFO: task hung in tty_ldisc_hangup run #8: crashed: INFO: task hung in tty_ldisc_hangup run #9: crashed: INFO: task hung in tty_ldisc_hangup testing release v4.6 testing commit 2dcd0af568b0cf583645c8a317dd12e344b1c72a with gcc (GCC) 5.5.0 kernel signature: b60c18ce3c549419b5c2008c7ed72e75c59a49d2 run #0: crashed: INFO: task hung in tty_ldisc_hangup run #1: crashed: INFO: task hung in flush_to_ldisc run #2: crashed: INFO: task hung in tty_ldisc_hangup run #3: crashed: INFO: task hung in tty_ldisc_hangup run #4: crashed: INFO: task hung in tty_ldisc_hangup run #5: crashed: INFO: task hung in paste_selection run #6: crashed: INFO: task hung in paste_selection run #7: crashed: INFO: task hung in tty_ldisc_hangup run #8: crashed: INFO: task hung in tty_ldisc_hangup run #9: crashed: INFO: task hung in tty_ldisc_hangup revisions tested: 21, total time: 3h49m51.671492788s (build: 1h47m40.050330521s, test: 1h59m26.633923618s) the crash already happened on the oldest tested release commit msg: Linux 4.6 crash: INFO: task hung in tty_ldisc_hangup IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready INFO: task login:6903 blocked for more than 140 seconds. Not tainted 4.6.0-syzkaller #0 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. login D ffff8800b45ef968 25776 6903 1 0x00000002 ffff8800b45ef968 ffffed0000000001 ffff88012c120d90 ffff88012c120d68 ffff88012c120418 ffff8801298ca048 ffff880100000000 ffff8800b104c7c0 ffff8801298ca040 ffff8800b45e8000 ffffed00168bd001 ffff8800b45e8008 Call Trace: [] schedule+0x9a/0x1c0 kernel/sched/core.c:3250 [] schedule_timeout+0x457/0x670 kernel/time/timer.c:1508 [] down_write_failed drivers/tty/tty_ldsem.c:299 [inline] [] __ldsem_down_write_nested+0x1be/0x370 drivers/tty/tty_ldsem.c:351 [] ldsem_down_write+0x2d/0x32 drivers/tty/tty_ldsem.c:393 [] __tty_ldisc_lock drivers/tty/tty_ldisc.c:321 [inline] [] tty_ldisc_lock+0x11/0x30 drivers/tty/tty_ldisc.c:340 [] tty_ldisc_hangup+0x173/0x540 drivers/tty/tty_ldisc.c:728 [] __tty_hangup+0x596/0xab0 drivers/tty/tty_io.c:739 [] tty_vhangup_session drivers/tty/tty_io.c:848 [inline] [] disassociate_ctty.part.23+0x8f/0x6c0 drivers/tty/tty_io.c:901 [] disassociate_ctty+0x6e/0x90 drivers/tty/tty_io.c:895 [] do_exit+0x18f3/0x2dc0 kernel/exit.c:746 [] do_group_exit+0xf4/0x2f0 kernel/exit.c:878 [] SYSC_exit_group kernel/exit.c:889 [inline] [] SyS_exit_group+0x18/0x20 kernel/exit.c:887 [] entry_SYSCALL_64_fastpath+0x23/0xc1 2 locks held by login/6903: #0: (&tty->legacy_mutex){+.+.+.}, at: [] tty_lock+0x55/0xb0 drivers/tty/tty_mutex.c:18 #1: (&tty->ldisc_sem){++++++}, at: [] ldsem_down_write+0x2d/0x32 drivers/tty/tty_ldsem.c:393 Sending NMI to all CPUs: NMI backtrace for cpu 0 CPU: 0 PID: 6813 Comm: rsyslogd Not tainted 4.6.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 task: ffff8800b44dc7c0 ti: ffff8800b4e28000 task.ti: ffff8800b4e28000 RIP: 0010:[] [] is_module_text_address+0x0/0x50 kernel/module.c:4021 RSP: 0018:ffff8800b4e2f798 EFLAGS: 00000202 RAX: 0000000000000001 RBX: ffffffff86ff9900 RCX: ffffffff85c52ea0 RDX: 0000000000000000 RSI: ffff8800b4e2f858 RDI: ffffffff86ff9900 RBP: ffff8800b4e2f7a8 R08: ffff8800b4e2f8b0 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: ffff8800b4e2f888 R13: ffff8800b4e2f858 R14: ffffffff85c52ea0 R15: ffffffff86ff9900 FS: 00007fb8be059700(0000) GS:ffff88012c000000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f24f853adb8 CR3: 00000000b78f4000 CR4: 00000000001406f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Stack: ffffffff8139f131 0000000000000000 ffff8800b4e2f808 ffffffff811e569b ffff8800b4e2fff8 ffff8800b4e28000 ffff8800b4e2f888 ffffffffffff8000 ffff8800b4e2f8b0 ffff8800b44dc7c0 ffff8800b4e2f858 ffff8800b4e2f8b0 Call Trace: [] print_context_stack+0x7b/0xc0 arch/x86/kernel/dumpstack.c:107 [] dump_trace+0x11d/0x320 arch/x86/kernel/dumpstack_64.c:243 [] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67 [] save_stack+0x46/0xd0 mm/kasan/kasan.c:450 [] set_track mm/kasan/kasan.c:462 [inline] [] kasan_kmalloc+0xc9/0xe0 mm/kasan/kasan.c:532 [] kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:482 [] slab_post_alloc_hook mm/slab.h:408 [inline] [] slab_alloc mm/slab.c:3232 [inline] [] kmem_cache_alloc_trace+0x12b/0x6b0 mm/slab.c:3445 [] kmalloc include/linux/slab.h:478 [inline] [] syslog_print kernel/printk/printk.c:1150 [inline] [] do_syslog+0x47b/0x980 kernel/printk/printk.c:1327 [] kmsg_read+0x65/0x80 fs/proc/kmsg.c:39 [] proc_reg_read+0xbc/0x180 fs/proc/inode.c:203 [] __vfs_read+0xdb/0x4e0 fs/read_write.c:472 [] vfs_read+0xd9/0x2c0 fs/read_write.c:494 [] SYSC_read fs/read_write.c:609 [inline] [] SyS_read+0xcb/0x1a0 fs/read_write.c:602 [] entry_SYSCALL_64_fastpath+0x23/0xc1 Code: e8 d6 9d ec ff 65 8b 05 af 92 b2 7e 85 c0 74 05 89 d8 5b 5d c3 e8 63 6e b1 ff 89 d8 5b 5d c3 66 90 66 2e 0f 1f 84 00 00 00 00 00 <55> 48 89 e5 53 48 89 fb bf 01 00 00 00 e8 6e 82 ec ff 48 89 df NMI backtrace for cpu 1 CPU: 1 PID: 948 Comm: khungtaskd Not tainted 4.6.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 task: ffff8800bbb70700 ti: ffff88012b318000 task.ti: ffff88012b318000 RIP: 0010:[] [] native_write_msr_safe+0x6/0x40 arch/x86/include/asm/msr.h:124 RSP: 0018:ffff88012b31fc48 EFLAGS: 00000086 RAX: 0000000000000400 RBX: 0000000100000400 RCX: 0000000000000830 RDX: 0000000000000001 RSI: 0000000000000400 RDI: 0000000000000830 RBP: ffff88012b31fc60 R08: 0000000000000400 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000001 R12: fffffbfff0eca430 R13: ffffffff876551c0 R14: 0000000000080000 R15: dffffc0000000000 FS: 0000000000000000(0000) GS:ffff88012c100000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f988e56c008 CR3: 00000000b78f4000 CR4: 00000000001406e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Stack: ffffffff81254bc0 ffff88012b31fc60 0000000000000007 ffff88012b31fcc8 ffffffff81254d7a ffff88012b31fd20 ffffffff00000010 0000000000000286 000000022b31fcb8 0000000000000001 0000000000000001 ffffffff86ca7e80 Call Trace: [] __x2apic_send_IPI_mask+0x19a/0x2d0 arch/x86/kernel/apic/x2apic_phys.c:62 [] x2apic_send_IPI_mask+0xe/0x10 arch/x86/kernel/apic/x2apic_cluster.c:87 [] nmi_raise_cpu_backtrace+0x5b/0x70 arch/x86/kernel/apic/hw_nmi.c:33 [] nmi_trigger_all_cpu_backtrace+0x4d6/0x640 lib/nmi_backtrace.c:85 [] arch_trigger_all_cpu_backtrace+0x14/0x20 arch/x86/kernel/apic/hw_nmi.c:38 [] trigger_all_cpu_backtrace include/linux/nmi.h:41 [inline] [] check_hung_task kernel/hung_task.c:125 [inline] [] check_hung_uninterruptible_tasks kernel/hung_task.c:182 [inline] [] watchdog+0x661/0xa00 kernel/hung_task.c:239 [] kthread+0x209/0x2d0 kernel/kthread.c:209 [] ret_from_fork+0x22/0x50 arch/x86/entry/entry_64.S:392 Code: 5b 5d c3 48 c1 e2 20 48 89 d3 31 d2 48 09 c3 48 89 de e8 1e 62 ab 01 48 89 d8 5b 5d c3 0f 1f 84 00 00 00 00 00 89 f0 89 f9 0f 30 <31> c0 0f 1f 44 00 00 c3 41 89 f0 48 89 d6 55 89 c2 48 c1 e6 20