bisecting fixing commit since 07c4b9e9f71aa4bc74009f710fc5a745e10981bf
building syzkaller on eef6e5808d6507716d331b9eff67fdd991be891a
testing commit 07c4b9e9f71aa4bc74009f710fc5a745e10981bf with gcc (GCC) 8.1.0
kernel signature: ea7d282c78494066fabf9127ac54db0fb22177f67da31bde62646e4cdd447d89
run #0: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common
run #1: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common
run #2: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common
run #3: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common
run #4: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common
run #5: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common
run #6: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common
run #7: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common
run #8: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common
run #9: crashed: INFO: task hung in paste_selection
testing current HEAD fb33c6510d5595144d585aa194d377cf74d31911
testing commit fb33c6510d5595144d585aa194d377cf74d31911 with gcc (GCC) 8.1.0
kernel signature: 42f0b8f135592a9c3da409ba0db503bc9eaaf7974532d590f18ee4a147f087b4
all runs: OK
# git bisect start fb33c6510d5595144d585aa194d377cf74d31911 07c4b9e9f71aa4bc74009f710fc5a745e10981bf
Bisecting: 7654 revisions left to test after this (roughly 13 steps)
[4cadc60d6bcfee9c626d4b55e9dc1475d21ad3bb] Merge tag 'for-v5.6' of git://git.kernel.org/pub/scm/linux/kernel/git/sre/linux-power-supply
testing commit 4cadc60d6bcfee9c626d4b55e9dc1475d21ad3bb with gcc (GCC) 8.1.0
kernel signature: 885fb7885b10afe6916d127cbe99d19d7498464df684b6720ea64cac96ae319f
all runs: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common
# git bisect good 4cadc60d6bcfee9c626d4b55e9dc1475d21ad3bb
Bisecting: 3817 revisions left to test after this (roughly 12 steps)
[33b40134e5cfbbccad7f3040d1919889537a3df7] Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
testing commit 33b40134e5cfbbccad7f3040d1919889537a3df7 with gcc (GCC) 8.1.0
kernel signature: bcc9efbcf2c266f34ae76ad3b05ed6831d35038800856d7b4798876c12e7d0b1
all runs: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common
# git bisect good 33b40134e5cfbbccad7f3040d1919889537a3df7
Bisecting: 1917 revisions left to test after this (roughly 11 steps)
[d4f309ca411887cd61ea389c7abfb70c2eb1e532] Merge tag 'powerpc-5.6-2' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux
testing commit d4f309ca411887cd61ea389c7abfb70c2eb1e532 with gcc (GCC) 8.1.0
kernel signature: 1752130fdbd5ac5daa60fd61fdada01e959331d359e0c5936f80874b1fcbd7d4
all runs: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common
# git bisect good d4f309ca411887cd61ea389c7abfb70c2eb1e532
Bisecting: 963 revisions left to test after this (roughly 10 steps)
[dca132a60f226f4cbaa98807518a5ca6cff112ce] Merge tag 'ras-urgent-2020-02-22' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
testing commit dca132a60f226f4cbaa98807518a5ca6cff112ce with gcc (GCC) 8.1.0
kernel signature: 93b2307722598dfe494ef48b68c6e7aa291014c0b096e47a3b65c764c144274a
all runs: crashed: possible deadlock in n_tty_receive_buf_common
# git bisect good dca132a60f226f4cbaa98807518a5ca6cff112ce
Bisecting: 482 revisions left to test after this (roughly 9 steps)
[63849c8f410717eb2e6662f3953ff674727303e7] Merge tag 'linux-kselftest-5.6-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest
testing commit 63849c8f410717eb2e6662f3953ff674727303e7 with gcc (GCC) 8.1.0
kernel signature: e3b7dc85c44de6de9bb177cd3d47016709923007cc79c3a7dd4b1109d5128644
all runs: crashed: possible deadlock in n_tty_receive_buf_common
# git bisect good 63849c8f410717eb2e6662f3953ff674727303e7
Bisecting: 261 revisions left to test after this (roughly 8 steps)
[807f030b44ccbb26a346df6f6438628315d9ad98] Merge branch 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
testing commit 807f030b44ccbb26a346df6f6438628315d9ad98 with gcc (GCC) 8.1.0
kernel signature: 6da7442b8031422d2a124b98d405eb0b74b013de5bc8bedff423f45a39220fd1
all runs: OK
# git bisect bad 807f030b44ccbb26a346df6f6438628315d9ad98
Bisecting: 108 revisions left to test after this (roughly 7 steps)
[378fee2e6b12f31ab3749e0aa4ed0a63be23e822] Merge tag 'char-misc-5.6-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc
testing commit 378fee2e6b12f31ab3749e0aa4ed0a63be23e822 with gcc (GCC) 8.1.0
kernel signature: 37bfa369f95f57913d26c2c70a06cb98b62e5b7da176c08b74630e48382db631
all runs: OK
# git bisect bad 378fee2e6b12f31ab3749e0aa4ed0a63be23e822
Bisecting: 54 revisions left to test after this (roughly 6 steps)
[5dfcc13902bfb6d252b84e234bfc4cdba76c1069] Merge tag 'block-5.6-2020-03-07' of git://git.kernel.dk/linux-block
testing commit 5dfcc13902bfb6d252b84e234bfc4cdba76c1069 with gcc (GCC) 8.1.0
kernel signature: a1807d27e128374e47928292e58af153d9690fbb0c80faea7a2bd91592279886
all runs: crashed: possible deadlock in n_tty_receive_buf_common
# git bisect good 5dfcc13902bfb6d252b84e234bfc4cdba76c1069
Bisecting: 18 revisions left to test after this (roughly 5 steps)
[fd3f6cc9806c2f10b886f3ad78c9e192fb1bffd9] Merge tag 'usb-5.6-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb
testing commit fd3f6cc9806c2f10b886f3ad78c9e192fb1bffd9 with gcc (GCC) 8.1.0
kernel signature: cc9acdf09815e169f681463b8e715437594ada92725bdf25e235b0281a3f0ae4
all runs: crashed: possible deadlock in n_tty_receive_buf_common
# git bisect good fd3f6cc9806c2f10b886f3ad78c9e192fb1bffd9
Bisecting: 9 revisions left to test after this (roughly 3 steps)
[cc432aee7d5a5cd6c8ae4dd9f5bae56428d1fca2] Merge tag 'tty-5.6-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty
testing commit cc432aee7d5a5cd6c8ae4dd9f5bae56428d1fca2 with gcc (GCC) 8.1.0
kernel signature: 999d042d5117201faffbd7baa8600ffe546cc13c7a89e9f2baec4efbc0072b9e
all runs: OK
# git bisect bad cc432aee7d5a5cd6c8ae4dd9f5bae56428d1fca2
Bisecting: 4 revisions left to test after this (roughly 2 steps)
[10c5ccc3c6d32f3d7d6c07de1d3f0f4b52f3e3ab] serial: 8250_exar: add support for ACCES cards
testing commit 10c5ccc3c6d32f3d7d6c07de1d3f0f4b52f3e3ab with gcc (GCC) 8.1.0
kernel signature: 07bdf951052a3657c8427a744d9e3f0b52a8e0010fd5812826d8878fe1749ca4
all runs: OK
# git bisect bad 10c5ccc3c6d32f3d7d6c07de1d3f0f4b52f3e3ab
Bisecting: 1 revision left to test after this (roughly 1 step)
[e8c75a30a23c6ba63f4ef6895cbf41fd42f21aa2] vt: selection, push sel_lock up
testing commit e8c75a30a23c6ba63f4ef6895cbf41fd42f21aa2 with gcc (GCC) 8.1.0
kernel signature: ebb0eb387d9bc5b2bab1723deff901504b230e62e36d8baceb1a7af84c48c607
all runs: OK
# git bisect bad e8c75a30a23c6ba63f4ef6895cbf41fd42f21aa2
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[4b70dd57a15d2f4685ac6e38056bad93e81e982f] vt: selection, push console lock down
testing commit 4b70dd57a15d2f4685ac6e38056bad93e81e982f with gcc (GCC) 8.1.0
kernel signature: 418310269aa057763f5cd931e7b3b61a568d85dc53160b274106dfd17610216a
all runs: crashed: possible deadlock in n_tty_receive_buf_common
# git bisect good 4b70dd57a15d2f4685ac6e38056bad93e81e982f
e8c75a30a23c6ba63f4ef6895cbf41fd42f21aa2 is the first bad commit
commit e8c75a30a23c6ba63f4ef6895cbf41fd42f21aa2
Author: Jiri Slaby
Date: Fri Feb 28 12:54:06 2020 +0100

    vt: selection, push sel_lock up

    sel_lock cannot nest in the console lock. Thanks to syzkaller, the
    kernel states firmly:

    > WARNING: possible circular locking dependency detected
    > 5.6.0-rc3-syzkaller #0 Not tainted
    > ------------------------------------------------------
    > syz-executor.4/20336 is trying to acquire lock:
    > ffff8880a2e952a0 (&tty->termios_rwsem){++++}, at: tty_unthrottle+0x22/0x100 drivers/tty/tty_ioctl.c:136
    >
    > but task is already holding lock:
    > ffffffff89462e70 (sel_lock){+.+.}, at: paste_selection+0x118/0x470 drivers/tty/vt/selection.c:374
    >
    > which lock already depends on the new lock.
    >
    > the existing dependency chain (in reverse order) is:
    >
    > -> #2 (sel_lock){+.+.}:
    >        mutex_lock_nested+0x1b/0x30 kernel/locking/mutex.c:1118
    >        set_selection_kernel+0x3b8/0x18a0 drivers/tty/vt/selection.c:217
    >        set_selection_user+0x63/0x80 drivers/tty/vt/selection.c:181
    >        tioclinux+0x103/0x530 drivers/tty/vt/vt.c:3050
    >        vt_ioctl+0x3f1/0x3a30 drivers/tty/vt/vt_ioctl.c:364

    This is ioctl(TIOCL_SETSEL).
    Locks held on the path: console_lock -> sel_lock

    > -> #1 (console_lock){+.+.}:
    >        console_lock+0x46/0x70 kernel/printk/printk.c:2289
    >        con_flush_chars+0x50/0x650 drivers/tty/vt/vt.c:3223
    >        n_tty_write+0xeae/0x1200 drivers/tty/n_tty.c:2350
    >        do_tty_write drivers/tty/tty_io.c:962 [inline]
    >        tty_write+0x5a1/0x950 drivers/tty/tty_io.c:1046

    This is write().
    Locks held on the path: termios_rwsem -> console_lock

    > -> #0 (&tty->termios_rwsem){++++}:
    >        down_write+0x57/0x140 kernel/locking/rwsem.c:1534
    >        tty_unthrottle+0x22/0x100 drivers/tty/tty_ioctl.c:136
    >        mkiss_receive_buf+0x12aa/0x1340 drivers/net/hamradio/mkiss.c:902
    >        tty_ldisc_receive_buf+0x12f/0x170 drivers/tty/tty_buffer.c:465
    >        paste_selection+0x346/0x470 drivers/tty/vt/selection.c:389
    >        tioclinux+0x121/0x530 drivers/tty/vt/vt.c:3055
    >        vt_ioctl+0x3f1/0x3a30 drivers/tty/vt/vt_ioctl.c:364

    This is ioctl(TIOCL_PASTESEL).
    Locks held on the path: sel_lock -> termios_rwsem

    > other info that might help us debug this:
    >
    > Chain exists of:
    >   &tty->termios_rwsem --> console_lock --> sel_lock

    Clearly. From the above, we have:
     console_lock -> sel_lock
     sel_lock -> termios_rwsem
     termios_rwsem -> console_lock

    Fix this by reversing the console_lock -> sel_lock dependency in
    ioctl(TIOCL_SETSEL). First, lock sel_lock, then console_lock.

    Signed-off-by: Jiri Slaby
    Reported-by: syzbot+26183d9746e62da329b8@syzkaller.appspotmail.com
    Fixes: 07e6124a1a46 ("vt: selection, close sel_buffer race")
    Cc: stable
    Link: https://lore.kernel.org/r/20200228115406.5735-2-jslaby@suse.cz
    Signed-off-by: Greg Kroah-Hartman

 drivers/tty/vt/selection.c | 16 +++++++---------
 1 file changed, 7 insertions(+), 9 deletions(-)
culprit signature: ebb0eb387d9bc5b2bab1723deff901504b230e62e36d8baceb1a7af84c48c607
parent signature: 418310269aa057763f5cd931e7b3b61a568d85dc53160b274106dfd17610216a
revisions tested: 15, total time: 3h22m37.461470974s (build: 1h39m58.692211432s, test: 1h41m31.261027096s)
first good commit: e8c75a30a23c6ba63f4ef6895cbf41fd42f21aa2 vt: selection, push sel_lock up
cc: ["gregkh@linuxfoundation.org" "jslaby@suse.com" "jslaby@suse.cz" "linux-kernel@vger.kernel.org" "okash.khawaja@gmail.com" "samuel.thibault@ens-lyon.org"]