bisecting fixing commit since 98db2bf27b9ed2d5ed0b6c9c8a4bfcb127a19796
building syzkaller on 251aabb77ec4d86b9374b6f999fbb8e1ea70963f
testing commit 98db2bf27b9ed2d5ed0b6c9c8a4bfcb127a19796 with gcc (GCC) 8.1.0
kernel signature: f42592aedbe0c6140c6215e575f3d7235722f47b2016c85f69c7918c02994be3
all runs: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common
testing current HEAD 01364dad1d4577e27a57729d41053f661bb8a5b9
testing commit 01364dad1d4577e27a57729d41053f661bb8a5b9 with gcc (GCC) 8.1.0
kernel signature: aea3890b92a8ac03d0f5bad581c0e53f6ec8c863e9a7f8c9a5c0d68a78827228
all runs: OK
# git bisect start 01364dad1d4577e27a57729d41053f661bb8a5b9 98db2bf27b9ed2d5ed0b6c9c8a4bfcb127a19796
Bisecting: 230 revisions left to test after this (roughly 8 steps)
[a86265edeb3314f9c3270a5bf18b4e72ebc65beb] netfilter: xt_hashlimit: limit the max size of hashtable
testing commit a86265edeb3314f9c3270a5bf18b4e72ebc65beb with gcc (GCC) 8.1.0
kernel signature: 6bc3b2c37363d12beaa5361a0a1c2e96df5ea607abe076b9b7c35cb2ad5fb8e4
run #0: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common
run #1: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common
run #2: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common
run #3: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common
run #4: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common
run #5: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common
run #6: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common
run #7: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common
run #8: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common
run #9: OK
# git bisect good a86265edeb3314f9c3270a5bf18b4e72ebc65beb
Bisecting: 115 revisions left to test after this (roughly 7 steps)
[c40c33a8936174dcd78268e619960c2ed421d43b] ASoC: topology: Fix memleak in soc_tplg_link_elems_load()
testing commit c40c33a8936174dcd78268e619960c2ed421d43b with gcc (GCC) 8.1.0
kernel signature: b42c779953f47cb11798cd25382fe4cf9cb220a601fc511c09c41892e1d1f3e5
all runs: OK
# git bisect bad c40c33a8936174dcd78268e619960c2ed421d43b
Bisecting: 57 revisions left to test after this (roughly 6 steps)
[31909a6e9d6866dbe6590c4492b99d8875bba2dc] net: atlantic: fix potential error handling
testing commit 31909a6e9d6866dbe6590c4492b99d8875bba2dc with gcc (GCC) 8.1.0
kernel signature: a31e9faf8e0014364dcba3bc5f1bce1e3eb3c86d7bdfef5fabb6e69af6e6383f
all runs: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common
# git bisect good 31909a6e9d6866dbe6590c4492b99d8875bba2dc
Bisecting: 28 revisions left to test after this (roughly 5 steps)
[ea29d94b09cb7629a7ddd5e1484c00a56ed20a86] net: ks8851-ml: Remove 8-bit bus accessors
testing commit ea29d94b09cb7629a7ddd5e1484c00a56ed20a86 with gcc (GCC) 8.1.0
kernel signature: b22ac29b2b492bb2adec13334b5d2e583af6d1c1469aa74e49bcbbc03789db6b
all runs: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common
# git bisect good ea29d94b09cb7629a7ddd5e1484c00a56ed20a86
Bisecting: 14 revisions left to test after this (roughly 4 steps)
[8389c9d75e0867064eb5699251da3836191d0420] usb: core: port: do error out if usb_autopm_get_interface() fails
testing commit 8389c9d75e0867064eb5699251da3836191d0420 with gcc (GCC) 8.1.0
kernel signature: 566ce299735f64957a4e5fcc30f8b7edd32d5c0e652797fb7d5cdff21cc4a248
all runs: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common
# git bisect good 8389c9d75e0867064eb5699251da3836191d0420
Bisecting: 7 revisions left to test after this (roughly 3 steps)
[432ef54c0444e7cab85a291347bfc1f69ee6257a] vt: selection, close sel_buffer race
testing commit 432ef54c0444e7cab85a291347bfc1f69ee6257a with gcc (GCC) 8.1.0
kernel signature: 53b5056fdd62e12a551c7a74adfa8df1cc2d0a5001f24f697bd1facb991ce312
all runs: crashed: possible deadlock in n_tty_receive_buf_common
# git bisect good 432ef54c0444e7cab85a291347bfc1f69ee6257a
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[04b31630d500a14e64090470b7d5adf58b2be4fd] dmaengine: tegra-apb: Fix use-after-free
testing commit 04b31630d500a14e64090470b7d5adf58b2be4fd with gcc (GCC) 8.1.0
kernel signature: 28ba135b996990bbd7a0b0f5701ae3518753c92fc2b34d80ebb13ddacb79cacc
all runs: OK
# git bisect bad 04b31630d500a14e64090470b7d5adf58b2be4fd
Bisecting: 1 revision left to test after this (roughly 1 step)
[a4719f6d07b2c63223f7452c435c5f578f105cfe] vt: selection, push sel_lock up
testing commit a4719f6d07b2c63223f7452c435c5f578f105cfe with gcc (GCC) 8.1.0
kernel signature: 07636fbca373f8f64f85ed7bfbcbad5d4c102aeb35cc8539e79c0f791bd2e62c
all runs: OK
# git bisect bad a4719f6d07b2c63223f7452c435c5f578f105cfe
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[64489a229bbf902244d8407b02015f30e2cd4651] vt: selection, push console lock down
testing commit 64489a229bbf902244d8407b02015f30e2cd4651 with gcc (GCC) 8.1.0
kernel signature: 44d16aa178c9c85fe56764e64abf62ec0c3cd2b188f6e15f0a09e5ea836c3d20
all runs: crashed: possible deadlock in n_tty_receive_buf_common
# git bisect good 64489a229bbf902244d8407b02015f30e2cd4651
a4719f6d07b2c63223f7452c435c5f578f105cfe is the first bad commit
commit a4719f6d07b2c63223f7452c435c5f578f105cfe
Author: Jiri Slaby <jslaby@suse.cz>
Date:   Fri Feb 28 12:54:06 2020 +0100

    vt: selection, push sel_lock up
    
    commit e8c75a30a23c6ba63f4ef6895cbf41fd42f21aa2 upstream.
    
    sel_lock cannot nest in the console lock. Thanks to syzkaller, the
    kernel states firmly:
    
    > WARNING: possible circular locking dependency detected
    > 5.6.0-rc3-syzkaller #0 Not tainted
    > ------------------------------------------------------
    > syz-executor.4/20336 is trying to acquire lock:
    > ffff8880a2e952a0 (&tty->termios_rwsem){++++}, at: tty_unthrottle+0x22/0x100 drivers/tty/tty_ioctl.c:136
    >
    > but task is already holding lock:
    > ffffffff89462e70 (sel_lock){+.+.}, at: paste_selection+0x118/0x470 drivers/tty/vt/selection.c:374
    >
    > which lock already depends on the new lock.
    >
    > the existing dependency chain (in reverse order) is:
    >
    > -> #2 (sel_lock){+.+.}:
    >        mutex_lock_nested+0x1b/0x30 kernel/locking/mutex.c:1118
    >        set_selection_kernel+0x3b8/0x18a0 drivers/tty/vt/selection.c:217
    >        set_selection_user+0x63/0x80 drivers/tty/vt/selection.c:181
    >        tioclinux+0x103/0x530 drivers/tty/vt/vt.c:3050
    >        vt_ioctl+0x3f1/0x3a30 drivers/tty/vt/vt_ioctl.c:364
    
    This is ioctl(TIOCL_SETSEL).
    Locks held on the path: console_lock -> sel_lock
    
    > -> #1 (console_lock){+.+.}:
    >        console_lock+0x46/0x70 kernel/printk/printk.c:2289
    >        con_flush_chars+0x50/0x650 drivers/tty/vt/vt.c:3223
    >        n_tty_write+0xeae/0x1200 drivers/tty/n_tty.c:2350
    >        do_tty_write drivers/tty/tty_io.c:962 [inline]
    >        tty_write+0x5a1/0x950 drivers/tty/tty_io.c:1046
    
    This is write().
    Locks held on the path: termios_rwsem -> console_lock
    
    > -> #0 (&tty->termios_rwsem){++++}:
    >        down_write+0x57/0x140 kernel/locking/rwsem.c:1534
    >        tty_unthrottle+0x22/0x100 drivers/tty/tty_ioctl.c:136
    >        mkiss_receive_buf+0x12aa/0x1340 drivers/net/hamradio/mkiss.c:902
    >        tty_ldisc_receive_buf+0x12f/0x170 drivers/tty/tty_buffer.c:465
    >        paste_selection+0x346/0x470 drivers/tty/vt/selection.c:389
    >        tioclinux+0x121/0x530 drivers/tty/vt/vt.c:3055
    >        vt_ioctl+0x3f1/0x3a30 drivers/tty/vt/vt_ioctl.c:364
    
    This is ioctl(TIOCL_PASTESEL).
    Locks held on the path: sel_lock -> termios_rwsem
    
    > other info that might help us debug this:
    >
    > Chain exists of:
    >   &tty->termios_rwsem --> console_lock --> sel_lock
    
    Clearly. From the above, we have:
     console_lock -> sel_lock
     sel_lock -> termios_rwsem
     termios_rwsem -> console_lock
    
    Fix this by reversing the console_lock -> sel_lock dependency in
    ioctl(TIOCL_SETSEL). First, lock sel_lock, then console_lock.
    
    Signed-off-by: Jiri Slaby <jslaby@suse.cz>
    Reported-by: syzbot+26183d9746e62da329b8@syzkaller.appspotmail.com
    Fixes: 07e6124a1a46 ("vt: selection, close sel_buffer race")
    Cc: stable <stable@vger.kernel.org>
    Link: https://lore.kernel.org/r/20200228115406.5735-2-jslaby@suse.cz
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 drivers/tty/vt/selection.c | 16 +++++++---------
 1 file changed, 7 insertions(+), 9 deletions(-)
culprit signature: 07636fbca373f8f64f85ed7bfbcbad5d4c102aeb35cc8539e79c0f791bd2e62c
parent  signature: 44d16aa178c9c85fe56764e64abf62ec0c3cd2b188f6e15f0a09e5ea836c3d20
revisions tested: 11, total time: 2h48m0.875983689s (build: 1h31m40.948549841s, test: 1h15m12.641906791s)
first good commit: a4719f6d07b2c63223f7452c435c5f578f105cfe vt: selection, push sel_lock up
cc: ["gregkh@linuxfoundation.org" "jslaby@suse.com" "jslaby@suse.cz" "linux-kernel@vger.kernel.org"]