bisecting fixing commit since 357668399cf70ccdc0ee8967bff3448d0f4f9ae1
building syzkaller on 5d7b90f1af2e3bf33992b75e7fcf0bab6bf49bd6
testing commit 357668399cf70ccdc0ee8967bff3448d0f4f9ae1 with gcc (GCC) 8.1.0
kernel signature: 07a8d8f0880a170050ec1ee69857809afa5c535cf79847f985624dd45b5d81c1
all runs: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common
testing current HEAD dda0e2920330128e0dbdeb11c8f25031aa40b11c
testing commit dda0e2920330128e0dbdeb11c8f25031aa40b11c with gcc (GCC) 8.1.0
kernel signature: 76522d9da249ad11eb9142daa330b702a63b7a841ff2f5f7df99facdc04a7859
all runs: OK
# git bisect start dda0e2920330128e0dbdeb11c8f25031aa40b11c 357668399cf70ccdc0ee8967bff3448d0f4f9ae1
Bisecting: 432 revisions left to test after this (roughly 9 steps)
[5c0237e8d6acb872098d06e8bf19b61ea470dc48] usb: charger: assign specific number for enum value
testing commit 5c0237e8d6acb872098d06e8bf19b61ea470dc48 with gcc (GCC) 8.1.0
kernel signature: 22536325882d7e175f1983c03f3b55374f8bcf68d1a6e804cf74884bb75c24a3
all runs: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common
# git bisect good 5c0237e8d6acb872098d06e8bf19b61ea470dc48
Bisecting: 216 revisions left to test after this (roughly 8 steps)
[90d77cff14fe51aff4a99846655e3988a9a2aa09] net: usb: qmi_wwan: restore mtu min/max values after raw_ip switch
testing commit 90d77cff14fe51aff4a99846655e3988a9a2aa09 with gcc (GCC) 8.1.0
kernel signature: 7682342bbb4e6e6616c079e5ef23c0ba052a442874543359a57ac589079db604
all runs: OK
# git bisect bad 90d77cff14fe51aff4a99846655e3988a9a2aa09
Bisecting: 107 revisions left to test after this (roughly 7 steps)
[8fb8f0931dceab928206771eb0ffaf197e94641f] dmaengine: coh901318: Fix a double lock bug in dma_tc_handle()
testing commit 8fb8f0931dceab928206771eb0ffaf197e94641f with gcc (GCC) 8.1.0
kernel signature: 36ce1176d33639b149e5d8616fa1313d0071e54909960fa90048a606c925b1e3
all runs: OK
# git bisect bad 8fb8f0931dceab928206771eb0ffaf197e94641f
Bisecting: 53 revisions left to test after this (roughly 6 steps)
[d71f8bd18cdfd8b5ea94acbd6248951d51e3770b] x86/boot/compressed: Don't declare __force_order in kaslr_64.c
testing commit d71f8bd18cdfd8b5ea94acbd6248951d51e3770b with gcc (GCC) 8.1.0
kernel signature: 79f264b51b3cc172952091cc9aa0c4337e2a9e6ff0a7022ffda83fc046608f4c
all runs: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common
# git bisect good d71f8bd18cdfd8b5ea94acbd6248951d51e3770b
Bisecting: 26 revisions left to test after this (roughly 5 steps)
[b0c95d336123de55faf3528c97718a4e7607b54c] dmaengine: tegra-apb: Fix use-after-free
testing commit b0c95d336123de55faf3528c97718a4e7607b54c with gcc (GCC) 8.1.0
kernel signature: 1e100b9f7c21cebccb93ac79df75994b020b2b99d218c03fb0d68590b88bc9d0
all runs: OK
# git bisect bad b0c95d336123de55faf3528c97718a4e7607b54c
Bisecting: 13 revisions left to test after this (roughly 4 steps)
[c23ad063f6fd0a0ab7b2aa1768e2d981e320b830] usb: core: hub: do error out if usb_autopm_get_interface() fails
testing commit c23ad063f6fd0a0ab7b2aa1768e2d981e320b830 with gcc (GCC) 8.1.0
kernel signature: 14fc96b192bc8ce0752c4aa4452691c3ee14fd03acf6c8e20036d2097818551f
all runs: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common
# git bisect good c23ad063f6fd0a0ab7b2aa1768e2d981e320b830
Bisecting: 6 revisions left to test after this (roughly 3 steps)
[6c1f86b2e5ec2c74f7165caca6e9c2e7c3714dfd] tty:serial:mvebu-uart:fix a wrong return
testing commit 6c1f86b2e5ec2c74f7165caca6e9c2e7c3714dfd with gcc (GCC) 8.1.0
kernel signature: 8cf3c17462ae6e7344a1e816cfdacfd500fe2ea76c6a1565f17dc2c7cdd0cdc9
all runs: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common
# git bisect good 6c1f86b2e5ec2c74f7165caca6e9c2e7c3714dfd
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[efaef8463e1a9c20aa19c3de2b2d19f885e0315e] vt: selection, push console lock down
testing commit efaef8463e1a9c20aa19c3de2b2d19f885e0315e with gcc (GCC) 8.1.0
kernel signature: a6ee8fd29e5956e8adac5abbba4c154f708fa946eead434566813eb0906bfdf1
all runs: crashed: possible deadlock in n_tty_receive_buf_common
# git bisect good efaef8463e1a9c20aa19c3de2b2d19f885e0315e
Bisecting: 1 revision left to test after this (roughly 1 step)
[7e46d9838ff8d445618428dc5852953629c44b4f] media: v4l2-mem2mem.c: fix broken links
testing commit 7e46d9838ff8d445618428dc5852953629c44b4f with gcc (GCC) 8.1.0
kernel signature: 4d117aaa6a9f63bc415114650f555e6499b70cbdf5ca732a96363803c9cd2e87
all runs: OK
# git bisect bad 7e46d9838ff8d445618428dc5852953629c44b4f
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[b4492f1e7456bd162714c0ec2815c2749d930844] vt: selection, push sel_lock up
testing commit b4492f1e7456bd162714c0ec2815c2749d930844 with gcc (GCC) 8.1.0
kernel signature: fbff9f365b8b158a8ac685542443df502efe0024263adf6d3200c6b65b683315
all runs: OK
# git bisect bad b4492f1e7456bd162714c0ec2815c2749d930844
b4492f1e7456bd162714c0ec2815c2749d930844 is the first bad commit
commit b4492f1e7456bd162714c0ec2815c2749d930844
Author: Jiri Slaby
Date:   Fri Feb 28 12:54:06 2020 +0100

    vt: selection, push sel_lock up

    commit e8c75a30a23c6ba63f4ef6895cbf41fd42f21aa2 upstream.

    sel_lock cannot nest in the console lock. Thanks to syzkaller, the kernel
    states firmly:

    > WARNING: possible circular locking dependency detected
    > 5.6.0-rc3-syzkaller #0 Not tainted
    > ------------------------------------------------------
    > syz-executor.4/20336 is trying to acquire lock:
    > ffff8880a2e952a0 (&tty->termios_rwsem){++++}, at: tty_unthrottle+0x22/0x100 drivers/tty/tty_ioctl.c:136
    >
    > but task is already holding lock:
    > ffffffff89462e70 (sel_lock){+.+.}, at: paste_selection+0x118/0x470 drivers/tty/vt/selection.c:374
    >
    > which lock already depends on the new lock.
    >
    > the existing dependency chain (in reverse order) is:
    >
    > -> #2 (sel_lock){+.+.}:
    >        mutex_lock_nested+0x1b/0x30 kernel/locking/mutex.c:1118
    >        set_selection_kernel+0x3b8/0x18a0 drivers/tty/vt/selection.c:217
    >        set_selection_user+0x63/0x80 drivers/tty/vt/selection.c:181
    >        tioclinux+0x103/0x530 drivers/tty/vt/vt.c:3050
    >        vt_ioctl+0x3f1/0x3a30 drivers/tty/vt/vt_ioctl.c:364

    This is ioctl(TIOCL_SETSEL). Locks held on the path: console_lock -> sel_lock

    > -> #1 (console_lock){+.+.}:
    >        console_lock+0x46/0x70 kernel/printk/printk.c:2289
    >        con_flush_chars+0x50/0x650 drivers/tty/vt/vt.c:3223
    >        n_tty_write+0xeae/0x1200 drivers/tty/n_tty.c:2350
    >        do_tty_write drivers/tty/tty_io.c:962 [inline]
    >        tty_write+0x5a1/0x950 drivers/tty/tty_io.c:1046

    This is write(). Locks held on the path: termios_rwsem -> console_lock

    > -> #0 (&tty->termios_rwsem){++++}:
    >        down_write+0x57/0x140 kernel/locking/rwsem.c:1534
    >        tty_unthrottle+0x22/0x100 drivers/tty/tty_ioctl.c:136
    >        mkiss_receive_buf+0x12aa/0x1340 drivers/net/hamradio/mkiss.c:902
    >        tty_ldisc_receive_buf+0x12f/0x170 drivers/tty/tty_buffer.c:465
    >        paste_selection+0x346/0x470 drivers/tty/vt/selection.c:389
    >        tioclinux+0x121/0x530 drivers/tty/vt/vt.c:3055
    >        vt_ioctl+0x3f1/0x3a30 drivers/tty/vt/vt_ioctl.c:364

    This is ioctl(TIOCL_PASTESEL). Locks held on the path: sel_lock -> termios_rwsem

    > other info that might help us debug this:
    >
    > Chain exists of:
    >   &tty->termios_rwsem --> console_lock --> sel_lock

    Clearly. From the above, we have:
     console_lock -> sel_lock
     sel_lock -> termios_rwsem
     termios_rwsem -> console_lock

    Fix this by reversing the console_lock -> sel_lock dependency in
    ioctl(TIOCL_SETSEL). First, lock sel_lock, then console_lock.

    Signed-off-by: Jiri Slaby
    Reported-by: syzbot+26183d9746e62da329b8@syzkaller.appspotmail.com
    Fixes: 07e6124a1a46 ("vt: selection, close sel_buffer race")
    Cc: stable
    Link: https://lore.kernel.org/r/20200228115406.5735-2-jslaby@suse.cz
    Signed-off-by: Greg Kroah-Hartman

 drivers/tty/vt/selection.c | 16 +++++++---------
 1 file changed, 7 insertions(+), 9 deletions(-)

culprit signature: fbff9f365b8b158a8ac685542443df502efe0024263adf6d3200c6b65b683315
parent signature: a6ee8fd29e5956e8adac5abbba4c154f708fa946eead434566813eb0906bfdf1
revisions tested: 12, total time: 3h14m3.226552296s (build: 1h49m0.20068504s, test: 1h23m14.024951012s)
first good commit: b4492f1e7456bd162714c0ec2815c2749d930844 vt: selection, push sel_lock up
cc: ["gregkh@linuxfoundation.org" "jslaby@suse.com" "jslaby@suse.cz" "linux-kernel@vger.kernel.org"]