bisecting fixing commit since 54b4fa6d39551639cb10664f6ac78b01993a1d7e
building syzkaller on f1ebdfba7dc69d1934e89c2613ab7b4ec300016b
testing commit 54b4fa6d39551639cb10664f6ac78b01993a1d7e with gcc (GCC) 8.1.0
kernel signature: fb0a8333bae90b183cb401b08cebc93a9614e0af54524004b8577afed84549a4
run #0: crashed: KASAN: use-after-free Write in release_tty
run #1: crashed: KASAN: use-after-free Write in release_tty
run #2: crashed: KASAN: use-after-free Write in release_tty
run #3: crashed: KASAN: use-after-free Read in get_work_pool
run #4: crashed: KASAN: use-after-free Write in release_tty
run #5: crashed: KASAN: use-after-free Write in release_tty
run #6: crashed: KASAN: use-after-free Write in release_tty
run #7: crashed: KASAN: use-after-free Write in release_tty
run #8: crashed: KASAN: use-after-free Write in release_tty
run #9: crashed: KASAN: use-after-free Write in release_tty
testing current HEAD 7edd66cf61670d2d0c31f89cb3a247016e489a8a
testing commit 7edd66cf61670d2d0c31f89cb3a247016e489a8a with gcc (GCC) 8.1.0
kernel signature: 82acad854b045c249c9520e7ea327fe9040e4578c6a6343bf35277db74de1feb
all runs: OK
# git bisect start 7edd66cf61670d2d0c31f89cb3a247016e489a8a 54b4fa6d39551639cb10664f6ac78b01993a1d7e
Bisecting: 213 revisions left to test after this (roughly 8 steps)
[dce1622d540119b9643c19ccb8b3953c37107582] IB/mlx5: Replace tunnel mpls capability bits for tunnel_offloads
testing commit dce1622d540119b9643c19ccb8b3953c37107582 with gcc (GCC) 8.1.0
kernel signature: a35cd688a112e7a73fc4ce2e951bcf09458df17e6070d153485063b273ab8c8d
all runs: OK
# git bisect bad dce1622d540119b9643c19ccb8b3953c37107582
Bisecting: 106 revisions left to test after this (roughly 7 steps)
[638d8c748e9d8f14a1574202fd754f90dbce28c1] bpf: Explicitly memset some bpf info structures declared on the stack
testing commit 638d8c748e9d8f14a1574202fd754f90dbce28c1 with gcc (GCC) 8.1.0
kernel signature: ac4ef1c1615f7410b50f648ad00b86572adcedb4b7b33f1f297b2fa1d5be7406
all runs: OK
# git bisect bad 638d8c748e9d8f14a1574202fd754f90dbce28c1
Bisecting: 52 revisions left to test after this (roughly 6 steps)
[8da3ffaafeb6a16ae8abb02b0fdaff772bc686a1] ARM: dts: omap5: Add bus_dma_limit for L3 bus
testing commit 8da3ffaafeb6a16ae8abb02b0fdaff772bc686a1 with gcc (GCC) 8.1.0
kernel signature: 2caacf13264e160729ef86cf97711ad812ae34d4e9a8ddd0326614ec93e34803
all runs: crashed: KASAN: use-after-free Write in release_tty
# git bisect good 8da3ffaafeb6a16ae8abb02b0fdaff772bc686a1
Bisecting: 26 revisions left to test after this (roughly 5 steps)
[583965eaec37fce852cff7184c01312a5e0a0eb4] USB: serial: option: add support for ASKEY WWHC050
testing commit 583965eaec37fce852cff7184c01312a5e0a0eb4 with gcc (GCC) 8.1.0
kernel signature: 10e306acf055eadd6e040ec9ccf8ca838dc8a01504d5ccaa2917cdab717b26ab
all runs: crashed: KASAN: use-after-free Write in release_tty
# git bisect good 583965eaec37fce852cff7184c01312a5e0a0eb4
Bisecting: 13 revisions left to test after this (roughly 4 steps)
[747a7431661ab3c22ad1e721558bdf9e3d53d4a6] media: ov519: add missing endpoint sanity checks
testing commit 747a7431661ab3c22ad1e721558bdf9e3d53d4a6 with gcc (GCC) 8.1.0
kernel signature: 01d599acbb1e6e1ef81bfa6b38c417d2f46c70f685e01dd7dbf1c172752b8c99
all runs: crashed: KASAN: use-after-free Write in release_tty
# git bisect good 747a7431661ab3c22ad1e721558bdf9e3d53d4a6
Bisecting: 6 revisions left to test after this (roughly 3 steps)
[7de934f4099b037b04c08761b77588ea9a805cdf] vt: ioctl, switch VT_IS_IN_USE and VT_BUSY to inlines
testing commit 7de934f4099b037b04c08761b77588ea9a805cdf with gcc (GCC) 8.1.0
kernel signature: e7a291e564fc2d8d808ad584a29e72bac8171f2303dca9891c12c52876703a35
all runs: crashed: KASAN: use-after-free Write in release_tty
# git bisect good 7de934f4099b037b04c08761b77588ea9a805cdf
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[54584f79579b9f6ed49b93cadcd2361223ecce28] vt: vt_ioctl: fix VT_DISALLOCATE freeing in-use virtual console
testing commit 54584f79579b9f6ed49b93cadcd2361223ecce28 with gcc (GCC) 8.1.0
kernel signature: bb4e6017b8e817cee350cb631182d81713dfdf31ba352eab53a1f95d6324de62
all runs: OK
# git bisect bad 54584f79579b9f6ed49b93cadcd2361223ecce28
Bisecting: 0 revisions left to test after this (roughly 1 step)
[9fbd55e4f951cdd9491ee7d07220f8ee58d77f33] vt: vt_ioctl: remove unnecessary console allocation checks
testing commit 9fbd55e4f951cdd9491ee7d07220f8ee58d77f33 with gcc (GCC) 8.1.0
kernel signature: 97834fbda096a23e3c879cf8734f6dd6c30fa3e350ff6357bb37f65880699f71
all runs: crashed: KASAN: use-after-free Write in release_tty
# git bisect good 9fbd55e4f951cdd9491ee7d07220f8ee58d77f33
54584f79579b9f6ed49b93cadcd2361223ecce28 is the first bad commit

commit 54584f79579b9f6ed49b93cadcd2361223ecce28
Author: Eric Biggers
Date:   Sat Mar 21 20:43:04 2020 -0700

    vt: vt_ioctl: fix VT_DISALLOCATE freeing in-use virtual console

    commit ca4463bf8438b403596edd0ec961ca0d4fbe0220 upstream.

    The VT_DISALLOCATE ioctl can free a virtual console while tty_release()
    is still running, causing a use-after-free in con_shutdown().  This
    occurs because VT_DISALLOCATE considers a virtual console's
    'struct vc_data' to be unused as soon as the corresponding tty's
    refcount hits 0.  But actually it may be still being closed.

    Fix this by making vc_data be reference-counted via the embedded
    'struct tty_port'.  A newly allocated virtual console has refcount 1.
    Opening it for the first time increments the refcount to 2.  Closing it
    for the last time decrements the refcount (in tty_operations::cleanup()
    so that it happens late enough), as does VT_DISALLOCATE.
    Reproducer:

        #include <fcntl.h>
        #include <linux/vt.h>
        #include <sys/ioctl.h>
        #include <unistd.h>

        int main()
        {
            if (fork()) {
                /* Parent: open and close /dev/tty5 in a tight loop so that
                 * tty_release() for the console is repeatedly in flight. */
                for (;;)
                    close(open("/dev/tty5", O_RDWR));
            } else {
                /* Child: race the parent's close with VT_DISALLOCATE of
                 * console 5, issued via a different console's tty. */
                int fd = open("/dev/tty10", O_RDWR);
                for (;;)
                    ioctl(fd, VT_DISALLOCATE, 5);
            }
        }

    KASAN report:

        BUG: KASAN: use-after-free in con_shutdown+0x76/0x80 drivers/tty/vt/vt.c:3278
        Write of size 8 at addr ffff88806a4ec108 by task syz_vt/129

        CPU: 0 PID: 129 Comm: syz_vt Not tainted 5.6.0-rc2 #11
        Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20191223_100556-anatol 04/01/2014
        Call Trace:
         [...]
         con_shutdown+0x76/0x80 drivers/tty/vt/vt.c:3278
         release_tty+0xa8/0x410 drivers/tty/tty_io.c:1514
         tty_release_struct+0x34/0x50 drivers/tty/tty_io.c:1629
         tty_release+0x984/0xed0 drivers/tty/tty_io.c:1789
         [...]

        Allocated by task 129:
         [...]
         kzalloc include/linux/slab.h:669 [inline]
         vc_allocate drivers/tty/vt/vt.c:1085 [inline]
         vc_allocate+0x1ac/0x680 drivers/tty/vt/vt.c:1066
         con_install+0x4d/0x3f0 drivers/tty/vt/vt.c:3229
         tty_driver_install_tty drivers/tty/tty_io.c:1228 [inline]
         tty_init_dev+0x94/0x350 drivers/tty/tty_io.c:1341
         tty_open_by_driver drivers/tty/tty_io.c:1987 [inline]
         tty_open+0x3ca/0xb30 drivers/tty/tty_io.c:2035
         [...]

        Freed by task 130:
         [...]
         kfree+0xbf/0x1e0 mm/slab.c:3757
         vt_disallocate drivers/tty/vt/vt_ioctl.c:300 [inline]
         vt_ioctl+0x16dc/0x1e30 drivers/tty/vt/vt_ioctl.c:818
         tty_ioctl+0x9db/0x11b0 drivers/tty/tty_io.c:2660
         [...]
    Fixes: 4001d7b7fc27 ("vt: push down the tty lock so we can see what is left to tackle")
    Cc: # v3.4+
    Reported-by: syzbot+522643ab5729b0421998@syzkaller.appspotmail.com
    Acked-by: Jiri Slaby
    Signed-off-by: Eric Biggers
    Link: https://lore.kernel.org/r/20200322034305.210082-2-ebiggers@kernel.org
    Signed-off-by: Greg Kroah-Hartman

 drivers/tty/vt/vt.c       | 23 ++++++++++++++++++++++-
 drivers/tty/vt/vt_ioctl.c | 12 ++++--------
 2 files changed, 26 insertions(+), 9 deletions(-)

culprit signature: bb4e6017b8e817cee350cb631182d81713dfdf31ba352eab53a1f95d6324de62
parent signature: 97834fbda096a23e3c879cf8734f6dd6c30fa3e350ff6357bb37f65880699f71
revisions tested: 10, total time: 2h36m48.652897004s (build: 1h32m16.344625983s, test: 1h3m14.333762549s)
first good commit: 54584f79579b9f6ed49b93cadcd2361223ecce28 vt: vt_ioctl: fix VT_DISALLOCATE freeing in-use virtual console
cc: ["ebiggers@google.com" "gregkh@linuxfoundation.org" "jslaby@suse.cz"]