bisecting fixing commit since ae4b064e2a616b545acf02b8f50cc513b32c7522
building syzkaller on 08003f6440deafc4e193b159c4acece64f7864b1
testing commit ae4b064e2a616b545acf02b8f50cc513b32c7522 with gcc (GCC) 8.1.0
kernel signature: cadbbc47cac91b0e0a241bd3e2a35fd373501bd91898bfb4d298d75b14ea9e87
run #0: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common
run #1: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common
run #2: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common
run #3: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common
run #4: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common
run #5: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common
run #6: crashed: INFO: task hung in paste_selection
run #7: crashed: INFO: task hung in paste_selection
run #8: crashed: INFO: task hung in paste_selection
run #9: crashed: INFO: task hung in paste_selection
testing current HEAD fb33c6510d5595144d585aa194d377cf74d31911
testing commit fb33c6510d5595144d585aa194d377cf74d31911 with gcc (GCC) 8.1.0
kernel signature: fa073b2f98eb5bdc96070bdd5bb180a258685b0efcd90e2ad10fd8a145b2de20
all runs: OK
# git bisect start fb33c6510d5595144d585aa194d377cf74d31911 ae4b064e2a616b545acf02b8f50cc513b32c7522
Bisecting: 7654 revisions left to test after this (roughly 13 steps)
[4cadc60d6bcfee9c626d4b55e9dc1475d21ad3bb] Merge tag 'for-v5.6' of git://git.kernel.org/pub/scm/linux/kernel/git/sre/linux-power-supply
testing commit 4cadc60d6bcfee9c626d4b55e9dc1475d21ad3bb with gcc (GCC) 8.1.0
kernel signature: 7494ade272399d69e24bdbce891becba74d86724b33a2d67111dd43fa32c1500
run #0: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common
run #1: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common
run #2: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common
run #3: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common
run #4: crashed: INFO: task hung in paste_selection
run #5: crashed: INFO: task hung in paste_selection
run #6: crashed: INFO: task hung in paste_selection
run #7: crashed: INFO: task hung in paste_selection
run #8: crashed: INFO: task hung in paste_selection
run #9: crashed: INFO: task hung in paste_selection
# git bisect good 4cadc60d6bcfee9c626d4b55e9dc1475d21ad3bb
Bisecting: 3817 revisions left to test after this (roughly 12 steps)
[33b40134e5cfbbccad7f3040d1919889537a3df7] Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
testing commit 33b40134e5cfbbccad7f3040d1919889537a3df7 with gcc (GCC) 8.1.0
kernel signature: 6f2cfccc1652bc834b4c353a45c9066e1196c0c7db310aa8803ec36776cd163a
run #0: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common
run #1: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common
run #2: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common
run #3: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common
run #4: crashed: INFO: task hung in paste_selection
run #5: crashed: INFO: task hung in paste_selection
run #6: crashed: INFO: task hung in paste_selection
run #7: crashed: INFO: task hung in paste_selection
run #8: crashed: INFO: task hung in paste_selection
run #9: crashed: INFO: task hung in paste_selection
# git bisect good 33b40134e5cfbbccad7f3040d1919889537a3df7
Bisecting: 1917 revisions left to test after this (roughly 11 steps)
[d4f309ca411887cd61ea389c7abfb70c2eb1e532] Merge tag 'powerpc-5.6-2' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux
testing commit d4f309ca411887cd61ea389c7abfb70c2eb1e532 with gcc (GCC) 8.1.0
kernel signature: c34b8a551177d14b2be8f5487018ebede3a0f8d2a5b0bce420a920cb92c05601
run #0: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common
run #1: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common
run #2: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common
run #3: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common
run #4: crashed: KASAN: use-after-free Read in n_tty_receive_buf_common
run #5: crashed: INFO: task hung in paste_selection
run #6: crashed: INFO: task hung in paste_selection
run #7: crashed: INFO: task hung in paste_selection
run #8: crashed: INFO: task hung in paste_selection
run #9: crashed: INFO: task hung in paste_selection
# git bisect good d4f309ca411887cd61ea389c7abfb70c2eb1e532
Bisecting: 963 revisions left to test after this (roughly 10 steps)
[dca132a60f226f4cbaa98807518a5ca6cff112ce] Merge tag 'ras-urgent-2020-02-22' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
testing commit dca132a60f226f4cbaa98807518a5ca6cff112ce with gcc (GCC) 8.1.0
kernel signature: fe18a6c3c22df8163ac5efa8235acff474a6f9d0e72d48f6a89aaede79c53f9c
all runs: crashed: possible deadlock in n_tty_receive_buf_common
# git bisect good dca132a60f226f4cbaa98807518a5ca6cff112ce
Bisecting: 482 revisions left to test after this (roughly 9 steps)
[63849c8f410717eb2e6662f3953ff674727303e7] Merge tag 'linux-kselftest-5.6-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest
testing commit 63849c8f410717eb2e6662f3953ff674727303e7 with gcc (GCC) 8.1.0
kernel signature: 0afa133f7265b643bc1fb71afdb784860e9e1d5d4248135282b863158cbec7e1
all runs: crashed: possible deadlock in n_tty_receive_buf_common
# git bisect good 63849c8f410717eb2e6662f3953ff674727303e7
Bisecting: 261 revisions left to test after this (roughly 8 steps)
[807f030b44ccbb26a346df6f6438628315d9ad98] Merge branch 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
testing commit 807f030b44ccbb26a346df6f6438628315d9ad98 with gcc (GCC) 8.1.0
kernel signature: eda5407d998ae3fb4243a5ce107b91210407003a8b2cdf26c9bff9b510c398a0
all runs: OK
# git bisect bad 807f030b44ccbb26a346df6f6438628315d9ad98
Bisecting: 108 revisions left to test after this (roughly 7 steps)
[378fee2e6b12f31ab3749e0aa4ed0a63be23e822] Merge tag 'char-misc-5.6-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc
testing commit 378fee2e6b12f31ab3749e0aa4ed0a63be23e822 with gcc (GCC) 8.1.0
kernel signature: 481fabf770cbaf37ecfd36c2ea919a6252c9b90f4b885dc70e39ac96777e6499
all runs: OK
# git bisect bad 378fee2e6b12f31ab3749e0aa4ed0a63be23e822
Bisecting: 54 revisions left to test after this (roughly 6 steps)
[5dfcc13902bfb6d252b84e234bfc4cdba76c1069] Merge tag 'block-5.6-2020-03-07' of git://git.kernel.dk/linux-block
testing commit 5dfcc13902bfb6d252b84e234bfc4cdba76c1069 with gcc (GCC) 8.1.0
kernel signature: ade38eefc85fc95ccdffd8511769ebcab02e393c071711024b3be9256f540916
all runs: crashed: possible deadlock in n_tty_receive_buf_common
# git bisect good 5dfcc13902bfb6d252b84e234bfc4cdba76c1069
Bisecting: 18 revisions left to test after this (roughly 5 steps)
[fd3f6cc9806c2f10b886f3ad78c9e192fb1bffd9] Merge tag 'usb-5.6-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb
testing commit fd3f6cc9806c2f10b886f3ad78c9e192fb1bffd9 with gcc (GCC) 8.1.0
kernel signature: 9a5abd6a8f646ec4a47de568fcec04c08874438163e23d5e54cd7d134eae25ec
run #0: crashed: possible deadlock in n_tty_receive_buf_common
run #1: crashed: possible deadlock in n_tty_receive_buf_common
run #2: crashed: possible deadlock in n_tty_receive_buf_common
run #3: crashed: WARNING: possible circular locking dependency detected
run #4: crashed: possible deadlock in n_tty_receive_buf_common
run #5: crashed: possible deadlock in n_tty_receive_buf_common
run #6: crashed: possible deadlock in n_tty_receive_buf_common
run #7: crashed: possible deadlock in n_tty_receive_buf_common
run #8: crashed: possible deadlock in n_tty_receive_buf_common
run #9: crashed: possible deadlock in n_tty_receive_buf_common
# git bisect good fd3f6cc9806c2f10b886f3ad78c9e192fb1bffd9
Bisecting: 9 revisions left to test after this (roughly 3 steps)
[cc432aee7d5a5cd6c8ae4dd9f5bae56428d1fca2] Merge tag 'tty-5.6-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty
testing commit cc432aee7d5a5cd6c8ae4dd9f5bae56428d1fca2 with gcc (GCC) 8.1.0
kernel signature: 90d3cf3aa8098af5f63cd612a41b40d24d72fdae4f0bd61b904571c8256a95be
all runs: OK
# git bisect bad cc432aee7d5a5cd6c8ae4dd9f5bae56428d1fca2
Bisecting: 4 revisions left to test after this (roughly 2 steps)
[10c5ccc3c6d32f3d7d6c07de1d3f0f4b52f3e3ab] serial: 8250_exar: add support for ACCES cards
testing commit 10c5ccc3c6d32f3d7d6c07de1d3f0f4b52f3e3ab with gcc (GCC) 8.1.0
kernel signature: 446014b2fd4d6c349cb89b3f8a9e103d6d45c8eb0e19aa024d6edcc9c7f92e18
all runs: OK
# git bisect bad 10c5ccc3c6d32f3d7d6c07de1d3f0f4b52f3e3ab
Bisecting: 1 revision left to test after this (roughly 1 step)
[e8c75a30a23c6ba63f4ef6895cbf41fd42f21aa2] vt: selection, push sel_lock up
testing commit e8c75a30a23c6ba63f4ef6895cbf41fd42f21aa2 with gcc (GCC) 8.1.0
kernel signature: 0d352cfc9572688e190d9c8fa69ad7a6cd144353d497fa1e8471b19c6011711a
all runs: OK
# git bisect bad e8c75a30a23c6ba63f4ef6895cbf41fd42f21aa2
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[4b70dd57a15d2f4685ac6e38056bad93e81e982f] vt: selection, push console lock down
testing commit 4b70dd57a15d2f4685ac6e38056bad93e81e982f with gcc (GCC) 8.1.0
kernel signature: c69fb7bf8cf75710f93db1c5cb60d6a9f2b5c233b70d9422b86ec2da98a73567
all runs: crashed: possible deadlock in n_tty_receive_buf_common
# git bisect good 4b70dd57a15d2f4685ac6e38056bad93e81e982f
e8c75a30a23c6ba63f4ef6895cbf41fd42f21aa2 is the first bad commit
commit e8c75a30a23c6ba63f4ef6895cbf41fd42f21aa2
Author: Jiri Slaby
Date:   Fri Feb 28 12:54:06 2020 +0100

    vt: selection, push sel_lock up

    sel_lock cannot nest in the console lock. Thanks to syzkaller, the
    kernel states firmly:

    > WARNING: possible circular locking dependency detected
    > 5.6.0-rc3-syzkaller #0 Not tainted
    > ------------------------------------------------------
    > syz-executor.4/20336 is trying to acquire lock:
    > ffff8880a2e952a0 (&tty->termios_rwsem){++++}, at: tty_unthrottle+0x22/0x100 drivers/tty/tty_ioctl.c:136
    >
    > but task is already holding lock:
    > ffffffff89462e70 (sel_lock){+.+.}, at: paste_selection+0x118/0x470 drivers/tty/vt/selection.c:374
    >
    > which lock already depends on the new lock.
    >
    > the existing dependency chain (in reverse order) is:
    >
    > -> #2 (sel_lock){+.+.}:
    >        mutex_lock_nested+0x1b/0x30 kernel/locking/mutex.c:1118
    >        set_selection_kernel+0x3b8/0x18a0 drivers/tty/vt/selection.c:217
    >        set_selection_user+0x63/0x80 drivers/tty/vt/selection.c:181
    >        tioclinux+0x103/0x530 drivers/tty/vt/vt.c:3050
    >        vt_ioctl+0x3f1/0x3a30 drivers/tty/vt/vt_ioctl.c:364

    This is ioctl(TIOCL_SETSEL).
    Locks held on the path: console_lock -> sel_lock

    > -> #1 (console_lock){+.+.}:
    >        console_lock+0x46/0x70 kernel/printk/printk.c:2289
    >        con_flush_chars+0x50/0x650 drivers/tty/vt/vt.c:3223
    >        n_tty_write+0xeae/0x1200 drivers/tty/n_tty.c:2350
    >        do_tty_write drivers/tty/tty_io.c:962 [inline]
    >        tty_write+0x5a1/0x950 drivers/tty/tty_io.c:1046

    This is write().
    Locks held on the path: termios_rwsem -> console_lock

    > -> #0 (&tty->termios_rwsem){++++}:
    >        down_write+0x57/0x140 kernel/locking/rwsem.c:1534
    >        tty_unthrottle+0x22/0x100 drivers/tty/tty_ioctl.c:136
    >        mkiss_receive_buf+0x12aa/0x1340 drivers/net/hamradio/mkiss.c:902
    >        tty_ldisc_receive_buf+0x12f/0x170 drivers/tty/tty_buffer.c:465
    >        paste_selection+0x346/0x470 drivers/tty/vt/selection.c:389
    >        tioclinux+0x121/0x530 drivers/tty/vt/vt.c:3055
    >        vt_ioctl+0x3f1/0x3a30 drivers/tty/vt/vt_ioctl.c:364

    This is ioctl(TIOCL_PASTESEL).
    Locks held on the path: sel_lock -> termios_rwsem

    > other info that might help us debug this:
    >
    > Chain exists of:
    >   &tty->termios_rwsem --> console_lock --> sel_lock

    Clearly. From the above, we have:
     console_lock -> sel_lock
     sel_lock -> termios_rwsem
     termios_rwsem -> console_lock

    Fix this by reversing the console_lock -> sel_lock dependency in
    ioctl(TIOCL_SETSEL). First, lock sel_lock, then console_lock.

    Signed-off-by: Jiri Slaby
    Reported-by: syzbot+26183d9746e62da329b8@syzkaller.appspotmail.com
    Fixes: 07e6124a1a46 ("vt: selection, close sel_buffer race")
    Cc: stable
    Link: https://lore.kernel.org/r/20200228115406.5735-2-jslaby@suse.cz
    Signed-off-by: Greg Kroah-Hartman

 drivers/tty/vt/selection.c | 16 +++++++---------
 1 file changed, 7 insertions(+), 9 deletions(-)
culprit signature: 0d352cfc9572688e190d9c8fa69ad7a6cd144353d497fa1e8471b19c6011711a
parent signature: c69fb7bf8cf75710f93db1c5cb60d6a9f2b5c233b70d9422b86ec2da98a73567
revisions tested: 15, total time: 3h40m55.66862594s (build: 1h37m52.495514645s, test: 2h1m57.950043367s)
first good commit: e8c75a30a23c6ba63f4ef6895cbf41fd42f21aa2 vt: selection, push sel_lock up
cc: ["gregkh@linuxfoundation.org" "jslaby@suse.com" "jslaby@suse.cz" "linux-kernel@vger.kernel.org" "okash.khawaja@gmail.com" "samuel.thibault@ens-lyon.org"]