bisecting fixing commit since a844dc4c544291470aa69edbe2434b040794e269
building syzkaller on 1508f45368a309a3b1196a342b3d64ce7be4cc43
testing commit a844dc4c544291470aa69edbe2434b040794e269 with gcc (GCC) 8.1.0
kernel signature: b1f5bf709481e8a1e6fc96a6086d0c608685eba1c940765e8729d3389c180fa0
all runs: crashed: KASAN: use-after-free Write in release_tty
testing current HEAD 4520f06b03ae667e442da1ab9351fd28cd7ac598
testing commit 4520f06b03ae667e442da1ab9351fd28cd7ac598 with gcc (GCC) 8.1.0
kernel signature: 6aecc69ea1aa7efc4d722fc0263e426a968e61dd3edbba476764dc83ee814316
all runs: OK
# git bisect start 4520f06b03ae667e442da1ab9351fd28cd7ac598 a844dc4c544291470aa69edbe2434b040794e269
Bisecting: 1069 revisions left to test after this (roughly 10 steps)
[acab21ffa8c0951f2180f80184c921fa4799c786] mmc: core: fix possible use after free of host
testing commit acab21ffa8c0951f2180f80184c921fa4799c786 with gcc (GCC) 8.1.0
kernel signature: 9d92782a5f4d69e6a1d1f0e1835bb09bd6c86acb3bef75dbc55d1f02f6d7d4d7
all runs: crashed: KASAN: use-after-free Write in release_tty
# git bisect good acab21ffa8c0951f2180f80184c921fa4799c786
Bisecting: 534 revisions left to test after this (roughly 9 steps)
[4aea4f02dc85136a45f943ea2ba2b111d553017a] NFC: port100: Convert cpu_to_le16(le16_to_cpu(E1) + E2) to use le16_add_cpu().
testing commit 4aea4f02dc85136a45f943ea2ba2b111d553017a with gcc (GCC) 8.1.0
kernel signature: 168ddf701c37c2dc0afbd9749d32b43e7a3de38d09d71729226a0b1ea65498f9
all runs: crashed: KASAN: use-after-free Write in release_tty
# git bisect good 4aea4f02dc85136a45f943ea2ba2b111d553017a
Bisecting: 267 revisions left to test after this (roughly 8 steps)
[3e4c735e6ba9a5add132c8bcad8700029fbdb609] dmaengine: tegra-apb: Prevent race conditions of tasklet vs free list
testing commit 3e4c735e6ba9a5add132c8bcad8700029fbdb609 with gcc (GCC) 8.1.0
kernel signature: 1c440b7ae03700bd4922e2e502f3ac9a35f95df4703bef175768325b76a82c39
all runs: crashed: KASAN: use-after-free Write in release_tty
# git bisect good 3e4c735e6ba9a5add132c8bcad8700029fbdb609
Bisecting: 133 revisions left to test after this (roughly 7 steps)
[0481655a2f4ed5fe5744b57c1dbe13f47738b92e] USB: Disable LPM on WD19's Realtek Hub
testing commit 0481655a2f4ed5fe5744b57c1dbe13f47738b92e with gcc (GCC) 8.1.0
kernel signature: a625626e32f33afd6f2d80d90dca29533cdcdf3f9d65a7e25e0d2ee6fb30af8d
all runs: crashed: KASAN: use-after-free Write in release_tty
# git bisect good 0481655a2f4ed5fe5744b57c1dbe13f47738b92e
Bisecting: 66 revisions left to test after this (roughly 6 steps)
[584051f19b982ef1934dce74c31679d6c977c0cc] mac80211: Do not send mesh HWMP PREQ if HWMP is disabled
testing commit 584051f19b982ef1934dce74c31679d6c977c0cc with gcc (GCC) 8.1.0
kernel signature: af0fa1f878a201fa4ce8754fc2897743714431bd9bdadc0fac6c6ec2d9e9fefe
all runs: crashed: KASAN: use-after-free Write in release_tty
# git bisect good 584051f19b982ef1934dce74c31679d6c977c0cc
Bisecting: 33 revisions left to test after this (roughly 5 steps)
[5c30e53bf3f524df0b5313df3986885e71134990] USB: serial: option: add BroadMobi BM806U
testing commit 5c30e53bf3f524df0b5313df3986885e71134990 with gcc (GCC) 8.1.0
kernel signature: d6e94e0900bf7682e6b330af1069efdca3d8b47019141a6a21f917334e423d0b
all runs: crashed: KASAN: use-after-free Write in release_tty
# git bisect good 5c30e53bf3f524df0b5313df3986885e71134990
Bisecting: 16 revisions left to test after this (roughly 4 steps)
[56676fb5e9e61aa216759cf05fb55edd45a67c14] vt: selection, introduce vc_is_sel
testing commit 56676fb5e9e61aa216759cf05fb55edd45a67c14 with gcc (GCC) 8.1.0
kernel signature: ccc7dd28832efba429b1a1005a02e1f113a88a76825a2bf9ff739c9f9bd6cd47
all runs: crashed: KASAN: use-after-free Write in release_tty
# git bisect good 56676fb5e9e61aa216759cf05fb55edd45a67c14
Bisecting: 8 revisions left to test after this (roughly 3 steps)
[7855a721d9db4a2c0a64758ac08e73aa627fcecd] bpf: Explicitly memset some bpf info structures declared on the stack
testing commit 7855a721d9db4a2c0a64758ac08e73aa627fcecd with gcc (GCC) 8.1.0
kernel signature: 98d7058c537d7e689f289347ec100125519760e8d7ff811340e2925bf9792d91
all runs: OK
# git bisect bad 7855a721d9db4a2c0a64758ac08e73aa627fcecd
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[b9eb60a0ef3971101c94f9cddb09708c2f900b35] vt: vt_ioctl: fix VT_DISALLOCATE freeing in-use virtual console
testing commit b9eb60a0ef3971101c94f9cddb09708c2f900b35 with gcc (GCC) 8.1.0
kernel signature: c7766f887e7b091f9dbb2cd45e7d86fcafb19c7b4ac262e711935c69cace23b3
all runs: OK
# git bisect bad b9eb60a0ef3971101c94f9cddb09708c2f900b35
Bisecting: 1 revision left to test after this (roughly 1 step)
[56a5db17b2985e01e0fa425b119bb7586c0ece28] vt: switch vt_dont_switch to bool
testing commit 56a5db17b2985e01e0fa425b119bb7586c0ece28 with gcc (GCC) 8.1.0
kernel signature: e3b8a6cca76f3654ec50220523be09c011aed6369c133578b5874219f4b5f48a
all runs: crashed: KASAN: use-after-free Write in release_tty
# git bisect good 56a5db17b2985e01e0fa425b119bb7586c0ece28
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[ac7136b9f15740d5f17a017a5febdf875239a3ea] vt: vt_ioctl: remove unnecessary console allocation checks
testing commit ac7136b9f15740d5f17a017a5febdf875239a3ea with gcc (GCC) 8.1.0
kernel signature: 3dc8829fba84fe3d2bc3a6df6d335527c493e5aa89320a090cad59101d0348bb
all runs: crashed: KASAN: use-after-free Write in release_tty
# git bisect good ac7136b9f15740d5f17a017a5febdf875239a3ea
b9eb60a0ef3971101c94f9cddb09708c2f900b35 is the first bad commit
commit b9eb60a0ef3971101c94f9cddb09708c2f900b35
Author: Eric Biggers
Date:   Sat Mar 21 20:43:04 2020 -0700

    vt: vt_ioctl: fix VT_DISALLOCATE freeing in-use virtual console

    commit ca4463bf8438b403596edd0ec961ca0d4fbe0220 upstream.

    The VT_DISALLOCATE ioctl can free a virtual console while tty_release()
    is still running, causing a use-after-free in con_shutdown().  This
    occurs because VT_DISALLOCATE considers a virtual console's
    'struct vc_data' to be unused as soon as the corresponding tty's
    refcount hits 0.  But actually it may be still being closed.

    Fix this by making vc_data be reference-counted via the embedded
    'struct tty_port'.  A newly allocated virtual console has refcount 1.
    Opening it for the first time increments the refcount to 2.  Closing it
    for the last time decrements the refcount (in tty_operations::cleanup()
    so that it happens late enough), as does VT_DISALLOCATE.

    Reproducer:

        /* Headers restored from the functions and the ioctl constant the
         * program uses; the extraction had dropped the header names. */
        #include <fcntl.h>
        #include <sys/ioctl.h>
        #include <unistd.h>
        #include <linux/vt.h>

        int main()
        {
            if (fork()) {
                /* Parent: repeatedly open and close /dev/tty5 so that
                 * tty_release() is frequently in flight for it. */
                for (;;)
                    close(open("/dev/tty5", O_RDWR));
            } else {
                /* Child: keep asking to deallocate console 5 via another
                 * VT's fd, racing against the parent's close(). */
                int fd = open("/dev/tty10", O_RDWR);
                for (;;)
                    ioctl(fd, VT_DISALLOCATE, 5);
            }
        }

    KASAN report:

        BUG: KASAN: use-after-free in con_shutdown+0x76/0x80 drivers/tty/vt/vt.c:3278
        Write of size 8 at addr ffff88806a4ec108 by task syz_vt/129

        CPU: 0 PID: 129 Comm: syz_vt Not tainted 5.6.0-rc2 #11
        Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20191223_100556-anatol 04/01/2014
        Call Trace:
         [...]
         con_shutdown+0x76/0x80 drivers/tty/vt/vt.c:3278
         release_tty+0xa8/0x410 drivers/tty/tty_io.c:1514
         tty_release_struct+0x34/0x50 drivers/tty/tty_io.c:1629
         tty_release+0x984/0xed0 drivers/tty/tty_io.c:1789
         [...]

        Allocated by task 129:
         [...]
         kzalloc include/linux/slab.h:669 [inline]
         vc_allocate drivers/tty/vt/vt.c:1085 [inline]
         vc_allocate+0x1ac/0x680 drivers/tty/vt/vt.c:1066
         con_install+0x4d/0x3f0 drivers/tty/vt/vt.c:3229
         tty_driver_install_tty drivers/tty/tty_io.c:1228 [inline]
         tty_init_dev+0x94/0x350 drivers/tty/tty_io.c:1341
         tty_open_by_driver drivers/tty/tty_io.c:1987 [inline]
         tty_open+0x3ca/0xb30 drivers/tty/tty_io.c:2035
         [...]

        Freed by task 130:
         [...]
         kfree+0xbf/0x1e0 mm/slab.c:3757
         vt_disallocate drivers/tty/vt/vt_ioctl.c:300 [inline]
         vt_ioctl+0x16dc/0x1e30 drivers/tty/vt/vt_ioctl.c:818
         tty_ioctl+0x9db/0x11b0 drivers/tty/tty_io.c:2660
         [...]

    Fixes: 4001d7b7fc27 ("vt: push down the tty lock so we can see what is left to tackle")
    Cc: # v3.4+
    Reported-by: syzbot+522643ab5729b0421998@syzkaller.appspotmail.com
    Acked-by: Jiri Slaby
    Signed-off-by: Eric Biggers
    Link: https://lore.kernel.org/r/20200322034305.210082-2-ebiggers@kernel.org
    Signed-off-by: Greg Kroah-Hartman

 drivers/tty/vt/vt.c       | 23 ++++++++++++++++++++++-
 drivers/tty/vt/vt_ioctl.c | 12 ++++--------
 2 files changed, 26 insertions(+), 9 deletions(-)

culprit signature: c7766f887e7b091f9dbb2cd45e7d86fcafb19c7b4ac262e711935c69cace23b3
parent signature: 3dc8829fba84fe3d2bc3a6df6d335527c493e5aa89320a090cad59101d0348bb
revisions tested: 13, total time: 2h53m28.375718086s (build: 1h49m50.742004268s, test: 1h1m56.490808418s)
first good commit: b9eb60a0ef3971101c94f9cddb09708c2f900b35 vt: vt_ioctl: fix VT_DISALLOCATE freeing in-use virtual console
cc: ["ebiggers@google.com" "gregkh@linuxfoundation.org" "jslaby@suse.cz"]