bisecting fixing commit since e5a54aa2d312e75fe4bc66c7b84400b02266e946
building syzkaller on b0947553167615d7bb1b67b22d2d080e5a5ab2cd
testing commit e5a54aa2d312e75fe4bc66c7b84400b02266e946 with gcc (GCC) 8.1.0
kernel signature: 445aba4a343debf3f4efe24502188406dae1628b5f3ff2270e70d21fb3ae1135
run #0: crashed: KASAN: invalid-free in snd_seq_port_disconnect
run #1: crashed: KASAN: invalid-free in snd_seq_port_disconnect
run #2: crashed: KASAN: use-after-free Read in delete_and_unsubscribe_port
run #3: crashed: KASAN: use-after-free Read in delete_and_unsubscribe_port
run #4: crashed: KASAN: use-after-free Read in delete_and_unsubscribe_port
run #5: crashed: KASAN: use-after-free Read in delete_and_unsubscribe_port
run #6: crashed: KASAN: use-after-free Read in delete_and_unsubscribe_port
run #7: crashed: KASAN: invalid-free in snd_seq_port_disconnect
run #8: crashed: KASAN: invalid-free in snd_seq_port_disconnect
run #9: crashed: KASAN: use-after-free Read in delete_and_unsubscribe_port
testing current HEAD d7e78d08fa77acdea351c8f628f49ca9a0e1029a
testing commit d7e78d08fa77acdea351c8f628f49ca9a0e1029a with gcc (GCC) 8.1.0
kernel signature: cd21a329f73c500a6b1bc41ced280209d64703e0c4f4a7f04d43e59656afccd9
all runs: OK
# git bisect start d7e78d08fa77acdea351c8f628f49ca9a0e1029a e5a54aa2d312e75fe4bc66c7b84400b02266e946
Bisecting: 174 revisions left to test after this (roughly 8 steps)
[9b0d455389e53f264a601423b6fbc92b11a41a84] drm: panel: simple: Fix bpc for LG LB070WV8 panel
testing commit 9b0d455389e53f264a601423b6fbc92b11a41a84 with gcc (GCC) 8.1.0
kernel signature: a4064bb2fffb3890de6245e3735272dad383af3e33c5aac5e449c5f90da3260f
all runs: OK
# git bisect bad 9b0d455389e53f264a601423b6fbc92b11a41a84
Bisecting: 86 revisions left to test after this (roughly 7 steps)
[dbe4aa36c940dc309133e5d10a5771f3d0bf2d28] leds: wm831x-status: fix use-after-free on unbind
testing commit dbe4aa36c940dc309133e5d10a5771f3d0bf2d28 with gcc (GCC) 8.1.0
kernel signature: 024479899420283399216f185e6d96edd5439797039ef008ab405dfd85b75675
all runs: OK
# git bisect bad dbe4aa36c940dc309133e5d10a5771f3d0bf2d28
Bisecting: 43 revisions left to test after this (roughly 6 steps)
[a4bdf2cd63b5f14e16791e69927a92232523e1a3] mlx4: disable device on shutdown
testing commit a4bdf2cd63b5f14e16791e69927a92232523e1a3 with gcc (GCC) 8.1.0
kernel signature: 4ab3f45a56b6a09448a186ec1f19f8b32dd51a64e50e2c7f6fe0ce226d03e7e7
run #0: crashed: KASAN: invalid-free in snd_seq_port_disconnect
run #1: crashed: KASAN: invalid-free in snd_seq_port_disconnect
run #2: crashed: KASAN: invalid-free in snd_seq_port_disconnect
run #3: crashed: KASAN: invalid-free in snd_seq_port_disconnect
run #4: crashed: KASAN: invalid-free in snd_seq_port_disconnect
run #5: crashed: KASAN: use-after-free Read in delete_and_unsubscribe_port
run #6: crashed: KASAN: use-after-free Read in delete_and_unsubscribe_port
run #7: crashed: KASAN: use-after-free Read in delete_and_unsubscribe_port
run #8: crashed: KASAN: use-after-free Read in delete_and_unsubscribe_port
run #9: crashed: KASAN: invalid-free in snd_seq_port_disconnect
# git bisect good a4bdf2cd63b5f14e16791e69927a92232523e1a3
Bisecting: 21 revisions left to test after this (roughly 5 steps)
[583bcbc024f6bf8daa266f4f71b99e9d6e78c40b] random32: update the net random state on interrupt and activity
testing commit 583bcbc024f6bf8daa266f4f71b99e9d6e78c40b with gcc (GCC) 8.1.0
kernel signature: a05c39dd2ac9272cc9259c8a6f5ae5afabc220ae0f72e1e7325964e24edaf4b5
run #0: crashed: KASAN: use-after-free Read in delete_and_unsubscribe_port
run #1: crashed: KASAN: use-after-free Read in delete_and_unsubscribe_port
run #2: crashed: KASAN: use-after-free Read in delete_and_unsubscribe_port
run #3: crashed: KASAN: use-after-free Read in delete_and_unsubscribe_port
run #4: crashed: KASAN: invalid-free in snd_seq_port_disconnect
run #5: crashed: KASAN: invalid-free in snd_seq_port_disconnect
run #6: crashed: KASAN: invalid-free in snd_seq_port_disconnect
run #7: crashed: KASAN: use-after-free Read in delete_and_unsubscribe_port
run #8: crashed: KASAN: use-after-free Read in delete_and_unsubscribe_port
run #9: crashed: KASAN: invalid-free in snd_seq_port_disconnect
# git bisect good 583bcbc024f6bf8daa266f4f71b99e9d6e78c40b
Bisecting: 10 revisions left to test after this (roughly 4 steps)
[5eed80ea8f60cc3935f46ec848fa1677b5e1a31a] usb: xhci: define IDs for various ASMedia host controllers
testing commit 5eed80ea8f60cc3935f46ec848fa1677b5e1a31a with gcc (GCC) 8.1.0
kernel signature: 9c7ace7530c183ef538f1b2bcfd88b060b9f3926d8c0c53e18438405d38c6a23
run #0: crashed: KASAN: invalid-free in snd_seq_port_disconnect
run #1: crashed: KASAN: use-after-free Read in delete_and_unsubscribe_port
run #2: crashed: KASAN: invalid-free in snd_seq_port_disconnect
run #3: crashed: KASAN: invalid-free in snd_seq_port_disconnect
run #4: crashed: KASAN: invalid-free in snd_seq_port_disconnect
run #5: crashed: KASAN: use-after-free Read in delete_and_unsubscribe_port
run #6: crashed: KASAN: use-after-free Read in delete_and_unsubscribe_port
run #7: crashed: KASAN: invalid-free in snd_seq_port_disconnect
run #8: crashed: KASAN: invalid-free in snd_seq_port_disconnect
run #9: crashed: KASAN: invalid-free in snd_seq_port_disconnect
# git bisect good 5eed80ea8f60cc3935f46ec848fa1677b5e1a31a
Bisecting: 5 revisions left to test after this (roughly 3 steps)
[8b0861f956f65f063662f9553a4dcad574a95b37] Bluetooth: Prevent out-of-bounds read in hci_inquiry_result_evt()
testing commit 8b0861f956f65f063662f9553a4dcad574a95b37 with gcc (GCC) 8.1.0
kernel signature: 1ff5f9a521be3b59d34ea84c8c9fc8e954cd9e95e1f5facacc75d8ac5ba528d6
all runs: OK
# git bisect bad 8b0861f956f65f063662f9553a4dcad574a95b37
Bisecting: 2 revisions left to test after this (roughly 1 step)
[ccafbed8b2f6a9d9298534b39e76da9cb40ff717] ALSA: seq: oss: Serialize ioctls
testing commit ccafbed8b2f6a9d9298534b39e76da9cb40ff717 with gcc (GCC) 8.1.0
kernel signature: 504942ddbad37f3f68e89bd3b97d3663baec32d6b27595a8718e0be94d2e2e32
all runs: OK
# git bisect bad ccafbed8b2f6a9d9298534b39e76da9cb40ff717
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[c5021d4fa888ad248b4168947eb1e569de75fdb1] usb: xhci: Fix ASMedia ASM1142 DMA addressing
testing commit c5021d4fa888ad248b4168947eb1e569de75fdb1 with gcc (GCC) 8.1.0
kernel signature: a231e5324e73dcf38656051c2372e46f47514d44537232c7a5251bcfe19af3ba
run #0: crashed: KASAN: use-after-free Read in delete_and_unsubscribe_port
run #1: crashed: KASAN: use-after-free Read in delete_and_unsubscribe_port
run #2: crashed: KASAN: invalid-free in snd_seq_port_disconnect
run #3: crashed: KASAN: invalid-free in snd_seq_port_disconnect
run #4: crashed: KASAN: use-after-free Read in delete_and_unsubscribe_port
run #5: crashed: KASAN: use-after-free Read in delete_and_unsubscribe_port
run #6: crashed: KASAN: use-after-free Read in delete_and_unsubscribe_port
run #7: crashed: KASAN: use-after-free Read in delete_and_unsubscribe_port
run #8: crashed: KASAN: use-after-free Read in delete_and_unsubscribe_port
run #9: crashed: KASAN: use-after-free Read in delete_and_unsubscribe_port
# git bisect good c5021d4fa888ad248b4168947eb1e569de75fdb1
ccafbed8b2f6a9d9298534b39e76da9cb40ff717 is the first bad commit
commit ccafbed8b2f6a9d9298534b39e76da9cb40ff717
Author: Takashi Iwai
Date: Tue Aug 4 20:58:15 2020 +0200

    ALSA: seq: oss: Serialize ioctls

    commit 80982c7e834e5d4e325b6ce33757012ecafdf0bb upstream.

    Some ioctls via OSS sequencer API may race and lead to UAF when the
    port create and delete are performed concurrently, as spotted by a
    couple of syzkaller cases. This patch is an attempt to address it by
    serializing the ioctls with the existing register_mutex.

    Basically OSS sequencer API is an obsoleted interface and was designed
    without much consideration of the concurrency. There are very few
    applications with it, and the concurrent performance isn't asked,
    hence this "big hammer" approach should be good enough.

    Reported-by: syzbot+1a54a94bd32716796edd@syzkaller.appspotmail.com
    Reported-by: syzbot+9d2abfef257f3e2d4713@syzkaller.appspotmail.com
    Suggested-by: Hillf Danton
    Cc:
    Link: https://lore.kernel.org/r/20200804185815.2453-1-tiwai@suse.de
    Signed-off-by: Takashi Iwai
    Signed-off-by: Greg Kroah-Hartman

 sound/core/seq/oss/seq_oss.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
culprit signature: 504942ddbad37f3f68e89bd3b97d3663baec32d6b27595a8718e0be94d2e2e32
parent signature: a231e5324e73dcf38656051c2372e46f47514d44537232c7a5251bcfe19af3ba
revisions tested: 10, total time: 2h44m5.317678352s (build: 1h37m36.550281734s, test: 1h4m36.485577571s)
first good commit: ccafbed8b2f6a9d9298534b39e76da9cb40ff717 ALSA: seq: oss: Serialize ioctls
recipients (to): ["alsa-devel@alsa-project.org" "gregkh@linuxfoundation.org" "perex@perex.cz" "tiwai@suse.com" "tiwai@suse.de"]
recipients (cc): ["gregkh@linuxfoundation.org" "linux-kernel@vger.kernel.org"]