bisecting fixing commit since c1141b3aab36eb0d9b2bcae4aff69e77d0554386
building syzkaller on 8eda0b957e5b39c0c525e74f51d6b39ab8c5b1ac
testing commit c1141b3aab36eb0d9b2bcae4aff69e77d0554386 with gcc (GCC) 8.1.0
kernel signature: cbfaa02ef80a317618138298cd462ed7a36b726854c3aab168ea5833c2b8aee8
all runs: crashed: KASAN: use-after-free Read in snd_timer_resolution
testing current HEAD 98db2bf27b9ed2d5ed0b6c9c8a4bfcb127a19796
testing commit 98db2bf27b9ed2d5ed0b6c9c8a4bfcb127a19796 with gcc (GCC) 8.1.0
kernel signature: 25b482c5f2c2d8f1dd7b8bdd3575b40cf986792d10188b8a81bf75396fe7472d
all runs: OK
# git bisect start 98db2bf27b9ed2d5ed0b6c9c8a4bfcb127a19796 c1141b3aab36eb0d9b2bcae4aff69e77d0554386
Bisecting: 357 revisions left to test after this (roughly 9 steps)
[0d479ec44e1c4257e69b400bf9ba429105d9e7aa] Btrfs: fix hang when loading existing inode cache off disk
testing commit 0d479ec44e1c4257e69b400bf9ba429105d9e7aa with gcc (GCC) 8.1.0
kernel signature: c219c2fdc5cb7d01e4f463f2008af96f6bbc62147a2eb6a5c9ac32f769b057da
all runs: OK
# git bisect bad 0d479ec44e1c4257e69b400bf9ba429105d9e7aa
Bisecting: 178 revisions left to test after this (roughly 8 steps)
[2797d17a7a22aa4480733df4b983bd8cc94aac0a] regulator: pv88090: Fix array out-of-bounds access
testing commit 2797d17a7a22aa4480733df4b983bd8cc94aac0a with gcc (GCC) 8.1.0
kernel signature: 0db042cf49a2f011544b29047b5e857983572dc456ea6c386ae9e0dcb1e0707f
all runs: OK
# git bisect bad 2797d17a7a22aa4480733df4b983bd8cc94aac0a
Bisecting: 89 revisions left to test after this (roughly 7 steps)
[fc27e03fc4769daeeb17947f99001eb94221922c] drm/dp_mst: Skip validating ports during destruction, just ref
testing commit fc27e03fc4769daeeb17947f99001eb94221922c with gcc (GCC) 8.1.0
kernel signature: 1a7f2caf25291cc2089588c991d82e7ba374353b66e300952dd2eb218a38b046
all runs: OK
# git bisect bad fc27e03fc4769daeeb17947f99001eb94221922c
Bisecting: 44 revisions left to test after this (roughly 6 steps)
[56cffa965c195cf64f8c1f40ac8f3f897d59f08c] net: hns: fix soft lockup when there is not enough memory
testing commit 56cffa965c195cf64f8c1f40ac8f3f897d59f08c with gcc (GCC) 8.1.0
kernel signature: 58d42442bbda31718fd73958aed654fe4fa776f1fe31fb3aa32526109aed9584
all runs: OK
# git bisect bad 56cffa965c195cf64f8c1f40ac8f3f897d59f08c
Bisecting: 21 revisions left to test after this (roughly 5 steps)
[bf76318ed06c298d8464923dce81edf6ef349931] x86/resctrl: Fix an imbalance in domain_remove_cpu()
testing commit bf76318ed06c298d8464923dce81edf6ef349931 with gcc (GCC) 8.1.0
kernel signature: af94100badce00e519df12925e11b3571bbc90212787c3a8b5d1c2dbc423143d
all runs: OK
# git bisect bad bf76318ed06c298d8464923dce81edf6ef349931
Bisecting: 10 revisions left to test after this (roughly 4 steps)
[7f61deb9c4d54dff9e005f18f319a2c356041ab6] USB: serial: opticon: fix control-message timeouts
testing commit 7f61deb9c4d54dff9e005f18f319a2c356041ab6 with gcc (GCC) 8.1.0
kernel signature: c9b763e6ca0cc5891e4ddfb76668e3db3733822961924b1799cf33e67756cf3b
all runs: OK
# git bisect bad 7f61deb9c4d54dff9e005f18f319a2c356041ab6
Bisecting: 5 revisions left to test after this (roughly 3 steps)
[8085d56065edc52628efb502e5fc03c7230c8fe2] Fix built-in early-load Intel microcode alignment
testing commit 8085d56065edc52628efb502e5fc03c7230c8fe2 with gcc (GCC) 8.1.0
kernel signature: dedeb2ec1e6bdbeb22c004f2930e1419d130594df81263788f011bb1bde26b2b
all runs: OK
# git bisect bad 8085d56065edc52628efb502e5fc03c7230c8fe2
Bisecting: 2 revisions left to test after this (roughly 1 step)
[692dcea72e4aaf1d25833a1f42663bf83efd344c] clk: Don't try to enable critical clocks if prepare failed
testing commit 692dcea72e4aaf1d25833a1f42663bf83efd344c with gcc (GCC) 8.1.0
kernel signature: 58d8f67fdbd56aeb13c3c46ad6b8a4665f06b27dd417e7796f77318caf20a4c2
all runs: crashed: KASAN: use-after-free Read in snd_timer_resolution
# git bisect good 692dcea72e4aaf1d25833a1f42663bf83efd344c
Bisecting: 0 revisions left to test after this (roughly 1 step)
[43bb0a16b25d5030193935b5c292648fa9abc0fc] ALSA: seq: Fix racy access for queue timer in proc read
testing commit 43bb0a16b25d5030193935b5c292648fa9abc0fc with gcc (GCC) 8.1.0
kernel signature: cb19a3cf8648977bf50b662a0a581ddcf502c0d55a9f7528ad95266cf0514cf4
all runs: OK
# git bisect bad 43bb0a16b25d5030193935b5c292648fa9abc0fc
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[00bbc127415f104ed0f195a994fc3892f2d5383e] ASoC: msm8916-wcd-analog: Fix selected events for MIC BIAS External1
testing commit 00bbc127415f104ed0f195a994fc3892f2d5383e with gcc (GCC) 8.1.0
kernel signature: 065386a7107952d4d957effad85735e44188c902aa04873d8b5b562868669c7c
all runs: crashed: KASAN: use-after-free Read in snd_timer_resolution
# git bisect good 00bbc127415f104ed0f195a994fc3892f2d5383e
43bb0a16b25d5030193935b5c292648fa9abc0fc is the first bad commit
commit 43bb0a16b25d5030193935b5c292648fa9abc0fc
Author: Takashi Iwai
Date: Wed Jan 15 21:37:33 2020 +0100

    ALSA: seq: Fix racy access for queue timer in proc read

    commit 60adcfde92fa40fcb2dbf7cc52f9b096e0cd109a upstream.

    snd_seq_info_timer_read() reads the information of the timer assigned
    for each queue, but it's done in a racy way which may lead to UAF as
    spotted by syzkaller.

    This patch applies the missing q->timer_mutex lock while accessing the
    timer object as well as a slight code change to adapt the standard
    coding style.

    Reported-by: syzbot+2b2ef983f973e5c40943@syzkaller.appspotmail.com
    Cc:
    Link: https://lore.kernel.org/r/20200115203733.26530-1-tiwai@suse.de
    Signed-off-by: Takashi Iwai
    Signed-off-by: Greg Kroah-Hartman

 sound/core/seq/seq_timer.c | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)
culprit signature: cb19a3cf8648977bf50b662a0a581ddcf502c0d55a9f7528ad95266cf0514cf4
parent signature: 065386a7107952d4d957effad85735e44188c902aa04873d8b5b562868669c7c
revisions tested: 12, total time: 3h39m42.255880334s (build: 1h48m17.424614174s, test: 1h50m4.955044265s)
first good commit: 43bb0a16b25d5030193935b5c292648fa9abc0fc ALSA: seq: Fix racy access for queue timer in proc read
cc: ["alsa-devel@alsa-project.org" "gregkh@linuxfoundation.org" "linux-kernel@vger.kernel.org" "perex@perex.cz" "tiwai@suse.com" "tiwai@suse.de"]