bisecting fixing commit since fbc5fe7a54d02e11972e3b2a5ddb6ffc88162c8f
building syzkaller on 0ecb9746a701be4544b845514a31a21cce92cc79
testing commit fbc5fe7a54d02e11972e3b2a5ddb6ffc88162c8f with gcc (GCC) 8.1.0
kernel signature: d3c3a52c8a02199b6253521253b7f8bbee292060
all runs: crashed: KASAN: slab-out-of-bounds Read in linear_transfer
testing current HEAD b0cdffaa546e24acf92ab3b0d4e917a51aff6a82
testing commit b0cdffaa546e24acf92ab3b0d4e917a51aff6a82 with gcc (GCC) 8.1.0
kernel signature: ce353828af0233ed51b34cf4867eac6208b6be3d
all runs: OK
# git bisect start b0cdffaa546e24acf92ab3b0d4e917a51aff6a82 fbc5fe7a54d02e11972e3b2a5ddb6ffc88162c8f
Bisecting: 424 revisions left to test after this (roughly 9 steps)
[735ef8110f629226d61f393e8254bef46e69d6c2] intel_th: pci: Add Ice Lake CPU support
testing commit 735ef8110f629226d61f393e8254bef46e69d6c2 with gcc (GCC) 8.1.0
kernel signature: e7a864c80f2b815ba54612b828a1cfe7c6fb531f
all runs: OK
# git bisect bad 735ef8110f629226d61f393e8254bef46e69d6c2
Bisecting: 211 revisions left to test after this (roughly 8 steps)
[0d8b2921af273b9545e16ad21375fabcb647c56e] rsi: release skb if rsi_prepare_beacon fails
testing commit 0d8b2921af273b9545e16ad21375fabcb647c56e with gcc (GCC) 8.1.0
kernel signature: 1d022aa1ff859dd0ae4f48ceb20d1072021081d8
all runs: crashed: KASAN: slab-out-of-bounds Read in linear_transfer
# git bisect good 0d8b2921af273b9545e16ad21375fabcb647c56e
Bisecting: 105 revisions left to test after this (roughly 7 steps)
[b7b8d8e667d0e5b4074bdb68e0faed2218b764de] nfsd: Return EPERM, not EACCES, in some SETATTR cases
testing commit b7b8d8e667d0e5b4074bdb68e0faed2218b764de with gcc (GCC) 8.1.0
kernel signature: 4e7ea164b280109950337a1a7742f5c89170aca7
all runs: crashed: KASAN: slab-out-of-bounds Read in linear_transfer
# git bisect good b7b8d8e667d0e5b4074bdb68e0faed2218b764de
Bisecting: 52 revisions left to test after this (roughly 6 steps)
[6c8957279aabecdcfaad925a465f02a9b469603d] media: venus: remove invalid compat_ioctl32 handler
testing commit 6c8957279aabecdcfaad925a465f02a9b469603d with gcc (GCC) 8.1.0
kernel signature: 40c3671a0e765b7cc17aba40f77cb8d168c51745
all runs: OK
# git bisect bad 6c8957279aabecdcfaad925a465f02a9b469603d
Bisecting: 26 revisions left to test after this (roughly 5 steps)
[defbcd1f8e852b403985a6e12abea2909fbbdbaa] CIFS: Fix NULL-pointer dereference in smb2_push_mandatory_locks
testing commit defbcd1f8e852b403985a6e12abea2909fbbdbaa with gcc (GCC) 8.1.0
kernel signature: a6a9626d355ec0bcf074b100cd705c7d5c815f74
all runs: OK
# git bisect bad defbcd1f8e852b403985a6e12abea2909fbbdbaa
Bisecting: 12 revisions left to test after this (roughly 4 steps)
[c294780a80b0fb2e92ab4e2fd584029ced994186] sched/fair: Scale bandwidth quota and period without losing quota/period ratio precision
testing commit c294780a80b0fb2e92ab4e2fd584029ced994186 with gcc (GCC) 8.1.0
kernel signature: 4762b3c0c6c0879301f2b0748dec8d48fd4e5d71
all runs: crashed: KASAN: slab-out-of-bounds Read in linear_transfer
# git bisect good c294780a80b0fb2e92ab4e2fd584029ced994186
Bisecting: 6 revisions left to test after this (roughly 3 steps)
[5ddcd540fba9b774d9f220b844f930de8f72a1b8] Input: synaptics - switch another X1 Carbon 6 to RMI/SMbus
testing commit 5ddcd540fba9b774d9f220b844f930de8f72a1b8 with gcc (GCC) 8.1.0
kernel signature: c59a99dcf35af3e2b4306e01335e5f34d405c070
all runs: OK
# git bisect bad 5ddcd540fba9b774d9f220b844f930de8f72a1b8
Bisecting: 2 revisions left to test after this (roughly 2 steps)
[c9437a4c887bfc2f4bcf8eb0c28eb1e4019acbb3] ALSA: hda/realtek - Dell headphone has noise on unmute for ALC236
testing commit c9437a4c887bfc2f4bcf8eb0c28eb1e4019acbb3 with gcc (GCC) 8.1.0
kernel signature: 6168b562299a99d7dcac2f243580a61c0e0c0c04
all runs: crashed: KASAN: slab-out-of-bounds Read in linear_transfer
# git bisect good c9437a4c887bfc2f4bcf8eb0c28eb1e4019acbb3
Bisecting: 0 revisions left to test after this (roughly 1 step)
[eed584fbd956d25ee8bf5b515d750a94537e4a38] ALSA: hda - Add mute led support for HP ProBook 645 G4
testing commit eed584fbd956d25ee8bf5b515d750a94537e4a38 with gcc (GCC) 8.1.0
kernel signature: 84e2f48698027d554c02dd0f1812d19f313fc218
all runs: OK
# git bisect bad eed584fbd956d25ee8bf5b515d750a94537e4a38
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[2a76606d8a830a02ea3a7aef6f5362ceccb8749f] ALSA: pcm: oss: Avoid potential buffer overflows
testing commit 2a76606d8a830a02ea3a7aef6f5362ceccb8749f with gcc (GCC) 8.1.0
kernel signature: e4e290bf0a33df95cb49f612afddbcfe2d0ab43d
all runs: OK
# git bisect bad 2a76606d8a830a02ea3a7aef6f5362ceccb8749f
2a76606d8a830a02ea3a7aef6f5362ceccb8749f is the first bad commit
commit 2a76606d8a830a02ea3a7aef6f5362ceccb8749f
Author: Takashi Iwai
Date:   Wed Dec 4 15:48:24 2019 +0100

    ALSA: pcm: oss: Avoid potential buffer overflows

    commit 4cc8d6505ab82db3357613d36e6c58a297f57f7c upstream.

    syzkaller reported an invalid access in PCM OSS read, and this seems
    to be an overflow of the internal buffer allocated for a plugin.
    Since the rate plugin adjusts its transfer size dynamically, the
    calculation for the chained plugin might be bigger than the given
    buffer size in some extreme cases, which led to such a buffer
    overflow as caught by KASAN.

    Fix it by limiting the max transfer size properly by checking against
    the destination size in each plugin transfer callback.

    Reported-by: syzbot+f153bde47a62e0b05f83@syzkaller.appspotmail.com
    Cc:
    Link: https://lore.kernel.org/r/20191204144824.17801-1-tiwai@suse.de
    Signed-off-by: Takashi Iwai
    Signed-off-by: Greg Kroah-Hartman

 sound/core/oss/linear.c | 2 ++
 sound/core/oss/mulaw.c  | 2 ++
 sound/core/oss/route.c  | 2 ++
 3 files changed, 6 insertions(+)

culprit signature: e4e290bf0a33df95cb49f612afddbcfe2d0ab43d
parent signature: 6168b562299a99d7dcac2f243580a61c0e0c0c04
revisions tested: 12, total time: 3h22m42.699352517s (build: 1h47m15.047245998s, test: 1h33m54.518777474s)
first good commit: 2a76606d8a830a02ea3a7aef6f5362ceccb8749f ALSA: pcm: oss: Avoid potential buffer overflows
cc: ["alsa-devel@alsa-project.org" "gregkh@linuxfoundation.org" "linux-kernel@vger.kernel.org" "perex@perex.cz" "tiwai@suse.com" "tiwai@suse.de"]
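The following C program is an added illustration of the failure mode the commit message describes; it is not the kernel's PCM OSS plugin code and not the lines the patch touches. It models a chain in which an upstream rate stage reports more frames than the caller sized the downstream buffer for, and a transfer callback that either trusts that count or clamps it to the destination capacity. Every name here (struct chan, rate_frames, linear_transfer, run_chain), the mono 16-bit sample layout and the exact shape of the clamp are assumptions made for the model, chosen only to match the description "limit the max transfer size by checking against the destination size in each plugin transfer callback".

```c
/* Added model of the bug class in the commit message above: not kernel code.
 * All names and layouts are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical plugin channel: a sample buffer and its capacity in frames. */
struct chan {
    int16_t *area;
    size_t   frames;
};

/* Hypothetical rate plugin: output frames produced for in_frames input
 * frames.  Rounding up is what lets the chained request exceed a buffer the
 * caller sized from in_frames alone. */
static size_t rate_frames(size_t in_frames, unsigned src_rate, unsigned dst_rate)
{
    return (size_t)(((uint64_t)in_frames * dst_rate + src_rate - 1) / src_rate);
}

/* Mono 16-bit "linear" transfer, modelled.  With clamp != 0 it applies the
 * kind of check the commit describes: never move more frames than the
 * destination holds.  Returns frames copied, or -1 when the request would run
 * past a buffer (the model refuses the access KASAN would have reported). */
static long linear_transfer(const struct chan *src, struct chan *dst,
                            size_t frames, int clamp)
{
    if (clamp && frames > dst->frames)
        frames = dst->frames;            /* assumed shape of the fix */
    if (frames > dst->frames || frames > src->frames)
        return -1;                       /* out-of-bounds access refused */
    for (size_t i = 0; i < frames; i++)
        dst->area[i] = (int16_t)(src->area[i] ^ 0x8000); /* sign flip */
    return (long)frames;
}

/* One chained request: the rate stage fills an intermediate buffer with
 * rate_frames() frames, then linear_transfer() moves them into a destination
 * the caller sized at dst_cap frames (typically sized from in_frames, not
 * from the resampled count).  Returns linear_transfer()'s result, or -2 if
 * the fixed-size model buffers are too small for the requested sizes. */
long run_chain(size_t in_frames, unsigned src_rate, unsigned dst_rate,
               size_t dst_cap, int clamp)
{
    enum { MODEL_CAP = 256 };
    int16_t inter[MODEL_CAP], out[MODEL_CAP];
    size_t produced = rate_frames(in_frames, src_rate, dst_rate);

    if (produced > MODEL_CAP || dst_cap > MODEL_CAP)
        return -2;
    memset(inter, 0x11, sizeof inter);   /* constructed sample data */
    memset(out, 0, sizeof out);

    struct chan src = { inter, produced };
    struct chan dst = { out, dst_cap };
    return linear_transfer(&src, &dst, produced, clamp);
}
```

With 100 input frames resampled from 44100 Hz to 48000 Hz the rate stage reports 109 frames; a destination sized for the original 100 is overrun by the trusting transfer and handled by the clamped one, while an equal-rate request (100 frames out) fits either way.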