bisecting cause commit starting from 6c83d0d5eb62846b8591884e246ab67d70b651ef
building syzkaller on bab43553a904660266fdcd8fb974c7bdd96b3f58
testing commit 6c83d0d5eb62846b8591884e246ab67d70b651ef with gcc (GCC) 8.1.0
all runs: crashed: KASAN: slab-out-of-bounds Read in linear_transfer
testing release v5.0
testing commit 1c163f4c7b3f621efff9b28a47abb36f7378d783 with gcc (GCC) 8.1.0
run #0: crashed: KASAN: slab-out-of-bounds Read in linear_transfer
run #1: crashed: KASAN: slab-out-of-bounds Read in linear_transfer
run #2: crashed: KASAN: slab-out-of-bounds Read in linear_transfer
run #3: crashed: KASAN: slab-out-of-bounds Read in linear_transfer
run #4: crashed: KASAN: slab-out-of-bounds Read in linear_transfer
run #5: crashed: KASAN: slab-out-of-bounds Read in linear_transfer
run #6: crashed: KASAN: slab-out-of-bounds Read in linear_transfer
run #7: crashed: KASAN: slab-out-of-bounds Read in linear_transfer
run #8: crashed: KASAN: slab-out-of-bounds Read in linear_transfer
run #9: OK
testing release v4.20
testing commit 8fe28cb58bcb235034b64cbbb7550a8a43fd88be with gcc (GCC) 8.1.0
all runs: crashed: KASAN: slab-out-of-bounds Read in linear_transfer
testing release v4.19
testing commit 84df9525b0c27f3ebc2ebb1864fa62a97fdedb7d with gcc (GCC) 8.1.0
all runs: OK
# git bisect start v4.20 v4.19
Bisecting: 7499 revisions left to test after this (roughly 13 steps)
[ec9c166434595382be3babf266febf876327774d] Merge tag 'mips_fixes_4.20_1' of git://git.kernel.org/pub/scm/linux/kernel/git/mips/linux
testing commit ec9c166434595382be3babf266febf876327774d with gcc (GCC) 8.1.0
all runs: OK
# git bisect good ec9c166434595382be3babf266febf876327774d
Bisecting: 3610 revisions left to test after this (roughly 12 steps)
[93335e5911dbffccd3b74c4d214268c0fd2bc1b0] Merge tag 'armsoc-dt' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc
testing commit 93335e5911dbffccd3b74c4d214268c0fd2bc1b0 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 93335e5911dbffccd3b74c4d214268c0fd2bc1b0
Bisecting: 1804 revisions left to test after this (roughly 11 steps)
[e12e00e388dee1d2a86e9b90f79a69f9acd2c9b0] Merge tag 'kbuild-fixes-v4.20' of git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild
testing commit e12e00e388dee1d2a86e9b90f79a69f9acd2c9b0 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good e12e00e388dee1d2a86e9b90f79a69f9acd2c9b0
Bisecting: 900 revisions left to test after this (roughly 10 steps)
[d8f190ee836a4581ba906731835d735cb97948f5] Merge branch 'akpm' (patches from Andrew)
testing commit d8f190ee836a4581ba906731835d735cb97948f5 with gcc (GCC) 8.1.0
run #0: crashed: KASAN: slab-out-of-bounds Read in linear_transfer
run #1: crashed: KASAN: slab-out-of-bounds Read in linear_transfer
run #2: crashed: KASAN: slab-out-of-bounds Read in linear_transfer
run #3: crashed: KASAN: slab-out-of-bounds Read in linear_transfer
run #4: crashed: KASAN: slab-out-of-bounds Read in linear_transfer
run #5: crashed: KASAN: slab-out-of-bounds Read in linear_transfer
run #6: crashed: KASAN: slab-out-of-bounds Read in linear_transfer
run #7: OK
run #8: crashed: KASAN: slab-out-of-bounds Read in linear_transfer
run #9: OK
# git bisect bad d8f190ee836a4581ba906731835d735cb97948f5
Bisecting: 469 revisions left to test after this (roughly 9 steps)
[abe72ff4134028ff2189d29629c40a40bee0a989] Merge tag 'xfs-4.20-fixes-2' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux
testing commit abe72ff4134028ff2189d29629c40a40bee0a989 with gcc (GCC) 8.1.0
run #0: crashed: KASAN: slab-out-of-bounds Read in linear_transfer
run #1: crashed: KASAN: slab-out-of-bounds Read in linear_transfer
run #2: crashed: KASAN: slab-out-of-bounds Read in linear_transfer
run #3: crashed: KASAN: slab-out-of-bounds Read in linear_transfer
run #4: crashed: KASAN: slab-out-of-bounds Read in linear_transfer
run #5: crashed: KASAN: slab-out-of-bounds Read in linear_transfer
run #6: crashed: KASAN: slab-out-of-bounds Read in linear_transfer
run #7: crashed: KASAN: slab-out-of-bounds Read in linear_transfer
run #8: basic kernel testing failed: failed to copy test binary to VM: timedout ["scp" "-P" "28225" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "BatchMode=yes" "-o" "IdentitiesOnly=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "-i" "/usr/local/google/home/dvyukov/syzkaller/ci-bisect3/jobs/linux/workdir/image/key" "/tmp/syz-executor483887963" "root@localhost:/syz-executor483887963"]
Warning: Permanently added '[localhost]:28225' (ECDSA) to the list of known hosts.
Connection to localhost closed by remote host.
run #9: basic kernel testing failed: failed to copy test binary to VM: timedout ["scp" "-P" "50685" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "BatchMode=yes" "-o" "IdentitiesOnly=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "-i" "/usr/local/google/home/dvyukov/syzkaller/ci-bisect3/jobs/linux/workdir/image/key" "/tmp/syz-executor192597246" "root@localhost:/syz-executor192597246"]
Warning: Permanently added '[localhost]:50685' (ECDSA) to the list of known hosts.
# git bisect bad abe72ff4134028ff2189d29629c40a40bee0a989
Bisecting: 215 revisions left to test after this (roughly 8 steps)
[25e19c1fe421280a47f37c3571aa379e6e67966c] Merge tag 'libnvdimm-fixes-4.20-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/nvdimm/nvdimm
testing commit 25e19c1fe421280a47f37c3571aa379e6e67966c with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 25e19c1fe421280a47f37c3571aa379e6e67966c
Bisecting: 109 revisions left to test after this (roughly 7 steps)
[ef4d6f2c0c659922856bb48cbb7a83ac97941e01] Merge tag 'mtd/fixes-for-4.20-rc4' of git://git.infradead.org/linux-mtd
testing commit ef4d6f2c0c659922856bb48cbb7a83ac97941e01 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good ef4d6f2c0c659922856bb48cbb7a83ac97941e01
Bisecting: 46 revisions left to test after this (roughly 6 steps)
[9b7c880c834c0a1c80a1dc6b8a0b19155361321f] Merge tag 'drm-fixes-2018-11-23' of git://anongit.freedesktop.org/drm/drm
testing commit 9b7c880c834c0a1c80a1dc6b8a0b19155361321f with gcc (GCC) 8.1.0
all runs: crashed: KASAN: slab-out-of-bounds Read in linear_transfer
# git bisect bad 9b7c880c834c0a1c80a1dc6b8a0b19155361321f
Bisecting: 28 revisions left to test after this (roughly 5 steps)
[52465bce85a2d28bcec5cba5a645bb610367ab1b] Merge tag 'char-misc-4.20-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc
testing commit 52465bce85a2d28bcec5cba5a645bb610367ab1b with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 52465bce85a2d28bcec5cba5a645bb610367ab1b
Bisecting: 12 revisions left to test after this (roughly 4 steps)
[8cf6f361eb76bf7fca85bde15a0a9316fa124c0c] Merge branch 'drm-fixes-4.20' of git://people.freedesktop.org/~agd5f/linux into drm-fixes
testing commit 8cf6f361eb76bf7fca85bde15a0a9316fa124c0c with gcc (GCC) 8.1.0
run #0: OK
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: basic kernel testing failed: failed to copy test binary to VM: failed to run ["scp" "-P" "32732" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "BatchMode=yes" "-o" "IdentitiesOnly=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "-i" "/usr/local/google/home/dvyukov/syzkaller/ci-bisect3/jobs/linux/workdir/image/key" "/tmp/syz-executor796013485" "root@localhost:/syz-executor796013485"]: exit status 1
ssh: connect to host localhost port 32732: Connection timed out
lost connection
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect good 8cf6f361eb76bf7fca85bde15a0a9316fa124c0c
Bisecting: 6 revisions left to test after this (roughly 3 steps)
[edeca3a769ad28a9477798c3b1d8e0701db728e4] Merge tag 'sound-4.20-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound
testing commit edeca3a769ad28a9477798c3b1d8e0701db728e4 with gcc (GCC) 8.1.0
all runs: crashed: KASAN: slab-out-of-bounds Read in linear_transfer
# git bisect bad edeca3a769ad28a9477798c3b1d8e0701db728e4
Bisecting: 2 revisions left to test after this (roughly 2 steps)
[d99501b8575dc1248bacf1b58d2241cb4b265d49] ALSA: hda/ca0132 - Call pci_iounmap() instead of iounmap()
testing commit d99501b8575dc1248bacf1b58d2241cb4b265d49 with gcc (GCC) 8.1.0
all runs: crashed: KASAN: slab-out-of-bounds Read in linear_transfer
# git bisect bad d99501b8575dc1248bacf1b58d2241cb4b265d49
Bisecting: 0 revisions left to test after this (roughly 1 step)
[563785edfcef02b566e64fb5292c74c1600808aa] ALSA: hda/realtek - Add quirk entry for HP Pavilion 15
testing commit 563785edfcef02b566e64fb5292c74c1600808aa with gcc (GCC) 8.1.0
all runs: crashed: KASAN: slab-out-of-bounds Read in linear_transfer
# git bisect bad 563785edfcef02b566e64fb5292c74c1600808aa
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[65766ee0bf7fe8b3be80e2e1c3ef54ad59b29476] ALSA: oss: Use kvzalloc() for local buffer allocations
testing commit 65766ee0bf7fe8b3be80e2e1c3ef54ad59b29476 with gcc (GCC) 8.1.0
all runs: crashed: KASAN: slab-out-of-bounds Read in linear_transfer
# git bisect bad 65766ee0bf7fe8b3be80e2e1c3ef54ad59b29476
65766ee0bf7fe8b3be80e2e1c3ef54ad59b29476 is the first bad commit
commit 65766ee0bf7fe8b3be80e2e1c3ef54ad59b29476
Author: Takashi Iwai
Date:   Fri Nov 9 11:59:45 2018 +0100

    ALSA: oss: Use kvzalloc() for local buffer allocations

    PCM OSS layer may allocate a few temporary buffers, one for the core
    read/write and another for the conversions via plugins. Currently both
    are allocated via vmalloc(). But as the allocation size is equivalent
    with the PCM period size, the required size might be quite small,
    depending on the application.

    This patch replaces these vmalloc() calls with kvzalloc() for covering
    small period sizes better. Also, we use "z"-alloc variant here for
    addressing the possible uninitialized access reported by syzkaller.

    Reported-by: syzbot+1cb36954e127c98dd037@syzkaller.appspotmail.com
    Cc:
    Signed-off-by: Takashi Iwai

 sound/core/oss/pcm_oss.c    | 6 +++---
 sound/core/oss/pcm_plugin.c | 6 +++---
 2 files changed, 6 insertions(+), 6 deletions(-)

revisions tested: 18, total time: 16h21m9.322111829s (build: 1h32m15.178094314s, test: 14h44m25.374380499s)
first bad commit: 65766ee0bf7fe8b3be80e2e1c3ef54ad59b29476 ALSA: oss: Use kvzalloc() for local buffer allocations
cc: ["alsa-devel@alsa-project.org" "dan.carpenter@oracle.com" "gustavo@embeddedor.com" "joe@perches.com" "linux-kernel@vger.kernel.org" "perex@perex.cz" "tiwai@suse.com" "tiwai@suse.de" "vkoul@kernel.org"]
crash: KASAN: slab-out-of-bounds Read in linear_transfer
==================================================================
BUG: KASAN: slab-out-of-bounds in memcpy include/linux/string.h:352 [inline]
BUG: KASAN: slab-out-of-bounds in do_convert sound/core/oss/linear.c:48 [inline]
BUG: KASAN: slab-out-of-bounds in convert sound/core/oss/linear.c:81 [inline]
BUG: KASAN: slab-out-of-bounds in linear_transfer+0x578/0x960 sound/core/oss/linear.c:110
Read of size 1 at addr ffff8800745c6ef8 by task syz-executor.5/5705

CPU: 1 PID: 5705 Comm: syz-executor.5 Not tainted 4.20.0-rc1+ #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x16b/0x224 lib/dump_stack.c:113
 print_address_description.cold.7+0x9/0x1ff mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report.cold.8+0x242/0x309 mm/kasan/report.c:412
 check_memory_region_inline mm/kasan/kasan.c:260 [inline]
 check_memory_region+0x13e/0x1b0 mm/kasan/kasan.c:267
 memcpy+0x23/0x50 mm/kasan/kasan.c:302
 memcpy include/linux/string.h:352 [inline]
 do_convert sound/core/oss/linear.c:48 [inline]
 convert sound/core/oss/linear.c:81 [inline]
 linear_transfer+0x578/0x960 sound/core/oss/linear.c:110
 snd_pcm_plug_read_transfer+0x15b/0x2a0 sound/core/oss/pcm_plugin.c:651
 snd_pcm_oss_read2+0x1a9/0x470 sound/core/oss/pcm_oss.c:1474
 snd_pcm_oss_read1 sound/core/oss/pcm_oss.c:1531 [inline]
 snd_pcm_oss_read+0x416/0x610 sound/core/oss/pcm_oss.c:2752
 __vfs_read+0xe6/0x890 fs/read_write.c:416
 vfs_read+0xf5/0x2f0 fs/read_write.c:452
 ksys_read+0xcd/0x1b0 fs/read_write.c:578
 __do_sys_read fs/read_write.c:588 [inline]
 __se_sys_read fs/read_write.c:586 [inline]
 __x64_sys_read+0x6e/0xb0 fs/read_write.c:586
 do_syscall_64+0xd6/0x4e0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x457799
Code: 8d b5 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 5b b5 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007fec8adc7c88 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
RAX: ffffffffffffffda RBX: 000000000071bf00 RCX: 0000000000457799
RDX: 0000000000001000 RSI: 00000000200012c0 RDI: 0000000000000003
RBP: 0000000000000003 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 00000000006ec1a8 R14: 00000000004abd2f R15: 00007fec8adc86d4

Allocated by task 5705:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 kasan_kmalloc+0xc7/0xe0 mm/kasan/kasan.c:553
 __do_kmalloc_node mm/slab.c:3684 [inline]
 __kmalloc_node+0x50/0x70 mm/slab.c:3691
 kmalloc_node include/linux/slab.h:589 [inline]
 kvmalloc_node+0x68/0x70 mm/util.c:416
 kvmalloc include/linux/mm.h:577 [inline]
 kvzalloc include/linux/mm.h:585 [inline]
 snd_pcm_plugin_alloc+0x445/0x8d0 sound/core/oss/pcm_plugin.c:70
 snd_pcm_plug_alloc+0x106/0x280 sound/core/oss/pcm_plugin.c:129
 snd_pcm_oss_change_params_locked+0x1a82/0x3170 sound/core/oss/pcm_oss.c:1038
 snd_pcm_oss_change_params+0x54/0xa0 sound/core/oss/pcm_oss.c:1101
 snd_pcm_oss_get_active_substream.part.28+0xdd/0x160 sound/core/oss/pcm_oss.c:1118
 snd_pcm_oss_get_active_substream sound/core/oss/pcm_oss.c:1111 [inline]
 snd_pcm_oss_get_rate sound/core/oss/pcm_oss.c:1768 [inline]
 snd_pcm_oss_set_rate sound/core/oss/pcm_oss.c:1760 [inline]
 snd_pcm_oss_ioctl+0x1a40/0x2fb0 sound/core/oss/pcm_oss.c:2608
 vfs_ioctl fs/ioctl.c:46 [inline]
 file_ioctl fs/ioctl.c:509 [inline]
 do_vfs_ioctl+0x199/0x10d0 fs/ioctl.c:696
 ksys_ioctl+0x62/0x90 fs/ioctl.c:713
 __do_sys_ioctl fs/ioctl.c:720 [inline]
 __se_sys_ioctl fs/ioctl.c:718 [inline]
 __x64_sys_ioctl+0x6e/0xb0 fs/ioctl.c:718
 do_syscall_64+0xd6/0x4e0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 0:
(stack is not available)

The buggy address belongs to the object at ffff8800745c6340
 which belongs to the cache kmalloc-4k of size 4096
The buggy address is located 3000 bytes inside of
 4096-byte region [ffff8800745c6340, ffff8800745c7340)
The buggy address belongs to the page:
page:ffffea0001d17180 count:1 mapcount:0 mapping:ffff88002d400dc0 index:0x0 compound_mapcount: 0
flags: 0x5fffc0000010200(slab|head)
raw: 05fffc0000010200 ffffea0001eeb388 ffffea0001d1d388 ffff88002d400dc0
raw: 0000000000000000 ffff8800745c6340 0000000100000001 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8800745c6d80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8800745c6e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8800745c6e80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc
                                                                ^
 ffff8800745c6f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8800745c6f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================