bisecting fixing commit since c10b57a567e4333b9fdf60b5ec36de9859263ca2
building syzkaller on 3f3c557402456696073f79aafa65b4d7fa2b8794
testing commit c10b57a567e4333b9fdf60b5ec36de9859263ca2 with gcc (GCC) 8.1.0
kernel signature: b21274e7a447ac9f1b96f8b51272c69f492beee1443f5f5d8262b3536cc83136
run #0: crashed: KASAN: slab-out-of-bounds Write in snd_rawmidi_kernel_write1
run #1: crashed: KASAN: slab-out-of-bounds Write in snd_rawmidi_kernel_write1
run #2: crashed: KASAN: slab-out-of-bounds Write in snd_rawmidi_kernel_write1
run #3: crashed: KASAN: slab-out-of-bounds Write in snd_rawmidi_kernel_write1
run #4: crashed: KASAN: slab-out-of-bounds Write in snd_rawmidi_kernel_write1
run #5: crashed: KASAN: slab-out-of-bounds Write in snd_rawmidi_kernel_write1
run #6: crashed: KASAN: slab-out-of-bounds Write in snd_rawmidi_kernel_write1
run #7: crashed: KASAN: slab-out-of-bounds Write in snd_rawmidi_kernel_write1
run #8: crashed: KASAN: use-after-free Write in snd_rawmidi_kernel_write1
run #9: crashed: KASAN: slab-out-of-bounds Write in snd_rawmidi_kernel_write1
testing current HEAD b850307b279cbd12ab8c654d1a3dfe55319cc475
testing commit b850307b279cbd12ab8c654d1a3dfe55319cc475 with gcc (GCC) 8.1.0
kernel signature: 9d752850c4489f2608e0873c343fa4a5b3181b6aa1093955e117e0f09d35f2a2
all runs: OK
# git bisect start b850307b279cbd12ab8c654d1a3dfe55319cc475 c10b57a567e4333b9fdf60b5ec36de9859263ca2
Bisecting: 332 revisions left to test after this (roughly 8 steps)
[2b6131e8316df2235dc0f63c03008376e027cee8] RDMA/mlx5: Set GRH fields in query QP on RoCE
testing commit 2b6131e8316df2235dc0f63c03008376e027cee8 with gcc (GCC) 8.1.0
kernel signature: eb7efb689ea9c290a8fac05490ec3e7c7c88c2b41d4cbd2e2a60884ffd2467fd
run #0: crashed: KASAN: use-after-free Write in snd_rawmidi_kernel_write1
run #1: crashed: KASAN: use-after-free Write in snd_rawmidi_kernel_write1
run #2: crashed: KASAN: slab-out-of-bounds Write in snd_rawmidi_kernel_write1
run #3: crashed: KASAN: use-after-free Write in snd_rawmidi_kernel_write1
run #4: crashed: KASAN: use-after-free Write in snd_rawmidi_kernel_write1
run #5: crashed: KASAN: slab-out-of-bounds Write in snd_rawmidi_kernel_write1
run #6: crashed: KASAN: use-after-free Write in snd_rawmidi_kernel_write1
run #7: crashed: KASAN: use-after-free Write in snd_rawmidi_kernel_write1
run #8: crashed: KASAN: use-after-free Write in snd_rawmidi_kernel_write1
run #9: crashed: KASAN: slab-out-of-bounds Write in snd_rawmidi_kernel_write1
# git bisect good 2b6131e8316df2235dc0f63c03008376e027cee8
Bisecting: 166 revisions left to test after this (roughly 7 steps)
[486a24502c9ac33bb3bc05ba598fb3b43134e3ab] vhost/vsock: fix packet delivery order to monitoring devices
testing commit 486a24502c9ac33bb3bc05ba598fb3b43134e3ab with gcc (GCC) 8.1.0
kernel signature: d42dfec80984455737d5200525e92db9161be94ed6f6c57511517c30e0fa6e9b
all runs: OK
# git bisect bad 486a24502c9ac33bb3bc05ba598fb3b43134e3ab
Bisecting: 82 revisions left to test after this (roughly 6 steps)
[5bb1c0f27e8b3c83c1ccb249d812545a3b5cfc8b] shmem: fix possible deadlocks on shmlock_user_lock
testing commit 5bb1c0f27e8b3c83c1ccb249d812545a3b5cfc8b with gcc (GCC) 8.1.0
kernel signature: 652e71aadde8db94952618254863658416c52334139d2154723b766b6cc14f02
run #0: crashed: KASAN: use-after-free Write in snd_rawmidi_kernel_write1
run #1: crashed: KASAN: use-after-free Write in snd_rawmidi_kernel_write1
run #2: crashed: KASAN: use-after-free Write in snd_rawmidi_kernel_write1
run #3: crashed: KASAN: slab-out-of-bounds Write in snd_rawmidi_kernel_write1
run #4: crashed: KASAN: use-after-free Write in snd_rawmidi_kernel_write1
run #5: crashed: KASAN: use-after-free Write in snd_rawmidi_kernel_write1
run #6: crashed: KASAN: slab-out-of-bounds Write in snd_rawmidi_kernel_write1
run #7: crashed: KASAN: use-after-free Write in snd_rawmidi_kernel_write1
run #8: crashed: KASAN: use-after-free Write in snd_rawmidi_kernel_write1
run #9: crashed: KASAN: use-after-free Write in snd_rawmidi_kernel_write1
# git bisect good 5bb1c0f27e8b3c83c1ccb249d812545a3b5cfc8b
Bisecting: 41 revisions left to test after this (roughly 5 steps)
[4971520cd762ce9e4cad5ce16b30098c3ee4c0af] ALSA: hda/realtek - Limit int mic boost for Thinkpad T530
testing commit 4971520cd762ce9e4cad5ce16b30098c3ee4c0af with gcc (GCC) 8.1.0
kernel signature: 13b257aaba6b514f244d485903402afdd5d90c50e300b7cc0dae6906fe945bb1
run #0: crashed: KASAN: use-after-free Write in snd_rawmidi_kernel_write1
run #1: crashed: KASAN: use-after-free Write in snd_rawmidi_kernel_write1
run #2: crashed: KASAN: use-after-free Write in snd_rawmidi_kernel_write1
run #3: crashed: KASAN: use-after-free Write in snd_rawmidi_kernel_write1
run #4: crashed: KASAN: slab-out-of-bounds Write in snd_rawmidi_kernel_write1
run #5: crashed: KASAN: slab-out-of-bounds Write in snd_rawmidi_kernel_write1
run #6: crashed: KASAN: slab-out-of-bounds Write in snd_rawmidi_kernel_write1
run #7: crashed: KASAN: slab-out-of-bounds Write in snd_rawmidi_kernel_write1
run #8: crashed: KASAN: use-after-free Write in snd_rawmidi_kernel_write1
run #9: crashed: KASAN: use-after-free Write in snd_rawmidi_kernel_write1
# git bisect good 4971520cd762ce9e4cad5ce16b30098c3ee4c0af
Bisecting: 20 revisions left to test after this (roughly 4 steps)
[c174fac21ef3c099ef8d7a896ba459cfdba412a8] ARM: dts: r8a73a4: Add missing CMT1 interrupts
testing commit c174fac21ef3c099ef8d7a896ba459cfdba412a8 with gcc (GCC) 8.1.0
kernel signature: fb15143387ebfef303d0658f64fa7125e11a0dc70690c5bdb9240fbed9ee8b3d
all runs: OK
# git bisect bad c174fac21ef3c099ef8d7a896ba459cfdba412a8
Bisecting: 10 revisions left to test after this (roughly 3 steps)
[e550fa72dd92d8ef757e1dff2cbdf73bf67fd4db] usb: xhci: Fix NULL pointer dereference when enqueuing trbs from urb sg list
testing commit e550fa72dd92d8ef757e1dff2cbdf73bf67fd4db with gcc (GCC) 8.1.0
kernel signature: 09c315e7b29f353efb262f7e6f1763a7a011804c065b725df933cbed7f39db6b
all runs: OK
# git bisect bad e550fa72dd92d8ef757e1dff2cbdf73bf67fd4db
Bisecting: 4 revisions left to test after this (roughly 2 steps)
[60753dc8290192714003b0a38269e2f7342810c9] x86: Fix early boot crash on gcc-10, third try
testing commit 60753dc8290192714003b0a38269e2f7342810c9 with gcc (GCC) 8.1.0
kernel signature: 8fee8ed0d89b51b21f442fa7b733b1cdb9f9fdd4fb7aa6effaa9297f78885fe5
all runs: OK
# git bisect bad 60753dc8290192714003b0a38269e2f7342810c9
Bisecting: 2 revisions left to test after this (roughly 1 step)
[8645ac3684a70e4e8a21c7c407c07a1a4316beec] ALSA: rawmidi: Fix racy buffer resize under concurrent accesses
testing commit 8645ac3684a70e4e8a21c7c407c07a1a4316beec with gcc (GCC) 8.1.0
kernel signature: d0433df13a38dfd41aa86e9ea449b0c2785b62dcc336a1000cb57d1b8c22687b
all runs: OK
# git bisect bad 8645ac3684a70e4e8a21c7c407c07a1a4316beec
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[e8e3fcbc66f608d38a72fc716ff45e31b7f3d123] ALSA: rawmidi: Initialize allocated buffers
testing commit e8e3fcbc66f608d38a72fc716ff45e31b7f3d123 with gcc (GCC) 8.1.0
kernel signature: 9c37e03b95a8c08767fb6d00f60f9afc2ee76d4ac05f9b8c4816fdbe5bb8f999
run #0: crashed: KASAN: slab-out-of-bounds Write in snd_rawmidi_kernel_write1
run #1: crashed: KASAN: slab-out-of-bounds Write in snd_rawmidi_kernel_write1
run #2: crashed: KASAN: slab-out-of-bounds Write in snd_rawmidi_kernel_write1
run #3: crashed: KASAN: use-after-free Write in snd_rawmidi_kernel_write1
run #4: crashed: KASAN: use-after-free Write in snd_rawmidi_kernel_write1
run #5: crashed: KASAN: slab-out-of-bounds Write in snd_rawmidi_kernel_write1
run #6: crashed: KASAN: use-after-free Write in snd_rawmidi_kernel_write1
run #7: crashed: KASAN: use-after-free Write in snd_rawmidi_kernel_write1
run #8: crashed: KASAN: slab-out-of-bounds Write in snd_rawmidi_kernel_write1
run #9: crashed: KASAN: use-after-free Write in snd_rawmidi_kernel_write1
# git bisect good e8e3fcbc66f608d38a72fc716ff45e31b7f3d123
8645ac3684a70e4e8a21c7c407c07a1a4316beec is the first bad commit
commit 8645ac3684a70e4e8a21c7c407c07a1a4316beec
Author: Takashi Iwai
Date:   Thu May 7 13:44:56 2020 +0200

    ALSA: rawmidi: Fix racy buffer resize under concurrent accesses

    commit c1f6e3c818dd734c30f6a7eeebf232ba2cf3181d upstream.

    The rawmidi core allows user to resize the runtime buffer via ioctl,
    and this may lead to UAF when performed during concurrent reads or
    writes: the read/write functions unlock the runtime lock temporarily
    during copying from/to user-space, and that's the race window.

    This patch fixes the hole by introducing a reference counter for the
    runtime buffer read/write access and returns -EBUSY error when the
    resize is performed concurrently against read/write.

    Note that the ref count field is a simple integer instead of
    refcount_t here, since all the contexts accessing the buffer are
    basically protected with a spinlock, hence we need no expensive atomic
    ops. Also, note that this busy check is needed only against read /
    write functions, and not in receive/transmit callbacks; the race can
    happen only at the spinlock hole mentioned above, while the whole
    function is protected for receive / transmit callbacks.

    Reported-by: butt3rflyh4ck
    Cc:
    Link: https://lore.kernel.org/r/CAFcO6XMWpUVK_yzzCpp8_XP7+=oUpQvuBeCbMffEDkpe8jWrfg@mail.gmail.com
    Link: https://lore.kernel.org/r/s5heerw3r5z.wl-tiwai@suse.de
    Signed-off-by: Takashi Iwai
    Signed-off-by: Greg Kroah-Hartman

 include/sound/rawmidi.h |  1 +
 sound/core/rawmidi.c    | 31 +++++++++++++++++++++++++++----
 2 files changed, 28 insertions(+), 4 deletions(-)

culprit signature: d0433df13a38dfd41aa86e9ea449b0c2785b62dcc336a1000cb57d1b8c22687b
parent signature: 9c37e03b95a8c08767fb6d00f60f9afc2ee76d4ac05f9b8c4816fdbe5bb8f999
revisions tested: 11, total time: 3h6m11.902329157s (build: 1h33m13.158324768s, test: 1h31m38.62980771s)
first good commit: 8645ac3684a70e4e8a21c7c407c07a1a4316beec ALSA: rawmidi: Fix racy buffer resize under concurrent accesses
cc: ["alsa-devel@alsa-project.org" "gregkh@linuxfoundation.org" "linux-kernel@vger.kernel.org" "perex@perex.cz" "tiwai@suse.com" "tiwai@suse.de"]