bisecting cause commit starting from abb8d6ecbd8f7801c048f6543f79d22d24cead7b building syzkaller on dcf836b12d34be9fd7766104dfea168b76b4212e testing commit abb8d6ecbd8f7801c048f6543f79d22d24cead7b with gcc (GCC) 8.1.0 all runs: crashed: KASAN: slab-out-of-bounds Write in default_read_copy_kernel testing release v4.19 testing commit 84df9525b0c27f3ebc2ebb1864fa62a97fdedb7d with gcc (GCC) 8.1.0 all runs: OK # git bisect start abb8d6ecbd8f7801c048f6543f79d22d24cead7b v4.19 Bisecting: 7146 revisions left to test after this (roughly 13 steps) [7abe849315c870c1d3f3cb4b302e827aaa28348e] Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/shli/md testing commit 7abe849315c870c1d3f3cb4b302e827aaa28348e with gcc (GCC) 8.1.0 all runs: OK # git bisect good 7abe849315c870c1d3f3cb4b302e827aaa28348e Bisecting: 3669 revisions left to test after this (roughly 12 steps) [c38239b4be1ac7e4bcf5bbd971353bae51525b8f] Merge branch 'parisc-4.20-2' of git://git.kernel.org/pub/scm/linux/kernel/git/deller/parisc-linux testing commit c38239b4be1ac7e4bcf5bbd971353bae51525b8f with gcc (GCC) 8.1.0 all runs: OK # git bisect good c38239b4be1ac7e4bcf5bbd971353bae51525b8f Bisecting: 1833 revisions left to test after this (roughly 11 steps) [34c7685a177a7bc98066f7e5daa42eef621d0bdb] Merge tag 'devicetree-fixes-for-4.20-1' of git://git.kernel.org/pub/scm/linux/kernel/git/robh/linux testing commit 34c7685a177a7bc98066f7e5daa42eef621d0bdb with gcc (GCC) 8.1.0 all runs: OK # git bisect good 34c7685a177a7bc98066f7e5daa42eef621d0bdb Bisecting: 911 revisions left to test after this (roughly 10 steps) [4efd34602fc0da31f87dca8669388edcafba622d] Merge tag 'drm-fixes-2018-11-16' of git://anongit.freedesktop.org/drm/drm testing commit 4efd34602fc0da31f87dca8669388edcafba622d with gcc (GCC) 8.1.0 all runs: OK # git bisect good 4efd34602fc0da31f87dca8669388edcafba622d Bisecting: 427 revisions left to test after this (roughly 9 steps) [60b548237fed4b4164bab13c994dd9615f6c4323] Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net testing commit 60b548237fed4b4164bab13c994dd9615f6c4323 with gcc (GCC) 8.1.0 all runs: crashed: KASAN: slab-out-of-bounds Write in default_read_copy_kernel # git bisect bad 60b548237fed4b4164bab13c994dd9615f6c4323 Bisecting: 241 revisions left to test after this (roughly 8 steps) [a03bac580ae743d5900af626ac63f7f8cd85def9] Merge tag 'acpi-4.20-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm testing commit a03bac580ae743d5900af626ac63f7f8cd85def9 with gcc (GCC) 8.1.0 all runs: crashed: KASAN: slab-out-of-bounds Write in default_read_copy_kernel # git bisect bad a03bac580ae743d5900af626ac63f7f8cd85def9 Bisecting: 122 revisions left to test after this (roughly 7 steps) [f2ce1065e767fc7da106a5f5381d1e8f842dc6f4] Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net testing commit f2ce1065e767fc7da106a5f5381d1e8f842dc6f4 with gcc (GCC) 8.1.0 all runs: OK # git bisect good f2ce1065e767fc7da106a5f5381d1e8f842dc6f4 Bisecting: 64 revisions left to test after this (roughly 6 steps) [4cd731953d620b7e4e999a90d13db58b88c5e95b] Merge tag 'usb-4.20-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb testing commit 4cd731953d620b7e4e999a90d13db58b88c5e95b with gcc (GCC) 8.1.0 all runs: OK # git bisect good 4cd731953d620b7e4e999a90d13db58b88c5e95b Bisecting: 22 revisions left to test after this (roughly 5 steps) [9b7c880c834c0a1c80a1dc6b8a0b19155361321f] Merge tag 'drm-fixes-2018-11-23' of git://anongit.freedesktop.org/drm/drm testing commit 9b7c880c834c0a1c80a1dc6b8a0b19155361321f with gcc (GCC) 8.1.0 all runs: crashed: KASAN: slab-out-of-bounds Write in default_read_copy_kernel # git bisect bad 9b7c880c834c0a1c80a1dc6b8a0b19155361321f Bisecting: 19 revisions left to test after this (roughly 4 steps) [98c9cdfd34fbb62886e4c5a07e33661aa3352ef5] Merge tag 'drm-intel-fixes-2018-11-22' of git://anongit.freedesktop.org/drm/drm-intel into drm-fixes testing commit 98c9cdfd34fbb62886e4c5a07e33661aa3352ef5 with gcc (GCC) 8.1.0 all runs: OK # git bisect good 98c9cdfd34fbb62886e4c5a07e33661aa3352ef5 Bisecting: 9 revisions left to test after this (roughly 3 steps) [5082a7df5251b361be8f8edc1f0a148d07999820] Merge tag 'gnss-4.20-rc3' of https://git.kernel.org/pub/scm/linux/kernel/git/johan/gnss into char-misc-linus testing commit 5082a7df5251b361be8f8edc1f0a148d07999820 with gcc (GCC) 8.1.0 all runs: OK # git bisect good 5082a7df5251b361be8f8edc1f0a148d07999820 Bisecting: 4 revisions left to test after this (roughly 2 steps) [a6b0961b39896a9f9f1350d26d202f078a7d9dbc] ALSA: hda/ca0132 - fix AE-5 pincfg testing commit a6b0961b39896a9f9f1350d26d202f078a7d9dbc with gcc (GCC) 8.1.0 all runs: crashed: KASAN: slab-out-of-bounds Write in default_read_copy_kernel # git bisect bad a6b0961b39896a9f9f1350d26d202f078a7d9dbc Bisecting: 2 revisions left to test after this (roughly 1 step) [563785edfcef02b566e64fb5292c74c1600808aa] ALSA: hda/realtek - Add quirk entry for HP Pavilion 15 testing commit 563785edfcef02b566e64fb5292c74c1600808aa with gcc (GCC) 8.1.0 run #0: crashed: KASAN: slab-out-of-bounds Write in default_read_copy_kernel run #1: crashed: KASAN: slab-out-of-bounds in default_read_copy_kernel run #2: crashed: KASAN: slab-out-of-bounds Write in default_read_copy_kernel run #3: crashed: KASAN: slab-out-of-bounds Write in default_read_copy_kernel run #4: crashed: KASAN: slab-out-of-bounds Write in default_read_copy_kernel run #5: crashed: KASAN: slab-out-of-bounds Write in default_read_copy_kernel run #6: crashed: KASAN: slab-out-of-bounds Write in default_read_copy_kernel run #7: crashed: KASAN: slab-out-of-bounds Write in default_read_copy_kernel # git bisect bad 563785edfcef02b566e64fb5292c74c1600808aa Bisecting: 0 revisions left to test after this (roughly 0 steps) [65766ee0bf7fe8b3be80e2e1c3ef54ad59b29476] ALSA: oss: Use kvzalloc() for local buffer allocations testing commit 65766ee0bf7fe8b3be80e2e1c3ef54ad59b29476 with gcc (GCC) 8.1.0 all runs: crashed: KASAN: slab-out-of-bounds Write in default_read_copy_kernel # git bisect bad 65766ee0bf7fe8b3be80e2e1c3ef54ad59b29476 65766ee0bf7fe8b3be80e2e1c3ef54ad59b29476 is the first bad commit commit 65766ee0bf7fe8b3be80e2e1c3ef54ad59b29476 Author: Takashi Iwai Date: Fri Nov 9 11:59:45 2018 +0100 ALSA: oss: Use kvzalloc() for local buffer allocations PCM OSS layer may allocate a few temporary buffers, one for the core read/write and another for the conversions via plugins. Currently both are allocated via vmalloc(). But as the allocation size is equivalent with the PCM period size, the required size might be quite small, depending on the application. This patch replaces these vmalloc() calls with kvzalloc() for covering small period sizes better. Also, we use "z"-alloc variant here for addressing the possible uninitialized access reported by syzkaller. Reported-by: syzbot+1cb36954e127c98dd037@syzkaller.appspotmail.com Cc: Signed-off-by: Takashi Iwai :040000 040000 2abf9a3d6dba048bb990bb680fc680d4071d5abc c20152eee2fc4678b6b3d3b2af1259de52bf6af9 M sound revisions tested: 16, total time: 3h14m22.019353205s (build: 1h22m21.67817783s, test: 1h48m51.252757343s) first bad commit: 65766ee0bf7fe8b3be80e2e1c3ef54ad59b29476 ALSA: oss: Use kvzalloc() for local buffer allocations cc: ["alsa-devel@alsa-project.org" "dan.carpenter@oracle.com" "gustavo@embeddedor.com" "joe@perches.com" "linux-kernel@vger.kernel.org" "perex@perex.cz" "tiwai@suse.com" "tiwai@suse.de" "vkoul@kernel.org"] crash: KASAN: slab-out-of-bounds Write in default_read_copy_kernel RDX: 0000000000000001 RSI: 0000000020001640 RDI: 0000000000000003 RBP: 00007fed2693eca0 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00007fed2693f6d4 R13: 00000000004aab09 R14: 00000000006e8c28 R15: 0000000000000004 ================================================================== BUG: KASAN: slab-out-of-bounds in memcpy include/linux/string.h:352 [inline] BUG: KASAN: slab-out-of-bounds in default_read_copy_kernel+0xe1/0x140 sound/core/pcm_lib.c:1988 Write of size 64 at addr ffff880058e03600 by task syz-executor1/7447 CPU: 1 PID: 7447 Comm: syz-executor1 Not tainted 4.20.0-rc1+ #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x244/0x39d lib/dump_stack.c:113 print_address_description.cold.7+0x9/0x1ff mm/kasan/report.c:256 kasan_report_error mm/kasan/report.c:354 [inline] kasan_report.cold.8+0x242/0x309 mm/kasan/report.c:412 check_memory_region_inline mm/kasan/kasan.c:260 [inline] check_memory_region+0x13e/0x1b0 mm/kasan/kasan.c:267 memcpy+0x37/0x50 mm/kasan/kasan.c:303 memcpy include/linux/string.h:352 [inline] default_read_copy_kernel+0xe1/0x140 sound/core/pcm_lib.c:1988 interleaved_copy+0xd1/0x110 sound/core/pcm_lib.c:2007 __snd_pcm_lib_xfer+0x115f/0x1f23 sound/core/pcm_lib.c:2227 snd_pcm_oss_read3+0x1c8/0x410 sound/core/oss/pcm_oss.c:1274 io_capture_transfer+0x27d/0x310 sound/core/oss/io.c:73 snd_pcm_plug_read_transfer+0x1d7/0x3b0 sound/core/oss/pcm_plugin.c:651 snd_pcm_oss_read2+0x221/0x450 sound/core/oss/pcm_oss.c:1474 snd_pcm_oss_read1 sound/core/oss/pcm_oss.c:1531 [inline] snd_pcm_oss_read+0x638/0x830 sound/core/oss/pcm_oss.c:2752 do_loop_readv_writev fs/read_write.c:700 [inline] do_iter_read+0x4a3/0x650 fs/read_write.c:924 vfs_readv+0x175/0x1c0 fs/read_write.c:986 FAULT_INJECTION: forcing a failure. name failslab, interval 1, probability 0, space 0, times 0 do_readv+0x11a/0x310 fs/read_write.c:1019 __do_sys_readv fs/read_write.c:1106 [inline] __se_sys_readv fs/read_write.c:1103 [inline] __x64_sys_readv+0x75/0xb0 fs/read_write.c:1103 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x456fc9 Code: 5d af fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 2b af fb ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007fed2693ec88 EFLAGS: 00000246 ORIG_RAX: 0000000000000013 RAX: ffffffffffffffda RBX: 000000000071bf00 RCX: 0000000000456fc9 RDX: 0000000000000001 RSI: 0000000020001640 RDI: 0000000000000003 RBP: 00007fed2693eca0 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00007fed2693f6d4 R13: 00000000004aab09 R14: 00000000006e8c28 R15: 0000000000000004 CPU: 0 PID: 7470 Comm: syz-executor4 Not tainted 4.20.0-rc1+ #1 Allocated by task 7447: save_stack+0x43/0xd0 mm/kasan/kasan.c:448 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014 set_track mm/kasan/kasan.c:460 [inline] kasan_kmalloc+0xc7/0xe0 mm/kasan/kasan.c:553 __do_kmalloc_node mm/slab.c:3684 [inline] __kmalloc_node+0x50/0x70 mm/slab.c:3691 Call Trace: kmalloc_node include/linux/slab.h:589 [inline] kvmalloc_node+0x65/0xf0 mm/util.c:416 kvmalloc include/linux/mm.h:577 [inline] kvzalloc include/linux/mm.h:585 [inline] snd_pcm_plugin_alloc+0x577/0x770 sound/core/oss/pcm_plugin.c:70 __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x244/0x39d lib/dump_stack.c:113 snd_pcm_plug_alloc+0x149/0x340 sound/core/oss/pcm_plugin.c:129 snd_pcm_oss_change_params_locked+0x2209/0x3c60 sound/core/oss/pcm_oss.c:1038 fail_dump lib/fault-inject.c:51 [inline] should_fail.cold.4+0xa/0x17 lib/fault-inject.c:149 snd_pcm_oss_make_ready_locked+0xbc/0x130 sound/core/oss/pcm_oss.c:1183 snd_pcm_oss_read1 sound/core/oss/pcm_oss.c:1507 [inline] snd_pcm_oss_read+0x417/0x830 sound/core/oss/pcm_oss.c:2752 do_loop_readv_writev fs/read_write.c:700 [inline] do_iter_read+0x4a3/0x650 fs/read_write.c:924 vfs_readv+0x175/0x1c0 fs/read_write.c:986 do_readv+0x11a/0x310 fs/read_write.c:1019 __do_sys_readv fs/read_write.c:1106 [inline] __se_sys_readv fs/read_write.c:1103 [inline] __x64_sys_readv+0x75/0xb0 fs/read_write.c:1103 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x49/0xbe Freed by task 16: save_stack+0x43/0xd0 mm/kasan/kasan.c:448 set_track mm/kasan/kasan.c:460 [inline] __kasan_slab_free+0x102/0x150 mm/kasan/kasan.c:521 kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528 __cache_free mm/slab.c:3498 [inline] kfree+0xcf/0x230 mm/slab.c:3817 kzfree+0x28/0x30 mm/slab_common.c:1564 aa_free_task_ctx security/apparmor/include/task.h:61 [inline] apparmor_task_free+0x13a/0x1e0 security/apparmor/lsm.c:95 security_task_free+0x4a/0x80 security/security.c:1007 __put_task_struct+0x195/0x620 kernel/fork.c:724 __should_failslab+0x124/0x180 mm/failslab.c:32 put_task_struct include/linux/sched/task.h:96 [inline] delayed_put_task_struct+0x2ff/0x4c0 kernel/exit.c:181 should_failslab+0x9/0x14 mm/slab_common.c:1578 __rcu_reclaim kernel/rcu/rcu.h:240 [inline] rcu_do_batch kernel/rcu/tree.c:2437 [inline] invoke_rcu_callbacks kernel/rcu/tree.c:2716 [inline] rcu_process_callbacks+0x100a/0x1ac0 kernel/rcu/tree.c:2697 __do_softirq+0x308/0xb7e kernel/softirq.c:292 slab_pre_alloc_hook mm/slab.h:423 [inline] slab_alloc mm/slab.c:3378 [inline] __do_kmalloc mm/slab.c:3720 [inline] __kmalloc+0x2e0/0x760 mm/slab.c:3731 The buggy address belongs to the object at ffff880058e03600 which belongs to the cache kmalloc-32 of size 32 The buggy address is located 0 bytes inside of 32-byte region [ffff880058e03600, ffff880058e03620) kmalloc_array include/linux/slab.h:669 [inline] kcalloc include/linux/slab.h:680 [inline] constrain_params_by_rules+0x149/0x13b0 sound/core/pcm_native.c:371 The buggy address belongs to the page: page:ffffea00016380c0 count:1 mapcount:0 mapping:ffff88006c0001c0 index:0xffff880058e03fc1 flags: 0x1fffc0000000200(slab) raw: 01fffc0000000200 ffffea0001a88508 ffffea0001aaf008 ffff88006c0001c0 raw: ffff880058e03fc1 ffff880058e03000 000000010000003f 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff880058e03500: 00 06 fc fc fc fc fc fc 00 07 fc fc fc fc fc fc ffff880058e03580: 00 00 fc fc fc fc fc fc fb fb fb fb fc fc fc fc >ffff880058e03600: 00 00 00 00 fc fc fc fc fb fb fb fb fc fc fc fc ^ ffff880058e03680: 00 00 03 fc fc fc fc fc 00 01 fc fc fc fc fc fc ffff880058e03700: 00 00 00 00 fc fc fc fc fb fb fb fb fc fc fc fc ==================================================================