bisecting fixing commit since 174651bdf802a2139065e8e31ce950e2f3fc4a94
building syzkaller on 0ecb9746a701be4544b845514a31a21cce92cc79
testing commit 174651bdf802a2139065e8e31ce950e2f3fc4a94 with gcc (GCC) 8.1.0
kernel signature: b9555a697803f759594171c4ea9563f15c568953
run #0: crashed: KASAN: slab-out-of-bounds Read in linear_transfer
run #1: crashed: KASAN: slab-out-of-bounds Read in linear_transfer
run #2: crashed: KASAN: slab-out-of-bounds Read in linear_transfer
run #3: crashed: KASAN: slab-out-of-bounds Read in linear_transfer
run #4: crashed: KASAN: slab-out-of-bounds Read in linear_transfer
run #5: crashed: KASAN: slab-out-of-bounds Read in linear_transfer
run #6: crashed: KASAN: slab-out-of-bounds Read in linear_transfer
run #7: crashed: KASAN: slab-out-of-bounds Read in linear_transfer
run #8: OK
run #9: OK
testing current HEAD c7ecf3e3a71c216327980f26b1e895ce9b07ad31
testing commit c7ecf3e3a71c216327980f26b1e895ce9b07ad31 with gcc (GCC) 8.1.0
kernel signature: 0433b51f363a716bd690646cf372ab3f1622e234
all runs: OK
# git bisect start c7ecf3e3a71c216327980f26b1e895ce9b07ad31 174651bdf802a2139065e8e31ce950e2f3fc4a94
Bisecting: 500 revisions left to test after this (roughly 9 steps)
[b6f4e1caf426b1978c1afdbade18d094aed4e3ce] firmware: qcom: scm: fix compilation error when disabled
testing commit b6f4e1caf426b1978c1afdbade18d094aed4e3ce with gcc (GCC) 8.1.0
kernel signature: 8ffe78d9380b3125acb97af64b3502ad85b52468
all runs: crashed: KASAN: slab-out-of-bounds Read in linear_transfer
# git bisect good b6f4e1caf426b1978c1afdbade18d094aed4e3ce
Bisecting: 250 revisions left to test after this (roughly 8 steps)
[848fd6b17926703648a2c77933a3713163e875e4] mmc: block: Make card_busy_detect() a bit more generic
testing commit 848fd6b17926703648a2c77933a3713163e875e4 with gcc (GCC) 8.1.0
kernel signature: ed8817e78243c299f4ce5d5abd0e4eb8928bceff
all runs: OK
# git bisect bad 848fd6b17926703648a2c77933a3713163e875e4
Bisecting: 124 revisions left to test after this (roughly 7 steps)
[7c07d0267364194aae9786ec0b3d70a65c83329b] hwrng: omap - Fix RNG wait loop timeout
testing commit 7c07d0267364194aae9786ec0b3d70a65c83329b with gcc (GCC) 8.1.0
kernel signature: c53247e69b55225009b5d979506d55cfe8a9d59a
all runs: OK
# git bisect bad 7c07d0267364194aae9786ec0b3d70a65c83329b
Bisecting: 62 revisions left to test after this (roughly 6 steps)
[af0174a63c45bd25c7fd7ece5f93e5f166256d1c] binder: Handle start==NULL in binder_update_page_range()
testing commit af0174a63c45bd25c7fd7ece5f93e5f166256d1c with gcc (GCC) 8.1.0
kernel signature: e334eae71e90c5941955f77d5fab0324e06df951
all runs: OK
# git bisect bad af0174a63c45bd25c7fd7ece5f93e5f166256d1c
Bisecting: 30 revisions left to test after this (roughly 5 steps)
[28655c632ee0090ae01576e234118ee983a4afa3] xfrm interface: fix memory leak on creation
testing commit 28655c632ee0090ae01576e234118ee983a4afa3 with gcc (GCC) 8.1.0
kernel signature: 15ca17093dbc532d0a63728024a74c65d1232798
all runs: OK
# git bisect bad 28655c632ee0090ae01576e234118ee983a4afa3
Bisecting: 15 revisions left to test after this (roughly 4 steps)
[742f2319cbd61d9a051f532ad8c83bb33b48f442] sched/fair: Scale bandwidth quota and period without losing quota/period ratio precision
testing commit 742f2319cbd61d9a051f532ad8c83bb33b48f442 with gcc (GCC) 8.1.0
kernel signature: 1afa5323811aa5da77d1807b96c5e94fc5a2de2d
run #0: crashed: KASAN: slab-out-of-bounds Read in linear_transfer
run #1: crashed: KASAN: slab-out-of-bounds Read in linear_transfer
run #2: crashed: KASAN: slab-out-of-bounds Read in linear_transfer
run #3: crashed: KASAN: slab-out-of-bounds Read in linear_transfer
run #4: crashed: KASAN: slab-out-of-bounds Read in linear_transfer
run #5: crashed: KASAN: slab-out-of-bounds Read in linear_transfer
run #6: crashed: KASAN: slab-out-of-bounds Read in linear_transfer
run #7: OK
run #8: OK
run #9: OK
# git bisect good 742f2319cbd61d9a051f532ad8c83bb33b48f442
Bisecting: 7 revisions left to test after this (roughly 3 steps)
[2ef2441c49859001d562b1c40635d4d7bc74f758] Input: synaptics - switch another X1 Carbon 6 to RMI/SMbus
testing commit 2ef2441c49859001d562b1c40635d4d7bc74f758 with gcc (GCC) 8.1.0
kernel signature: c2611e1bd0d9bd35e507e4023681e9e9de24dc83
all runs: OK
# git bisect bad 2ef2441c49859001d562b1c40635d4d7bc74f758
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[fa77bf0cf96c54de226463a6fe9d8dd4be5c115a] ALSA: hda/realtek - Enable the headset-mic on a Xiaomi's laptop
testing commit fa77bf0cf96c54de226463a6fe9d8dd4be5c115a with gcc (GCC) 8.1.0
kernel signature: e42cb28eec03889a6f65833597b26fc20f2e741b
run #0: crashed: KASAN: slab-out-of-bounds Read in linear_transfer
run #1: crashed: KASAN: slab-out-of-bounds Read in linear_transfer
run #2: crashed: KASAN: slab-out-of-bounds Read in linear_transfer
run #3: crashed: KASAN: slab-out-of-bounds Read in linear_transfer
run #4: crashed: KASAN: slab-out-of-bounds Read in linear_transfer
run #5: crashed: KASAN: slab-out-of-bounds Read in linear_transfer
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect good fa77bf0cf96c54de226463a6fe9d8dd4be5c115a
Bisecting: 1 revision left to test after this (roughly 1 step)
[c6bebccd3c6293e49a291a3339f1230b3e49630a] ALSA: pcm: oss: Avoid potential buffer overflows
testing commit c6bebccd3c6293e49a291a3339f1230b3e49630a with gcc (GCC) 8.1.0
kernel signature: 8ed64b771c947055653c34aa8dd4df0052851cc9
all runs: OK
# git bisect bad c6bebccd3c6293e49a291a3339f1230b3e49630a
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[f9f56eb9c8412fa62131e6ed0ac8cb7ab7d15d77] ALSA: hda/realtek - Dell headphone has noise on unmute for ALC236
testing commit f9f56eb9c8412fa62131e6ed0ac8cb7ab7d15d77 with gcc (GCC) 8.1.0
kernel signature: d7ac5d892496087a4674c013ba90d3cd8c5f090b
run #0: crashed: KASAN: slab-out-of-bounds Read in linear_transfer
run #1: crashed: KASAN: slab-out-of-bounds Read in linear_transfer
run #2: crashed: KASAN: slab-out-of-bounds Read in linear_transfer
run #3: crashed: KASAN: slab-out-of-bounds Read in linear_transfer
run #4: crashed: KASAN: slab-out-of-bounds Read in linear_transfer
run #5: crashed: KASAN: slab-out-of-bounds Read in linear_transfer
run #6: crashed: KASAN: slab-out-of-bounds Read in linear_transfer
run #7: OK
run #8: OK
run #9: OK
# git bisect good f9f56eb9c8412fa62131e6ed0ac8cb7ab7d15d77
c6bebccd3c6293e49a291a3339f1230b3e49630a is the first bad commit
commit c6bebccd3c6293e49a291a3339f1230b3e49630a
Author: Takashi Iwai
Date:   Wed Dec 4 15:48:24 2019 +0100

    ALSA: pcm: oss: Avoid potential buffer overflows

    commit 4cc8d6505ab82db3357613d36e6c58a297f57f7c upstream.

    syzkaller reported an invalid access in PCM OSS read, and this seems
    to be an overflow of the internal buffer allocated for a plugin.
    Since the rate plugin adjusts its transfer size dynamically, the
    calculation for the chained plugin might be bigger than the given
    buffer size in some extreme cases, which leads to such a buffer
    overflow as caught by KASAN.

    Fix it by limiting the max transfer size properly by checking against
    the destination size in each plugin transfer callback.

    Reported-by: syzbot+f153bde47a62e0b05f83@syzkaller.appspotmail.com
    Cc:
    Link: https://lore.kernel.org/r/20191204144824.17801-1-tiwai@suse.de
    Signed-off-by: Takashi Iwai
    Signed-off-by: Greg Kroah-Hartman

 sound/core/oss/linear.c | 2 ++
 sound/core/oss/mulaw.c  | 2 ++
 sound/core/oss/route.c  | 2 ++
 3 files changed, 6 insertions(+)

culprit signature: 8ed64b771c947055653c34aa8dd4df0052851cc9
parent signature: d7ac5d892496087a4674c013ba90d3cd8c5f090b
revisions tested: 12, total time: 4h0m47.524975474s (build: 1h47m0.956229173s, test: 2h12m1.807393669s)
first good commit: c6bebccd3c6293e49a291a3339f1230b3e49630a ALSA: pcm: oss: Avoid potential buffer overflows
cc: ["alsa-devel@alsa-project.org" "gregkh@linuxfoundation.org" "linux-kernel@vger.kernel.org" "perex@perex.cz" "tiwai@suse.com" "tiwai@suse.de"]