bisecting cause commit starting from 76bb8b05960c3d1668e6bee7624ed886cbd135ba
building syzkaller on ae13a849e613cd929bbcf98bec83e1bdb30a62b1
testing commit 76bb8b05960c3d1668e6bee7624ed886cbd135ba with gcc (GCC) 8.1.0
kernel signature: 12d34dfc93687acfa5ef92c9e2586a39dcc253d0
all runs: crashed: KASAN: slab-out-of-bounds Read in linear_transfer
testing release v5.4
testing commit 219d54332a09e8d8741c1e1982f5eae56099de85 with gcc (GCC) 8.1.0
kernel signature: 8b97270ff1a43679d78bd38327716d7e7d058773
all runs: crashed: KASAN: slab-out-of-bounds Read in linear_transfer
testing release v5.3
testing commit 4d856f72c10ecb060868ed10ff1b1453943fc6c8 with gcc (GCC) 8.1.0
kernel signature: c3a7fa1ab19897d47fd9931e1458acee7a2cc32a
all runs: crashed: KASAN: slab-out-of-bounds Read in linear_transfer
testing release v5.2
testing commit 0ecfebd2b52404ae0c54a878c872bb93363ada36 with gcc (GCC) 8.1.0
kernel signature: 4f666ca8009ff7287d83fc46a8f8266cedc38e6c
all runs: crashed: KASAN: slab-out-of-bounds Read in linear_transfer
testing release v5.1
testing commit e93c9c99a629c61837d5a7fc2120cd2b6c70dbdd with gcc (GCC) 8.1.0
kernel signature: 1cc3432e5231e40227b12efe2d6e4f8d02b9146d
all runs: crashed: KASAN: slab-out-of-bounds Read in linear_transfer
testing release v5.0
testing commit 1c163f4c7b3f621efff9b28a47abb36f7378d783 with gcc (GCC) 8.1.0
kernel signature: aeb8dfffe6138554f12a74f183895ce812597a33
all runs: crashed: KASAN: slab-out-of-bounds Read in linear_transfer
testing release v4.20
testing commit 8fe28cb58bcb235034b64cbbb7550a8a43fd88be with gcc (GCC) 8.1.0
kernel signature: 1ace060cbe57b2e63afd09b8b699a1980c7b9ec1
all runs: crashed: KASAN: slab-out-of-bounds Read in linear_transfer
testing release v4.19
testing commit 84df9525b0c27f3ebc2ebb1864fa62a97fdedb7d with gcc (GCC) 8.1.0
kernel signature: db5d8ab3d7322eb0c4ec4b07ce3c1f4454d986da
all runs: OK
# git bisect start 8fe28cb58bcb235034b64cbbb7550a8a43fd88be 84df9525b0c27f3ebc2ebb1864fa62a97fdedb7d
Bisecting: 7499 revisions left to test after this (roughly 13 steps)
[ec9c166434595382be3babf266febf876327774d] Merge tag 'mips_fixes_4.20_1' of git://git.kernel.org/pub/scm/linux/kernel/git/mips/linux
testing commit ec9c166434595382be3babf266febf876327774d with gcc (GCC) 8.1.0
kernel signature: 67ec74ced624a8ac0e971ed6834168c2ed0361cb
all runs: OK
# git bisect good ec9c166434595382be3babf266febf876327774d
Bisecting: 3610 revisions left to test after this (roughly 12 steps)
[93335e5911dbffccd3b74c4d214268c0fd2bc1b0] Merge tag 'armsoc-dt' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc
testing commit 93335e5911dbffccd3b74c4d214268c0fd2bc1b0 with gcc (GCC) 8.1.0
kernel signature: fc926b2f011872791c3f411e28734ed0fd305a27
all runs: OK
# git bisect good 93335e5911dbffccd3b74c4d214268c0fd2bc1b0
Bisecting: 1804 revisions left to test after this (roughly 11 steps)
[e12e00e388dee1d2a86e9b90f79a69f9acd2c9b0] Merge tag 'kbuild-fixes-v4.20' of git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild
testing commit e12e00e388dee1d2a86e9b90f79a69f9acd2c9b0 with gcc (GCC) 8.1.0
kernel signature: 918d7d9c004b8d69acd88573164030a3b60c9907
all runs: OK
# git bisect good e12e00e388dee1d2a86e9b90f79a69f9acd2c9b0
Bisecting: 900 revisions left to test after this (roughly 10 steps)
[d8f190ee836a4581ba906731835d735cb97948f5] Merge branch 'akpm' (patches from Andrew)
testing commit d8f190ee836a4581ba906731835d735cb97948f5 with gcc (GCC) 8.1.0
kernel signature: 0e487e97b0abf9b727c46f87aca776156e5d41c8
all runs: crashed: KASAN: slab-out-of-bounds Read in linear_transfer
# git bisect bad d8f190ee836a4581ba906731835d735cb97948f5
Bisecting: 469 revisions left to test after this (roughly 9 steps)
[abe72ff4134028ff2189d29629c40a40bee0a989] Merge tag 'xfs-4.20-fixes-2' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux
testing commit abe72ff4134028ff2189d29629c40a40bee0a989 with gcc (GCC) 8.1.0
kernel signature: ae1471b8483856023f2e1db301e4e6098d04f324
run #0: crashed: KASAN: slab-out-of-bounds Read in linear_transfer
run #1: crashed: KASAN: slab-out-of-bounds Read in linear_transfer
run #2: crashed: KASAN: slab-out-of-bounds Read in linear_transfer
run #3: crashed: KASAN: slab-out-of-bounds Read in linear_transfer
run #4: crashed: KASAN: slab-out-of-bounds Read in linear_transfer
run #5: crashed: KASAN: slab-out-of-bounds Read in linear_transfer
run #6: crashed: KASAN: slab-out-of-bounds Read in linear_transfer
run #7: crashed: KASAN: slab-out-of-bounds Read in linear_transfer
run #8: crashed: KASAN: slab-out-of-bounds Read in linear_transfer
run #9: OK
# git bisect bad abe72ff4134028ff2189d29629c40a40bee0a989
Bisecting: 215 revisions left to test after this (roughly 8 steps)
[25e19c1fe421280a47f37c3571aa379e6e67966c] Merge tag 'libnvdimm-fixes-4.20-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/nvdimm/nvdimm
testing commit 25e19c1fe421280a47f37c3571aa379e6e67966c with gcc (GCC) 8.1.0
kernel signature: 2f3aaff6974d3ea8e20432d3179317232e18ada3
all runs: OK
# git bisect good 25e19c1fe421280a47f37c3571aa379e6e67966c
Bisecting: 109 revisions left to test after this (roughly 7 steps)
[ef4d6f2c0c659922856bb48cbb7a83ac97941e01] Merge tag 'mtd/fixes-for-4.20-rc4' of git://git.infradead.org/linux-mtd
testing commit ef4d6f2c0c659922856bb48cbb7a83ac97941e01 with gcc (GCC) 8.1.0
kernel signature: 5f5af5f9f608fa2e5d6fd0efb290c3bcd7ccc9cc
all runs: OK
# git bisect good ef4d6f2c0c659922856bb48cbb7a83ac97941e01
Bisecting: 46 revisions left to test after this (roughly 6 steps)
[9b7c880c834c0a1c80a1dc6b8a0b19155361321f] Merge tag 'drm-fixes-2018-11-23' of git://anongit.freedesktop.org/drm/drm
testing commit 9b7c880c834c0a1c80a1dc6b8a0b19155361321f with gcc (GCC) 8.1.0
kernel signature: 84e46853f399f66f54196afc8c709e15db7e8bc4
all runs: crashed: KASAN: slab-out-of-bounds Read in linear_transfer
# git bisect bad 9b7c880c834c0a1c80a1dc6b8a0b19155361321f
Bisecting: 28 revisions left to test after this (roughly 5 steps)
[52465bce85a2d28bcec5cba5a645bb610367ab1b] Merge tag 'char-misc-4.20-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc
testing commit 52465bce85a2d28bcec5cba5a645bb610367ab1b with gcc (GCC) 8.1.0
kernel signature: f3ff115b49aa09b48e51c95cc1e2c85bd8cf0542
all runs: OK
# git bisect good 52465bce85a2d28bcec5cba5a645bb610367ab1b
Bisecting: 12 revisions left to test after this (roughly 4 steps)
[8cf6f361eb76bf7fca85bde15a0a9316fa124c0c] Merge branch 'drm-fixes-4.20' of git://people.freedesktop.org/~agd5f/linux into drm-fixes
testing commit 8cf6f361eb76bf7fca85bde15a0a9316fa124c0c with gcc (GCC) 8.1.0
kernel signature: c4e0dd3854297a2ceddeb89c8aca40969d31b5ca
all runs: OK
# git bisect good 8cf6f361eb76bf7fca85bde15a0a9316fa124c0c
Bisecting: 6 revisions left to test after this (roughly 3 steps)
[edeca3a769ad28a9477798c3b1d8e0701db728e4] Merge tag 'sound-4.20-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound
testing commit edeca3a769ad28a9477798c3b1d8e0701db728e4 with gcc (GCC) 8.1.0
kernel signature: 70c79e4c23b159976fb80853d7a1575f9ee49c52
all runs: crashed: KASAN: slab-out-of-bounds Read in linear_transfer
# git bisect bad edeca3a769ad28a9477798c3b1d8e0701db728e4
Bisecting: 2 revisions left to test after this (roughly 2 steps)
[d99501b8575dc1248bacf1b58d2241cb4b265d49] ALSA: hda/ca0132 - Call pci_iounmap() instead of iounmap()
testing commit d99501b8575dc1248bacf1b58d2241cb4b265d49 with gcc (GCC) 8.1.0
kernel signature: a13382bf193664eebc53c9cf5cb0b79be81fca79
all runs: crashed: KASAN: slab-out-of-bounds Read in linear_transfer
# git bisect bad d99501b8575dc1248bacf1b58d2241cb4b265d49
Bisecting: 0 revisions left to test after this (roughly 1 step)
[563785edfcef02b566e64fb5292c74c1600808aa] ALSA: hda/realtek - Add quirk entry for HP Pavilion 15
testing commit 563785edfcef02b566e64fb5292c74c1600808aa with gcc (GCC) 8.1.0
kernel signature: a3c75cd76c97b3eb7e44a6aaf4bc5f44e20e0fb1
run #0: crashed: KASAN: slab-out-of-bounds Read in linear_transfer
run #1: crashed: KASAN: slab-out-of-bounds Read in linear_transfer
run #2: crashed: KASAN: slab-out-of-bounds Read in linear_transfer
run #3: crashed: KASAN: slab-out-of-bounds Read in linear_transfer
run #4: crashed: KASAN: slab-out-of-bounds Read in linear_transfer
run #5: crashed: KASAN: slab-out-of-bounds Read in linear_transfer
run #6: crashed: KASAN: slab-out-of-bounds Read in linear_transfer
run #7: crashed: KASAN: slab-out-of-bounds Read in linear_transfer
run #8: OK
run #9: boot failed: can't ssh into the instance
# git bisect bad 563785edfcef02b566e64fb5292c74c1600808aa
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[65766ee0bf7fe8b3be80e2e1c3ef54ad59b29476] ALSA: oss: Use kvzalloc() for local buffer allocations
testing commit 65766ee0bf7fe8b3be80e2e1c3ef54ad59b29476 with gcc (GCC) 8.1.0
kernel signature: 54904c9d2a0e2e09cb5fbbfc7b57ddc3898b00c9
all runs: crashed: KASAN: slab-out-of-bounds Read in linear_transfer
# git bisect bad 65766ee0bf7fe8b3be80e2e1c3ef54ad59b29476
65766ee0bf7fe8b3be80e2e1c3ef54ad59b29476 is the first bad commit
commit 65766ee0bf7fe8b3be80e2e1c3ef54ad59b29476
Author: Takashi Iwai <tiwai@suse.de>
Date:   Fri Nov 9 11:59:45 2018 +0100

    ALSA: oss: Use kvzalloc() for local buffer allocations
    
    PCM OSS layer may allocate a few temporary buffers, one for the core
    read/write and another for the conversions via plugins.  Currently
    both are allocated via vmalloc().  But as the allocation size is
    equivalent with the PCM period size, the required size might be quite
    small, depending on the application.
    
    This patch replaces these vmalloc() calls with kvzalloc() for covering
    small period sizes better.  Also, we use "z"-alloc variant here for
    addressing the possible uninitialized access reported by syzkaller.
    
    Reported-by: syzbot+1cb36954e127c98dd037@syzkaller.appspotmail.com
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Takashi Iwai <tiwai@suse.de>

 sound/core/oss/pcm_oss.c    | 6 +++---
 sound/core/oss/pcm_plugin.c | 6 +++---
 2 files changed, 6 insertions(+), 6 deletions(-)
revisions tested: 22, total time: 5h2m31.398903368s (build: 2h12m41.669844303s, test: 2h48m11.240834277s)
first bad commit: 65766ee0bf7fe8b3be80e2e1c3ef54ad59b29476 ALSA: oss: Use kvzalloc() for local buffer allocations
cc: ["alsa-devel@alsa-project.org" "linux-kernel@vger.kernel.org" "perex@perex.cz" "tiwai@suse.com" "tiwai@suse.de"]
crash: KASAN: slab-out-of-bounds Read in linear_transfer
==================================================================
BUG: KASAN: slab-out-of-bounds in memcpy include/linux/string.h:352 [inline]
BUG: KASAN: slab-out-of-bounds in do_convert sound/core/oss/linear.c:48 [inline]
BUG: KASAN: slab-out-of-bounds in convert sound/core/oss/linear.c:81 [inline]
BUG: KASAN: slab-out-of-bounds in linear_transfer+0x578/0x960 sound/core/oss/linear.c:110
Read of size 1 at addr ffff880090f721c0 by task syz-executor.0/14703

CPU: 0 PID: 14703 Comm: syz-executor.0 Not tainted 4.20.0-rc1-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x16b/0x224 lib/dump_stack.c:113
 print_address_description.cold.7+0x9/0x1ff mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report.cold.8+0x242/0x309 mm/kasan/report.c:412
 check_memory_region_inline mm/kasan/kasan.c:260 [inline]
 check_memory_region+0x13e/0x1b0 mm/kasan/kasan.c:267
 memcpy+0x23/0x50 mm/kasan/kasan.c:302
 memcpy include/linux/string.h:352 [inline]
 do_convert sound/core/oss/linear.c:48 [inline]
 convert sound/core/oss/linear.c:81 [inline]
 linear_transfer+0x578/0x960 sound/core/oss/linear.c:110
 snd_pcm_plug_read_transfer+0x151/0x290 sound/core/oss/pcm_plugin.c:651
 snd_pcm_oss_read2+0x1a9/0x470 sound/core/oss/pcm_oss.c:1474
 snd_pcm_oss_read1 sound/core/oss/pcm_oss.c:1531 [inline]
 snd_pcm_oss_read+0x416/0x610 sound/core/oss/pcm_oss.c:2752
 __vfs_read+0xe3/0x880 fs/read_write.c:416
 vfs_read+0xf5/0x2f0 fs/read_write.c:452
 ksys_read+0xcd/0x1b0 fs/read_write.c:578
 __do_sys_read fs/read_write.c:588 [inline]
 __se_sys_read fs/read_write.c:586 [inline]
 __x64_sys_read+0x6e/0xb0 fs/read_write.c:586
 do_syscall_64+0xd0/0x4d0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x45a679
Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007fc287d81c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 000000000045a679
RDX: 0000000000001000 RSI: 0000000020000380 RDI: 0000000000000003
RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007fc287d826d4
R13: 00000000004c8aa0 R14: 00000000004e0190 R15: 00000000ffffffff

Allocated by task 14703:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 kasan_kmalloc+0xc7/0xe0 mm/kasan/kasan.c:553
 __do_kmalloc_node mm/slab.c:3684 [inline]
 __kmalloc_node+0x50/0x70 mm/slab.c:3691
 kmalloc_node include/linux/slab.h:589 [inline]
 kvmalloc_node+0x68/0x70 mm/util.c:416
 kvmalloc include/linux/mm.h:577 [inline]
 kvzalloc include/linux/mm.h:585 [inline]
 snd_pcm_plugin_alloc+0x445/0x8d0 sound/core/oss/pcm_plugin.c:70
 snd_pcm_plug_alloc+0x106/0x270 sound/core/oss/pcm_plugin.c:129
 snd_pcm_oss_change_params_locked+0x1a82/0x3170 sound/core/oss/pcm_oss.c:1038
 snd_pcm_oss_change_params+0x54/0xa0 sound/core/oss/pcm_oss.c:1101
 snd_pcm_oss_get_active_substream.part.28+0xdd/0x160 sound/core/oss/pcm_oss.c:1118
 snd_pcm_oss_get_active_substream sound/core/oss/pcm_oss.c:1111 [inline]
 snd_pcm_oss_get_rate sound/core/oss/pcm_oss.c:1768 [inline]
 snd_pcm_oss_set_rate sound/core/oss/pcm_oss.c:1760 [inline]
 snd_pcm_oss_ioctl+0x1a40/0x2fb0 sound/core/oss/pcm_oss.c:2608
 vfs_ioctl fs/ioctl.c:46 [inline]
 file_ioctl fs/ioctl.c:509 [inline]
 do_vfs_ioctl+0x196/0x10c0 fs/ioctl.c:696
 ksys_ioctl+0x62/0x90 fs/ioctl.c:713
 __do_sys_ioctl fs/ioctl.c:720 [inline]
 __se_sys_ioctl fs/ioctl.c:718 [inline]
 __x64_sys_ioctl+0x6e/0xb0 fs/ioctl.c:718
 do_syscall_64+0xd0/0x4d0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 13204:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 __kasan_slab_free+0x102/0x150 mm/kasan/kasan.c:521
 kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
 __cache_free mm/slab.c:3498 [inline]
 kfree+0xcf/0x220 mm/slab.c:3817
 load_elf_binary+0x1b57/0x4e00 fs/binfmt_elf.c:1117
 search_binary_handler+0x12b/0x630 fs/exec.c:1653
 exec_binprm fs/exec.c:1695 [inline]
 __do_execve_file.isra.32+0x1167/0x1e60 fs/exec.c:1819
 do_execveat_common fs/exec.c:1866 [inline]
 do_execve fs/exec.c:1883 [inline]
 __do_sys_execve fs/exec.c:1964 [inline]
 __se_sys_execve fs/exec.c:1959 [inline]
 __x64_sys_execve+0x8a/0xb0 fs/exec.c:1959
 do_syscall_64+0xd0/0x4d0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at ffff880090f72040
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 384 bytes inside of
 512-byte region [ffff880090f72040, ffff880090f72240)
The buggy address belongs to the page:
page:ffffea000243dc80 count:1 mapcount:0 mapping:ffff88012c2a0940 index:0xffff880090f72a40
flags: 0xfffe0000000200(slab)
raw: 00fffe0000000200 ffffea000240f608 ffffea000242d7c8 ffff88012c2a0940
raw: ffff880090f72a40 ffff880090f72040 0000000100000005 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff880090f72080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff880090f72100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff880090f72180: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
                                           ^
 ffff880090f72200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff880090f72280: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
==================================================================