bisecting fixing commit since e5a54aa2d312e75fe4bc66c7b84400b02266e946
building syzkaller on 233283a191b3c32a48c56928985c8e2cfc004aeb
testing commit e5a54aa2d312e75fe4bc66c7b84400b02266e946 with gcc (GCC) 8.1.0
kernel signature: 648976cba9c182bb07aee9bb65dc927b439dc6435506916e6dd45caa61369c39
run #0: crashed: KASAN: invalid-free in snd_seq_port_disconnect
run #1: crashed: KASAN: invalid-free in snd_seq_port_disconnect
run #2: crashed: KASAN: invalid-free in snd_seq_port_disconnect
run #3: crashed: KASAN: invalid-free in snd_seq_port_disconnect
run #4: crashed: KASAN: invalid-free in snd_seq_port_disconnect
run #5: crashed: KASAN: use-after-free Read in delete_and_unsubscribe_port
run #6: crashed: KASAN: invalid-free in snd_seq_port_disconnect
run #7: crashed: KASAN: invalid-free in snd_seq_port_disconnect
run #8: crashed: KASAN: invalid-free in snd_seq_port_disconnect
run #9: crashed: KASAN: invalid-free in snd_seq_port_disconnect
testing current HEAD d7e78d08fa77acdea351c8f628f49ca9a0e1029a
testing commit d7e78d08fa77acdea351c8f628f49ca9a0e1029a with gcc (GCC) 8.1.0
kernel signature: 8866efd5705b16b237ae6ef0e78434ecbae1cc02aeb12b831b9e476624026ae8
all runs: OK
# git bisect start d7e78d08fa77acdea351c8f628f49ca9a0e1029a e5a54aa2d312e75fe4bc66c7b84400b02266e946
Bisecting: 174 revisions left to test after this (roughly 8 steps)
[9b0d455389e53f264a601423b6fbc92b11a41a84] drm: panel: simple: Fix bpc for LG LB070WV8 panel
testing commit 9b0d455389e53f264a601423b6fbc92b11a41a84 with gcc (GCC) 8.1.0
kernel signature: 91535e302481bf16996b39a272dae3b98e24e89077fc04d2c4c97e79ffb85c26
all runs: OK
# git bisect bad 9b0d455389e53f264a601423b6fbc92b11a41a84
Bisecting: 86 revisions left to test after this (roughly 7 steps)
[dbe4aa36c940dc309133e5d10a5771f3d0bf2d28] leds: wm831x-status: fix use-after-free on unbind
testing commit dbe4aa36c940dc309133e5d10a5771f3d0bf2d28 with gcc (GCC) 8.1.0
kernel signature: 70f3d50327e2294835ca153a6669272acd131932c8db8df6db3ce85491e5ba0d
all runs: OK
# git bisect bad dbe4aa36c940dc309133e5d10a5771f3d0bf2d28
Bisecting: 43 revisions left to test after this (roughly 6 steps)
[a4bdf2cd63b5f14e16791e69927a92232523e1a3] mlx4: disable device on shutdown
testing commit a4bdf2cd63b5f14e16791e69927a92232523e1a3 with gcc (GCC) 8.1.0
kernel signature: 39cef103f151e852b1550e26c6969c8104abf5dd44efd186eb6b7b05345d7383
run #0: crashed: KASAN: invalid-free in snd_seq_port_disconnect
run #1: crashed: KASAN: invalid-free in snd_seq_port_disconnect
run #2: crashed: KASAN: invalid-free in snd_seq_port_disconnect
run #3: crashed: KASAN: invalid-free in snd_seq_port_disconnect
run #4: crashed: KASAN: invalid-free in snd_seq_port_disconnect
run #5: crashed: KASAN: invalid-free in snd_seq_port_disconnect
run #6: crashed: KASAN: use-after-free Read in delete_and_unsubscribe_port
run #7: crashed: KASAN: invalid-free in snd_seq_port_disconnect
run #8: crashed: KASAN: use-after-free Read in delete_and_unsubscribe_port
run #9: crashed: KASAN: invalid-free in snd_seq_port_disconnect
# git bisect good a4bdf2cd63b5f14e16791e69927a92232523e1a3
Bisecting: 21 revisions left to test after this (roughly 5 steps)
[583bcbc024f6bf8daa266f4f71b99e9d6e78c40b] random32: update the net random state on interrupt and activity
testing commit 583bcbc024f6bf8daa266f4f71b99e9d6e78c40b with gcc (GCC) 8.1.0
kernel signature: 116f1163d5a7f2df0e418c92256ce0844c6da20cbfdd13543e9b85c89005c81d
run #0: crashed: KASAN: invalid-free in snd_seq_port_disconnect
run #1: crashed: KASAN: use-after-free Read in delete_and_unsubscribe_port
run #2: crashed: KASAN: invalid-free in snd_seq_port_disconnect
run #3: crashed: KASAN: invalid-free in snd_seq_port_disconnect
run #4: crashed: KASAN: invalid-free in snd_seq_port_disconnect
run #5: crashed: KASAN: invalid-free in snd_seq_port_disconnect
run #6: crashed: KASAN: invalid-free in snd_seq_port_disconnect
run #7: crashed: KASAN: invalid-free in snd_seq_port_disconnect
run #8: crashed: KASAN: invalid-free in snd_seq_port_disconnect
run #9: crashed: KASAN: invalid-free in snd_seq_port_disconnect
# git bisect good 583bcbc024f6bf8daa266f4f71b99e9d6e78c40b
Bisecting: 10 revisions left to test after this (roughly 4 steps)
[5eed80ea8f60cc3935f46ec848fa1677b5e1a31a] usb: xhci: define IDs for various ASMedia host controllers
testing commit 5eed80ea8f60cc3935f46ec848fa1677b5e1a31a with gcc (GCC) 8.1.0
kernel signature: 141455190669028c62fee80345b8a0f74b20c6df517447c43f487a8103cf9ec7
run #0: crashed: KASAN: invalid-free in snd_seq_port_disconnect
run #1: crashed: KASAN: invalid-free in snd_seq_port_disconnect
run #2: crashed: KASAN: use-after-free Read in delete_and_unsubscribe_port
run #3: crashed: KASAN: invalid-free in snd_seq_port_disconnect
run #4: crashed: KASAN: use-after-free Read in delete_and_unsubscribe_port
run #5: crashed: KASAN: use-after-free Read in delete_and_unsubscribe_port
run #6: crashed: KASAN: invalid-free in snd_seq_port_disconnect
run #7: crashed: KASAN: invalid-free in snd_seq_port_disconnect
run #8: crashed: KASAN: invalid-free in snd_seq_port_disconnect
run #9: crashed: KASAN: invalid-free in snd_seq_port_disconnect
# git bisect good 5eed80ea8f60cc3935f46ec848fa1677b5e1a31a
Bisecting: 5 revisions left to test after this (roughly 3 steps)
[8b0861f956f65f063662f9553a4dcad574a95b37] Bluetooth: Prevent out-of-bounds read in hci_inquiry_result_evt()
testing commit 8b0861f956f65f063662f9553a4dcad574a95b37 with gcc (GCC) 8.1.0
kernel signature: ba3356bea5772ae5c31a4154a747ed9d678ae9b04e2d9294122755eb66dae198
all runs: OK
# git bisect bad 8b0861f956f65f063662f9553a4dcad574a95b37
Bisecting: 2 revisions left to test after this (roughly 1 step)
[ccafbed8b2f6a9d9298534b39e76da9cb40ff717] ALSA: seq: oss: Serialize ioctls
testing commit ccafbed8b2f6a9d9298534b39e76da9cb40ff717 with gcc (GCC) 8.1.0
kernel signature: e255276e45dccbac413e67c82cf40aab6d44783e1b1fd4a23832dc814171988c
all runs: OK
# git bisect bad ccafbed8b2f6a9d9298534b39e76da9cb40ff717
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[c5021d4fa888ad248b4168947eb1e569de75fdb1] usb: xhci: Fix ASMedia ASM1142 DMA addressing
testing commit c5021d4fa888ad248b4168947eb1e569de75fdb1 with gcc (GCC) 8.1.0
kernel signature: 9e50c22d3e84395ec06e61e93b14c256a3604923e41d562010633b82ca5821b4
run #0: crashed: KASAN: invalid-free in snd_seq_port_disconnect
run #1: crashed: KASAN: use-after-free Read in delete_and_unsubscribe_port
run #2: crashed: KASAN: invalid-free in snd_seq_port_disconnect
run #3: crashed: KASAN: invalid-free in snd_seq_port_disconnect
run #4: crashed: KASAN: invalid-free in snd_seq_port_disconnect
run #5: crashed: KASAN: invalid-free in snd_seq_port_disconnect
run #6: crashed: KASAN: invalid-free in snd_seq_port_disconnect
run #7: crashed: KASAN: invalid-free in snd_seq_port_disconnect
run #8: crashed: KASAN: invalid-free in snd_seq_port_disconnect
run #9: crashed: KASAN: invalid-free in snd_seq_port_disconnect
# git bisect good c5021d4fa888ad248b4168947eb1e569de75fdb1
ccafbed8b2f6a9d9298534b39e76da9cb40ff717 is the first bad commit
commit ccafbed8b2f6a9d9298534b39e76da9cb40ff717
Author: Takashi Iwai
Date: Tue Aug 4 20:58:15 2020 +0200

    ALSA: seq: oss: Serialize ioctls

    commit 80982c7e834e5d4e325b6ce33757012ecafdf0bb upstream.

    Some ioctls via OSS sequencer API may race and lead to UAF when the port create and delete are performed concurrently, as spotted by a couple of syzkaller cases. This patch is an attempt to address it by serializing the ioctls with the existing register_mutex.

    Basically OSS sequencer API is an obsoleted interface and was designed without much consideration of the concurrency. There are very few applications with it, and the concurrent performance isn't asked, hence this "big hammer" approach should be good enough.

    Reported-by: syzbot+1a54a94bd32716796edd@syzkaller.appspotmail.com
    Reported-by: syzbot+9d2abfef257f3e2d4713@syzkaller.appspotmail.com
    Suggested-by: Hillf Danton
    Cc:
    Link: https://lore.kernel.org/r/20200804185815.2453-1-tiwai@suse.de
    Signed-off-by: Takashi Iwai
    Signed-off-by: Greg Kroah-Hartman

 sound/core/seq/oss/seq_oss.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
culprit signature: e255276e45dccbac413e67c82cf40aab6d44783e1b1fd4a23832dc814171988c
parent signature: 9e50c22d3e84395ec06e61e93b14c256a3604923e41d562010633b82ca5821b4
revisions tested: 10, total time: 2h42m7.85004363s (build: 1h37m8.439267116s, test: 1h3m4.322310167s)
first good commit: ccafbed8b2f6a9d9298534b39e76da9cb40ff717 ALSA: seq: oss: Serialize ioctls
recipients (to): ["alsa-devel@alsa-project.org" "gregkh@linuxfoundation.org" "perex@perex.cz" "tiwai@suse.com" "tiwai@suse.de"]
recipients (cc): ["gregkh@linuxfoundation.org" "linux-kernel@vger.kernel.org"]