bisecting cause commit starting from 63623fd44972d1ed2bfb6e0fb631dfcf547fd1e7
building syzkaller on c88c7b75a4e022b758f4b0f1bf3db8ebb2fb25e6
testing commit 63623fd44972d1ed2bfb6e0fb631dfcf547fd1e7 with gcc (GCC) 8.1.0
kernel signature: c77d983384690a568369304862bd7e24965bcee59f3f9ee88189df4955fd503e
all runs: crashed: KASAN: slab-out-of-bounds Read in resample_shrink
testing release v5.5
testing commit d5226fa6dbae0569ee43ecfc08bdcd6770fc4755 with gcc (GCC) 8.1.0
kernel signature: a943c8169f930b15f583f74facd670538d47aae81e1613d3eab784cbd8c60e30
all runs: crashed: KASAN: slab-out-of-bounds Read in resample_shrink
testing release v5.4
testing commit 219d54332a09e8d8741c1e1982f5eae56099de85 with gcc (GCC) 8.1.0
kernel signature: 2d3da993e4b44e3f07cd545821d71e90d46a083b3456d1690c8ab589d4797794
all runs: crashed: KASAN: slab-out-of-bounds Read in resample_shrink
testing release v5.3
testing commit 4d856f72c10ecb060868ed10ff1b1453943fc6c8 with gcc (GCC) 8.1.0
kernel signature: dd298225ac080d080331c4bf7f63733fcb966ad76dc9b1a795b23fa46141fe77
all runs: crashed: KASAN: slab-out-of-bounds Read in resample_shrink
testing release v5.2
testing commit 0ecfebd2b52404ae0c54a878c872bb93363ada36 with gcc (GCC) 8.1.0
kernel signature: 0d2112ff99db533a2466a4f5bc3c7599d72c89350dd761a003d3969eefc90e57
all runs: crashed: KASAN: slab-out-of-bounds Read in resample_shrink
testing release v5.1
testing commit e93c9c99a629c61837d5a7fc2120cd2b6c70dbdd with gcc (GCC) 8.1.0
kernel signature: 561f932824d90078f3eb93049c417dfa3d27686203fa041f3e7613bf6eb35bbd
all runs: crashed: KASAN: slab-out-of-bounds Read in resample_shrink
testing release v5.0
testing commit 1c163f4c7b3f621efff9b28a47abb36f7378d783 with gcc (GCC) 8.1.0
kernel signature: 5e70bf8856487cf90673705d57525f079d6d899f814ebf5b0063aa50417a3a97
all runs: OK
# git bisect start e93c9c99a629c61837d5a7fc2120cd2b6c70dbdd 1c163f4c7b3f621efff9b28a47abb36f7378d783
Bisecting: 7074 revisions left to test after this (roughly 13 steps)
[b5dd0c658c31b469ccff1b637e5124851e7a4a1c] Merge branch 'akpm' (patches from Andrew)
testing commit b5dd0c658c31b469ccff1b637e5124851e7a4a1c with gcc (GCC) 8.1.0
kernel signature: 413be7e876dab27f24f920f028e7b0e5d16dd1d77fd1c8a1e3b7c33e8a22e060
all runs: OK
# git bisect good b5dd0c658c31b469ccff1b637e5124851e7a4a1c
Bisecting: 3573 revisions left to test after this (roughly 12 steps)
[4f0237062ca70c8e34e16e518aee4b84c30d1832] Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input
testing commit 4f0237062ca70c8e34e16e518aee4b84c30d1832 with gcc (GCC) 8.1.0
kernel signature: a29fa2727440f76b0334e80eee2ce90d4aab3f3345e34550c421d8d228a3480b
all runs: OK
# git bisect good 4f0237062ca70c8e34e16e518aee4b84c30d1832
Bisecting: 1796 revisions left to test after this (roughly 11 steps)
[345077c8e172c255ea0707214303ccd099e5656b] KVM: PPC: Book3S: Protect memslots while validating user address
testing commit 345077c8e172c255ea0707214303ccd099e5656b with gcc (GCC) 8.1.0
kernel signature: a6d9796e2e5301b25e9d5956fd1dffd4917cba46f6fd9928f59f4aede807bbed
all runs: OK
# git bisect good 345077c8e172c255ea0707214303ccd099e5656b
Bisecting: 898 revisions left to test after this (roughly 10 steps)
[8065a779f17e94536a1c4dcee4f9d88011672f97] failover: allow name change on IFF_UP slave interfaces
testing commit 8065a779f17e94536a1c4dcee4f9d88011672f97 with gcc (GCC) 8.1.0
kernel signature: 7796aa2e9a036f1ecc32d2c4b0ef5b9272a9b6b4797749293ba1095d96bc23cf
all runs: crashed: KASAN: slab-out-of-bounds Read in resample_shrink
# git bisect bad 8065a779f17e94536a1c4dcee4f9d88011672f97
Bisecting: 444 revisions left to test after this (roughly 9 steps)
[32faca66bd3f6aa7ec4212d20c7b2d45657fab10] Merge tag 'staging-5.1-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging
testing commit 32faca66bd3f6aa7ec4212d20c7b2d45657fab10 with gcc (GCC) 8.1.0
kernel signature: f6f06fd4684b9405b020b4ed502c076b8d0a406d280ac9d8d00b54c6de7aabec
all runs: crashed: KASAN: slab-out-of-bounds Read in resample_shrink
# git bisect bad 32faca66bd3f6aa7ec4212d20c7b2d45657fab10
Bisecting: 219 revisions left to test after this (roughly 8 steps)
[97c41a6bdce506bad1cce623378656a5cb956a18] Merge tag 'armsoc-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc
testing commit 97c41a6bdce506bad1cce623378656a5cb956a18 with gcc (GCC) 8.1.0
kernel signature: de8f729136200b6469359d42938488ece2876734d210a741dd8d5bcf14f50194
all runs: OK
# git bisect good 97c41a6bdce506bad1cce623378656a5cb956a18
Bisecting: 111 revisions left to test after this (roughly 7 steps)
[3467b90737e1551dbaa5b71fd5a54425fd4a72b2] Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi
testing commit 3467b90737e1551dbaa5b71fd5a54425fd4a72b2 with gcc (GCC) 8.1.0
kernel signature: ee818582f7fec765380446fd5fba45dd9080fc2ce94dbf78b38db7c4e28b6458
all runs: crashed: KASAN: slab-out-of-bounds Read in resample_shrink
# git bisect bad 3467b90737e1551dbaa5b71fd5a54425fd4a72b2
Bisecting: 55 revisions left to test after this (roughly 6 steps)
[7376e39ad96583545faefa2e7798bcb6a2a212a7] Merge tag 'ceph-for-5.1-rc3' of git://github.com/ceph/ceph-client
testing commit 7376e39ad96583545faefa2e7798bcb6a2a212a7 with gcc (GCC) 8.1.0
kernel signature: 3ef1872858dcd6902dc33ed7feee1d66d23e2bb6b2926a81e1bd679d258c58c3
all runs: OK
# git bisect good 7376e39ad96583545faefa2e7798bcb6a2a212a7
Bisecting: 32 revisions left to test after this (roughly 5 steps)
[0e40da3efeb02ab0333d01abae20d421841db30a] Merge tag 'kbuild-fixes-v5.1' of git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild
testing commit 0e40da3efeb02ab0333d01abae20d421841db30a with gcc (GCC) 8.1.0
kernel signature: 957b71620c12ba89119782efdde49dda7c86609d977923cf4510c0456dfc8815
all runs: OK
# git bisect good 0e40da3efeb02ab0333d01abae20d421841db30a
Bisecting: 13 revisions left to test after this (roughly 4 steps)
[4ad528360cf6455bfaaf9164350ed74cbfadc7c5] Merge branch 'i2c/for-current' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux
testing commit 4ad528360cf6455bfaaf9164350ed74cbfadc7c5 with gcc (GCC) 8.1.0
kernel signature: 16416ed9adf1f8c50251186ababe1b5205da63169db9d34c2d8d68f67b61bb47
all runs: crashed: KASAN: slab-out-of-bounds Read in resample_shrink
# git bisect bad 4ad528360cf6455bfaaf9164350ed74cbfadc7c5
Bisecting: 9 revisions left to test after this (roughly 3 steps)
[4fc90fb883fcb72d6bfbf84d554a3e820a05ef62] ALSA: hda/ca0132 - Simplify alt firmware loading code
testing commit 4fc90fb883fcb72d6bfbf84d554a3e820a05ef62 with gcc (GCC) 8.1.0
kernel signature: 49995615c95466d5e0991e49401d694409fcac56d13de1cd59a5ff879c6558b0
all runs: crashed: KASAN: slab-out-of-bounds Read in resample_shrink
# git bisect bad 4fc90fb883fcb72d6bfbf84d554a3e820a05ef62
Bisecting: 4 revisions left to test after this (roughly 2 steps)
[c7531e31c8a440b5fe6bd62664def5bcb6262f96] ALSA: hda/realtek - Add support for Acer Aspire E5-523G/ES1-432 headset mic
testing commit c7531e31c8a440b5fe6bd62664def5bcb6262f96 with gcc (GCC) 8.1.0
kernel signature: 17a7302b3e590f630e61103f56d2a6db1ea5c4d3b997c1fbc1aa6ed2412f5502
all runs: OK
# git bisect good c7531e31c8a440b5fe6bd62664def5bcb6262f96
Bisecting: 2 revisions left to test after this (roughly 1 step)
[a806ef1cf3bbc0baadc6cdeb11f12b5dd27e91c2] ALSA: hda/realtek: Enable headset mic of ASUS P5440FF with ALC256
testing commit a806ef1cf3bbc0baadc6cdeb11f12b5dd27e91c2 with gcc (GCC) 8.1.0
kernel signature: 1e7e962a75de06a344f2680b35860fe590062f0c02eac7835dc9dd2286063d80
all runs: OK
# git bisect good a806ef1cf3bbc0baadc6cdeb11f12b5dd27e91c2
Bisecting: 0 revisions left to test after this (roughly 1 step)
[ca0214ee2802dd47239a4e39fb21c5b00ef61b22] ALSA: pcm: Fix possible OOB access in PCM oss plugins
testing commit ca0214ee2802dd47239a4e39fb21c5b00ef61b22 with gcc (GCC) 8.1.0
kernel signature: 12635c42202fb558655a8c70fad371852f89703f4a2dacc120db89be1ec41f18
all runs: crashed: KASAN: slab-out-of-bounds Read in resample_shrink
# git bisect bad ca0214ee2802dd47239a4e39fb21c5b00ef61b22
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[6ac371aa1a74240fb910c98aa3484d5ece8473d3] ALSA: hda/realtek: Enable headset MIC of ASUS X430UN and X512DK with ALC256
testing commit 6ac371aa1a74240fb910c98aa3484d5ece8473d3 with gcc (GCC) 8.1.0
kernel signature: 993f6540fe46412d3bf541eac10e5bec6ebc44ac88790e6e0118793c9013dcd8
all runs: OK
# git bisect good 6ac371aa1a74240fb910c98aa3484d5ece8473d3
ca0214ee2802dd47239a4e39fb21c5b00ef61b22 is the first bad commit
commit ca0214ee2802dd47239a4e39fb21c5b00ef61b22
Author: Takashi Iwai <tiwai@suse.de>
Date:   Fri Mar 22 16:00:54 2019 +0100

    ALSA: pcm: Fix possible OOB access in PCM oss plugins
    
    The PCM OSS emulation converts and transfers the data on the fly via
    "plugins".  The data is converted over the dynamically allocated
    buffer for each plugin, and recently syzkaller caught OOB in this
    flow.
    
    Although the bisection by syzbot pointed out to the commit
    65766ee0bf7f ("ALSA: oss: Use kvzalloc() for local buffer
    allocations"), this is merely a commit to replace vmalloc() with
    kvmalloc(), hence it can't be the cause.  The further debug action
    revealed that this happens in the case where a slave PCM doesn't
    support only the stereo channels while the OSS stream is set up for a
    mono channel.  Below is a brief explanation:
    
    At each OSS parameter change, the driver sets up the PCM hw_params
    again in snd_pcm_oss_change_params_lock().  This is also the place
    where plugins are created and local buffers are allocated.  The
    problem is that the plugins are created before the final hw_params is
    determined.  Namely, two snd_pcm_hw_param_near() calls for setting the
    period size and periods may influence on the final result of channels,
    rates, etc, too, while the current code has already created plugins
    beforehand with the premature values.  So, the plugin believes that
    channels=1, while the actual I/O is with channels=2, which makes the
    driver reading/writing over the allocated buffer size.
    
    The fix is simply to move the plugin allocation code after the final
    hw_params call.
    
    Reported-by: syzbot+d4503ae45b65c5bc1194@syzkaller.appspotmail.com
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Takashi Iwai <tiwai@suse.de>

 sound/core/oss/pcm_oss.c | 43 ++++++++++++++++++++++---------------------
 1 file changed, 22 insertions(+), 21 deletions(-)
culprit signature: 12635c42202fb558655a8c70fad371852f89703f4a2dacc120db89be1ec41f18
parent  signature: 993f6540fe46412d3bf541eac10e5bec6ebc44ac88790e6e0118793c9013dcd8
revisions tested: 22, total time: 4h54m25.468522384s (build: 2h15m25.323785662s, test: 2h37m21.587253781s)
first bad commit: ca0214ee2802dd47239a4e39fb21c5b00ef61b22 ALSA: pcm: Fix possible OOB access in PCM oss plugins
cc: ["alsa-devel@alsa-project.org" "linux-kernel@vger.kernel.org" "perex@perex.cz" "tiwai@suse.com" "tiwai@suse.de"]
crash: KASAN: slab-out-of-bounds Read in resample_shrink
IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
==================================================================
BUG: KASAN: slab-out-of-bounds in resample_shrink+0x4fb/0x900 sound/core/oss/rate.c:160
Read of size 2 at addr ffff88808c8e8c40 by task syz-executor.2/7387

CPU: 1 PID: 7387 Comm: syz-executor.2 Not tainted 5.0.0-rc8-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x113/0x167 lib/dump_stack.c:113
 print_address_description.cold.5+0x9/0x1ff mm/kasan/report.c:187
 kasan_report.cold.6+0x1b/0x39 mm/kasan/report.c:317
 __asan_report_load2_noabort+0x14/0x20 mm/kasan/generic_report.c:133
 resample_shrink+0x4fb/0x900 sound/core/oss/rate.c:160
 rate_transfer+0x209/0x310 sound/core/oss/rate.c:279
 snd_pcm_plug_read_transfer+0x151/0x290 sound/core/oss/pcm_plugin.c:651
 snd_pcm_oss_read2+0x1a9/0x470 sound/core/oss/pcm_oss.c:1475
 snd_pcm_oss_read1 sound/core/oss/pcm_oss.c:1532 [inline]
 snd_pcm_oss_read+0x416/0x600 sound/core/oss/pcm_oss.c:2752
 do_loop_readv_writev fs/read_write.c:700 [inline]
 do_iter_read+0x366/0x560 fs/read_write.c:921
 vfs_readv+0xc9/0x130 fs/read_write.c:983
 do_readv+0xda/0x260 fs/read_write.c:1016
 __do_sys_readv fs/read_write.c:1103 [inline]
 __se_sys_readv fs/read_write.c:1100 [inline]
 __x64_sys_readv+0x70/0xb0 fs/read_write.c:1100
 do_syscall_64+0xd0/0x4d0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x45c479
Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007fa448c4fc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000013
RAX: ffffffffffffffda RBX: 00007fa448c506d4 RCX: 000000000045c479
RDX: 0000000000000001 RSI: 0000000020395000 RDI: 0000000000000003
RBP: 000000000076bf20 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 0000000000000887 R14: 00000000004cada6 R15: 000000000076bf2c

Allocated by task 7387:
 save_stack+0x43/0xd0 mm/kasan/common.c:73
 set_track mm/kasan/common.c:85 [inline]
 __kasan_kmalloc.constprop.13+0xcb/0xd0 mm/kasan/common.c:495
 kasan_kmalloc+0x9/0x10 mm/kasan/common.c:509
 __do_kmalloc_node mm/slab.c:3678 [inline]
 __kmalloc_node+0x4d/0x70 mm/slab.c:3685
 kmalloc_node include/linux/slab.h:588 [inline]
 kvmalloc_node+0x68/0x70 mm/util.c:416
 kvmalloc include/linux/mm.h:604 [inline]
 kvzalloc include/linux/mm.h:612 [inline]
 snd_pcm_plugin_alloc+0x445/0x8d0 sound/core/oss/pcm_plugin.c:70
 snd_pcm_plug_alloc+0x106/0x270 sound/core/oss/pcm_plugin.c:129
 snd_pcm_oss_change_params_locked+0x199b/0x3160 sound/core/oss/pcm_oss.c:1039
 snd_pcm_oss_change_params+0x54/0xa0 sound/core/oss/pcm_oss.c:1102
 snd_pcm_oss_get_active_substream.part.28+0xdd/0x160 sound/core/oss/pcm_oss.c:1119
 snd_pcm_oss_get_active_substream sound/core/oss/pcm_oss.c:1112 [inline]
 snd_pcm_oss_get_rate sound/core/oss/pcm_oss.c:1769 [inline]
 snd_pcm_oss_set_rate sound/core/oss/pcm_oss.c:1761 [inline]
 snd_pcm_oss_ioctl+0x1a40/0x2fb0 sound/core/oss/pcm_oss.c:2608
 vfs_ioctl fs/ioctl.c:46 [inline]
 file_ioctl fs/ioctl.c:509 [inline]
 do_vfs_ioctl+0x196/0x10c0 fs/ioctl.c:696
 ksys_ioctl+0x62/0x90 fs/ioctl.c:713
 __do_sys_ioctl fs/ioctl.c:720 [inline]
 __se_sys_ioctl fs/ioctl.c:718 [inline]
 __x64_sys_ioctl+0x6e/0xb0 fs/ioctl.c:718
 do_syscall_64+0xd0/0x4d0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 0:
(stack is not available)

The buggy address belongs to the object at ffff88808c8e8a40
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 0 bytes to the right of
 512-byte region [ffff88808c8e8a40, ffff88808c8e8c40)
The buggy address belongs to the page:
page:ffffea0002323a00 count:1 mapcount:0 mapping:ffff88812c3f6940 index:0x0
flags: 0xfffe0000000200(slab)
raw: 00fffe0000000200 ffffea00022509c8 ffffea0002439608 ffff88812c3f6940
raw: 0000000000000000 ffff88808c8e8040 0000000100000006 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88808c8e8b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff88808c8e8b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88808c8e8c00: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
                                           ^
 ffff88808c8e8c80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
 ffff88808c8e8d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================