bisecting cause commit starting from 7c98a42618271210c60b79128b220107d35938d9 building syzkaller on ecc7c8709106080bdf3dd84baffe353c00163fb0 testing commit 7c98a42618271210c60b79128b220107d35938d9 with gcc (GCC) 8.1.0 all runs: crashed: KASAN: slab-out-of-bounds Read in default_write_copy_kernel testing release v4.19 testing commit 84df9525b0c27f3ebc2ebb1864fa62a97fdedb7d with gcc (GCC) 8.1.0 all runs: OK # git bisect start 7c98a42618271210c60b79128b220107d35938d9 v4.19 Bisecting: 6714 revisions left to test after this (roughly 13 steps) [18d0eae30e6a4f8644d589243d7ac1d70d29203d] Merge tag 'char-misc-4.20-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc testing commit 18d0eae30e6a4f8644d589243d7ac1d70d29203d with gcc (GCC) 8.1.0 all runs: OK # git bisect good 18d0eae30e6a4f8644d589243d7ac1d70d29203d Bisecting: 3343 revisions left to test after this (roughly 12 steps) [5bd4af34a09a381a0f8b1552684650698937e6b0] Merge tag 'tty-4.20-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty testing commit 5bd4af34a09a381a0f8b1552684650698937e6b0 with gcc (GCC) 8.1.0 all runs: OK # git bisect good 5bd4af34a09a381a0f8b1552684650698937e6b0 Bisecting: 1657 revisions left to test after this (roughly 11 steps) [b3491d8430dd25f0a4e00c33d60da22a9bd9d052] Merge tag 'media/v4.20-2' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media testing commit b3491d8430dd25f0a4e00c33d60da22a9bd9d052 with gcc (GCC) 8.1.0 all runs: OK # git bisect good b3491d8430dd25f0a4e00c33d60da22a9bd9d052 Bisecting: 796 revisions left to test after this (roughly 10 steps) [01897f3e05ede4d66c0f9df465fde1d67a1d733f] Merge branch 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip testing commit 01897f3e05ede4d66c0f9df465fde1d67a1d733f with gcc (GCC) 8.1.0 all runs: OK # git bisect good 01897f3e05ede4d66c0f9df465fde1d67a1d733f Bisecting: 419 revisions left to test after this (roughly 9 steps) [e12e00e388dee1d2a86e9b90f79a69f9acd2c9b0] Merge tag 'kbuild-fixes-v4.20' of git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild testing commit e12e00e388dee1d2a86e9b90f79a69f9acd2c9b0 with gcc (GCC) 8.1.0 all runs: OK # git bisect good e12e00e388dee1d2a86e9b90f79a69f9acd2c9b0 Bisecting: 205 revisions left to test after this (roughly 8 steps) [c67a98c00ea3c1fad14833f440fcd770232d24e7] Merge branch 'akpm' (patches from Andrew) testing commit c67a98c00ea3c1fad14833f440fcd770232d24e7 with gcc (GCC) 8.1.0 all runs: OK # git bisect good c67a98c00ea3c1fad14833f440fcd770232d24e7 Bisecting: 104 revisions left to test after this (roughly 7 steps) [b84b6345e3827ab616946b52f46e95179657b596] Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi testing commit b84b6345e3827ab616946b52f46e95179657b596 with gcc (GCC) 8.1.0 all runs: OK # git bisect good b84b6345e3827ab616946b52f46e95179657b596 Bisecting: 55 revisions left to test after this (roughly 6 steps) [edeca3a769ad28a9477798c3b1d8e0701db728e4] Merge tag 'sound-4.20-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound testing commit edeca3a769ad28a9477798c3b1d8e0701db728e4 with gcc (GCC) 8.1.0 all runs: crashed: KASAN: slab-out-of-bounds Read in default_write_copy_kernel # git bisect bad edeca3a769ad28a9477798c3b1d8e0701db728e4 Bisecting: 28 revisions left to test after this (roughly 5 steps) [63529eaa6164ef7ab4b907b25ac3648177e5e78f] usb: cdc-acm: add entry for Hiro (Conexant) modem testing commit 63529eaa6164ef7ab4b907b25ac3648177e5e78f with gcc (GCC) 8.1.0 all runs: OK # git bisect good 63529eaa6164ef7ab4b907b25ac3648177e5e78f Bisecting: 16 revisions left to test after this (roughly 4 steps) [544b03da39e2d7b4961d3163976ed4bfb1fac509] Documentation/security-bugs: Postpone fix publication in exceptional cases testing commit 544b03da39e2d7b4961d3163976ed4bfb1fac509 with gcc (GCC) 8.1.0 all runs: OK # git bisect good 544b03da39e2d7b4961d3163976ed4bfb1fac509 Bisecting: 8 revisions left to test after this (roughly 3 steps) [e8828ec1c003727fc001eab06aa19bd2ca9b677e] mtd: spi-nor: fix selection of uniform erase type in flexible conf testing commit e8828ec1c003727fc001eab06aa19bd2ca9b677e with gcc (GCC) 8.1.0 all runs: OK # git bisect good e8828ec1c003727fc001eab06aa19bd2ca9b677e Bisecting: 4 revisions left to test after this (roughly 2 steps) [cce997292a5264c5342c968bbd226d7c365f03d6] ALSA: hda/ca0132 - Add new ZxR quirk testing commit cce997292a5264c5342c968bbd226d7c365f03d6 with gcc (GCC) 8.1.0 all runs: crashed: KASAN: slab-out-of-bounds Read in default_write_copy_kernel # git bisect bad cce997292a5264c5342c968bbd226d7c365f03d6 Bisecting: 1 revision left to test after this (roughly 1 step) [563785edfcef02b566e64fb5292c74c1600808aa] ALSA: hda/realtek - Add quirk entry for HP Pavilion 15 testing commit 563785edfcef02b566e64fb5292c74c1600808aa with gcc (GCC) 8.1.0 all runs: crashed: KASAN: slab-out-of-bounds Read in default_write_copy_kernel # git bisect bad 563785edfcef02b566e64fb5292c74c1600808aa Bisecting: 0 revisions left to test after this (roughly 0 steps) [65766ee0bf7fe8b3be80e2e1c3ef54ad59b29476] ALSA: oss: Use kvzalloc() for local buffer allocations testing commit 65766ee0bf7fe8b3be80e2e1c3ef54ad59b29476 with gcc (GCC) 8.1.0 all runs: crashed: KASAN: slab-out-of-bounds Read in default_write_copy_kernel # git bisect bad 65766ee0bf7fe8b3be80e2e1c3ef54ad59b29476 65766ee0bf7fe8b3be80e2e1c3ef54ad59b29476 is the first bad commit commit 65766ee0bf7fe8b3be80e2e1c3ef54ad59b29476 Author: Takashi Iwai Date: Fri Nov 9 11:59:45 2018 +0100 ALSA: oss: Use kvzalloc() for local buffer allocations PCM OSS layer may allocate a few temporary buffers, one for the core read/write and another for the conversions via plugins. Currently both are allocated via vmalloc(). But as the allocation size is equivalent with the PCM period size, the required size might be quite small, depending on the application. This patch replaces these vmalloc() calls with kvzalloc() for covering small period sizes better. Also, we use "z"-alloc variant here for addressing the possible uninitialized access reported by syzkaller. Reported-by: syzbot+1cb36954e127c98dd037@syzkaller.appspotmail.com Cc: Signed-off-by: Takashi Iwai sound/core/oss/pcm_oss.c | 6 +++--- sound/core/oss/pcm_plugin.c | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) revisions tested: 16, total time: 3h27m42.140739081s (build: 1h16m54.849295546s, test: 2h7m7.154600353s) first bad commit: 65766ee0bf7fe8b3be80e2e1c3ef54ad59b29476 ALSA: oss: Use kvzalloc() for local buffer allocations cc: ["alsa-devel@alsa-project.org" "dan.carpenter@oracle.com" "gustavo@embeddedor.com" "joe@perches.com" "linux-kernel@vger.kernel.org" "perex@perex.cz" "tiwai@suse.com" "tiwai@suse.de" "vkoul@kernel.org"] crash: KASAN: slab-out-of-bounds Read in default_write_copy_kernel ================================================================== BUG: KASAN: slab-out-of-bounds in memcpy include/linux/string.h:352 [inline] BUG: KASAN: slab-out-of-bounds in default_write_copy_kernel+0xcf/0x160 sound/core/pcm_lib.c:1946 Read of size 64 at addr ffff88005bd47840 by task syz-executor4/7844 __should_failslab+0xba/0xf0 mm/failslab.c:32 should_failslab+0x9/0x14 mm/slab_common.c:1578 slab_pre_alloc_hook mm/slab.h:423 [inline] slab_alloc mm/slab.c:3378 [inline] kmem_cache_alloc_trace+0x2d7/0x750 mm/slab.c:3618 kmalloc include/linux/slab.h:546 [inline] snd_pcm_hw_param_near.constprop.35+0x14f/0xa40 sound/core/oss/pcm_oss.c:415 snd_pcm_oss_change_params_locked+0xab5/0x3570 sound/core/oss/pcm_oss.c:891 snd_pcm_oss_make_ready_locked+0x82/0xf0 sound/core/oss/pcm_oss.c:1183 snd_pcm_oss_write1 sound/core/oss/pcm_oss.c:1397 [inline] snd_pcm_oss_write+0x40e/0x900 sound/core/oss/pcm_oss.c:2775 __vfs_write+0xe6/0xc30 fs/read_write.c:485 vfs_write+0x150/0x4d0 fs/read_write.c:549 ksys_write+0xf5/0x250 fs/read_write.c:598 __do_sys_write fs/read_write.c:610 [inline] __se_sys_write fs/read_write.c:607 [inline] __x64_sys_write+0x6e/0xb0 fs/read_write.c:607 do_syscall_64+0x183/0x700 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x456fc9 Code: 5d af fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 2b af fb ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007fce69435c88 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 000000000071bf00 RCX: 0000000000456fc9 RDX: 0000000056da83a0 RSI: 00000000200000c0 RDI: 0000000000000004 RBP: 00007fce69435ca0 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00007fce694366d4 R13: 00000000004acb8e R14: 00000000006ec570 R15: 0000000000000005 CPU: 0 PID: 7844 Comm: syz-executor4 Not tainted 4.20.0-rc1+ #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x1cc/0x2f4 lib/dump_stack.c:113 print_address_description.cold.7+0x9/0x1ff mm/kasan/report.c:256 kasan_report_error mm/kasan/report.c:354 [inline] kasan_report.cold.8+0x242/0x309 mm/kasan/report.c:412 check_memory_region_inline mm/kasan/kasan.c:260 [inline] check_memory_region+0x13e/0x1b0 mm/kasan/kasan.c:267 memcpy+0x23/0x50 mm/kasan/kasan.c:302 memcpy include/linux/string.h:352 [inline] default_write_copy_kernel+0xcf/0x160 sound/core/pcm_lib.c:1946 interleaved_copy+0xb7/0x130 sound/core/pcm_lib.c:2007 __snd_pcm_lib_xfer+0xfad/0x2039 sound/core/pcm_lib.c:2227 snd_pcm_oss_write3+0xd0/0x190 sound/core/oss/pcm_oss.c:1237 io_playback_transfer+0x1da/0x2d0 sound/core/oss/io.c:47 snd_pcm_plug_write_transfer+0x2c6/0x420 sound/core/oss/pcm_plugin.c:620 snd_pcm_oss_write2+0x223/0x450 sound/core/oss/pcm_oss.c:1366 snd_pcm_oss_write1 sound/core/oss/pcm_oss.c:1432 [inline] snd_pcm_oss_write+0x442/0x900 sound/core/oss/pcm_oss.c:2775 __vfs_write+0xe6/0xc30 fs/read_write.c:485 vfs_write+0x150/0x4d0 fs/read_write.c:549 ksys_write+0xf5/0x250 fs/read_write.c:598 __do_sys_write fs/read_write.c:610 [inline] __se_sys_write fs/read_write.c:607 [inline] __x64_sys_write+0x6e/0xb0 fs/read_write.c:607 do_syscall_64+0x183/0x700 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x456fc9 Code: 5d af fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 2b af fb ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007f9f8b402c88 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 000000000071bf00 RCX: 0000000000456fc9 RDX: 0000000056da83a0 RSI: 00000000200000c0 RDI: 0000000000000004 RBP: 00007f9f8b402ca0 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00007f9f8b4036d4 R13: 00000000004acb8e R14: 00000000006ec570 R15: 0000000000000005 Allocated by task 7844: save_stack+0x43/0xd0 mm/kasan/kasan.c:448 set_track mm/kasan/kasan.c:460 [inline] kasan_kmalloc+0xc7/0xe0 mm/kasan/kasan.c:553 __do_kmalloc_node mm/slab.c:3684 [inline] __kmalloc_node+0x50/0x70 mm/slab.c:3691 kmalloc_node include/linux/slab.h:589 [inline] kvmalloc_node+0x68/0x70 mm/util.c:416 kvmalloc include/linux/mm.h:577 [inline] kvzalloc include/linux/mm.h:585 [inline] snd_pcm_plugin_alloc+0x445/0x8d0 sound/core/oss/pcm_plugin.c:70 snd_pcm_plug_alloc+0x18e/0x280 sound/core/oss/pcm_plugin.c:117 snd_pcm_oss_change_params_locked+0x1d99/0x3570 sound/core/oss/pcm_oss.c:1038 snd_pcm_oss_make_ready_locked+0x82/0xf0 sound/core/oss/pcm_oss.c:1183 snd_pcm_oss_write1 sound/core/oss/pcm_oss.c:1397 [inline] snd_pcm_oss_write+0x40e/0x900 sound/core/oss/pcm_oss.c:2775 __vfs_write+0xe6/0xc30 fs/read_write.c:485 vfs_write+0x150/0x4d0 fs/read_write.c:549 ksys_write+0xf5/0x250 fs/read_write.c:598 __do_sys_write fs/read_write.c:610 [inline] __se_sys_write fs/read_write.c:607 [inline] __x64_sys_write+0x6e/0xb0 fs/read_write.c:607 do_syscall_64+0x183/0x700 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x49/0xbe Freed by task 9: save_stack+0x43/0xd0 mm/kasan/kasan.c:448 set_track mm/kasan/kasan.c:460 [inline] __kasan_slab_free+0x102/0x150 mm/kasan/kasan.c:521 kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528 __cache_free mm/slab.c:3498 [inline] kfree+0xcf/0x230 mm/slab.c:3817 apparmor_sk_free_security+0xa3/0xf0 security/apparmor/lsm.c:790 security_sk_free+0x40/0x70 security/security.c:1482 sk_prot_free net/core/sock.c:1502 [inline] __sk_destruct+0x637/0xa00 net/core/sock.c:1588 sk_destruct+0x49/0x60 net/core/sock.c:1596 __sk_free+0x9e/0x230 net/core/sock.c:1607 sk_free+0x23/0x30 net/core/sock.c:1618 deferred_put_nlk_sk+0x134/0x320 net/netlink/af_netlink.c:738 __rcu_reclaim kernel/rcu/rcu.h:240 [inline] rcu_do_batch kernel/rcu/tree.c:2437 [inline] invoke_rcu_callbacks kernel/rcu/tree.c:2716 [inline] rcu_process_callbacks+0x100a/0x1ac0 kernel/rcu/tree.c:2697 __do_softirq+0x308/0xb7e kernel/softirq.c:292 The buggy address belongs to the object at ffff88005bd47840 which belongs to the cache kmalloc-32 of size 32 The buggy address is located 0 bytes inside of 32-byte region [ffff88005bd47840, ffff88005bd47860) The buggy address belongs to the page: page:ffffea00016f51c0 count:1 mapcount:0 mapping:ffff88006c0001c0 index:0xffff88005bd47fc1 flags: 0x1fffc0000000200(slab) raw: 01fffc0000000200 ffffea0001a65a08 ffffea00016ae788 ffff88006c0001c0 raw: ffff88005bd47fc1 ffff88005bd47000 000000010000003f 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff88005bd47700: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc ffff88005bd47780: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc >ffff88005bd47800: fb fb fb fb fc fc fc fc 00 00 00 00 fc fc fc fc ^ ffff88005bd47880: 00 00 00 00 fc fc fc fc fb fb fb fb fc fc fc fc ffff88005bd47900: fb fb fb fb fc fc fc fc 00 07 fc fc fc fc fc fc ==================================================================