bisecting fixing commit since 4abf26854aade9732a215a168205fa9fecd6149a
building syzkaller on 99917735b6a974a09d3833c34b3d4a8b8198522d
testing commit 4abf26854aade9732a215a168205fa9fecd6149a with gcc (GCC) 8.4.1 20210217
kernel signature: 0c3da0677b29a5553dbfe1e1821aa5da4460fff5f007608ea5adb9f4cace9aef
all runs: crashed: KASAN: use-after-free Read in drm_getunique
testing current HEAD eb575cd5d7f60241d016fdd13a9e86d962093c9b
testing commit eb575cd5d7f60241d016fdd13a9e86d962093c9b with gcc (GCC) 8.4.1 20210217
kernel signature: 0d10a6f55508cb359566d7d001ebed7d175494c8469096eb95b254126dfd2ec7
all runs: OK
# git bisect start eb575cd5d7f60241d016fdd13a9e86d962093c9b 4abf26854aade9732a215a168205fa9fecd6149a
Bisecting: 1203 revisions left to test after this (roughly 10 steps)
[a51479a20f1df093afc50f5259d781f7f8dceb01] platform/x86: acer-wmi: Add support for SW_TABLET_MODE on Switch devices
testing commit a51479a20f1df093afc50f5259d781f7f8dceb01 with gcc (GCC) 8.4.1 20210217
kernel signature: b03616120fc2ceb15b0ebafaa7e26245e84e4c6cd82e8eb26555573219508065
all runs: crashed: KASAN: use-after-free Read in drm_getunique
# git bisect good a51479a20f1df093afc50f5259d781f7f8dceb01
Bisecting: 601 revisions left to test after this (roughly 9 steps)
[d43d56dbf452ccecc1ec735cd4b6840118005d7c] tracing: Restructure trace_clock_global() to never block
testing commit d43d56dbf452ccecc1ec735cd4b6840118005d7c with gcc (GCC) 8.4.1 20210217
kernel signature: b9494bbc2ae4261347ab0dca3785ef52448737b4b38d5d64c22fc90e8d5f9e0c
all runs: crashed: KASAN: use-after-free Read in drm_getunique
# git bisect good d43d56dbf452ccecc1ec735cd4b6840118005d7c
Bisecting: 300 revisions left to test after this (roughly 8 steps)
[a03ed6e6dd0321a7e501f66c912c986e3f4f03f8] net: stmmac: Do not enable RX FIFO overflow interrupts
testing commit a03ed6e6dd0321a7e501f66c912c986e3f4f03f8 with gcc (GCC) 8.4.1 20210217
kernel signature: 927b38b6277c49907858b113e581fb039b46c42de59ef8023f28653a0f7832a4
all runs: basic kernel testing failed: unregister_netdevice: waiting for DEV to become free
# git bisect skip a03ed6e6dd0321a7e501f66c912c986e3f4f03f8
Bisecting: 300 revisions left to test after this (roughly 8 steps)
[a18602375a6aad68104e4d04dc8ab02e511ac2ea] fotg210-udc: Complete OUT requests on short packets
testing commit a18602375a6aad68104e4d04dc8ab02e511ac2ea with gcc (GCC) 8.4.1 20210217
kernel signature: 6f1b681630009da7a2960ea92cfc8b314c492233f4560011b2c6f98c673a633e
all runs: crashed: KASAN: use-after-free Read in drm_getunique
# git bisect good a18602375a6aad68104e4d04dc8ab02e511ac2ea
Bisecting: 263 revisions left to test after this (roughly 8 steps)
[94deabc3da468888b9abd8d7f4df3e7d1a43e497] Revert "video: imsttfb: fix potential NULL pointer dereferences"
testing commit 94deabc3da468888b9abd8d7f4df3e7d1a43e497 with gcc (GCC) 8.4.1 20210217
kernel signature: 14eff867e713aebecbcae1f204a4acdfdcec0feedf9a11890e0c7cdac1ca7092
all runs: crashed: KASAN: use-after-free Read in drm_getunique
# git bisect good 94deabc3da468888b9abd8d7f4df3e7d1a43e497
Bisecting: 131 revisions left to test after this (roughly 7 steps)
[0bcab1a47152dd2754087a96d464334a87ae6773] MIPS: alchemy: xxs1500: add gpio-au1000.h header file
testing commit 0bcab1a47152dd2754087a96d464334a87ae6773 with gcc (GCC) 8.4.1 20210217
kernel signature: ec734d322608165be90c9e0aef75c72654c3d062afff45035077a51e070059c1
all runs: crashed: KASAN: use-after-free Read in drm_getunique
# git bisect good 0bcab1a47152dd2754087a96d464334a87ae6773
Bisecting: 65 revisions left to test after this (roughly 6 steps)
[1f41b8f9577907fba56684231c7be89c8243d960] proc: Track /proc/$pid/attr/ opener mm_struct
testing commit 1f41b8f9577907fba56684231c7be89c8243d960 with gcc (GCC) 8.4.1 20210217
kernel signature: d5352dec02bc0a559733d0f9dc7ebe6b6ef29d3ee732351168f3e81fe5c50ac3
all runs: crashed: KASAN: use-after-free Read in drm_getunique
# git bisect good 1f41b8f9577907fba56684231c7be89c8243d960
Bisecting: 32 revisions left to test after this (roughly 5 steps)
[24b2a63239714bc22ebce2d7f82d9f8b4a52e716] USB: f_ncm: ncm_bitrate (speed) is unsigned
testing commit 24b2a63239714bc22ebce2d7f82d9f8b4a52e716 with gcc (GCC) 8.4.1 20210217
kernel signature: 2efbd085ad06b19ecb2706d8212821cb8e2e8c743f068fa0303f2db85f3ce4df
all runs: OK
# git bisect bad 24b2a63239714bc22ebce2d7f82d9f8b4a52e716
Bisecting: 15 revisions left to test after this (roughly 4 steps)
[57372e2926fe4796a3c25b1448cb041d8cfa3c78] net: appletalk: cops: Fix data race in cops_probe1
testing commit 57372e2926fe4796a3c25b1448cb041d8cfa3c78 with gcc (GCC) 8.4.1 20210217
kernel signature: fae3ab253c9b6038a7668cfe9099fb10af99ac0679c8f31e012b3083616ad592
all runs: crashed: KASAN: use-after-free Read in drm_getunique
# git bisect good 57372e2926fe4796a3c25b1448cb041d8cfa3c78
Bisecting: 7 revisions left to test after this (roughly 3 steps)
[81361b8ec1e639e0d99a7d8539f63968c990c5d5] ARM: dts: imx6qdl-sabresd: Assign corresponding power supply for LDOs
testing commit 81361b8ec1e639e0d99a7d8539f63968c990c5d5 with gcc (GCC) 8.4.1 20210217
kernel signature: fa723c03fd835ff2617a8ba30faa769cb71c46184d1efdda3542d1154cd98eb5
all runs: crashed: KASAN: use-after-free Read in drm_getunique
# git bisect good 81361b8ec1e639e0d99a7d8539f63968c990c5d5
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[22b87fb17a28d37331bb9c1110737627b17f6781] kvm: avoid speculation-based attacks from out-of-range memslot accesses
testing commit 22b87fb17a28d37331bb9c1110737627b17f6781 with gcc (GCC) 8.4.1 20210217
kernel signature: 96847b74030f2394522a4ece50ac12accc03bb4a6797d0e1ad19196eacaf2104
all runs: OK
# git bisect bad 22b87fb17a28d37331bb9c1110737627b17f6781
Bisecting: 1 revision left to test after this (roughly 1 step)
[7d233ba700ceb593905ea82b42dadb4ec8ef85e9] drm: Fix use-after-free read in drm_getunique()
testing commit 7d233ba700ceb593905ea82b42dadb4ec8ef85e9 with gcc (GCC) 8.4.1 20210217
kernel signature: a37f58ac9ae8b635e56013563f3a6b6580459e148eac84f5ceed0daae375f1ad
all runs: OK
# git bisect bad 7d233ba700ceb593905ea82b42dadb4ec8ef85e9
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[430754aebd981251d6b7eabce1e0d331722ff004] ARM: dts: imx6q-dhcom: Add PU,VDD1P1,VDD2P5 regulators
testing commit 430754aebd981251d6b7eabce1e0d331722ff004 with gcc (GCC) 8.4.1 20210217
kernel signature: fa723c03fd835ff2617a8ba30faa769cb71c46184d1efdda3542d1154cd98eb5
all runs: crashed: KASAN: use-after-free Read in drm_getunique
# git bisect good 430754aebd981251d6b7eabce1e0d331722ff004
7d233ba700ceb593905ea82b42dadb4ec8ef85e9 is the first bad commit
commit 7d233ba700ceb593905ea82b42dadb4ec8ef85e9
Author: Desmond Cheong Zhi Xi
Date:   Tue Jun 8 19:04:36 2021 +0800

    drm: Fix use-after-free read in drm_getunique()

    commit b436acd1cf7fac0ba987abd22955d98025c80c2b upstream.

    There is a time-of-check-to-time-of-use error in drm_getunique() due
    to retrieving file_priv->master prior to locking the device's master
    mutex.

    An example can be seen in the crash report of the use-after-free error
    found by Syzbot:
    https://syzkaller.appspot.com/bug?id=148d2f1dfac64af52ffd27b661981a540724f803

    In the report, the master pointer was used after being freed. This is
    because another process had acquired the device's master mutex in
    drm_setmaster_ioctl(), then overwrote fpriv->master in
    drm_new_set_master(). The old value of fpriv->master was subsequently
    freed before the mutex was unlocked.

    To fix this, we lock the device's master mutex before retrieving the
    pointer from fpriv->master. This patch passes the Syzbot reproducer
    test.

    Reported-by: syzbot+c3a706cec1ea99e1c693@syzkaller.appspotmail.com
    Signed-off-by: Desmond Cheong Zhi Xi
    Cc: stable@vger.kernel.org
    Signed-off-by: Daniel Vetter
    Link: https://patchwork.freedesktop.org/patch/msgid/20210608110436.239583-1-desmondcheongzx@gmail.com
    Signed-off-by: Greg Kroah-Hartman

 drivers/gpu/drm/drm_ioctl.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
culprit signature: a37f58ac9ae8b635e56013563f3a6b6580459e148eac84f5ceed0daae375f1ad
parent signature: fa723c03fd835ff2617a8ba30faa769cb71c46184d1efdda3542d1154cd98eb5
revisions tested: 15, total time: 3h4m56.349227464s (build: 1h56m12.785650893s, test: 1h7m43.590818755s)
first good commit: 7d233ba700ceb593905ea82b42dadb4ec8ef85e9 drm: Fix use-after-free read in drm_getunique()
recipients (to): ["daniel.vetter@ffwll.ch" "desmondcheongzx@gmail.com" "gregkh@linuxfoundation.org"]
recipients (cc): []