bisecting fixing commit since 6dd0e32665e591e9debe3edaf73c2f8135bf047e
building syzkaller on 3f3c557402456696073f79aafa65b4d7fa2b8794
testing commit 6dd0e32665e591e9debe3edaf73c2f8135bf047e with gcc (GCC) 8.1.0
kernel signature: 5291ad0596d993a9342ffefee48ebd89a3e7972f7bd735e77cb258108162fb7d
run #0: crashed: KASAN: use-after-free Write in snd_rawmidi_kernel_write1
run #1: crashed: KASAN: use-after-free Write in snd_rawmidi_kernel_write1
run #2: crashed: KASAN: slab-out-of-bounds Write in snd_rawmidi_kernel_write1
run #3: crashed: KASAN: slab-out-of-bounds Write in snd_rawmidi_kernel_write1
run #4: crashed: KASAN: use-after-free Write in snd_rawmidi_kernel_write1
run #5: crashed: KASAN: slab-out-of-bounds Write in snd_rawmidi_kernel_write1
run #6: crashed: KASAN: use-after-free Write in snd_rawmidi_kernel_write1
run #7: crashed: KASAN: use-after-free Write in snd_rawmidi_kernel_write1
run #8: crashed: KASAN: slab-out-of-bounds Write in snd_rawmidi_kernel_write1
run #9: crashed: KASAN: use-after-free Write in snd_rawmidi_kernel_write1
testing current HEAD 3fc898571b974f9a05e4e5c1fe17b18548207091
testing commit 3fc898571b974f9a05e4e5c1fe17b18548207091 with gcc (GCC) 8.1.0
kernel signature: d3ea9a1a89abb8e76cd5266adf5bf743fe8f24f5c321cba85b362374367d6dbc
all runs: OK
# git bisect start 3fc898571b974f9a05e4e5c1fe17b18548207091 6dd0e32665e591e9debe3edaf73c2f8135bf047e
Bisecting: 431 revisions left to test after this (roughly 9 steps)
[38faccf5f918330394a33ed8266f98b43525869b] ext4: check for non-zero journal inum in ext4_calculate_overhead
testing commit 38faccf5f918330394a33ed8266f98b43525869b with gcc (GCC) 8.1.0
kernel signature: c854852ee97ccca0382f0be9ecc14c964b17ab915746c09b04da7074d206c36a
run #0: crashed: KASAN: slab-out-of-bounds Write in snd_rawmidi_kernel_write1
run #1: crashed: KASAN: use-after-free Write in snd_rawmidi_kernel_write1
run #2: crashed: KASAN: use-after-free Write in snd_rawmidi_kernel_write1
run #3: crashed: KASAN: use-after-free Write in snd_rawmidi_kernel_write1
run #4: crashed: KASAN: use-after-free Write in snd_rawmidi_kernel_write1
run #5: crashed: KASAN: slab-out-of-bounds Write in snd_rawmidi_kernel_write1
run #6: crashed: KASAN: use-after-free Write in snd_rawmidi_kernel_write1
run #7: crashed: KASAN: use-after-free Write in snd_rawmidi_kernel_write1
run #8: crashed: KASAN: use-after-free Write in snd_rawmidi_kernel_write1
run #9: crashed: KASAN: use-after-free Write in snd_rawmidi_kernel_write1
# git bisect good 38faccf5f918330394a33ed8266f98b43525869b
Bisecting: 215 revisions left to test after this (roughly 8 steps)
[c3c1cf3dbb9ca9809a670927a8bb5f97c386ce3b] i2c: mux: demux-pinctrl: Fix an error handling path in 'i2c_demux_pinctrl_probe()'
testing commit c3c1cf3dbb9ca9809a670927a8bb5f97c386ce3b with gcc (GCC) 8.1.0
kernel signature: 6d8d9aabb85cd3e711ff43f39f37f0238d09c46a4d24a4919d9260f060b57ee6
all runs: OK
# git bisect bad c3c1cf3dbb9ca9809a670927a8bb5f97c386ce3b
Bisecting: 107 revisions left to test after this (roughly 7 steps)
[b50dee75473625765ba44c569c4bb0f51f55b614] batman-adv: Fix refcnt leak in batadv_store_throughput_override
testing commit b50dee75473625765ba44c569c4bb0f51f55b614 with gcc (GCC) 8.1.0
kernel signature: 7169f83b72d6ac87f345e522106762b69e169228fea1c0b7299eac66d4972f2a
run #0: crashed: KASAN: slab-out-of-bounds Write in snd_rawmidi_kernel_write1
run #1: crashed: KASAN: slab-out-of-bounds Write in snd_rawmidi_kernel_write1
run #2: crashed: KASAN: use-after-free Write in snd_rawmidi_kernel_write1
run #3: crashed: KASAN: use-after-free Write in snd_rawmidi_kernel_write1
run #4: crashed: KASAN: slab-out-of-bounds Write in snd_rawmidi_kernel_write1
run #5: crashed: KASAN: use-after-free Write in snd_rawmidi_kernel_write1
run #6: crashed: KASAN: use-after-free Write in snd_rawmidi_kernel_write1
run #7: crashed: KASAN: slab-out-of-bounds Write in snd_rawmidi_kernel_write1
run #8: crashed: KASAN: use-after-free Write in snd_rawmidi_kernel_write1
run #9: crashed: KASAN: slab-out-of-bounds Write in snd_rawmidi_kernel_write1
# git bisect good b50dee75473625765ba44c569c4bb0f51f55b614
Bisecting: 53 revisions left to test after this (roughly 6 steps)
[63e320a09544dfbae7ceb1b43d4a768bca285325] arm64: fix the flush_icache_range arguments in machine_kexec
testing commit 63e320a09544dfbae7ceb1b43d4a768bca285325 with gcc (GCC) 8.1.0
kernel signature: 8c904681db64e4e7b1c4d61a4d119a6824e68088602d6a73b2ddc85ab607f5fe
run #0: crashed: KASAN: slab-out-of-bounds Write in snd_rawmidi_kernel_write1
run #1: crashed: KASAN: slab-out-of-bounds Write in snd_rawmidi_kernel_write1
run #2: crashed: KASAN: slab-out-of-bounds Write in snd_rawmidi_kernel_write1
run #3: crashed: KASAN: slab-out-of-bounds Write in snd_rawmidi_kernel_write1
run #4: crashed: KASAN: use-after-free Write in snd_rawmidi_kernel_write1
run #5: crashed: KASAN: use-after-free Write in snd_rawmidi_kernel_write1
run #6: crashed: KASAN: use-after-free Write in snd_rawmidi_kernel_write1
run #7: crashed: KASAN: use-after-free Write in snd_rawmidi_kernel_write1
run #8: crashed: KASAN: use-after-free Write in snd_rawmidi_kernel_write1
run #9: crashed: KASAN: slab-out-of-bounds Write in snd_rawmidi_kernel_write1
# git bisect good 63e320a09544dfbae7ceb1b43d4a768bca285325
Bisecting: 26 revisions left to test after this (roughly 5 steps)
[5ac0e17eba009715b35d029383c20a6ab23cb5e3] dwc3: Remove check for HWO flag in dwc3_gadget_ep_reclaim_trb_sg()
testing commit 5ac0e17eba009715b35d029383c20a6ab23cb5e3 with gcc (GCC) 8.1.0
kernel signature: 2030bd031bb34c24cfc70ca74132ecbe6b6107e2453e3eb4db47bbb23d7913ce
all runs: OK
# git bisect bad 5ac0e17eba009715b35d029383c20a6ab23cb5e3
Bisecting: 13 revisions left to test after this (roughly 4 steps)
[f8685c334d53045b189f84b59bb3c4c58d32f58e] ALSA: hda/realtek - Limit int mic boost for Thinkpad T530
testing commit f8685c334d53045b189f84b59bb3c4c58d32f58e with gcc (GCC) 8.1.0
kernel signature: 2ec6ff7a710e8c8511d09deb413899149f66eb3738af33161271bf6897db2aec
run #0: crashed: KASAN: use-after-free Write in snd_rawmidi_kernel_write1
run #1: crashed: KASAN: use-after-free Write in snd_rawmidi_kernel_write1
run #2: crashed: KASAN: use-after-free Write in snd_rawmidi_kernel_write1
run #3: crashed: KASAN: use-after-free Write in snd_rawmidi_kernel_write1
run #4: crashed: KASAN: slab-out-of-bounds Write in snd_rawmidi_kernel_write1
run #5: crashed: KASAN: slab-out-of-bounds Write in snd_rawmidi_kernel_write1
run #6: crashed: KASAN: slab-out-of-bounds Write in snd_rawmidi_kernel_write1
run #7: crashed: KASAN: use-after-free Write in snd_rawmidi_kernel_write1
run #8: crashed: KASAN: use-after-free Write in snd_rawmidi_kernel_write1
run #9: crashed: KASAN: slab-out-of-bounds Write in snd_rawmidi_kernel_write1
# git bisect good f8685c334d53045b189f84b59bb3c4c58d32f58e
Bisecting: 6 revisions left to test after this (roughly 3 steps)
[7abecb94bc72529f4e8911cf9511bc0b6828d3d5] ARM: dts: dra7: Fix bus_dma_limit for PCIe
testing commit 7abecb94bc72529f4e8911cf9511bc0b6828d3d5 with gcc (GCC) 8.1.0
kernel signature: 0c699c5d1f0932bc9a9ce5da2e58130418cfd7b17f59935d1e64c4e484f1dd98
all runs: OK
# git bisect bad 7abecb94bc72529f4e8911cf9511bc0b6828d3d5
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[073a30cb2e68bbfee67002830d6924d805210efa] usb: core: hub: limit HUB_QUIRK_DISABLE_AUTOSUSPEND to USB5534B
testing commit 073a30cb2e68bbfee67002830d6924d805210efa with gcc (GCC) 8.1.0
kernel signature: b058963780493e1a73b80d4fae7dcc3d3380bf7c7b20b4bbbc2efc286588ebbb
all runs: OK
# git bisect bad 073a30cb2e68bbfee67002830d6924d805210efa
Bisecting: 0 revisions left to test after this (roughly 1 step)
[e5c0fbcd2cb5d6f2aa6f241f1a7c42c1a125da8c] ALSA: usb-audio: Add control message quirk delay for Kingston HyperX headset
testing commit e5c0fbcd2cb5d6f2aa6f241f1a7c42c1a125da8c with gcc (GCC) 8.1.0
kernel signature: ff2d55a4be03c3a7b8e00b53deee417e9c0eb1c89e1d5df11e9082312dcf24b7
all runs: OK
# git bisect bad e5c0fbcd2cb5d6f2aa6f241f1a7c42c1a125da8c
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[a507658fdb2ad8ca282b0eb42f2a40b805deb1e6] ALSA: rawmidi: Fix racy buffer resize under concurrent accesses
testing commit a507658fdb2ad8ca282b0eb42f2a40b805deb1e6 with gcc (GCC) 8.1.0
kernel signature: 821226e90b9445f7cefb3716da6590fad5521ecd5eaf2371c1add7323294f772
all runs: OK
# git bisect bad a507658fdb2ad8ca282b0eb42f2a40b805deb1e6
a507658fdb2ad8ca282b0eb42f2a40b805deb1e6 is the first bad commit
commit a507658fdb2ad8ca282b0eb42f2a40b805deb1e6
Author: Takashi Iwai
Date:   Thu May 7 13:44:56 2020 +0200

    ALSA: rawmidi: Fix racy buffer resize under concurrent accesses

    commit c1f6e3c818dd734c30f6a7eeebf232ba2cf3181d upstream.

    The rawmidi core allows the user to resize the runtime buffer via ioctl,
    and this may lead to UAF when performed during concurrent reads or
    writes: the read/write functions unlock the runtime lock temporarily
    during copying from/to user-space, and that's the race window.

    This patch fixes the hole by introducing a reference counter for the
    runtime buffer read/write access and returns -EBUSY error when the
    resize is performed concurrently against read/write.

    Note that the ref count field is a simple integer instead of refcount_t
    here, since all the contexts accessing the buffer are basically
    protected with a spinlock, hence we need no expensive atomic ops.
    Also, note that this busy check is needed only against read / write
    functions, and not in receive/transmit callbacks; the race can happen
    only at the spinlock hole mentioned in the above, while the whole
    function is protected for receive / transmit callbacks.

    Reported-by: butt3rflyh4ck
    Cc:
    Link: https://lore.kernel.org/r/CAFcO6XMWpUVK_yzzCpp8_XP7+=oUpQvuBeCbMffEDkpe8jWrfg@mail.gmail.com
    Link: https://lore.kernel.org/r/s5heerw3r5z.wl-tiwai@suse.de
    Signed-off-by: Takashi Iwai
    Signed-off-by: Greg Kroah-Hartman

 include/sound/rawmidi.h |  1 +
 sound/core/rawmidi.c    | 31 +++++++++++++++++++++++++++----
 2 files changed, 28 insertions(+), 4 deletions(-)

culprit signature: 821226e90b9445f7cefb3716da6590fad5521ecd5eaf2371c1add7323294f772
parent signature: 2ec6ff7a710e8c8511d09deb413899149f66eb3738af33161271bf6897db2aec
revisions tested: 12, total time: 3h52m56.419265201s (build: 1h45m35.426910928s, test: 2h6m19.709706516s)
first good commit: a507658fdb2ad8ca282b0eb42f2a40b805deb1e6 ALSA: rawmidi: Fix racy buffer resize under concurrent accesses
cc: ["alsa-devel@alsa-project.org" "gregkh@linuxfoundation.org" "linux-kernel@vger.kernel.org" "perex@perex.cz" "tiwai@suse.com" "tiwai@suse.de"]
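The race the commit message describes, as an added example that is not code from the patch, the kernel, or the syzbot log: a user-space C model of a reader that takes the buffer pointer, drops the lock for the user-space copy, and then has the buffer swapped out from under it by a resize. The pre-fix resize (unconditional free and replace) and the post-fix resize (refuse with -EBUSY while the access counter is non-zero) sit side by side. Everything runs on one thread, so the spinlock is reduced to comments marking where it would be held, the copy to user space to a bare pointer hand-off, and the reader's unlocked window to explicit begin/end calls; all struct, field and function names are this model's own and are not claimed to match the kernel's.

```c
/*
 * Added example, not code from the patch, the kernel or the syzbot log: a
 * user-space model of the race the commit message describes. The runtime
 * spinlock is reduced to comments (everything here runs on one thread), the
 * copy to user space to a bare pointer hand-off, and the reader's unlocked
 * window to explicit begin/end calls. All names are this model's own.
 */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

struct rt_buffer {
    unsigned char *buffer;
    int buffer_ref;   /* accessors currently inside their unlocked copy window */
};

/* Reader (the writer path is symmetric): take the buffer pointer and bump the
 * ref under the lock, then drop the lock for the copy to user space. That
 * unlocked stretch is the race window the commit message describes. */
static const unsigned char *rt_read_begin(struct rt_buffer *rt)
{
    /* spin_lock(&rt->lock) */
    const unsigned char *p = rt->buffer;
    rt->buffer_ref++;
    /* spin_unlock(&rt->lock); copy_to_user() would happen here */
    return p;
}

static void rt_read_end(struct rt_buffer *rt)
{
    /* spin_lock(&rt->lock) */
    rt->buffer_ref--;
    /* spin_unlock(&rt->lock) */
}

/* Pre-fix resize (under the lock): swaps the buffer unconditionally. A reader
 * still in its copy window now holds a pointer to freed memory. */
static int rt_resize_unguarded(struct rt_buffer *rt, size_t new_size)
{
    unsigned char *nb = calloc(1, new_size);
    if (!nb)
        return -ENOMEM;
    free(rt->buffer);
    rt->buffer = nb;
    return 0;
}

/* Post-fix resize (under the lock): refuse with -EBUSY while buffer_ref is
 * non-zero. A plain int is enough because this check and every inc/dec sit
 * under the same lock, the reason the message gives for not using refcount_t. */
static int rt_resize_guarded(struct rt_buffer *rt, size_t new_size)
{
    unsigned char *nb = calloc(1, new_size);
    if (!nb)
        return -ENOMEM;
    if (rt->buffer_ref) {
        free(nb);
        return -EBUSY;
    }
    free(rt->buffer);
    rt->buffer = nb;
    return 0;
}

/* Resize while a reader is mid-copy, then again once it has finished.
 * Returns the in-window result (-EBUSY) and stores the later one (0). */
static int demo_guarded(int *after_window)
{
    struct rt_buffer rt = { .buffer = calloc(1, 16) };
    rt_read_begin(&rt);
    int during = rt_resize_guarded(&rt, 64);   /* reader still in window */
    rt_read_end(&rt);
    *after_window = rt_resize_guarded(&rt, 64); /* window closed */
    free(rt.buffer);
    return during;
}

/* Same interleaving against the unguarded resize. Returns 1 when the reader's
 * pointer no longer names the live buffer, i.e. it dangles (the UAF KASAN
 * flagged); it is compared as an integer and never dereferenced. */
static int demo_unguarded_dangles(void)
{
    struct rt_buffer rt = { .buffer = calloc(1, 16) };
    uintptr_t held = (uintptr_t)rt_read_begin(&rt);
    int rc = rt_resize_unguarded(&rt, 64);
    int dangles = (rc == 0 && held != (uintptr_t)rt.buffer);
    rt_read_end(&rt);
    free(rt.buffer);
    return dangles;
}

int main(void)
{
    int after = -1, during = demo_guarded(&after);
    printf("guarded: %d during copy (-EBUSY is %d), %d after; unguarded dangles: %d\n",
           during, -EBUSY, after, demo_unguarded_dangles());
    return 0;
}
```

The model deliberately keeps the counter as a plain integer and checks it only in the resize path, mirroring the two design points the commit message makes: the counter needs no atomics because every touch of it is under the same lock, and receive/transmit callbacks need no check because they never drop that lock mid-operation.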