bisecting cause commit starting from 6980b7f6f9db7d5f344ae202012460e9d8869d89
building syzkaller on dc438b91deb00a8ad5634a9c55903e0b1a537c61
testing commit 6980b7f6f9db7d5f344ae202012460e9d8869d89 with gcc (GCC) 8.1.0
all runs: crashed: KASAN: use-after-free Read in snd_timer_open
testing release v5.3
testing commit 4d856f72c10ecb060868ed10ff1b1453943fc6c8 with gcc (GCC) 8.1.0
all runs: OK
# git bisect start 6980b7f6f9db7d5f344ae202012460e9d8869d89 4d856f72c10ecb060868ed10ff1b1453943fc6c8
Bisecting: 12985 revisions left to test after this (roughly 14 steps)
[aefcf2f4b58155d27340ba5f9ddbe9513da8286d] Merge branch 'next-lockdown' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security
testing commit aefcf2f4b58155d27340ba5f9ddbe9513da8286d with gcc (GCC) 8.1.0
all runs: OK
# git bisect good aefcf2f4b58155d27340ba5f9ddbe9513da8286d
Bisecting: 7013 revisions left to test after this (roughly 13 steps)
[8eeae6ae1ef07ebd26b4f7562f258adc1656137b] Merge remote-tracking branch 'rdma/for-next'
testing commit 8eeae6ae1ef07ebd26b4f7562f258adc1656137b with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 8eeae6ae1ef07ebd26b4f7562f258adc1656137b
Bisecting: 3520 revisions left to test after this (roughly 12 steps)
[9949f228dd2a72a44e2ade84e938bddac4d2ee3d] Merge remote-tracking branch 'etnaviv/etnaviv/next'
testing commit 9949f228dd2a72a44e2ade84e938bddac4d2ee3d with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 9949f228dd2a72a44e2ade84e938bddac4d2ee3d
Bisecting: 1812 revisions left to test after this (roughly 11 steps)
[a378d0501ef4acc6caacd61e74ad96ec6729d489] Merge remote-tracking branch 'driver-core/driver-core-next'
testing commit a378d0501ef4acc6caacd61e74ad96ec6729d489 with gcc (GCC) 8.1.0
all runs: crashed: KASAN: use-after-free Read in snd_timer_open
# git bisect bad a378d0501ef4acc6caacd61e74ad96ec6729d489
Bisecting: 851 revisions left to test after this (roughly 10 steps)
[d57d593bac6300ec2f63af6226bb52604673a1af] Merge remote-tracking branch 'tpmdd/next'
testing commit d57d593bac6300ec2f63af6226bb52604673a1af with gcc (GCC) 8.1.0
all runs: crashed: KASAN: use-after-free Read in snd_timer_open
# git bisect bad d57d593bac6300ec2f63af6226bb52604673a1af
Bisecting: 402 revisions left to test after this (roughly 9 steps)
[a6bf5a6bb738440364721cc75f82db87a7ae5e89] Merge remote-tracking branch 'input/next'
testing commit a6bf5a6bb738440364721cc75f82db87a7ae5e89 with gcc (GCC) 8.1.0
all runs: crashed: KASAN: use-after-free Read in snd_timer_open
# git bisect bad a6bf5a6bb738440364721cc75f82db87a7ae5e89
Bisecting: 226 revisions left to test after this (roughly 8 steps)
[139c7febad1afa221c687f3314560284e482a1f4] ASoC: SOF: Intel: add support for snd-hda-codec-hdmi
testing commit 139c7febad1afa221c687f3314560284e482a1f4 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 139c7febad1afa221c687f3314560284e482a1f4
Bisecting: 137 revisions left to test after this (roughly 7 steps)
[fdea53fe5de532969a332d6e5e727f2ad8bf084d] ALSA: timer: Limit max amount of slave instances
testing commit fdea53fe5de532969a332d6e5e727f2ad8bf084d with gcc (GCC) 8.1.0
all runs: OK
# git bisect good fdea53fe5de532969a332d6e5e727f2ad8bf084d
Bisecting: 68 revisions left to test after this (roughly 6 steps)
[67b2945d632328fa0245279e8281e34bf1c78ae2] usb: gadget: u_audio: Remove superfluous snd_dma_continuous_data()
testing commit 67b2945d632328fa0245279e8281e34bf1c78ae2 with gcc (GCC) 8.1.0
all runs: crashed: KASAN: use-after-free Read in snd_timer_open
# git bisect bad 67b2945d632328fa0245279e8281e34bf1c78ae2
Bisecting: 34 revisions left to test after this (roughly 5 steps)
[cd3c5ad7b2503f4fb4dfcc095b3fccc2b3603c36] ASoC: soc-core: typo fix at soc_dai_link_sanity_check()
testing commit cd3c5ad7b2503f4fb4dfcc095b3fccc2b3603c36 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good cd3c5ad7b2503f4fb4dfcc095b3fccc2b3603c36
Bisecting: 17 revisions left to test after this (roughly 4 steps)
[df95a16d2a9626dcfc3f2b3671c9b91fa076c997] ASoC: soc-core: fix RIP warning on card removal
testing commit df95a16d2a9626dcfc3f2b3671c9b91fa076c997 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good df95a16d2a9626dcfc3f2b3671c9b91fa076c997
Bisecting: 8 revisions left to test after this (roughly 3 steps)
[2406ff9b86aa1b77fe1a6d15f37195ac1fdb2a14] ALSA: pcm: Yet another missing check of non-cached buffer type
testing commit 2406ff9b86aa1b77fe1a6d15f37195ac1fdb2a14 with gcc (GCC) 8.1.0
all runs: crashed: KASAN: use-after-free Read in snd_timer_open
# git bisect bad 2406ff9b86aa1b77fe1a6d15f37195ac1fdb2a14
Bisecting: 4 revisions left to test after this (roughly 2 steps)
[9ff7759731db1df8dfe036046d05c3f7ed1e37b0] Merge tag 'asoc-v5.5' of https://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound into for-next
testing commit 9ff7759731db1df8dfe036046d05c3f7ed1e37b0 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 9ff7759731db1df8dfe036046d05c3f7ed1e37b0
Bisecting: 2 revisions left to test after this (roughly 1 step)
[ebfc6de29ae8e48f91e280fd37539188b5252b38] ALSA: timer: Unify master/slave linking code
testing commit ebfc6de29ae8e48f91e280fd37539188b5252b38 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good ebfc6de29ae8e48f91e280fd37539188b5252b38
Bisecting: 0 revisions left to test after this (roughly 1 step)
[6a34367e52caea1413eb0a0dcbb524f0c9b67e82] ALSA: timer: Fix possible race at assigning a timer instance
testing commit 6a34367e52caea1413eb0a0dcbb524f0c9b67e82 with gcc (GCC) 8.1.0
all runs: crashed: KASAN: use-after-free Read in snd_timer_open
# git bisect bad 6a34367e52caea1413eb0a0dcbb524f0c9b67e82
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[33bbb8a0ecd142fb5e78f26f3a0b927ae77c30e7] ALSA: timer: Make snd_timer_close() returning void
testing commit 33bbb8a0ecd142fb5e78f26f3a0b927ae77c30e7 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 33bbb8a0ecd142fb5e78f26f3a0b927ae77c30e7
6a34367e52caea1413eb0a0dcbb524f0c9b67e82 is the first bad commit
commit 6a34367e52caea1413eb0a0dcbb524f0c9b67e82
Author: Takashi Iwai <tiwai@suse.de>
Date:   Thu Nov 7 20:20:08 2019 +0100

    ALSA: timer: Fix possible race at assigning a timer instance
    
    When a new timer instance is created and assigned to the active link
    in snd_timer_open(), the caller still doesn't (can't) set its callback
    and callback data.  In both the user-timer and the sequencer-timer
    code, they do manually set up the callbacks after calling
    snd_timer_open().  This has a potential risk of race when the timer
    instance is added to the already running timer target, as the callback
    might get triggered during setting up the callback itself.
    
    This patch tries to address it by changing the API usage slightly:
    
    - An empty timer instance is created at first via the new function
      snd_timer_instance_new().  This object isn't linked to the timer
      list yet.
    - The caller sets up the callbacks and others stuff for the new timer
      instance.
    - The caller invokes snd_timer_open() with this instance, so that it's
      linked to the target timer.
    
    For closing, do similarly:
    
    - Call snd_timer_close().  This unlinks the timer instance from the
      timer list.
    - Free the timer instance via snd_timer_instance_free() after that.
    
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Link: https://lore.kernel.org/r/20191107192008.32331-4-tiwai@suse.de
    Signed-off-by: Takashi Iwai <tiwai@suse.de>

:040000 040000 6078791058c2f4cbb00d99fc682f889b8787ffef 4f6748c298f7249ea28d1751b9f69b57d1e437b5 M	include
:040000 040000 bf2c2dee64e7629b61611f2e35fea33440fa9383 affbb27068cc404de73f12a62e8bdac8f26dc03a M	sound
revisions tested: 18, total time: 4h20m10.364446883s (build: 1h46m2.110112071s, test: 2h27m53.234058903s)
first bad commit: 6a34367e52caea1413eb0a0dcbb524f0c9b67e82 ALSA: timer: Fix possible race at assigning a timer instance
cc: ["allison@lohutok.net" "alsa-devel@alsa-project.org" "bhelgaas@google.com" "gregkh@linuxfoundation.org" "kirr@nexedi.com" "linux-kernel@vger.kernel.org" "perex@perex.cz" "rfontana@redhat.com" "tglx@linutronix.de" "tiwai@suse.com" "tiwai@suse.de"]
crash: KASAN: use-after-free Read in snd_timer_open
==================================================================
BUG: KASAN: use-after-free in __list_add_valid+0x8f/0xb0 lib/list_debug.c:26
Read of size 8 at addr ffff8880a7bed938 by task syz-executor.3/7727

CPU: 1 PID: 7727 Comm: syz-executor.3 Not tainted 5.4.0-rc2+ #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x113/0x167 lib/dump_stack.c:113
 print_address_description.constprop.8.cold.10+0x9/0x31d mm/kasan/report.c:374
 __kasan_report.cold.11+0x1b/0x3a mm/kasan/report.c:506
 kasan_report+0x12/0x20 mm/kasan/common.c:634
 __asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:132
 __list_add_valid+0x8f/0xb0 lib/list_debug.c:26
 __list_add include/linux/list.h:60 [inline]
 list_add_tail include/linux/list.h:93 [inline]
 snd_timer_open+0x1db/0xf50 sound/core/timer.c:268
 snd_timer_user_tselect sound/core/timer.c:1738 [inline]
 __snd_timer_user_ioctl.isra.27+0xc8d/0x1de0 sound/core/timer.c:2008
 snd_timer_user_ioctl+0x77/0xa4 sound/core/timer.c:2038
 vfs_ioctl fs/ioctl.c:46 [inline]
 file_ioctl fs/ioctl.c:509 [inline]
 do_vfs_ioctl+0x196/0x1150 fs/ioctl.c:696
 ksys_ioctl+0x62/0x90 fs/ioctl.c:713
 __do_sys_ioctl fs/ioctl.c:720 [inline]
 __se_sys_ioctl fs/ioctl.c:718 [inline]
 __x64_sys_ioctl+0x6e/0xb0 fs/ioctl.c:718
 do_syscall_64+0xca/0x5d0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x45a219
Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007feaeabf5c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 000000000045a219
RDX: 0000000020029fcc RSI: 0000000040345410 RDI: 0000000000000003
RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007feaeabf66d4
R13: 00000000004cf428 R14: 00000000004d9760 R15: 00000000ffffffff

Allocated by task 7724:
 save_stack+0x21/0x90 mm/kasan/common.c:69
 set_track mm/kasan/common.c:77 [inline]
 __kasan_kmalloc.constprop.9+0xc7/0xd0 mm/kasan/common.c:510
 kasan_kmalloc+0x9/0x10 mm/kasan/common.c:524
 kmem_cache_alloc_trace+0x15b/0x780 mm/slab.c:3550
 kmalloc include/linux/slab.h:552 [inline]
 kzalloc include/linux/slab.h:686 [inline]
 snd_timer_instance_new+0x46/0x2c0 sound/core/timer.c:96
 snd_timer_user_tselect sound/core/timer.c:1725 [inline]
 __snd_timer_user_ioctl.isra.27+0xb0c/0x1de0 sound/core/timer.c:2008
 snd_timer_user_ioctl+0x77/0xa4 sound/core/timer.c:2038
 vfs_ioctl fs/ioctl.c:46 [inline]
 file_ioctl fs/ioctl.c:509 [inline]
 do_vfs_ioctl+0x196/0x1150 fs/ioctl.c:696
 ksys_ioctl+0x62/0x90 fs/ioctl.c:713
 __do_sys_ioctl fs/ioctl.c:720 [inline]
 __se_sys_ioctl fs/ioctl.c:718 [inline]
 __x64_sys_ioctl+0x6e/0xb0 fs/ioctl.c:718
 do_syscall_64+0xca/0x5d0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 7724:
 save_stack+0x21/0x90 mm/kasan/common.c:69
 set_track mm/kasan/common.c:77 [inline]
 kasan_set_free_info mm/kasan/common.c:332 [inline]
 __kasan_slab_free+0x102/0x150 mm/kasan/common.c:471
 kasan_slab_free+0xe/0x10 mm/kasan/common.c:480
 __cache_free mm/slab.c:3425 [inline]
 kfree+0x108/0x2c0 mm/slab.c:3756
 snd_timer_instance_free+0x62/0x80 sound/core/timer.c:120
 snd_timer_user_tselect sound/core/timer.c:1740 [inline]
 __snd_timer_user_ioctl.isra.27+0xcbe/0x1de0 sound/core/timer.c:2008
 snd_timer_user_ioctl+0x77/0xa4 sound/core/timer.c:2038
 vfs_ioctl fs/ioctl.c:46 [inline]
 file_ioctl fs/ioctl.c:509 [inline]
 do_vfs_ioctl+0x196/0x1150 fs/ioctl.c:696
 ksys_ioctl+0x62/0x90 fs/ioctl.c:713
 __do_sys_ioctl fs/ioctl.c:720 [inline]
 __se_sys_ioctl fs/ioctl.c:718 [inline]
 __x64_sys_ioctl+0x6e/0xb0 fs/ioctl.c:718
 do_syscall_64+0xca/0x5d0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at ffff8880a7bed8c0
 which belongs to the cache kmalloc-256 of size 256
The buggy address is located 120 bytes inside of
 256-byte region [ffff8880a7bed8c0, ffff8880a7bed9c0)
The buggy address belongs to the page:
page:ffffea00029efb40 refcount:1 mapcount:0 mapping:ffff8880aa4008c0 index:0x0
flags: 0x1fffc0000000200(slab)
raw: 01fffc0000000200 ffffea00026c4688 ffffea00023b8588 ffff8880aa4008c0
raw: 0000000000000000 ffff8880a7bed000 000000010000000c 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8880a7bed800: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
 ffff8880a7bed880: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
>ffff8880a7bed900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                        ^
 ffff8880a7bed980: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff8880a7beda00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================