Hello,
The following program triggers a kernel WARNING (warn_slowpath_null, sound/core/control.c:668) in snd_ctl_find_numid, reached through snd_ctl_tlv_ioctl. The reproducer passes numid == 0 in an SNDRV_CTL_IOCTL_TLV_WRITE request, and that value appears to reach the control lookup without being rejected first. Since the path is reachable from any process that can open /dev/snd/controlC0, this is a user-triggerable warning, and a kernel panic on systems booted with panic_on_warn:
// autogenerated by syzkaller (http://github.com/google/syzkaller)
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/ioctl.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sound/asound.h>
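/*
 * Reproducer: issue SNDRV_CTL_IOCTL_TLV_WRITE with numid == 0 on the first
 * ALSA control device.  Only the header fields (numid, length) matter for
 * the report; the payload is zeroed storage of exactly tlv.length bytes so
 * the kernel's copy of the payload reads defined memory instead of whatever
 * happens to follow the struct on the stack.
 *
 * Returns 0 once the ioctl has been issued (its own result is incidental to
 * the report, the WARN fires inside the kernel), 1 if the control device
 * could not be opened.
 */
int main(void)
{
	enum { TLV_PAYLOAD_WORDS = 2 };   /* 8 payload bytes, as in the original report */
	/*
	 * struct snd_ctl_tlv ends in a zero-length array, so it has no room
	 * for the payload by itself; a union gives the header correctly
	 * aligned storage with the payload words directly behind it.
	 */
	union {
		struct snd_ctl_tlv hdr;
		unsigned int words[2 + TLV_PAYLOAD_WORDS];
	} req;
	int fd;

	memset(&req, 0, sizeof req);
	req.hdr.numid = 0;                             /* the value the kernel warns on */
	req.hdr.length = sizeof req - sizeof req.hdr;  /* bytes of payload after the header */

	fd = open("/dev/snd/controlC0", O_RDWR);
	if (fd < 0) {
		perror("open /dev/snd/controlC0");
		return 1;
	}

	if (ioctl(fd, SNDRV_CTL_IOCTL_TLV_WRITE, &req.hdr) < 0)
		perror("SNDRV_CTL_IOCTL_TLV_WRITE");

	close(fd);
	return 0;
}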
------------[ cut here ]------------
WARNING: CPU: 1 PID: 29204 at sound/core/control.c:668 snd_ctl_find_numid+0xff/0x130()
Modules linked in:
CPU: 1 PID: 29204 Comm: a.out Tainted: G W 4.4.0+ #259
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
 00000000ffffffff ffff88005e55fb30 ffffffff8298accd 0000000000000000
 ffff8800647caf80 ffffffff86d23d80 ffff88005e55fb70 ffffffff81352089
 ffffffff84f16b3f ffffffff86d23d80 000000000000029c ffff88002402cb60
Call Trace:
 [< inline >] __dump_stack lib/dump_stack.c:15
 [<ffffffff8298accd>] dump_stack+0x6f/0xa2 lib/dump_stack.c:50
 [<ffffffff81352089>] warn_slowpath_common+0xd9/0x140 kernel/panic.c:482
 [<ffffffff813522b9>] warn_slowpath_null+0x29/0x30 kernel/panic.c:515
 [<ffffffff84f16b3f>] snd_ctl_find_numid+0xff/0x130 sound/core/control.c:668
 [<ffffffff84f1caf9>] snd_ctl_tlv_ioctl+0x119/0x680 sound/core/control.c:1409
 [<ffffffff84f1f88b>] snd_ctl_ioctl+0x24b/0xdd0 sound/core/control.c:1501
 [< inline >] vfs_ioctl fs/ioctl.c:43
 [<ffffffff817ebfac>] do_vfs_ioctl+0x18c/0xfb0 fs/ioctl.c:674
 [< inline >] SYSC_ioctl fs/ioctl.c:689
 [<ffffffff817ece5f>] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:680
 [<ffffffff863259b6>] entry_SYSCALL_64_fastpath+0x16/0x7a arch/x86/entry/entry_64.S:185
---[ end trace 010bca66b8d6c52a ]---
Reproduced on commit 5807fcaa9bf7dd87241df739161c119cf78a6bc4 (the trace above reports kernel 4.4.0+ #259 in a QEMU guest).