On Sun, 16 Jul 2023 at 22:47, Geraldo Nascimento geraldogabriel@gmail.com wrote:
On Sun, Jul 16, 2023 at 03:07:23PM +0200, Takashi Iwai wrote:
On Sun, 16 Jul 2023 10:21:49 +0200, syzbot wrote:
Hello,
syzbot found the following issue on:
HEAD commit:    3f01e9fed845 Merge tag 'linux-watchdog-6.5-rc2' of git://w..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=14b07344a80000
kernel config:  https://syzkaller.appspot.com/x/.config?x=75da4f0a455bdbd3
dashboard link: https://syzkaller.appspot.com/bug?extid=cf8e7fa4eeec59b3d485
compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=15877dc2a80000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=12905004a80000

Downloadable assets:
disk image:   https://storage.googleapis.com/syzbot-assets/441fb7ea58b8/disk-3f01e9fe.raw....
vmlinux:      https://storage.googleapis.com/syzbot-assets/8fa7790ba0c3/vmlinux-3f01e9fe.x...
kernel image: https://storage.googleapis.com/syzbot-assets/5e7a6471dadf/bzImage-3f01e9fe.x...
IMPORTANT: if you fix the issue, please add the following tag to the commit: Reported-by: syzbot+cf8e7fa4eeec59b3d485@syzkaller.appspotmail.com
Warning: Permanently added '10.128.1.1' (ED25519) to the list of known hosts.
executing program
executing program
BUG: memory leak
unreferenced object 0xffff888100877000 (size 512):
  comm "syz-executor257", pid 5012, jiffies 4294941742 (age 12.790s)
  hex dump (first 32 bytes):
    80 ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
    [<ffffffff8154bf94>] kmalloc_trace+0x24/0x90 mm/slab_common.c:1076
    [<ffffffff83d29e28>] kmalloc include/linux/slab.h:582 [inline]
    [<ffffffff83d29e28>] kzalloc include/linux/slab.h:703 [inline]
    [<ffffffff83d29e28>] snd_seq_create_port+0x78/0x300 sound/core/seq/seq_ports.c:135
    [<ffffffff83d1f681>] snd_seq_ioctl_create_port+0xe1/0x2a0 sound/core/seq/seq_clientmgr.c:1324
    [<ffffffff83d20e5e>] snd_seq_ioctl+0x13e/0x290 sound/core/seq/seq_clientmgr.c:2327
    [<ffffffff81685173>] vfs_ioctl fs/ioctl.c:51 [inline]
    [<ffffffff81685173>] __do_sys_ioctl fs/ioctl.c:870 [inline]
    [<ffffffff81685173>] __se_sys_ioctl fs/ioctl.c:856 [inline]
    [<ffffffff81685173>] __x64_sys_ioctl+0x103/0x140 fs/ioctl.c:856
    [<ffffffff84a77ff9>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
    [<ffffffff84a77ff9>] do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
    [<ffffffff84c0008b>] entry_SYSCALL_64_after_hwframe+0x63/0xcd

BUG: memory leak
unreferenced object 0xffff888106742c00 (size 512):
  comm "syz-executor257", pid 5013, jiffies 4294942276 (age 7.450s)
  hex dump (first 32 bytes):
    80 ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
    [<ffffffff8154bf94>] kmalloc_trace+0x24/0x90 mm/slab_common.c:1076
    [<ffffffff83d29e28>] kmalloc include/linux/slab.h:582 [inline]
    [<ffffffff83d29e28>] kzalloc include/linux/slab.h:703 [inline]
    [<ffffffff83d29e28>] snd_seq_create_port+0x78/0x300 sound/core/seq/seq_ports.c:135
    [<ffffffff83d1f681>] snd_seq_ioctl_create_port+0xe1/0x2a0 sound/core/seq/seq_clientmgr.c:1324
    [<ffffffff83d20e5e>] snd_seq_ioctl+0x13e/0x290 sound/core/seq/seq_clientmgr.c:2327
    [<ffffffff81685173>] vfs_ioctl fs/ioctl.c:51 [inline]
    [<ffffffff81685173>] __do_sys_ioctl fs/ioctl.c:870 [inline]
    [<ffffffff81685173>] __se_sys_ioctl fs/ioctl.c:856 [inline]
    [<ffffffff81685173>] __x64_sys_ioctl+0x103/0x140 fs/ioctl.c:856
    [<ffffffff84a77ff9>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
    [<ffffffff84a77ff9>] do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
    [<ffffffff84c0008b>] entry_SYSCALL_64_after_hwframe+0x63/0xcd
Likely a forgotten kfree() at the error path. The patch below should fix it.
Takashi
-- 8< --
From: Takashi Iwai tiwai@suse.de
Subject: [PATCH] ALSA: seq: Fix memory leak at error path in snd_seq_create_port()
We forgot to release a newly allocated item at the error path in snd_seq_create_port(). This patch fixes it.
Thanks for the clarification and quick proposed resolution, Takashi. As an ALSA novice, these bots always stump me, personally. I understand how helpful they are, however, even if cryptic.
Hi Geraldo,
What exactly is cryptic in the report? Is there anything that can be done to make it less cryptic?
But shouldn't this be reported to security? It's always prone to bad stuff when we forget a kfree().
Thanks, Geraldo Nascimento
Reported-by: syzbot+cf8e7fa4eeec59b3d485@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/r/00000000000098ed3a0600965f89@google.com
Cc: stable@vger.kernel.org
Signed-off-by: Takashi Iwai tiwai@suse.de

 sound/core/seq/seq_ports.c | 1 +
 1 file changed, 1 insertion(+)
diff --git a/sound/core/seq/seq_ports.c b/sound/core/seq/seq_ports.c index 9b80f8275026..f3f14ff0f80f 100644 --- a/sound/core/seq/seq_ports.c +++ b/sound/core/seq/seq_ports.c @@ -149,6 +149,7 @@ int snd_seq_create_port(struct snd_seq_client *client, int port, write_lock_irq(&client->ports_lock); list_for_each_entry(p, &client->ports_list_head, list) { if (p->addr.port == port) {
kfree(new_port); num = -EBUSY; goto unlock; }
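Review bot: the added kfree(new_port) in the -EBUSY branch runs while ports_lock is held with interrupts disabled via write_lock_irq(); kfree() does not sleep, so this is safe, but the same leak can be closed without extending the critical section by keeping `num = -EBUSY; goto unlock;` as-is and freeing new_port after write_unlock_irq() whenever num < 0. Also, only the duplicate-port exit is visible in this hunk; please confirm that every other return between the kzalloc() and the successful list insertion in snd_seq_create_port() releases new_port as well, otherwise kmemleak will report the same 512-byte object from a different path.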
-- 2.35.3
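The bug pattern discussed in this thread (allocate first, then discover the port number is already taken and return -EBUSY without releasing the fresh object), as an added user-space model that is not the kernel code, Takashi's patch, or the syzbot reproducer. The struct names, the fixed-size port array, and the live_allocs counter are assumptions standing in for the kernel's list and for kmemleak's view of outstanding objects; the leaky and fixed variants differ only in what happens on the duplicate-port exit.

```c
/* Added example, not kernel code: a user-space model of the error-path leak
 * behind the snd_seq_create_port() report.  live_allocs counts objects that
 * were allocated but never freed, so the leak becomes a checkable number. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_PORTS 8   /* assumption: a bounded array instead of a kernel list */

struct port {
    int addr;         /* models p->addr.port */
};

struct client {
    struct port *ports[MAX_PORTS];   /* models client->ports_list_head */
    int nports;
};

static int live_allocs;   /* stand-in for kmemleak's outstanding-object count */

static struct port *port_alloc(int addr)
{
    struct port *p = calloc(1, sizeof(*p));   /* models kzalloc() */
    if (!p)
        return NULL;
    p->addr = addr;
    live_allocs++;
    return p;
}

static void port_free(struct port *p)
{
    free(p);
    live_allocs--;
}

/* Leaky variant: the duplicate check fails after the allocation and the
 * function returns -EBUSY with new_port still outstanding. */
static int create_port_leaky(struct client *c, int addr)
{
    struct port *new_port = port_alloc(addr);
    if (!new_port)
        return -ENOMEM;
    for (int i = 0; i < c->nports; i++)
        if (c->ports[i]->addr == addr)
            return -EBUSY;          /* BUG: new_port is never freed */
    if (c->nports == MAX_PORTS) {
        port_free(new_port);
        return -ENOMEM;
    }
    c->ports[c->nports++] = new_port;
    return addr;
}

/* Fixed variant: every exit after the allocation either inserts new_port
 * or frees it through a single error label. */
static int create_port_fixed(struct client *c, int addr)
{
    struct port *new_port = port_alloc(addr);
    int num = addr;
    if (!new_port)
        return -ENOMEM;
    for (int i = 0; i < c->nports; i++) {
        if (c->ports[i]->addr == addr) {
            num = -EBUSY;
            goto out_free;
        }
    }
    if (c->nports == MAX_PORTS) {
        num = -ENOMEM;
        goto out_free;
    }
    c->ports[c->nports++] = new_port;
    return num;
out_free:
    port_free(new_port);
    return num;
}

static void client_destroy(struct client *c)
{
    for (int i = 0; i < c->nports; i++)
        port_free(c->ports[i]);
    c->nports = 0;
}

/* Create the same port twice (the reproducer's pattern), tear the client
 * down, and return how many objects are still outstanding:
 * 1 for the leaky variant, 0 for the fixed one. */
static int leaked_after_duplicate(int (*create)(struct client *, int))
{
    struct client c = {0};
    live_allocs = 0;
    create(&c, 0);
    create(&c, 0);      /* second call takes the -EBUSY exit */
    client_destroy(&c);
    return live_allocs;
}

/* Return value of the second, duplicate create call (expected -EBUSY). */
static int duplicate_result(int (*create)(struct client *, int))
{
    struct client c = {0};
    int rc;
    create(&c, 3);
    rc = create(&c, 3);
    client_destroy(&c);
    return rc;
}

int main(void)
{
    printf("leaky: %d object(s) leaked\n", leaked_after_duplicate(create_port_leaky));
    printf("fixed: %d object(s) leaked\n", leaked_after_duplicate(create_port_fixed));
    return 0;
}
```

Both variants return -EBUSY to the caller, so the ioctl result looks identical from user space; only the outstanding-allocation count (kmemleak in the kernel, live_allocs here) tells them apart, which is why a fuzzer running the same ioctl repeatedly is what surfaced the bug.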