[alsa-devel] sound: GPF in snd_seq_fifo_clear
Hello,
The following program triggers GPF in snd_seq_fifo_clear:
// autogenerated by syzkaller (http://github.com/google/syzkaller) #include <unistd.h> #include <sys/syscall.h> #include <string.h> #include <stdlib.h> #include <stdint.h> #include <pthread.h>
int fd;
void *thr(void *arg) { switch ((long)arg) { case 0: *(uint32_t*)0x20001fb0 = (uint32_t)0x1; *(uint64_t*)0x20001fc8 = (uint64_t)0x0; *(uint64_t*)0x20001fd0 = (uint64_t)0x0; *(uint8_t*)0x20001fd8 = (uint8_t)0x3; *(uint8_t*)0x20001fd9 = (uint8_t)0x32be; *(uint8_t*)0x20001fda = (uint8_t)0x36; *(uint8_t*)0x20001fdb = (uint8_t)0x5120; *(uint32_t*)0x20001fdc = (uint32_t)0x0; *(uint8_t*)0x20001fe0 = (uint8_t)0x4; *(uint32_t*)0x20001fe4 = (uint32_t)0x0; *(uint32_t*)0x20001fe8 = (uint32_t)0x0; *(uint32_t*)0x20001fec = (uint32_t)0x0; *(uint32_t*)0x20001ff0 = (uint32_t)0x0; *(uint32_t*)0x20001ff4 = (uint32_t)0x0; *(uint32_t*)0x20001ff8 = (uint32_t)0x0; *(uint32_t*)0x20001ffc = (uint32_t)0x0; *(uint32_t*)0x20002000 = (uint32_t)0x0; *(uint32_t*)0x20002004 = (uint32_t)0x0; *(uint32_t*)0x20002008 = (uint32_t)0x0; syscall(SYS_ioctl, fd, 0x4040534eul, 0x20001fb0ul, 0, 0, 0); break; case 1: *(uint32_t*)0x20006000 = (uint32_t)0xaff; *(uint32_t*)0x20006004 = (uint32_t)0x5; *(uint32_t*)0x20006008 = (uint32_t)0x101; *(uint64_t*)0x20006010 = (uint64_t)0x0; *(uint64_t*)0x20006018 = (uint64_t)0x989680; *(uint32_t*)0x20006020 = (uint32_t)0x3; *(uint32_t*)0x20006024 = (uint32_t)0x4; *(uint8_t*)0x20006028 = (uint8_t)0x0; *(uint8_t*)0x20006029 = (uint8_t)0x0; *(uint8_t*)0x2000602a = (uint8_t)0x0; *(uint8_t*)0x2000602b = (uint8_t)0x0; *(uint8_t*)0x2000602c = (uint8_t)0x0; *(uint8_t*)0x2000602d = (uint8_t)0x0; *(uint8_t*)0x2000602e = (uint8_t)0x0; *(uint8_t*)0x2000602f = (uint8_t)0x0; *(uint8_t*)0x20006030 = (uint8_t)0x0; *(uint8_t*)0x20006031 = (uint8_t)0x0; *(uint8_t*)0x20006032 = (uint8_t)0x0; *(uint8_t*)0x20006033 = (uint8_t)0x0; *(uint8_t*)0x20006034 = (uint8_t)0x0; *(uint8_t*)0x20006035 = (uint8_t)0x0; *(uint8_t*)0x20006036 = (uint8_t)0x0; *(uint8_t*)0x20006037 = (uint8_t)0x0; *(uint8_t*)0x20006038 = (uint8_t)0x0; *(uint8_t*)0x20006039 = (uint8_t)0x0; *(uint8_t*)0x2000603a = (uint8_t)0x0; *(uint8_t*)0x2000603b = (uint8_t)0x0; *(uint8_t*)0x2000603c = (uint8_t)0x0; *(uint8_t*)0x2000603d = (uint8_t)0x0; *(uint8_t*)0x2000603e = (uint8_t)0x0; *(uint8_t*)0x2000603f = (uint8_t)0x0; *(uint8_t*)0x20006040 = (uint8_t)0x0; *(uint8_t*)0x20006041 = (uint8_t)0x0; *(uint8_t*)0x20006042 = (uint8_t)0x0; *(uint8_t*)0x20006043 = (uint8_t)0x0; *(uint8_t*)0x20006044 = (uint8_t)0x0; *(uint8_t*)0x20006045 = (uint8_t)0x0; *(uint8_t*)0x20006046 = (uint8_t)0x0; *(uint8_t*)0x20006047 = (uint8_t)0x0; *(uint8_t*)0x20006048 = (uint8_t)0x0; *(uint8_t*)0x20006049 = (uint8_t)0x0; *(uint8_t*)0x2000604a = (uint8_t)0x0; *(uint8_t*)0x2000604b = (uint8_t)0x0; *(uint8_t*)0x2000604c = (uint8_t)0x0; *(uint8_t*)0x2000604d = (uint8_t)0x0; *(uint8_t*)0x2000604e = (uint8_t)0x0; *(uint8_t*)0x2000604f = (uint8_t)0x0; *(uint8_t*)0x20006050 = (uint8_t)0x0; *(uint8_t*)0x20006051 = (uint8_t)0x0; *(uint8_t*)0x20006052 = (uint8_t)0x0; *(uint8_t*)0x20006053 = (uint8_t)0x0; *(uint8_t*)0x20006054 = (uint8_t)0x0; *(uint8_t*)0x20006055 = (uint8_t)0x0; *(uint8_t*)0x20006056 = (uint8_t)0x0; *(uint8_t*)0x20006057 = (uint8_t)0x0; *(uint8_t*)0x20006058 = (uint8_t)0x0; *(uint8_t*)0x20006059 = (uint8_t)0x0; *(uint8_t*)0x2000605a = (uint8_t)0x0; *(uint8_t*)0x2000605b = (uint8_t)0x0; *(uint8_t*)0x2000605c = (uint8_t)0x0; *(uint8_t*)0x2000605d = (uint8_t)0x0; *(uint8_t*)0x2000605e = (uint8_t)0x0; *(uint8_t*)0x2000605f = (uint8_t)0x0; *(uint8_t*)0x20006060 = (uint8_t)0x0; *(uint8_t*)0x20006061 = (uint8_t)0x0; *(uint8_t*)0x20006062 = (uint8_t)0x0; *(uint8_t*)0x20006063 = (uint8_t)0x0; *(uint8_t*)0x20006064 = (uint8_t)0x0; *(uint8_t*)0x20006065 = (uint8_t)0x0; *(uint8_t*)0x20006066 = (uint8_t)0x0; *(uint8_t*)0x20006067 = (uint8_t)0x0; syscall(SYS_ioctl, fd, 0x402c5342ul, 0x20006000ul, 0, 0, 0); break; case 2: *(uint8_t*)0x20007fb0 = (uint8_t)0x1037; *(uint8_t*)0x20007fb1 = (uint8_t)0x7; *(uint8_t*)0x20007fb2 = (uint8_t)0x30b; *(uint8_t*)0x20007fb3 = (uint8_t)0x34b0; *(uint32_t*)0x20007fb4 = (uint32_t)0x5; *(uint32_t*)0x20007fb8 = (uint32_t)0x7; *(uint8_t*)0x20007fbc = (uint8_t)0x75d; *(uint8_t*)0x20007fbd = (uint8_t)0x0; *(uint8_t*)0x20007fbe = (uint8_t)0x0; *(uint8_t*)0x20007fbf = (uint8_t)0x0; *(uint8_t*)0x20007fc0 = (uint8_t)0x0; *(uint8_t*)0x20007fc1 = (uint8_t)0x0; *(uint8_t*)0x20007fc2 = (uint8_t)0x0; *(uint8_t*)0x20007fc3 = (uint8_t)0x0; *(uint8_t*)0x20007fc4 = (uint8_t)0x0; *(uint8_t*)0x20007fc5 = (uint8_t)0x0; *(uint8_t*)0x20007fc6 = (uint8_t)0x0; *(uint8_t*)0x20007fc7 = (uint8_t)0x0; *(uint8_t*)0x20007fc8 = (uint8_t)0x0; *(uint8_t*)0x20007fc9 = (uint8_t)0x0; *(uint8_t*)0x20007fca = (uint8_t)0x0; *(uint8_t*)0x20007fcb = (uint8_t)0x0; *(uint8_t*)0x20007fcc = (uint8_t)0x0; *(uint8_t*)0x20007fcd = (uint8_t)0x0; *(uint8_t*)0x20007fce = (uint8_t)0x0; *(uint8_t*)0x20007fcf = (uint8_t)0x0; *(uint8_t*)0x20007fd0 = (uint8_t)0x0; *(uint8_t*)0x20007fd1 = (uint8_t)0x0; *(uint8_t*)0x20007fd2 = (uint8_t)0x0; *(uint8_t*)0x20007fd3 = (uint8_t)0x0; *(uint8_t*)0x20007fd4 = (uint8_t)0x0; *(uint8_t*)0x20007fd5 = (uint8_t)0x0; *(uint8_t*)0x20007fd6 = (uint8_t)0x0; *(uint8_t*)0x20007fd7 = (uint8_t)0x0; *(uint8_t*)0x20007fd8 = (uint8_t)0x0; *(uint8_t*)0x20007fd9 = (uint8_t)0x0; *(uint8_t*)0x20007fda = (uint8_t)0x0; *(uint8_t*)0x20007fdb = (uint8_t)0x0; *(uint8_t*)0x20007fdc = (uint8_t)0x0; *(uint8_t*)0x20007fdd = (uint8_t)0x0; *(uint8_t*)0x20007fde = (uint8_t)0x0; *(uint8_t*)0x20007fdf = (uint8_t)0x0; *(uint8_t*)0x20007fe0 = (uint8_t)0x0; *(uint8_t*)0x20007fe1 = (uint8_t)0x0; *(uint8_t*)0x20007fe2 = (uint8_t)0x0; *(uint8_t*)0x20007fe3 = (uint8_t)0x0; *(uint8_t*)0x20007fe4 = (uint8_t)0x0; *(uint8_t*)0x20007fe5 = (uint8_t)0x0; *(uint8_t*)0x20007fe6 = (uint8_t)0x0; *(uint8_t*)0x20007fe7 = (uint8_t)0x0; *(uint8_t*)0x20007fe8 = (uint8_t)0x0; *(uint8_t*)0x20007fe9 = (uint8_t)0x0; *(uint8_t*)0x20007fea = (uint8_t)0x0; *(uint8_t*)0x20007feb = (uint8_t)0x0; *(uint8_t*)0x20007fec = (uint8_t)0x0; *(uint8_t*)0x20007fed = (uint8_t)0x0; *(uint8_t*)0x20007fee = (uint8_t)0x0; *(uint8_t*)0x20007fef = (uint8_t)0x0; *(uint8_t*)0x20007ff0 = (uint8_t)0x0; *(uint8_t*)0x20007ff1 = (uint8_t)0x0; *(uint8_t*)0x20007ff2 = (uint8_t)0x0; *(uint8_t*)0x20007ff3 = (uint8_t)0x0; *(uint8_t*)0x20007ff4 = (uint8_t)0x0; *(uint8_t*)0x20007ff5 = (uint8_t)0x0; *(uint8_t*)0x20007ff6 = (uint8_t)0x0; *(uint8_t*)0x20007ff7 = (uint8_t)0x0; *(uint8_t*)0x20007ff8 = (uint8_t)0x0; *(uint8_t*)0x20007ff9 = (uint8_t)0x0; *(uint8_t*)0x20007ffa = (uint8_t)0x0; *(uint8_t*)0x20007ffb = (uint8_t)0x0; *(uint8_t*)0x20007ffc = (uint8_t)0x0; *(uint8_t*)0x20007ffd = (uint8_t)0x0; *(uint8_t*)0x20007ffe = (uint8_t)0x0; *(uint8_t*)0x20007fff = (uint8_t)0x0; syscall(SYS_ioctl, fd, 0x40505331ul, 0x20007fb0ul, 0, 0, 0); break; } return 0; }
int main() { long i; pthread_t th;
srand(getpid()); syscall(SYS_mmap, 0x20000000ul, 0x8000ul, 0x3ul, 0x32ul, 0xfffffffffffffffful, 0x0ul); memcpy((void*)0x20005000, "\x2f\x64\x65\x76\x2f\x73\x6e\x64\x2f\x73\x65\x71", 12); fd = syscall(SYS_open, 0x20005000ul, 0x1ul, 0x0ul, 0, 0, 0); for (i = 0; i < 6; i++) { pthread_create(&th, 0, thr, (void*)(i%3)); if (rand()%2==0) usleep(rand()%1000); } usleep(10000); return 0; }
kasan: CONFIG_KASAN_INLINE enabled[ 146.589109] kasan: CONFIG_KASAN_INLINE enabledkasan: GPF could be caused by NULL-ptr deref or user memory accessgeneral protection fault: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN Modules linked in: CPU: 2 PID: 6540 Comm: a.out Not tainted 4.4.0+ #222 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 task: ffff880064ed0000 ti: ffff880063620000 task.ti: ffff880063620000 RIP: 0010:[<ffffffff84b65301>] [<ffffffff84b65301>] snd_seq_fifo_clear+0x31/0x1d0 RSP: 0018:ffff880063627c48 EFLAGS: 00010202 RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000 RDX: 0000000000000015 RSI: 0000000020001ff0 RDI: 00000000000000a8 RBP: ffff880063627c98 R08: 0000000000000001 R09: 0000000000000001 R10: 0000000000000000 R11: 0000000000000001 R12: ffff880064de1ec0 R13: dffffc0000000000 R14: ffff880063627d28 R15: 0000000000000001 FS: 00007fc371e37700(0000) GS:ffff88006d600000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b CR2: 0000000020002000 CR3: 0000000062a62000 CR4: 00000000000006e0 Stack: ffffffff867a5ce0 00000000000002b9 000000004040534e 0000000020001fb0 ffff880063627c98 1ffff1000c6c4f95 ffff880064de1ec0 dffffc0000000000 ffff880063627d28 0000000000000001 ffff880063627d50 ffffffff84b56918 Call Trace: [<ffffffff84b56918>] snd_seq_ioctl_remove_events+0x178/0x1b0 sound/core/seq/seq_clientmgr.c:1966 [<ffffffff84b5954a>] snd_seq_do_ioctl+0x19a/0x1c0 sound/core/seq/seq_clientmgr.c:2209 [<ffffffff84b5973d>] snd_seq_ioctl+0x5d/0x80 sound/core/seq/seq_clientmgr.c:2224 [< inline >] vfs_ioctl fs/ioctl.c:43 [<ffffffff817b3531>] do_vfs_ioctl+0x681/0xe40 fs/ioctl.c:607 [< inline >] SYSC_ioctl fs/ioctl.c:622 [<ffffffff817b3d7f>] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:613 [<ffffffff85e748f6>] entry_SYSCALL_64_fastpath+0x16/0x7a arch/x86/entry/entry_64.S:185 Code: 41 56 41 55 41 54 53 48 89 fb 48 83 ec 28 e8 47 aa 9f fc 48 8d bb a8 00 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 RIP [< inline >] __write_once_size include/linux/compiler.h:246 RIP [< inline >] atomic_set ./arch/x86/include/asm/atomic.h:39 RIP [<ffffffff84b65301>] snd_seq_fifo_clear+0x31/0x1d0 sound/core/seq/seq_fifo.c:99 RSP <ffff880063627c48> ---[ end trace 3ee37e6a5304c762 ]---
On commit afd2ff9b7e1b367172f18ba7f693dfb62bdcb2dc (Jan 10).
On Tue, 12 Jan 2016 11:07:16 +0100, Dmitry Vyukov wrote:
Hello,
The following program triggers GPF in snd_seq_fifo_clear:
// autogenerated by syzkaller (http://github.com/google/syzkaller) #include <unistd.h> #include <sys/syscall.h> #include <string.h> #include <stdlib.h> #include <stdint.h> #include <pthread.h>
int fd;
void *thr(void *arg) { switch ((long)arg) { case 0: *(uint32_t*)0x20001fb0 = (uint32_t)0x1; *(uint64_t*)0x20001fc8 = (uint64_t)0x0; *(uint64_t*)0x20001fd0 = (uint64_t)0x0; *(uint8_t*)0x20001fd8 = (uint8_t)0x3; *(uint8_t*)0x20001fd9 = (uint8_t)0x32be; *(uint8_t*)0x20001fda = (uint8_t)0x36; *(uint8_t*)0x20001fdb = (uint8_t)0x5120; *(uint32_t*)0x20001fdc = (uint32_t)0x0; *(uint8_t*)0x20001fe0 = (uint8_t)0x4; *(uint32_t*)0x20001fe4 = (uint32_t)0x0; *(uint32_t*)0x20001fe8 = (uint32_t)0x0; *(uint32_t*)0x20001fec = (uint32_t)0x0; *(uint32_t*)0x20001ff0 = (uint32_t)0x0; *(uint32_t*)0x20001ff4 = (uint32_t)0x0; *(uint32_t*)0x20001ff8 = (uint32_t)0x0; *(uint32_t*)0x20001ffc = (uint32_t)0x0; *(uint32_t*)0x20002000 = (uint32_t)0x0; *(uint32_t*)0x20002004 = (uint32_t)0x0; *(uint32_t*)0x20002008 = (uint32_t)0x0; syscall(SYS_ioctl, fd, 0x4040534eul, 0x20001fb0ul, 0, 0, 0); break; case 1: *(uint32_t*)0x20006000 = (uint32_t)0xaff; *(uint32_t*)0x20006004 = (uint32_t)0x5; *(uint32_t*)0x20006008 = (uint32_t)0x101; *(uint64_t*)0x20006010 = (uint64_t)0x0; *(uint64_t*)0x20006018 = (uint64_t)0x989680; *(uint32_t*)0x20006020 = (uint32_t)0x3; *(uint32_t*)0x20006024 = (uint32_t)0x4; *(uint8_t*)0x20006028 = (uint8_t)0x0; *(uint8_t*)0x20006029 = (uint8_t)0x0; *(uint8_t*)0x2000602a = (uint8_t)0x0; *(uint8_t*)0x2000602b = (uint8_t)0x0; *(uint8_t*)0x2000602c = (uint8_t)0x0; *(uint8_t*)0x2000602d = (uint8_t)0x0; *(uint8_t*)0x2000602e = (uint8_t)0x0; *(uint8_t*)0x2000602f = (uint8_t)0x0; *(uint8_t*)0x20006030 = (uint8_t)0x0; *(uint8_t*)0x20006031 = (uint8_t)0x0; *(uint8_t*)0x20006032 = (uint8_t)0x0; *(uint8_t*)0x20006033 = (uint8_t)0x0; *(uint8_t*)0x20006034 = (uint8_t)0x0; *(uint8_t*)0x20006035 = (uint8_t)0x0; *(uint8_t*)0x20006036 = (uint8_t)0x0; *(uint8_t*)0x20006037 = (uint8_t)0x0; *(uint8_t*)0x20006038 = (uint8_t)0x0; *(uint8_t*)0x20006039 = (uint8_t)0x0; *(uint8_t*)0x2000603a = (uint8_t)0x0; *(uint8_t*)0x2000603b = (uint8_t)0x0; *(uint8_t*)0x2000603c = (uint8_t)0x0; *(uint8_t*)0x2000603d = (uint8_t)0x0; *(uint8_t*)0x2000603e = (uint8_t)0x0; *(uint8_t*)0x2000603f = (uint8_t)0x0; *(uint8_t*)0x20006040 = (uint8_t)0x0; *(uint8_t*)0x20006041 = (uint8_t)0x0; *(uint8_t*)0x20006042 = (uint8_t)0x0; *(uint8_t*)0x20006043 = (uint8_t)0x0; *(uint8_t*)0x20006044 = (uint8_t)0x0; *(uint8_t*)0x20006045 = (uint8_t)0x0; *(uint8_t*)0x20006046 = (uint8_t)0x0; *(uint8_t*)0x20006047 = (uint8_t)0x0; *(uint8_t*)0x20006048 = (uint8_t)0x0; *(uint8_t*)0x20006049 = (uint8_t)0x0; *(uint8_t*)0x2000604a = (uint8_t)0x0; *(uint8_t*)0x2000604b = (uint8_t)0x0; *(uint8_t*)0x2000604c = (uint8_t)0x0; *(uint8_t*)0x2000604d = (uint8_t)0x0; *(uint8_t*)0x2000604e = (uint8_t)0x0; *(uint8_t*)0x2000604f = (uint8_t)0x0; *(uint8_t*)0x20006050 = (uint8_t)0x0; *(uint8_t*)0x20006051 = (uint8_t)0x0; *(uint8_t*)0x20006052 = (uint8_t)0x0; *(uint8_t*)0x20006053 = (uint8_t)0x0; *(uint8_t*)0x20006054 = (uint8_t)0x0; *(uint8_t*)0x20006055 = (uint8_t)0x0; *(uint8_t*)0x20006056 = (uint8_t)0x0; *(uint8_t*)0x20006057 = (uint8_t)0x0; *(uint8_t*)0x20006058 = (uint8_t)0x0; *(uint8_t*)0x20006059 = (uint8_t)0x0; *(uint8_t*)0x2000605a = (uint8_t)0x0; *(uint8_t*)0x2000605b = (uint8_t)0x0; *(uint8_t*)0x2000605c = (uint8_t)0x0; *(uint8_t*)0x2000605d = (uint8_t)0x0; *(uint8_t*)0x2000605e = (uint8_t)0x0; *(uint8_t*)0x2000605f = (uint8_t)0x0; *(uint8_t*)0x20006060 = (uint8_t)0x0; *(uint8_t*)0x20006061 = (uint8_t)0x0; *(uint8_t*)0x20006062 = (uint8_t)0x0; *(uint8_t*)0x20006063 = (uint8_t)0x0; *(uint8_t*)0x20006064 = (uint8_t)0x0; *(uint8_t*)0x20006065 = (uint8_t)0x0; *(uint8_t*)0x20006066 = (uint8_t)0x0; *(uint8_t*)0x20006067 = (uint8_t)0x0; syscall(SYS_ioctl, fd, 0x402c5342ul, 0x20006000ul, 0, 0, 0); break; case 2: *(uint8_t*)0x20007fb0 = (uint8_t)0x1037; *(uint8_t*)0x20007fb1 = (uint8_t)0x7; *(uint8_t*)0x20007fb2 = (uint8_t)0x30b; *(uint8_t*)0x20007fb3 = (uint8_t)0x34b0; *(uint32_t*)0x20007fb4 = (uint32_t)0x5; *(uint32_t*)0x20007fb8 = (uint32_t)0x7; *(uint8_t*)0x20007fbc = (uint8_t)0x75d; *(uint8_t*)0x20007fbd = (uint8_t)0x0; *(uint8_t*)0x20007fbe = (uint8_t)0x0; *(uint8_t*)0x20007fbf = (uint8_t)0x0; *(uint8_t*)0x20007fc0 = (uint8_t)0x0; *(uint8_t*)0x20007fc1 = (uint8_t)0x0; *(uint8_t*)0x20007fc2 = (uint8_t)0x0; *(uint8_t*)0x20007fc3 = (uint8_t)0x0; *(uint8_t*)0x20007fc4 = (uint8_t)0x0; *(uint8_t*)0x20007fc5 = (uint8_t)0x0; *(uint8_t*)0x20007fc6 = (uint8_t)0x0; *(uint8_t*)0x20007fc7 = (uint8_t)0x0; *(uint8_t*)0x20007fc8 = (uint8_t)0x0; *(uint8_t*)0x20007fc9 = (uint8_t)0x0; *(uint8_t*)0x20007fca = (uint8_t)0x0; *(uint8_t*)0x20007fcb = (uint8_t)0x0; *(uint8_t*)0x20007fcc = (uint8_t)0x0; *(uint8_t*)0x20007fcd = (uint8_t)0x0; *(uint8_t*)0x20007fce = (uint8_t)0x0; *(uint8_t*)0x20007fcf = (uint8_t)0x0; *(uint8_t*)0x20007fd0 = (uint8_t)0x0; *(uint8_t*)0x20007fd1 = (uint8_t)0x0; *(uint8_t*)0x20007fd2 = (uint8_t)0x0; *(uint8_t*)0x20007fd3 = (uint8_t)0x0; *(uint8_t*)0x20007fd4 = (uint8_t)0x0; *(uint8_t*)0x20007fd5 = (uint8_t)0x0; *(uint8_t*)0x20007fd6 = (uint8_t)0x0; *(uint8_t*)0x20007fd7 = (uint8_t)0x0; *(uint8_t*)0x20007fd8 = (uint8_t)0x0; *(uint8_t*)0x20007fd9 = (uint8_t)0x0; *(uint8_t*)0x20007fda = (uint8_t)0x0; *(uint8_t*)0x20007fdb = (uint8_t)0x0; *(uint8_t*)0x20007fdc = (uint8_t)0x0; *(uint8_t*)0x20007fdd = (uint8_t)0x0; *(uint8_t*)0x20007fde = (uint8_t)0x0; *(uint8_t*)0x20007fdf = (uint8_t)0x0; *(uint8_t*)0x20007fe0 = (uint8_t)0x0; *(uint8_t*)0x20007fe1 = (uint8_t)0x0; *(uint8_t*)0x20007fe2 = (uint8_t)0x0; *(uint8_t*)0x20007fe3 = (uint8_t)0x0; *(uint8_t*)0x20007fe4 = (uint8_t)0x0; *(uint8_t*)0x20007fe5 = (uint8_t)0x0; *(uint8_t*)0x20007fe6 = (uint8_t)0x0; *(uint8_t*)0x20007fe7 = (uint8_t)0x0; *(uint8_t*)0x20007fe8 = (uint8_t)0x0; *(uint8_t*)0x20007fe9 = (uint8_t)0x0; *(uint8_t*)0x20007fea = (uint8_t)0x0; *(uint8_t*)0x20007feb = (uint8_t)0x0; *(uint8_t*)0x20007fec = (uint8_t)0x0; *(uint8_t*)0x20007fed = (uint8_t)0x0; *(uint8_t*)0x20007fee = (uint8_t)0x0; *(uint8_t*)0x20007fef = (uint8_t)0x0; *(uint8_t*)0x20007ff0 = (uint8_t)0x0; *(uint8_t*)0x20007ff1 = (uint8_t)0x0; *(uint8_t*)0x20007ff2 = (uint8_t)0x0; *(uint8_t*)0x20007ff3 = (uint8_t)0x0; *(uint8_t*)0x20007ff4 = (uint8_t)0x0; *(uint8_t*)0x20007ff5 = (uint8_t)0x0; *(uint8_t*)0x20007ff6 = (uint8_t)0x0; *(uint8_t*)0x20007ff7 = (uint8_t)0x0; *(uint8_t*)0x20007ff8 = (uint8_t)0x0; *(uint8_t*)0x20007ff9 = (uint8_t)0x0; *(uint8_t*)0x20007ffa = (uint8_t)0x0; *(uint8_t*)0x20007ffb = (uint8_t)0x0; *(uint8_t*)0x20007ffc = (uint8_t)0x0; *(uint8_t*)0x20007ffd = (uint8_t)0x0; *(uint8_t*)0x20007ffe = (uint8_t)0x0; *(uint8_t*)0x20007fff = (uint8_t)0x0; syscall(SYS_ioctl, fd, 0x40505331ul, 0x20007fb0ul, 0, 0, 0); break; } return 0; }
int main() { long i; pthread_t th;
srand(getpid()); syscall(SYS_mmap, 0x20000000ul, 0x8000ul, 0x3ul, 0x32ul,
0xfffffffffffffffful, 0x0ul); memcpy((void*)0x20005000, "\x2f\x64\x65\x76\x2f\x73\x6e\x64\x2f\x73\x65\x71", 12); fd = syscall(SYS_open, 0x20005000ul, 0x1ul, 0x0ul, 0, 0, 0); for (i = 0; i < 6; i++) { pthread_create(&th, 0, thr, (void*)(i%3)); if (rand()%2==0) usleep(rand()%1000); } usleep(10000); return 0; }
kasan: CONFIG_KASAN_INLINE enabled[ 146.589109] kasan: CONFIG_KASAN_INLINE enabledkasan: GPF could be caused by NULL-ptr deref or user memory accessgeneral protection fault: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN Modules linked in: CPU: 2 PID: 6540 Comm: a.out Not tainted 4.4.0+ #222 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 task: ffff880064ed0000 ti: ffff880063620000 task.ti: ffff880063620000 RIP: 0010:[<ffffffff84b65301>] [<ffffffff84b65301>] snd_seq_fifo_clear+0x31/0x1d0 RSP: 0018:ffff880063627c48 EFLAGS: 00010202 RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000 RDX: 0000000000000015 RSI: 0000000020001ff0 RDI: 00000000000000a8 RBP: ffff880063627c98 R08: 0000000000000001 R09: 0000000000000001 R10: 0000000000000000 R11: 0000000000000001 R12: ffff880064de1ec0 R13: dffffc0000000000 R14: ffff880063627d28 R15: 0000000000000001 FS: 00007fc371e37700(0000) GS:ffff88006d600000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b CR2: 0000000020002000 CR3: 0000000062a62000 CR4: 00000000000006e0 Stack: ffffffff867a5ce0 00000000000002b9 000000004040534e 0000000020001fb0 ffff880063627c98 1ffff1000c6c4f95 ffff880064de1ec0 dffffc0000000000 ffff880063627d28 0000000000000001 ffff880063627d50 ffffffff84b56918 Call Trace: [<ffffffff84b56918>] snd_seq_ioctl_remove_events+0x178/0x1b0 sound/core/seq/seq_clientmgr.c:1966 [<ffffffff84b5954a>] snd_seq_do_ioctl+0x19a/0x1c0 sound/core/seq/seq_clientmgr.c:2209 [<ffffffff84b5973d>] snd_seq_ioctl+0x5d/0x80 sound/core/seq/seq_clientmgr.c:2224 [< inline >] vfs_ioctl fs/ioctl.c:43 [<ffffffff817b3531>] do_vfs_ioctl+0x681/0xe40 fs/ioctl.c:607 [< inline >] SYSC_ioctl fs/ioctl.c:622 [<ffffffff817b3d7f>] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:613 [<ffffffff85e748f6>] entry_SYSCALL_64_fastpath+0x16/0x7a arch/x86/entry/entry_64.S:185 Code: 41 56 41 55 41 54 53 48 89 fb 48 83 ec 28 e8 47 aa 9f fc 48 8d bb a8 00 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 RIP [< inline >] __write_once_size include/linux/compiler.h:246 RIP [< inline >] atomic_set ./arch/x86/include/asm/atomic.h:39 RIP [<ffffffff84b65301>] snd_seq_fifo_clear+0x31/0x1d0 sound/core/seq/seq_fifo.c:99 RSP <ffff880063627c48> ---[ end trace 3ee37e6a5304c762 ]---
On commit afd2ff9b7e1b367172f18ba7f693dfb62bdcb2dc (Jan 10).
Thanks for reporting.
Fortunately this one looks like an easy problem, a simple missing NULL check. Could you check the patch below?
Takashi
-- 8< -- From: Takashi Iwai tiwai@suse.de Subject: [PATCH] ALSA: seq: Fix missing NULL check at remove_events ioctl
snd_seq_ioctl_remove_events() calls snd_seq_fifo_clear() unconditionally even if there is no FIFO assigned, and this leads to an Oops due to NULL dereference. The fix is just to add a proper NULL check.
Reported-by: Dmitry Vyukov dvyukov@google.com Cc: stable@vger.kernel.org Signed-off-by: Takashi Iwai tiwai@suse.de --- sound/core/seq/seq_clientmgr.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sound/core/seq/seq_clientmgr.c b/sound/core/seq/seq_clientmgr.c index b64f20deba90..13cfa815732d 100644 --- a/sound/core/seq/seq_clientmgr.c +++ b/sound/core/seq/seq_clientmgr.c @@ -1962,7 +1962,7 @@ static int snd_seq_ioctl_remove_events(struct snd_seq_client *client, * No restrictions so for a user client we can clear * the whole fifo */ - if (client->type == USER_CLIENT) + if (client->type == USER_CLIENT && client->data.user.fifo) snd_seq_fifo_clear(client->data.user.fifo); }
On Tue, Jan 12, 2016 at 12:44 PM, Takashi Iwai tiwai@suse.de wrote:
On Tue, 12 Jan 2016 11:07:16 +0100, Dmitry Vyukov wrote:
Hello,
The following program triggers GPF in snd_seq_fifo_clear:
// autogenerated by syzkaller (http://github.com/google/syzkaller) #include <unistd.h> #include <sys/syscall.h> #include <string.h> #include <stdlib.h> #include <stdint.h> #include <pthread.h>
int fd;
void *thr(void *arg) { switch ((long)arg) { case 0: *(uint32_t*)0x20001fb0 = (uint32_t)0x1; *(uint64_t*)0x20001fc8 = (uint64_t)0x0; *(uint64_t*)0x20001fd0 = (uint64_t)0x0; *(uint8_t*)0x20001fd8 = (uint8_t)0x3; *(uint8_t*)0x20001fd9 = (uint8_t)0x32be; *(uint8_t*)0x20001fda = (uint8_t)0x36; *(uint8_t*)0x20001fdb = (uint8_t)0x5120; *(uint32_t*)0x20001fdc = (uint32_t)0x0; *(uint8_t*)0x20001fe0 = (uint8_t)0x4; *(uint32_t*)0x20001fe4 = (uint32_t)0x0; *(uint32_t*)0x20001fe8 = (uint32_t)0x0; *(uint32_t*)0x20001fec = (uint32_t)0x0; *(uint32_t*)0x20001ff0 = (uint32_t)0x0; *(uint32_t*)0x20001ff4 = (uint32_t)0x0; *(uint32_t*)0x20001ff8 = (uint32_t)0x0; *(uint32_t*)0x20001ffc = (uint32_t)0x0; *(uint32_t*)0x20002000 = (uint32_t)0x0; *(uint32_t*)0x20002004 = (uint32_t)0x0; *(uint32_t*)0x20002008 = (uint32_t)0x0; syscall(SYS_ioctl, fd, 0x4040534eul, 0x20001fb0ul, 0, 0, 0); break; case 1: *(uint32_t*)0x20006000 = (uint32_t)0xaff; *(uint32_t*)0x20006004 = (uint32_t)0x5; *(uint32_t*)0x20006008 = (uint32_t)0x101; *(uint64_t*)0x20006010 = (uint64_t)0x0; *(uint64_t*)0x20006018 = (uint64_t)0x989680; *(uint32_t*)0x20006020 = (uint32_t)0x3; *(uint32_t*)0x20006024 = (uint32_t)0x4; *(uint8_t*)0x20006028 = (uint8_t)0x0; *(uint8_t*)0x20006029 = (uint8_t)0x0; *(uint8_t*)0x2000602a = (uint8_t)0x0; *(uint8_t*)0x2000602b = (uint8_t)0x0; *(uint8_t*)0x2000602c = (uint8_t)0x0; *(uint8_t*)0x2000602d = (uint8_t)0x0; *(uint8_t*)0x2000602e = (uint8_t)0x0; *(uint8_t*)0x2000602f = (uint8_t)0x0; *(uint8_t*)0x20006030 = (uint8_t)0x0; *(uint8_t*)0x20006031 = (uint8_t)0x0; *(uint8_t*)0x20006032 = (uint8_t)0x0; *(uint8_t*)0x20006033 = (uint8_t)0x0; *(uint8_t*)0x20006034 = (uint8_t)0x0; *(uint8_t*)0x20006035 = (uint8_t)0x0; *(uint8_t*)0x20006036 = (uint8_t)0x0; *(uint8_t*)0x20006037 = (uint8_t)0x0; *(uint8_t*)0x20006038 = (uint8_t)0x0; *(uint8_t*)0x20006039 = (uint8_t)0x0; *(uint8_t*)0x2000603a = (uint8_t)0x0; *(uint8_t*)0x2000603b = (uint8_t)0x0; *(uint8_t*)0x2000603c = (uint8_t)0x0; *(uint8_t*)0x2000603d = (uint8_t)0x0; *(uint8_t*)0x2000603e = (uint8_t)0x0; *(uint8_t*)0x2000603f = (uint8_t)0x0; *(uint8_t*)0x20006040 = (uint8_t)0x0; *(uint8_t*)0x20006041 = (uint8_t)0x0; *(uint8_t*)0x20006042 = (uint8_t)0x0; *(uint8_t*)0x20006043 = (uint8_t)0x0; *(uint8_t*)0x20006044 = (uint8_t)0x0; *(uint8_t*)0x20006045 = (uint8_t)0x0; *(uint8_t*)0x20006046 = (uint8_t)0x0; *(uint8_t*)0x20006047 = (uint8_t)0x0; *(uint8_t*)0x20006048 = (uint8_t)0x0; *(uint8_t*)0x20006049 = (uint8_t)0x0; *(uint8_t*)0x2000604a = (uint8_t)0x0; *(uint8_t*)0x2000604b = (uint8_t)0x0; *(uint8_t*)0x2000604c = (uint8_t)0x0; *(uint8_t*)0x2000604d = (uint8_t)0x0; *(uint8_t*)0x2000604e = (uint8_t)0x0; *(uint8_t*)0x2000604f = (uint8_t)0x0; *(uint8_t*)0x20006050 = (uint8_t)0x0; *(uint8_t*)0x20006051 = (uint8_t)0x0; *(uint8_t*)0x20006052 = (uint8_t)0x0; *(uint8_t*)0x20006053 = (uint8_t)0x0; *(uint8_t*)0x20006054 = (uint8_t)0x0; *(uint8_t*)0x20006055 = (uint8_t)0x0; *(uint8_t*)0x20006056 = (uint8_t)0x0; *(uint8_t*)0x20006057 = (uint8_t)0x0; *(uint8_t*)0x20006058 = (uint8_t)0x0; *(uint8_t*)0x20006059 = (uint8_t)0x0; *(uint8_t*)0x2000605a = (uint8_t)0x0; *(uint8_t*)0x2000605b = (uint8_t)0x0; *(uint8_t*)0x2000605c = (uint8_t)0x0; *(uint8_t*)0x2000605d = (uint8_t)0x0; *(uint8_t*)0x2000605e = (uint8_t)0x0; *(uint8_t*)0x2000605f = (uint8_t)0x0; *(uint8_t*)0x20006060 = (uint8_t)0x0; *(uint8_t*)0x20006061 = (uint8_t)0x0; *(uint8_t*)0x20006062 = (uint8_t)0x0; *(uint8_t*)0x20006063 = (uint8_t)0x0; *(uint8_t*)0x20006064 = (uint8_t)0x0; *(uint8_t*)0x20006065 = (uint8_t)0x0; *(uint8_t*)0x20006066 = (uint8_t)0x0; *(uint8_t*)0x20006067 = (uint8_t)0x0; syscall(SYS_ioctl, fd, 0x402c5342ul, 0x20006000ul, 0, 0, 0); break; case 2: *(uint8_t*)0x20007fb0 = (uint8_t)0x1037; *(uint8_t*)0x20007fb1 = (uint8_t)0x7; *(uint8_t*)0x20007fb2 = (uint8_t)0x30b; *(uint8_t*)0x20007fb3 = (uint8_t)0x34b0; *(uint32_t*)0x20007fb4 = (uint32_t)0x5; *(uint32_t*)0x20007fb8 = (uint32_t)0x7; *(uint8_t*)0x20007fbc = (uint8_t)0x75d; *(uint8_t*)0x20007fbd = (uint8_t)0x0; *(uint8_t*)0x20007fbe = (uint8_t)0x0; *(uint8_t*)0x20007fbf = (uint8_t)0x0; *(uint8_t*)0x20007fc0 = (uint8_t)0x0; *(uint8_t*)0x20007fc1 = (uint8_t)0x0; *(uint8_t*)0x20007fc2 = (uint8_t)0x0; *(uint8_t*)0x20007fc3 = (uint8_t)0x0; *(uint8_t*)0x20007fc4 = (uint8_t)0x0; *(uint8_t*)0x20007fc5 = (uint8_t)0x0; *(uint8_t*)0x20007fc6 = (uint8_t)0x0; *(uint8_t*)0x20007fc7 = (uint8_t)0x0; *(uint8_t*)0x20007fc8 = (uint8_t)0x0; *(uint8_t*)0x20007fc9 = (uint8_t)0x0; *(uint8_t*)0x20007fca = (uint8_t)0x0; *(uint8_t*)0x20007fcb = (uint8_t)0x0; *(uint8_t*)0x20007fcc = (uint8_t)0x0; *(uint8_t*)0x20007fcd = (uint8_t)0x0; *(uint8_t*)0x20007fce = (uint8_t)0x0; *(uint8_t*)0x20007fcf = (uint8_t)0x0; *(uint8_t*)0x20007fd0 = (uint8_t)0x0; *(uint8_t*)0x20007fd1 = (uint8_t)0x0; *(uint8_t*)0x20007fd2 = (uint8_t)0x0; *(uint8_t*)0x20007fd3 = (uint8_t)0x0; *(uint8_t*)0x20007fd4 = (uint8_t)0x0; *(uint8_t*)0x20007fd5 = (uint8_t)0x0; *(uint8_t*)0x20007fd6 = (uint8_t)0x0; *(uint8_t*)0x20007fd7 = (uint8_t)0x0; *(uint8_t*)0x20007fd8 = (uint8_t)0x0; *(uint8_t*)0x20007fd9 = (uint8_t)0x0; *(uint8_t*)0x20007fda = (uint8_t)0x0; *(uint8_t*)0x20007fdb = (uint8_t)0x0; *(uint8_t*)0x20007fdc = (uint8_t)0x0; *(uint8_t*)0x20007fdd = (uint8_t)0x0; *(uint8_t*)0x20007fde = (uint8_t)0x0; *(uint8_t*)0x20007fdf = (uint8_t)0x0; *(uint8_t*)0x20007fe0 = (uint8_t)0x0; *(uint8_t*)0x20007fe1 = (uint8_t)0x0; *(uint8_t*)0x20007fe2 = (uint8_t)0x0; *(uint8_t*)0x20007fe3 = (uint8_t)0x0; *(uint8_t*)0x20007fe4 = (uint8_t)0x0; *(uint8_t*)0x20007fe5 = (uint8_t)0x0; *(uint8_t*)0x20007fe6 = (uint8_t)0x0; *(uint8_t*)0x20007fe7 = (uint8_t)0x0; *(uint8_t*)0x20007fe8 = (uint8_t)0x0; *(uint8_t*)0x20007fe9 = (uint8_t)0x0; *(uint8_t*)0x20007fea = (uint8_t)0x0; *(uint8_t*)0x20007feb = (uint8_t)0x0; *(uint8_t*)0x20007fec = (uint8_t)0x0; *(uint8_t*)0x20007fed = (uint8_t)0x0; *(uint8_t*)0x20007fee = (uint8_t)0x0; *(uint8_t*)0x20007fef = (uint8_t)0x0; *(uint8_t*)0x20007ff0 = (uint8_t)0x0; *(uint8_t*)0x20007ff1 = (uint8_t)0x0; *(uint8_t*)0x20007ff2 = (uint8_t)0x0; *(uint8_t*)0x20007ff3 = (uint8_t)0x0; *(uint8_t*)0x20007ff4 = (uint8_t)0x0; *(uint8_t*)0x20007ff5 = (uint8_t)0x0; *(uint8_t*)0x20007ff6 = (uint8_t)0x0; *(uint8_t*)0x20007ff7 = (uint8_t)0x0; *(uint8_t*)0x20007ff8 = (uint8_t)0x0; *(uint8_t*)0x20007ff9 = (uint8_t)0x0; *(uint8_t*)0x20007ffa = (uint8_t)0x0; *(uint8_t*)0x20007ffb = (uint8_t)0x0; *(uint8_t*)0x20007ffc = (uint8_t)0x0; *(uint8_t*)0x20007ffd = (uint8_t)0x0; *(uint8_t*)0x20007ffe = (uint8_t)0x0; *(uint8_t*)0x20007fff = (uint8_t)0x0; syscall(SYS_ioctl, fd, 0x40505331ul, 0x20007fb0ul, 0, 0, 0); break; } return 0; }
int main() { long i; pthread_t th;
srand(getpid()); syscall(SYS_mmap, 0x20000000ul, 0x8000ul, 0x3ul, 0x32ul,
0xfffffffffffffffful, 0x0ul); memcpy((void*)0x20005000, "\x2f\x64\x65\x76\x2f\x73\x6e\x64\x2f\x73\x65\x71", 12); fd = syscall(SYS_open, 0x20005000ul, 0x1ul, 0x0ul, 0, 0, 0); for (i = 0; i < 6; i++) { pthread_create(&th, 0, thr, (void*)(i%3)); if (rand()%2==0) usleep(rand()%1000); } usleep(10000); return 0; }
kasan: CONFIG_KASAN_INLINE enabled[ 146.589109] kasan: CONFIG_KASAN_INLINE enabledkasan: GPF could be caused by NULL-ptr deref or user memory accessgeneral protection fault: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN Modules linked in: CPU: 2 PID: 6540 Comm: a.out Not tainted 4.4.0+ #222 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 task: ffff880064ed0000 ti: ffff880063620000 task.ti: ffff880063620000 RIP: 0010:[<ffffffff84b65301>] [<ffffffff84b65301>] snd_seq_fifo_clear+0x31/0x1d0 RSP: 0018:ffff880063627c48 EFLAGS: 00010202 RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000 RDX: 0000000000000015 RSI: 0000000020001ff0 RDI: 00000000000000a8 RBP: ffff880063627c98 R08: 0000000000000001 R09: 0000000000000001 R10: 0000000000000000 R11: 0000000000000001 R12: ffff880064de1ec0 R13: dffffc0000000000 R14: ffff880063627d28 R15: 0000000000000001 FS: 00007fc371e37700(0000) GS:ffff88006d600000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b CR2: 0000000020002000 CR3: 0000000062a62000 CR4: 00000000000006e0 Stack: ffffffff867a5ce0 00000000000002b9 000000004040534e 0000000020001fb0 ffff880063627c98 1ffff1000c6c4f95 ffff880064de1ec0 dffffc0000000000 ffff880063627d28 0000000000000001 ffff880063627d50 ffffffff84b56918 Call Trace: [<ffffffff84b56918>] snd_seq_ioctl_remove_events+0x178/0x1b0 sound/core/seq/seq_clientmgr.c:1966 [<ffffffff84b5954a>] snd_seq_do_ioctl+0x19a/0x1c0 sound/core/seq/seq_clientmgr.c:2209 [<ffffffff84b5973d>] snd_seq_ioctl+0x5d/0x80 sound/core/seq/seq_clientmgr.c:2224 [< inline >] vfs_ioctl fs/ioctl.c:43 [<ffffffff817b3531>] do_vfs_ioctl+0x681/0xe40 fs/ioctl.c:607 [< inline >] SYSC_ioctl fs/ioctl.c:622 [<ffffffff817b3d7f>] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:613 [<ffffffff85e748f6>] entry_SYSCALL_64_fastpath+0x16/0x7a arch/x86/entry/entry_64.S:185 Code: 41 56 41 55 41 54 53 48 89 fb 48 83 ec 28 e8 47 aa 9f fc 48 8d bb a8 00 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 RIP [< inline >] __write_once_size include/linux/compiler.h:246 RIP [< inline >] atomic_set ./arch/x86/include/asm/atomic.h:39 RIP [<ffffffff84b65301>] snd_seq_fifo_clear+0x31/0x1d0 sound/core/seq/seq_fifo.c:99 RSP <ffff880063627c48> ---[ end trace 3ee37e6a5304c762 ]---
On commit afd2ff9b7e1b367172f18ba7f693dfb62bdcb2dc (Jan 10).
Thanks for reporting.
Fortunately this one looks like an easy problem, a simple missing NULL check. Could you check the patch below?
Yes, it fixes the crashes for me. Thanks for quick fix!
Tested-by: Dmitry Vyukov dvyukov@google.com
-- 8< -- From: Takashi Iwai tiwai@suse.de Subject: [PATCH] ALSA: seq: Fix missing NULL check at remove_events ioctl
snd_seq_ioctl_remove_events() calls snd_seq_fifo_clear() unconditionally even if there is no FIFO assigned, and this leads to an Oops due to NULL dereference. The fix is just to add a proper NULL check.
Reported-by: Dmitry Vyukov dvyukov@google.com Cc: stable@vger.kernel.org Signed-off-by: Takashi Iwai tiwai@suse.de
sound/core/seq/seq_clientmgr.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sound/core/seq/seq_clientmgr.c b/sound/core/seq/seq_clientmgr.c index b64f20deba90..13cfa815732d 100644 --- a/sound/core/seq/seq_clientmgr.c +++ b/sound/core/seq/seq_clientmgr.c @@ -1962,7 +1962,7 @@ static int snd_seq_ioctl_remove_events(struct snd_seq_client *client, * No restrictions so for a user client we can clear * the whole fifo */
if (client->type == USER_CLIENT)
if (client->type == USER_CLIENT && client->data.user.fifo) snd_seq_fifo_clear(client->data.user.fifo); }
-- 2.7.0
On Tue, 12 Jan 2016 17:19:49 +0100, Dmitry Vyukov wrote:
On Tue, Jan 12, 2016 at 12:44 PM, Takashi Iwai tiwai@suse.de wrote:
On Tue, 12 Jan 2016 11:07:16 +0100, Dmitry Vyukov wrote:
Hello,
The following program triggers GPF in snd_seq_fifo_clear:
// autogenerated by syzkaller (http://github.com/google/syzkaller) #include <unistd.h> #include <sys/syscall.h> #include <string.h> #include <stdlib.h> #include <stdint.h> #include <pthread.h>
int fd;
void *thr(void *arg) { switch ((long)arg) { case 0: *(uint32_t*)0x20001fb0 = (uint32_t)0x1; *(uint64_t*)0x20001fc8 = (uint64_t)0x0; *(uint64_t*)0x20001fd0 = (uint64_t)0x0; *(uint8_t*)0x20001fd8 = (uint8_t)0x3; *(uint8_t*)0x20001fd9 = (uint8_t)0x32be; *(uint8_t*)0x20001fda = (uint8_t)0x36; *(uint8_t*)0x20001fdb = (uint8_t)0x5120; *(uint32_t*)0x20001fdc = (uint32_t)0x0; *(uint8_t*)0x20001fe0 = (uint8_t)0x4; *(uint32_t*)0x20001fe4 = (uint32_t)0x0; *(uint32_t*)0x20001fe8 = (uint32_t)0x0; *(uint32_t*)0x20001fec = (uint32_t)0x0; *(uint32_t*)0x20001ff0 = (uint32_t)0x0; *(uint32_t*)0x20001ff4 = (uint32_t)0x0; *(uint32_t*)0x20001ff8 = (uint32_t)0x0; *(uint32_t*)0x20001ffc = (uint32_t)0x0; *(uint32_t*)0x20002000 = (uint32_t)0x0; *(uint32_t*)0x20002004 = (uint32_t)0x0; *(uint32_t*)0x20002008 = (uint32_t)0x0; syscall(SYS_ioctl, fd, 0x4040534eul, 0x20001fb0ul, 0, 0, 0); break; case 1: *(uint32_t*)0x20006000 = (uint32_t)0xaff; *(uint32_t*)0x20006004 = (uint32_t)0x5; *(uint32_t*)0x20006008 = (uint32_t)0x101; *(uint64_t*)0x20006010 = (uint64_t)0x0; *(uint64_t*)0x20006018 = (uint64_t)0x989680; *(uint32_t*)0x20006020 = (uint32_t)0x3; *(uint32_t*)0x20006024 = (uint32_t)0x4; *(uint8_t*)0x20006028 = (uint8_t)0x0; *(uint8_t*)0x20006029 = (uint8_t)0x0; *(uint8_t*)0x2000602a = (uint8_t)0x0; *(uint8_t*)0x2000602b = (uint8_t)0x0; *(uint8_t*)0x2000602c = (uint8_t)0x0; *(uint8_t*)0x2000602d = (uint8_t)0x0; *(uint8_t*)0x2000602e = (uint8_t)0x0; *(uint8_t*)0x2000602f = (uint8_t)0x0; *(uint8_t*)0x20006030 = (uint8_t)0x0; *(uint8_t*)0x20006031 = (uint8_t)0x0; *(uint8_t*)0x20006032 = (uint8_t)0x0; *(uint8_t*)0x20006033 = (uint8_t)0x0; *(uint8_t*)0x20006034 = (uint8_t)0x0; *(uint8_t*)0x20006035 = (uint8_t)0x0; *(uint8_t*)0x20006036 = (uint8_t)0x0; *(uint8_t*)0x20006037 = (uint8_t)0x0; *(uint8_t*)0x20006038 = (uint8_t)0x0; *(uint8_t*)0x20006039 = (uint8_t)0x0; *(uint8_t*)0x2000603a = (uint8_t)0x0; *(uint8_t*)0x2000603b = (uint8_t)0x0; *(uint8_t*)0x2000603c = (uint8_t)0x0; *(uint8_t*)0x2000603d = (uint8_t)0x0; *(uint8_t*)0x2000603e = (uint8_t)0x0; *(uint8_t*)0x2000603f = (uint8_t)0x0; *(uint8_t*)0x20006040 = (uint8_t)0x0; *(uint8_t*)0x20006041 = (uint8_t)0x0; *(uint8_t*)0x20006042 = (uint8_t)0x0; *(uint8_t*)0x20006043 = (uint8_t)0x0; *(uint8_t*)0x20006044 = (uint8_t)0x0; *(uint8_t*)0x20006045 = (uint8_t)0x0; *(uint8_t*)0x20006046 = (uint8_t)0x0; *(uint8_t*)0x20006047 = (uint8_t)0x0; *(uint8_t*)0x20006048 = (uint8_t)0x0; *(uint8_t*)0x20006049 = (uint8_t)0x0; *(uint8_t*)0x2000604a = (uint8_t)0x0; *(uint8_t*)0x2000604b = (uint8_t)0x0; *(uint8_t*)0x2000604c = (uint8_t)0x0; *(uint8_t*)0x2000604d = (uint8_t)0x0; *(uint8_t*)0x2000604e = (uint8_t)0x0; *(uint8_t*)0x2000604f = (uint8_t)0x0; *(uint8_t*)0x20006050 = (uint8_t)0x0; *(uint8_t*)0x20006051 = (uint8_t)0x0; *(uint8_t*)0x20006052 = (uint8_t)0x0; *(uint8_t*)0x20006053 = (uint8_t)0x0; *(uint8_t*)0x20006054 = (uint8_t)0x0; *(uint8_t*)0x20006055 = (uint8_t)0x0; *(uint8_t*)0x20006056 = (uint8_t)0x0; *(uint8_t*)0x20006057 = (uint8_t)0x0; *(uint8_t*)0x20006058 = (uint8_t)0x0; *(uint8_t*)0x20006059 = (uint8_t)0x0; *(uint8_t*)0x2000605a = (uint8_t)0x0; *(uint8_t*)0x2000605b = (uint8_t)0x0; *(uint8_t*)0x2000605c = (uint8_t)0x0; *(uint8_t*)0x2000605d = (uint8_t)0x0; *(uint8_t*)0x2000605e = (uint8_t)0x0; *(uint8_t*)0x2000605f = (uint8_t)0x0; *(uint8_t*)0x20006060 = (uint8_t)0x0; *(uint8_t*)0x20006061 = (uint8_t)0x0; *(uint8_t*)0x20006062 = (uint8_t)0x0; *(uint8_t*)0x20006063 = (uint8_t)0x0; *(uint8_t*)0x20006064 = (uint8_t)0x0; *(uint8_t*)0x20006065 = (uint8_t)0x0; *(uint8_t*)0x20006066 = (uint8_t)0x0; *(uint8_t*)0x20006067 = (uint8_t)0x0; syscall(SYS_ioctl, fd, 0x402c5342ul, 0x20006000ul, 0, 0, 0); break; case 2: *(uint8_t*)0x20007fb0 = (uint8_t)0x1037; *(uint8_t*)0x20007fb1 = (uint8_t)0x7; *(uint8_t*)0x20007fb2 = (uint8_t)0x30b; *(uint8_t*)0x20007fb3 = (uint8_t)0x34b0; *(uint32_t*)0x20007fb4 = (uint32_t)0x5; *(uint32_t*)0x20007fb8 = (uint32_t)0x7; *(uint8_t*)0x20007fbc = (uint8_t)0x75d; *(uint8_t*)0x20007fbd = (uint8_t)0x0; *(uint8_t*)0x20007fbe = (uint8_t)0x0; *(uint8_t*)0x20007fbf = (uint8_t)0x0; *(uint8_t*)0x20007fc0 = (uint8_t)0x0; *(uint8_t*)0x20007fc1 = (uint8_t)0x0; *(uint8_t*)0x20007fc2 = (uint8_t)0x0; *(uint8_t*)0x20007fc3 = (uint8_t)0x0; *(uint8_t*)0x20007fc4 = (uint8_t)0x0; *(uint8_t*)0x20007fc5 = (uint8_t)0x0; *(uint8_t*)0x20007fc6 = (uint8_t)0x0; *(uint8_t*)0x20007fc7 = (uint8_t)0x0; *(uint8_t*)0x20007fc8 = (uint8_t)0x0; *(uint8_t*)0x20007fc9 = (uint8_t)0x0; *(uint8_t*)0x20007fca = (uint8_t)0x0; *(uint8_t*)0x20007fcb = (uint8_t)0x0; *(uint8_t*)0x20007fcc = (uint8_t)0x0; *(uint8_t*)0x20007fcd = (uint8_t)0x0; *(uint8_t*)0x20007fce = (uint8_t)0x0; *(uint8_t*)0x20007fcf = (uint8_t)0x0; *(uint8_t*)0x20007fd0 = (uint8_t)0x0; *(uint8_t*)0x20007fd1 = (uint8_t)0x0; *(uint8_t*)0x20007fd2 = (uint8_t)0x0; *(uint8_t*)0x20007fd3 = (uint8_t)0x0; *(uint8_t*)0x20007fd4 = (uint8_t)0x0; *(uint8_t*)0x20007fd5 = (uint8_t)0x0; *(uint8_t*)0x20007fd6 = (uint8_t)0x0; *(uint8_t*)0x20007fd7 = (uint8_t)0x0; *(uint8_t*)0x20007fd8 = (uint8_t)0x0; *(uint8_t*)0x20007fd9 = (uint8_t)0x0; *(uint8_t*)0x20007fda = (uint8_t)0x0; *(uint8_t*)0x20007fdb = (uint8_t)0x0; *(uint8_t*)0x20007fdc = (uint8_t)0x0; *(uint8_t*)0x20007fdd = (uint8_t)0x0; *(uint8_t*)0x20007fde = (uint8_t)0x0; *(uint8_t*)0x20007fdf = (uint8_t)0x0; *(uint8_t*)0x20007fe0 = (uint8_t)0x0; *(uint8_t*)0x20007fe1 = (uint8_t)0x0; *(uint8_t*)0x20007fe2 = (uint8_t)0x0; *(uint8_t*)0x20007fe3 = (uint8_t)0x0; *(uint8_t*)0x20007fe4 = (uint8_t)0x0; *(uint8_t*)0x20007fe5 = (uint8_t)0x0; *(uint8_t*)0x20007fe6 = (uint8_t)0x0; *(uint8_t*)0x20007fe7 = (uint8_t)0x0; *(uint8_t*)0x20007fe8 = (uint8_t)0x0; *(uint8_t*)0x20007fe9 = (uint8_t)0x0; *(uint8_t*)0x20007fea = (uint8_t)0x0; *(uint8_t*)0x20007feb = (uint8_t)0x0; *(uint8_t*)0x20007fec = (uint8_t)0x0; *(uint8_t*)0x20007fed = (uint8_t)0x0; *(uint8_t*)0x20007fee = (uint8_t)0x0; *(uint8_t*)0x20007fef = (uint8_t)0x0; *(uint8_t*)0x20007ff0 = (uint8_t)0x0; *(uint8_t*)0x20007ff1 = (uint8_t)0x0; *(uint8_t*)0x20007ff2 = (uint8_t)0x0; *(uint8_t*)0x20007ff3 = (uint8_t)0x0; *(uint8_t*)0x20007ff4 = (uint8_t)0x0; *(uint8_t*)0x20007ff5 = (uint8_t)0x0; *(uint8_t*)0x20007ff6 = (uint8_t)0x0; *(uint8_t*)0x20007ff7 = (uint8_t)0x0; *(uint8_t*)0x20007ff8 = (uint8_t)0x0; *(uint8_t*)0x20007ff9 = (uint8_t)0x0; *(uint8_t*)0x20007ffa = (uint8_t)0x0; *(uint8_t*)0x20007ffb = (uint8_t)0x0; *(uint8_t*)0x20007ffc = (uint8_t)0x0; *(uint8_t*)0x20007ffd = (uint8_t)0x0; *(uint8_t*)0x20007ffe = (uint8_t)0x0; *(uint8_t*)0x20007fff = (uint8_t)0x0; syscall(SYS_ioctl, fd, 0x40505331ul, 0x20007fb0ul, 0, 0, 0); break; } return 0; }
int main() { long i; pthread_t th;
srand(getpid()); syscall(SYS_mmap, 0x20000000ul, 0x8000ul, 0x3ul, 0x32ul,
0xfffffffffffffffful, 0x0ul); memcpy((void*)0x20005000, "\x2f\x64\x65\x76\x2f\x73\x6e\x64\x2f\x73\x65\x71", 12); fd = syscall(SYS_open, 0x20005000ul, 0x1ul, 0x0ul, 0, 0, 0); for (i = 0; i < 6; i++) { pthread_create(&th, 0, thr, (void*)(i%3)); if (rand()%2==0) usleep(rand()%1000); } usleep(10000); return 0; }
kasan: CONFIG_KASAN_INLINE enabled[ 146.589109] kasan: CONFIG_KASAN_INLINE enabledkasan: GPF could be caused by NULL-ptr deref or user memory accessgeneral protection fault: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN Modules linked in: CPU: 2 PID: 6540 Comm: a.out Not tainted 4.4.0+ #222 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 task: ffff880064ed0000 ti: ffff880063620000 task.ti: ffff880063620000 RIP: 0010:[<ffffffff84b65301>] [<ffffffff84b65301>] snd_seq_fifo_clear+0x31/0x1d0 RSP: 0018:ffff880063627c48 EFLAGS: 00010202 RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000 RDX: 0000000000000015 RSI: 0000000020001ff0 RDI: 00000000000000a8 RBP: ffff880063627c98 R08: 0000000000000001 R09: 0000000000000001 R10: 0000000000000000 R11: 0000000000000001 R12: ffff880064de1ec0 R13: dffffc0000000000 R14: ffff880063627d28 R15: 0000000000000001 FS: 00007fc371e37700(0000) GS:ffff88006d600000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b CR2: 0000000020002000 CR3: 0000000062a62000 CR4: 00000000000006e0 Stack: ffffffff867a5ce0 00000000000002b9 000000004040534e 0000000020001fb0 ffff880063627c98 1ffff1000c6c4f95 ffff880064de1ec0 dffffc0000000000 ffff880063627d28 0000000000000001 ffff880063627d50 ffffffff84b56918 Call Trace: [<ffffffff84b56918>] snd_seq_ioctl_remove_events+0x178/0x1b0 sound/core/seq/seq_clientmgr.c:1966 [<ffffffff84b5954a>] snd_seq_do_ioctl+0x19a/0x1c0 sound/core/seq/seq_clientmgr.c:2209 [<ffffffff84b5973d>] snd_seq_ioctl+0x5d/0x80 sound/core/seq/seq_clientmgr.c:2224 [< inline >] vfs_ioctl fs/ioctl.c:43 [<ffffffff817b3531>] do_vfs_ioctl+0x681/0xe40 fs/ioctl.c:607 [< inline >] SYSC_ioctl fs/ioctl.c:622 [<ffffffff817b3d7f>] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:613 [<ffffffff85e748f6>] entry_SYSCALL_64_fastpath+0x16/0x7a arch/x86/entry/entry_64.S:185 Code: 41 56 41 55 41 54 53 48 89 fb 48 83 ec 28 e8 47 aa 9f fc 48 8d bb a8 00 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 RIP [< inline >] __write_once_size include/linux/compiler.h:246 RIP [< inline >] atomic_set ./arch/x86/include/asm/atomic.h:39 RIP [<ffffffff84b65301>] snd_seq_fifo_clear+0x31/0x1d0 sound/core/seq/seq_fifo.c:99 RSP <ffff880063627c48> ---[ end trace 3ee37e6a5304c762 ]---
On commit afd2ff9b7e1b367172f18ba7f693dfb62bdcb2dc (Jan 10).
Thanks for reporting.
Fortunately this one looks like an easy problem, a simple missing NULL check. Could you check the patch below?
Yes, it fixes the crashes for me. Thanks for quick fix!
Tested-by: Dmitry Vyukov dvyukov@google.com
Thanks for quick testing. I queued the patch now.
Takashi
participants (2)
-
Dmitry Vyukov
-
Takashi Iwai