* sound: GPF in snd_seq_fifo_clear
@ 2016-01-12 10:07 Dmitry Vyukov
2016-01-12 11:44 ` Takashi Iwai
0 siblings, 1 reply; 6+ messages in thread
From: Dmitry Vyukov @ 2016-01-12 10:07 UTC (permalink / raw)
To: Jaroslav Kysela, Takashi Iwai, alsa-devel, LKML
Cc: syzkaller, Kostya Serebryany, Alexander Potapenko, Sasha Levin,
Eric Dumazet
Hello,
The following program triggers GPF in snd_seq_fifo_clear:
// autogenerated by syzkaller (http://github.com/google/syzkaller)
#include <unistd.h>
#include <sys/syscall.h>
#include <string.h>
#include <stdlib.h>
#include <stdint.h>
#include <pthread.h>
int fd;
void *thr(void *arg)
{
switch ((long)arg) {
case 0:
*(uint32_t*)0x20001fb0 = (uint32_t)0x1;
*(uint64_t*)0x20001fc8 = (uint64_t)0x0;
*(uint64_t*)0x20001fd0 = (uint64_t)0x0;
*(uint8_t*)0x20001fd8 = (uint8_t)0x3;
*(uint8_t*)0x20001fd9 = (uint8_t)0x32be;
*(uint8_t*)0x20001fda = (uint8_t)0x36;
*(uint8_t*)0x20001fdb = (uint8_t)0x5120;
*(uint32_t*)0x20001fdc = (uint32_t)0x0;
*(uint8_t*)0x20001fe0 = (uint8_t)0x4;
*(uint32_t*)0x20001fe4 = (uint32_t)0x0;
*(uint32_t*)0x20001fe8 = (uint32_t)0x0;
*(uint32_t*)0x20001fec = (uint32_t)0x0;
*(uint32_t*)0x20001ff0 = (uint32_t)0x0;
*(uint32_t*)0x20001ff4 = (uint32_t)0x0;
*(uint32_t*)0x20001ff8 = (uint32_t)0x0;
*(uint32_t*)0x20001ffc = (uint32_t)0x0;
*(uint32_t*)0x20002000 = (uint32_t)0x0;
*(uint32_t*)0x20002004 = (uint32_t)0x0;
*(uint32_t*)0x20002008 = (uint32_t)0x0;
syscall(SYS_ioctl, fd, 0x4040534eul, 0x20001fb0ul, 0, 0, 0);
break;
case 1:
*(uint32_t*)0x20006000 = (uint32_t)0xaff;
*(uint32_t*)0x20006004 = (uint32_t)0x5;
*(uint32_t*)0x20006008 = (uint32_t)0x101;
*(uint64_t*)0x20006010 = (uint64_t)0x0;
*(uint64_t*)0x20006018 = (uint64_t)0x989680;
*(uint32_t*)0x20006020 = (uint32_t)0x3;
*(uint32_t*)0x20006024 = (uint32_t)0x4;
*(uint8_t*)0x20006028 = (uint8_t)0x0;
*(uint8_t*)0x20006029 = (uint8_t)0x0;
*(uint8_t*)0x2000602a = (uint8_t)0x0;
*(uint8_t*)0x2000602b = (uint8_t)0x0;
*(uint8_t*)0x2000602c = (uint8_t)0x0;
*(uint8_t*)0x2000602d = (uint8_t)0x0;
*(uint8_t*)0x2000602e = (uint8_t)0x0;
*(uint8_t*)0x2000602f = (uint8_t)0x0;
*(uint8_t*)0x20006030 = (uint8_t)0x0;
*(uint8_t*)0x20006031 = (uint8_t)0x0;
*(uint8_t*)0x20006032 = (uint8_t)0x0;
*(uint8_t*)0x20006033 = (uint8_t)0x0;
*(uint8_t*)0x20006034 = (uint8_t)0x0;
*(uint8_t*)0x20006035 = (uint8_t)0x0;
*(uint8_t*)0x20006036 = (uint8_t)0x0;
*(uint8_t*)0x20006037 = (uint8_t)0x0;
*(uint8_t*)0x20006038 = (uint8_t)0x0;
*(uint8_t*)0x20006039 = (uint8_t)0x0;
*(uint8_t*)0x2000603a = (uint8_t)0x0;
*(uint8_t*)0x2000603b = (uint8_t)0x0;
*(uint8_t*)0x2000603c = (uint8_t)0x0;
*(uint8_t*)0x2000603d = (uint8_t)0x0;
*(uint8_t*)0x2000603e = (uint8_t)0x0;
*(uint8_t*)0x2000603f = (uint8_t)0x0;
*(uint8_t*)0x20006040 = (uint8_t)0x0;
*(uint8_t*)0x20006041 = (uint8_t)0x0;
*(uint8_t*)0x20006042 = (uint8_t)0x0;
*(uint8_t*)0x20006043 = (uint8_t)0x0;
*(uint8_t*)0x20006044 = (uint8_t)0x0;
*(uint8_t*)0x20006045 = (uint8_t)0x0;
*(uint8_t*)0x20006046 = (uint8_t)0x0;
*(uint8_t*)0x20006047 = (uint8_t)0x0;
*(uint8_t*)0x20006048 = (uint8_t)0x0;
*(uint8_t*)0x20006049 = (uint8_t)0x0;
*(uint8_t*)0x2000604a = (uint8_t)0x0;
*(uint8_t*)0x2000604b = (uint8_t)0x0;
*(uint8_t*)0x2000604c = (uint8_t)0x0;
*(uint8_t*)0x2000604d = (uint8_t)0x0;
*(uint8_t*)0x2000604e = (uint8_t)0x0;
*(uint8_t*)0x2000604f = (uint8_t)0x0;
*(uint8_t*)0x20006050 = (uint8_t)0x0;
*(uint8_t*)0x20006051 = (uint8_t)0x0;
*(uint8_t*)0x20006052 = (uint8_t)0x0;
*(uint8_t*)0x20006053 = (uint8_t)0x0;
*(uint8_t*)0x20006054 = (uint8_t)0x0;
*(uint8_t*)0x20006055 = (uint8_t)0x0;
*(uint8_t*)0x20006056 = (uint8_t)0x0;
*(uint8_t*)0x20006057 = (uint8_t)0x0;
*(uint8_t*)0x20006058 = (uint8_t)0x0;
*(uint8_t*)0x20006059 = (uint8_t)0x0;
*(uint8_t*)0x2000605a = (uint8_t)0x0;
*(uint8_t*)0x2000605b = (uint8_t)0x0;
*(uint8_t*)0x2000605c = (uint8_t)0x0;
*(uint8_t*)0x2000605d = (uint8_t)0x0;
*(uint8_t*)0x2000605e = (uint8_t)0x0;
*(uint8_t*)0x2000605f = (uint8_t)0x0;
*(uint8_t*)0x20006060 = (uint8_t)0x0;
*(uint8_t*)0x20006061 = (uint8_t)0x0;
*(uint8_t*)0x20006062 = (uint8_t)0x0;
*(uint8_t*)0x20006063 = (uint8_t)0x0;
*(uint8_t*)0x20006064 = (uint8_t)0x0;
*(uint8_t*)0x20006065 = (uint8_t)0x0;
*(uint8_t*)0x20006066 = (uint8_t)0x0;
*(uint8_t*)0x20006067 = (uint8_t)0x0;
syscall(SYS_ioctl, fd, 0x402c5342ul, 0x20006000ul, 0, 0, 0);
break;
case 2:
*(uint8_t*)0x20007fb0 = (uint8_t)0x1037;
*(uint8_t*)0x20007fb1 = (uint8_t)0x7;
*(uint8_t*)0x20007fb2 = (uint8_t)0x30b;
*(uint8_t*)0x20007fb3 = (uint8_t)0x34b0;
*(uint32_t*)0x20007fb4 = (uint32_t)0x5;
*(uint32_t*)0x20007fb8 = (uint32_t)0x7;
*(uint8_t*)0x20007fbc = (uint8_t)0x75d;
*(uint8_t*)0x20007fbd = (uint8_t)0x0;
*(uint8_t*)0x20007fbe = (uint8_t)0x0;
*(uint8_t*)0x20007fbf = (uint8_t)0x0;
*(uint8_t*)0x20007fc0 = (uint8_t)0x0;
*(uint8_t*)0x20007fc1 = (uint8_t)0x0;
*(uint8_t*)0x20007fc2 = (uint8_t)0x0;
*(uint8_t*)0x20007fc3 = (uint8_t)0x0;
*(uint8_t*)0x20007fc4 = (uint8_t)0x0;
*(uint8_t*)0x20007fc5 = (uint8_t)0x0;
*(uint8_t*)0x20007fc6 = (uint8_t)0x0;
*(uint8_t*)0x20007fc7 = (uint8_t)0x0;
*(uint8_t*)0x20007fc8 = (uint8_t)0x0;
*(uint8_t*)0x20007fc9 = (uint8_t)0x0;
*(uint8_t*)0x20007fca = (uint8_t)0x0;
*(uint8_t*)0x20007fcb = (uint8_t)0x0;
*(uint8_t*)0x20007fcc = (uint8_t)0x0;
*(uint8_t*)0x20007fcd = (uint8_t)0x0;
*(uint8_t*)0x20007fce = (uint8_t)0x0;
*(uint8_t*)0x20007fcf = (uint8_t)0x0;
*(uint8_t*)0x20007fd0 = (uint8_t)0x0;
*(uint8_t*)0x20007fd1 = (uint8_t)0x0;
*(uint8_t*)0x20007fd2 = (uint8_t)0x0;
*(uint8_t*)0x20007fd3 = (uint8_t)0x0;
*(uint8_t*)0x20007fd4 = (uint8_t)0x0;
*(uint8_t*)0x20007fd5 = (uint8_t)0x0;
*(uint8_t*)0x20007fd6 = (uint8_t)0x0;
*(uint8_t*)0x20007fd7 = (uint8_t)0x0;
*(uint8_t*)0x20007fd8 = (uint8_t)0x0;
*(uint8_t*)0x20007fd9 = (uint8_t)0x0;
*(uint8_t*)0x20007fda = (uint8_t)0x0;
*(uint8_t*)0x20007fdb = (uint8_t)0x0;
*(uint8_t*)0x20007fdc = (uint8_t)0x0;
*(uint8_t*)0x20007fdd = (uint8_t)0x0;
*(uint8_t*)0x20007fde = (uint8_t)0x0;
*(uint8_t*)0x20007fdf = (uint8_t)0x0;
*(uint8_t*)0x20007fe0 = (uint8_t)0x0;
*(uint8_t*)0x20007fe1 = (uint8_t)0x0;
*(uint8_t*)0x20007fe2 = (uint8_t)0x0;
*(uint8_t*)0x20007fe3 = (uint8_t)0x0;
*(uint8_t*)0x20007fe4 = (uint8_t)0x0;
*(uint8_t*)0x20007fe5 = (uint8_t)0x0;
*(uint8_t*)0x20007fe6 = (uint8_t)0x0;
*(uint8_t*)0x20007fe7 = (uint8_t)0x0;
*(uint8_t*)0x20007fe8 = (uint8_t)0x0;
*(uint8_t*)0x20007fe9 = (uint8_t)0x0;
*(uint8_t*)0x20007fea = (uint8_t)0x0;
*(uint8_t*)0x20007feb = (uint8_t)0x0;
*(uint8_t*)0x20007fec = (uint8_t)0x0;
*(uint8_t*)0x20007fed = (uint8_t)0x0;
*(uint8_t*)0x20007fee = (uint8_t)0x0;
*(uint8_t*)0x20007fef = (uint8_t)0x0;
*(uint8_t*)0x20007ff0 = (uint8_t)0x0;
*(uint8_t*)0x20007ff1 = (uint8_t)0x0;
*(uint8_t*)0x20007ff2 = (uint8_t)0x0;
*(uint8_t*)0x20007ff3 = (uint8_t)0x0;
*(uint8_t*)0x20007ff4 = (uint8_t)0x0;
*(uint8_t*)0x20007ff5 = (uint8_t)0x0;
*(uint8_t*)0x20007ff6 = (uint8_t)0x0;
*(uint8_t*)0x20007ff7 = (uint8_t)0x0;
*(uint8_t*)0x20007ff8 = (uint8_t)0x0;
*(uint8_t*)0x20007ff9 = (uint8_t)0x0;
*(uint8_t*)0x20007ffa = (uint8_t)0x0;
*(uint8_t*)0x20007ffb = (uint8_t)0x0;
*(uint8_t*)0x20007ffc = (uint8_t)0x0;
*(uint8_t*)0x20007ffd = (uint8_t)0x0;
*(uint8_t*)0x20007ffe = (uint8_t)0x0;
*(uint8_t*)0x20007fff = (uint8_t)0x0;
syscall(SYS_ioctl, fd, 0x40505331ul, 0x20007fb0ul, 0, 0, 0);
break;
}
return 0;
}
int main()
{
long i;
pthread_t th;
srand(getpid());
syscall(SYS_mmap, 0x20000000ul, 0x8000ul, 0x3ul, 0x32ul,
0xfffffffffffffffful, 0x0ul);
memcpy((void*)0x20005000,
"\x2f\x64\x65\x76\x2f\x73\x6e\x64\x2f\x73\x65\x71", 12);
fd = syscall(SYS_open, 0x20005000ul, 0x1ul, 0x0ul, 0, 0, 0);
for (i = 0; i < 6; i++) {
pthread_create(&th, 0, thr, (void*)(i%3));
if (rand()%2==0)
usleep(rand()%1000);
}
usleep(10000);
return 0;
}
kasan: CONFIG_KASAN_INLINE enabled[ 146.589109] kasan:
CONFIG_KASAN_INLINE enabledkasan: GPF could be caused by NULL-ptr
deref or user memory accessgeneral protection fault: 0000 [#1] SMP
DEBUG_PAGEALLOC KASAN
Modules linked in:
CPU: 2 PID: 6540 Comm: a.out Not tainted 4.4.0+ #222
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
task: ffff880064ed0000 ti: ffff880063620000 task.ti: ffff880063620000
RIP: 0010:[<ffffffff84b65301>] [<ffffffff84b65301>]
snd_seq_fifo_clear+0x31/0x1d0
RSP: 0018:ffff880063627c48 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000015 RSI: 0000000020001ff0 RDI: 00000000000000a8
RBP: ffff880063627c98 R08: 0000000000000001 R09: 0000000000000001
R10: 0000000000000000 R11: 0000000000000001 R12: ffff880064de1ec0
R13: dffffc0000000000 R14: ffff880063627d28 R15: 0000000000000001
FS: 00007fc371e37700(0000) GS:ffff88006d600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: 0000000020002000 CR3: 0000000062a62000 CR4: 00000000000006e0
Stack:
ffffffff867a5ce0 00000000000002b9 000000004040534e 0000000020001fb0
ffff880063627c98 1ffff1000c6c4f95 ffff880064de1ec0 dffffc0000000000
ffff880063627d28 0000000000000001 ffff880063627d50 ffffffff84b56918
Call Trace:
[<ffffffff84b56918>] snd_seq_ioctl_remove_events+0x178/0x1b0
sound/core/seq/seq_clientmgr.c:1966
[<ffffffff84b5954a>] snd_seq_do_ioctl+0x19a/0x1c0
sound/core/seq/seq_clientmgr.c:2209
[<ffffffff84b5973d>] snd_seq_ioctl+0x5d/0x80
sound/core/seq/seq_clientmgr.c:2224
[< inline >] vfs_ioctl fs/ioctl.c:43
[<ffffffff817b3531>] do_vfs_ioctl+0x681/0xe40 fs/ioctl.c:607
[< inline >] SYSC_ioctl fs/ioctl.c:622
[<ffffffff817b3d7f>] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:613
[<ffffffff85e748f6>] entry_SYSCALL_64_fastpath+0x16/0x7a
arch/x86/entry/entry_64.S:185
Code: 41 56 41 55 41 54 53 48 89 fb 48 83 ec 28 e8 47 aa 9f fc 48 8d
bb a8 00 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f>
b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85
RIP [< inline >] __write_once_size include/linux/compiler.h:246
RIP [< inline >] atomic_set ./arch/x86/include/asm/atomic.h:39
RIP [<ffffffff84b65301>] snd_seq_fifo_clear+0x31/0x1d0
sound/core/seq/seq_fifo.c:99
RSP <ffff880063627c48>
---[ end trace 3ee37e6a5304c762 ]---
On commit afd2ff9b7e1b367172f18ba7f693dfb62bdcb2dc (Jan 10).
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: sound: GPF in snd_seq_fifo_clear
2016-01-12 10:07 sound: GPF in snd_seq_fifo_clear Dmitry Vyukov
@ 2016-01-12 11:44 ` Takashi Iwai
0 siblings, 0 replies; 6+ messages in thread
From: Takashi Iwai @ 2016-01-12 11:44 UTC (permalink / raw)
To: Dmitry Vyukov
Cc: alsa-devel, Jaroslav Kysela, LKML, Eric Dumazet,
Alexander Potapenko, Kostya Serebryany, syzkaller, Sasha Levin
On Tue, 12 Jan 2016 11:07:16 +0100,
Dmitry Vyukov wrote:
>
> Hello,
>
> The following program triggers GPF in snd_seq_fifo_clear:
>
> // autogenerated by syzkaller (http://github.com/google/syzkaller)
> #include <unistd.h>
> #include <sys/syscall.h>
> #include <string.h>
> #include <stdlib.h>
> #include <stdint.h>
> #include <pthread.h>
>
> int fd;
>
> void *thr(void *arg)
> {
> switch ((long)arg) {
> case 0:
> *(uint32_t*)0x20001fb0 = (uint32_t)0x1;
> *(uint64_t*)0x20001fc8 = (uint64_t)0x0;
> *(uint64_t*)0x20001fd0 = (uint64_t)0x0;
> *(uint8_t*)0x20001fd8 = (uint8_t)0x3;
> *(uint8_t*)0x20001fd9 = (uint8_t)0x32be;
> *(uint8_t*)0x20001fda = (uint8_t)0x36;
> *(uint8_t*)0x20001fdb = (uint8_t)0x5120;
> *(uint32_t*)0x20001fdc = (uint32_t)0x0;
> *(uint8_t*)0x20001fe0 = (uint8_t)0x4;
> *(uint32_t*)0x20001fe4 = (uint32_t)0x0;
> *(uint32_t*)0x20001fe8 = (uint32_t)0x0;
> *(uint32_t*)0x20001fec = (uint32_t)0x0;
> *(uint32_t*)0x20001ff0 = (uint32_t)0x0;
> *(uint32_t*)0x20001ff4 = (uint32_t)0x0;
> *(uint32_t*)0x20001ff8 = (uint32_t)0x0;
> *(uint32_t*)0x20001ffc = (uint32_t)0x0;
> *(uint32_t*)0x20002000 = (uint32_t)0x0;
> *(uint32_t*)0x20002004 = (uint32_t)0x0;
> *(uint32_t*)0x20002008 = (uint32_t)0x0;
> syscall(SYS_ioctl, fd, 0x4040534eul, 0x20001fb0ul, 0, 0, 0);
> break;
> case 1:
> *(uint32_t*)0x20006000 = (uint32_t)0xaff;
> *(uint32_t*)0x20006004 = (uint32_t)0x5;
> *(uint32_t*)0x20006008 = (uint32_t)0x101;
> *(uint64_t*)0x20006010 = (uint64_t)0x0;
> *(uint64_t*)0x20006018 = (uint64_t)0x989680;
> *(uint32_t*)0x20006020 = (uint32_t)0x3;
> *(uint32_t*)0x20006024 = (uint32_t)0x4;
> *(uint8_t*)0x20006028 = (uint8_t)0x0;
> *(uint8_t*)0x20006029 = (uint8_t)0x0;
> *(uint8_t*)0x2000602a = (uint8_t)0x0;
> *(uint8_t*)0x2000602b = (uint8_t)0x0;
> *(uint8_t*)0x2000602c = (uint8_t)0x0;
> *(uint8_t*)0x2000602d = (uint8_t)0x0;
> *(uint8_t*)0x2000602e = (uint8_t)0x0;
> *(uint8_t*)0x2000602f = (uint8_t)0x0;
> *(uint8_t*)0x20006030 = (uint8_t)0x0;
> *(uint8_t*)0x20006031 = (uint8_t)0x0;
> *(uint8_t*)0x20006032 = (uint8_t)0x0;
> *(uint8_t*)0x20006033 = (uint8_t)0x0;
> *(uint8_t*)0x20006034 = (uint8_t)0x0;
> *(uint8_t*)0x20006035 = (uint8_t)0x0;
> *(uint8_t*)0x20006036 = (uint8_t)0x0;
> *(uint8_t*)0x20006037 = (uint8_t)0x0;
> *(uint8_t*)0x20006038 = (uint8_t)0x0;
> *(uint8_t*)0x20006039 = (uint8_t)0x0;
> *(uint8_t*)0x2000603a = (uint8_t)0x0;
> *(uint8_t*)0x2000603b = (uint8_t)0x0;
> *(uint8_t*)0x2000603c = (uint8_t)0x0;
> *(uint8_t*)0x2000603d = (uint8_t)0x0;
> *(uint8_t*)0x2000603e = (uint8_t)0x0;
> *(uint8_t*)0x2000603f = (uint8_t)0x0;
> *(uint8_t*)0x20006040 = (uint8_t)0x0;
> *(uint8_t*)0x20006041 = (uint8_t)0x0;
> *(uint8_t*)0x20006042 = (uint8_t)0x0;
> *(uint8_t*)0x20006043 = (uint8_t)0x0;
> *(uint8_t*)0x20006044 = (uint8_t)0x0;
> *(uint8_t*)0x20006045 = (uint8_t)0x0;
> *(uint8_t*)0x20006046 = (uint8_t)0x0;
> *(uint8_t*)0x20006047 = (uint8_t)0x0;
> *(uint8_t*)0x20006048 = (uint8_t)0x0;
> *(uint8_t*)0x20006049 = (uint8_t)0x0;
> *(uint8_t*)0x2000604a = (uint8_t)0x0;
> *(uint8_t*)0x2000604b = (uint8_t)0x0;
> *(uint8_t*)0x2000604c = (uint8_t)0x0;
> *(uint8_t*)0x2000604d = (uint8_t)0x0;
> *(uint8_t*)0x2000604e = (uint8_t)0x0;
> *(uint8_t*)0x2000604f = (uint8_t)0x0;
> *(uint8_t*)0x20006050 = (uint8_t)0x0;
> *(uint8_t*)0x20006051 = (uint8_t)0x0;
> *(uint8_t*)0x20006052 = (uint8_t)0x0;
> *(uint8_t*)0x20006053 = (uint8_t)0x0;
> *(uint8_t*)0x20006054 = (uint8_t)0x0;
> *(uint8_t*)0x20006055 = (uint8_t)0x0;
> *(uint8_t*)0x20006056 = (uint8_t)0x0;
> *(uint8_t*)0x20006057 = (uint8_t)0x0;
> *(uint8_t*)0x20006058 = (uint8_t)0x0;
> *(uint8_t*)0x20006059 = (uint8_t)0x0;
> *(uint8_t*)0x2000605a = (uint8_t)0x0;
> *(uint8_t*)0x2000605b = (uint8_t)0x0;
> *(uint8_t*)0x2000605c = (uint8_t)0x0;
> *(uint8_t*)0x2000605d = (uint8_t)0x0;
> *(uint8_t*)0x2000605e = (uint8_t)0x0;
> *(uint8_t*)0x2000605f = (uint8_t)0x0;
> *(uint8_t*)0x20006060 = (uint8_t)0x0;
> *(uint8_t*)0x20006061 = (uint8_t)0x0;
> *(uint8_t*)0x20006062 = (uint8_t)0x0;
> *(uint8_t*)0x20006063 = (uint8_t)0x0;
> *(uint8_t*)0x20006064 = (uint8_t)0x0;
> *(uint8_t*)0x20006065 = (uint8_t)0x0;
> *(uint8_t*)0x20006066 = (uint8_t)0x0;
> *(uint8_t*)0x20006067 = (uint8_t)0x0;
> syscall(SYS_ioctl, fd, 0x402c5342ul, 0x20006000ul, 0, 0, 0);
> break;
> case 2:
> *(uint8_t*)0x20007fb0 = (uint8_t)0x1037;
> *(uint8_t*)0x20007fb1 = (uint8_t)0x7;
> *(uint8_t*)0x20007fb2 = (uint8_t)0x30b;
> *(uint8_t*)0x20007fb3 = (uint8_t)0x34b0;
> *(uint32_t*)0x20007fb4 = (uint32_t)0x5;
> *(uint32_t*)0x20007fb8 = (uint32_t)0x7;
> *(uint8_t*)0x20007fbc = (uint8_t)0x75d;
> *(uint8_t*)0x20007fbd = (uint8_t)0x0;
> *(uint8_t*)0x20007fbe = (uint8_t)0x0;
> *(uint8_t*)0x20007fbf = (uint8_t)0x0;
> *(uint8_t*)0x20007fc0 = (uint8_t)0x0;
> *(uint8_t*)0x20007fc1 = (uint8_t)0x0;
> *(uint8_t*)0x20007fc2 = (uint8_t)0x0;
> *(uint8_t*)0x20007fc3 = (uint8_t)0x0;
> *(uint8_t*)0x20007fc4 = (uint8_t)0x0;
> *(uint8_t*)0x20007fc5 = (uint8_t)0x0;
> *(uint8_t*)0x20007fc6 = (uint8_t)0x0;
> *(uint8_t*)0x20007fc7 = (uint8_t)0x0;
> *(uint8_t*)0x20007fc8 = (uint8_t)0x0;
> *(uint8_t*)0x20007fc9 = (uint8_t)0x0;
> *(uint8_t*)0x20007fca = (uint8_t)0x0;
> *(uint8_t*)0x20007fcb = (uint8_t)0x0;
> *(uint8_t*)0x20007fcc = (uint8_t)0x0;
> *(uint8_t*)0x20007fcd = (uint8_t)0x0;
> *(uint8_t*)0x20007fce = (uint8_t)0x0;
> *(uint8_t*)0x20007fcf = (uint8_t)0x0;
> *(uint8_t*)0x20007fd0 = (uint8_t)0x0;
> *(uint8_t*)0x20007fd1 = (uint8_t)0x0;
> *(uint8_t*)0x20007fd2 = (uint8_t)0x0;
> *(uint8_t*)0x20007fd3 = (uint8_t)0x0;
> *(uint8_t*)0x20007fd4 = (uint8_t)0x0;
> *(uint8_t*)0x20007fd5 = (uint8_t)0x0;
> *(uint8_t*)0x20007fd6 = (uint8_t)0x0;
> *(uint8_t*)0x20007fd7 = (uint8_t)0x0;
> *(uint8_t*)0x20007fd8 = (uint8_t)0x0;
> *(uint8_t*)0x20007fd9 = (uint8_t)0x0;
> *(uint8_t*)0x20007fda = (uint8_t)0x0;
> *(uint8_t*)0x20007fdb = (uint8_t)0x0;
> *(uint8_t*)0x20007fdc = (uint8_t)0x0;
> *(uint8_t*)0x20007fdd = (uint8_t)0x0;
> *(uint8_t*)0x20007fde = (uint8_t)0x0;
> *(uint8_t*)0x20007fdf = (uint8_t)0x0;
> *(uint8_t*)0x20007fe0 = (uint8_t)0x0;
> *(uint8_t*)0x20007fe1 = (uint8_t)0x0;
> *(uint8_t*)0x20007fe2 = (uint8_t)0x0;
> *(uint8_t*)0x20007fe3 = (uint8_t)0x0;
> *(uint8_t*)0x20007fe4 = (uint8_t)0x0;
> *(uint8_t*)0x20007fe5 = (uint8_t)0x0;
> *(uint8_t*)0x20007fe6 = (uint8_t)0x0;
> *(uint8_t*)0x20007fe7 = (uint8_t)0x0;
> *(uint8_t*)0x20007fe8 = (uint8_t)0x0;
> *(uint8_t*)0x20007fe9 = (uint8_t)0x0;
> *(uint8_t*)0x20007fea = (uint8_t)0x0;
> *(uint8_t*)0x20007feb = (uint8_t)0x0;
> *(uint8_t*)0x20007fec = (uint8_t)0x0;
> *(uint8_t*)0x20007fed = (uint8_t)0x0;
> *(uint8_t*)0x20007fee = (uint8_t)0x0;
> *(uint8_t*)0x20007fef = (uint8_t)0x0;
> *(uint8_t*)0x20007ff0 = (uint8_t)0x0;
> *(uint8_t*)0x20007ff1 = (uint8_t)0x0;
> *(uint8_t*)0x20007ff2 = (uint8_t)0x0;
> *(uint8_t*)0x20007ff3 = (uint8_t)0x0;
> *(uint8_t*)0x20007ff4 = (uint8_t)0x0;
> *(uint8_t*)0x20007ff5 = (uint8_t)0x0;
> *(uint8_t*)0x20007ff6 = (uint8_t)0x0;
> *(uint8_t*)0x20007ff7 = (uint8_t)0x0;
> *(uint8_t*)0x20007ff8 = (uint8_t)0x0;
> *(uint8_t*)0x20007ff9 = (uint8_t)0x0;
> *(uint8_t*)0x20007ffa = (uint8_t)0x0;
> *(uint8_t*)0x20007ffb = (uint8_t)0x0;
> *(uint8_t*)0x20007ffc = (uint8_t)0x0;
> *(uint8_t*)0x20007ffd = (uint8_t)0x0;
> *(uint8_t*)0x20007ffe = (uint8_t)0x0;
> *(uint8_t*)0x20007fff = (uint8_t)0x0;
> syscall(SYS_ioctl, fd, 0x40505331ul, 0x20007fb0ul, 0, 0, 0);
> break;
> }
> return 0;
> }
>
> int main()
> {
> long i;
> pthread_t th;
>
> srand(getpid());
> syscall(SYS_mmap, 0x20000000ul, 0x8000ul, 0x3ul, 0x32ul,
> 0xfffffffffffffffful, 0x0ul);
> memcpy((void*)0x20005000,
> "\x2f\x64\x65\x76\x2f\x73\x6e\x64\x2f\x73\x65\x71", 12);
> fd = syscall(SYS_open, 0x20005000ul, 0x1ul, 0x0ul, 0, 0, 0);
> for (i = 0; i < 6; i++) {
> pthread_create(&th, 0, thr, (void*)(i%3));
> if (rand()%2==0)
> usleep(rand()%1000);
> }
> usleep(10000);
> return 0;
> }
>
>
>
> kasan: CONFIG_KASAN_INLINE enabled[ 146.589109] kasan:
> CONFIG_KASAN_INLINE enabledkasan: GPF could be caused by NULL-ptr
> deref or user memory accessgeneral protection fault: 0000 [#1] SMP
> DEBUG_PAGEALLOC KASAN
> Modules linked in:
> CPU: 2 PID: 6540 Comm: a.out Not tainted 4.4.0+ #222
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
> task: ffff880064ed0000 ti: ffff880063620000 task.ti: ffff880063620000
> RIP: 0010:[<ffffffff84b65301>] [<ffffffff84b65301>]
> snd_seq_fifo_clear+0x31/0x1d0
> RSP: 0018:ffff880063627c48 EFLAGS: 00010202
> RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
> RDX: 0000000000000015 RSI: 0000000020001ff0 RDI: 00000000000000a8
> RBP: ffff880063627c98 R08: 0000000000000001 R09: 0000000000000001
> R10: 0000000000000000 R11: 0000000000000001 R12: ffff880064de1ec0
> R13: dffffc0000000000 R14: ffff880063627d28 R15: 0000000000000001
> FS: 00007fc371e37700(0000) GS:ffff88006d600000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
> CR2: 0000000020002000 CR3: 0000000062a62000 CR4: 00000000000006e0
> Stack:
> ffffffff867a5ce0 00000000000002b9 000000004040534e 0000000020001fb0
> ffff880063627c98 1ffff1000c6c4f95 ffff880064de1ec0 dffffc0000000000
> ffff880063627d28 0000000000000001 ffff880063627d50 ffffffff84b56918
> Call Trace:
> [<ffffffff84b56918>] snd_seq_ioctl_remove_events+0x178/0x1b0
> sound/core/seq/seq_clientmgr.c:1966
> [<ffffffff84b5954a>] snd_seq_do_ioctl+0x19a/0x1c0
> sound/core/seq/seq_clientmgr.c:2209
> [<ffffffff84b5973d>] snd_seq_ioctl+0x5d/0x80
> sound/core/seq/seq_clientmgr.c:2224
> [< inline >] vfs_ioctl fs/ioctl.c:43
> [<ffffffff817b3531>] do_vfs_ioctl+0x681/0xe40 fs/ioctl.c:607
> [< inline >] SYSC_ioctl fs/ioctl.c:622
> [<ffffffff817b3d7f>] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:613
> [<ffffffff85e748f6>] entry_SYSCALL_64_fastpath+0x16/0x7a
> arch/x86/entry/entry_64.S:185
> Code: 41 56 41 55 41 54 53 48 89 fb 48 83 ec 28 e8 47 aa 9f fc 48 8d
> bb a8 00 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f>
> b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85
> RIP [< inline >] __write_once_size include/linux/compiler.h:246
> RIP [< inline >] atomic_set ./arch/x86/include/asm/atomic.h:39
> RIP [<ffffffff84b65301>] snd_seq_fifo_clear+0x31/0x1d0
> sound/core/seq/seq_fifo.c:99
> RSP <ffff880063627c48>
> ---[ end trace 3ee37e6a5304c762 ]---
>
>
> On commit afd2ff9b7e1b367172f18ba7f693dfb62bdcb2dc (Jan 10).
Thanks for reporting.
Fortunately this one looks like an easy problem, a simple missing NULL
check. Could you check the patch below?
Takashi
-- 8< --
From: Takashi Iwai <tiwai@suse.de>
Subject: [PATCH] ALSA: seq: Fix missing NULL check at remove_events ioctl
snd_seq_ioctl_remove_events() calls snd_seq_fifo_clear()
unconditionally even if there is no FIFO assigned, and this leads to
an Oops due to NULL dereference. The fix is just to add a proper NULL
check.
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
---
sound/core/seq/seq_clientmgr.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sound/core/seq/seq_clientmgr.c b/sound/core/seq/seq_clientmgr.c
index b64f20deba90..13cfa815732d 100644
--- a/sound/core/seq/seq_clientmgr.c
+++ b/sound/core/seq/seq_clientmgr.c
@@ -1962,7 +1962,7 @@ static int snd_seq_ioctl_remove_events(struct snd_seq_client *client,
* No restrictions so for a user client we can clear
* the whole fifo
*/
- if (client->type == USER_CLIENT)
+ if (client->type == USER_CLIENT && client->data.user.fifo)
snd_seq_fifo_clear(client->data.user.fifo);
}
--
2.7.0
^ permalink raw reply related [flat|nested] 6+ messages in thread
* Re: sound: GPF in snd_seq_fifo_clear
@ 2016-01-12 11:44 ` Takashi Iwai
0 siblings, 0 replies; 6+ messages in thread
From: Takashi Iwai @ 2016-01-12 11:44 UTC (permalink / raw)
To: Dmitry Vyukov
Cc: alsa-devel, Jaroslav Kysela, LKML, Eric Dumazet,
Alexander Potapenko, Kostya Serebryany, syzkaller, Sasha Levin
On Tue, 12 Jan 2016 11:07:16 +0100,
Dmitry Vyukov wrote:
>
> Hello,
>
> The following program triggers GPF in snd_seq_fifo_clear:
>
> // autogenerated by syzkaller (http://github.com/google/syzkaller)
> #include <unistd.h>
> #include <sys/syscall.h>
> #include <string.h>
> #include <stdlib.h>
> #include <stdint.h>
> #include <pthread.h>
>
> int fd;
>
> void *thr(void *arg)
> {
> switch ((long)arg) {
> case 0:
> *(uint32_t*)0x20001fb0 = (uint32_t)0x1;
> *(uint64_t*)0x20001fc8 = (uint64_t)0x0;
> *(uint64_t*)0x20001fd0 = (uint64_t)0x0;
> *(uint8_t*)0x20001fd8 = (uint8_t)0x3;
> *(uint8_t*)0x20001fd9 = (uint8_t)0x32be;
> *(uint8_t*)0x20001fda = (uint8_t)0x36;
> *(uint8_t*)0x20001fdb = (uint8_t)0x5120;
> *(uint32_t*)0x20001fdc = (uint32_t)0x0;
> *(uint8_t*)0x20001fe0 = (uint8_t)0x4;
> *(uint32_t*)0x20001fe4 = (uint32_t)0x0;
> *(uint32_t*)0x20001fe8 = (uint32_t)0x0;
> *(uint32_t*)0x20001fec = (uint32_t)0x0;
> *(uint32_t*)0x20001ff0 = (uint32_t)0x0;
> *(uint32_t*)0x20001ff4 = (uint32_t)0x0;
> *(uint32_t*)0x20001ff8 = (uint32_t)0x0;
> *(uint32_t*)0x20001ffc = (uint32_t)0x0;
> *(uint32_t*)0x20002000 = (uint32_t)0x0;
> *(uint32_t*)0x20002004 = (uint32_t)0x0;
> *(uint32_t*)0x20002008 = (uint32_t)0x0;
> syscall(SYS_ioctl, fd, 0x4040534eul, 0x20001fb0ul, 0, 0, 0);
> break;
> case 1:
> *(uint32_t*)0x20006000 = (uint32_t)0xaff;
> *(uint32_t*)0x20006004 = (uint32_t)0x5;
> *(uint32_t*)0x20006008 = (uint32_t)0x101;
> *(uint64_t*)0x20006010 = (uint64_t)0x0;
> *(uint64_t*)0x20006018 = (uint64_t)0x989680;
> *(uint32_t*)0x20006020 = (uint32_t)0x3;
> *(uint32_t*)0x20006024 = (uint32_t)0x4;
> *(uint8_t*)0x20006028 = (uint8_t)0x0;
> *(uint8_t*)0x20006029 = (uint8_t)0x0;
> *(uint8_t*)0x2000602a = (uint8_t)0x0;
> *(uint8_t*)0x2000602b = (uint8_t)0x0;
> *(uint8_t*)0x2000602c = (uint8_t)0x0;
> *(uint8_t*)0x2000602d = (uint8_t)0x0;
> *(uint8_t*)0x2000602e = (uint8_t)0x0;
> *(uint8_t*)0x2000602f = (uint8_t)0x0;
> *(uint8_t*)0x20006030 = (uint8_t)0x0;
> *(uint8_t*)0x20006031 = (uint8_t)0x0;
> *(uint8_t*)0x20006032 = (uint8_t)0x0;
> *(uint8_t*)0x20006033 = (uint8_t)0x0;
> *(uint8_t*)0x20006034 = (uint8_t)0x0;
> *(uint8_t*)0x20006035 = (uint8_t)0x0;
> *(uint8_t*)0x20006036 = (uint8_t)0x0;
> *(uint8_t*)0x20006037 = (uint8_t)0x0;
> *(uint8_t*)0x20006038 = (uint8_t)0x0;
> *(uint8_t*)0x20006039 = (uint8_t)0x0;
> *(uint8_t*)0x2000603a = (uint8_t)0x0;
> *(uint8_t*)0x2000603b = (uint8_t)0x0;
> *(uint8_t*)0x2000603c = (uint8_t)0x0;
> *(uint8_t*)0x2000603d = (uint8_t)0x0;
> *(uint8_t*)0x2000603e = (uint8_t)0x0;
> *(uint8_t*)0x2000603f = (uint8_t)0x0;
> *(uint8_t*)0x20006040 = (uint8_t)0x0;
> *(uint8_t*)0x20006041 = (uint8_t)0x0;
> *(uint8_t*)0x20006042 = (uint8_t)0x0;
> *(uint8_t*)0x20006043 = (uint8_t)0x0;
> *(uint8_t*)0x20006044 = (uint8_t)0x0;
> *(uint8_t*)0x20006045 = (uint8_t)0x0;
> *(uint8_t*)0x20006046 = (uint8_t)0x0;
> *(uint8_t*)0x20006047 = (uint8_t)0x0;
> *(uint8_t*)0x20006048 = (uint8_t)0x0;
> *(uint8_t*)0x20006049 = (uint8_t)0x0;
> *(uint8_t*)0x2000604a = (uint8_t)0x0;
> *(uint8_t*)0x2000604b = (uint8_t)0x0;
> *(uint8_t*)0x2000604c = (uint8_t)0x0;
> *(uint8_t*)0x2000604d = (uint8_t)0x0;
> *(uint8_t*)0x2000604e = (uint8_t)0x0;
> *(uint8_t*)0x2000604f = (uint8_t)0x0;
> *(uint8_t*)0x20006050 = (uint8_t)0x0;
> *(uint8_t*)0x20006051 = (uint8_t)0x0;
> *(uint8_t*)0x20006052 = (uint8_t)0x0;
> *(uint8_t*)0x20006053 = (uint8_t)0x0;
> *(uint8_t*)0x20006054 = (uint8_t)0x0;
> *(uint8_t*)0x20006055 = (uint8_t)0x0;
> *(uint8_t*)0x20006056 = (uint8_t)0x0;
> *(uint8_t*)0x20006057 = (uint8_t)0x0;
> *(uint8_t*)0x20006058 = (uint8_t)0x0;
> *(uint8_t*)0x20006059 = (uint8_t)0x0;
> *(uint8_t*)0x2000605a = (uint8_t)0x0;
> *(uint8_t*)0x2000605b = (uint8_t)0x0;
> *(uint8_t*)0x2000605c = (uint8_t)0x0;
> *(uint8_t*)0x2000605d = (uint8_t)0x0;
> *(uint8_t*)0x2000605e = (uint8_t)0x0;
> *(uint8_t*)0x2000605f = (uint8_t)0x0;
> *(uint8_t*)0x20006060 = (uint8_t)0x0;
> *(uint8_t*)0x20006061 = (uint8_t)0x0;
> *(uint8_t*)0x20006062 = (uint8_t)0x0;
> *(uint8_t*)0x20006063 = (uint8_t)0x0;
> *(uint8_t*)0x20006064 = (uint8_t)0x0;
> *(uint8_t*)0x20006065 = (uint8_t)0x0;
> *(uint8_t*)0x20006066 = (uint8_t)0x0;
> *(uint8_t*)0x20006067 = (uint8_t)0x0;
> syscall(SYS_ioctl, fd, 0x402c5342ul, 0x20006000ul, 0, 0, 0);
> break;
> case 2:
> *(uint8_t*)0x20007fb0 = (uint8_t)0x1037;
> *(uint8_t*)0x20007fb1 = (uint8_t)0x7;
> *(uint8_t*)0x20007fb2 = (uint8_t)0x30b;
> *(uint8_t*)0x20007fb3 = (uint8_t)0x34b0;
> *(uint32_t*)0x20007fb4 = (uint32_t)0x5;
> *(uint32_t*)0x20007fb8 = (uint32_t)0x7;
> *(uint8_t*)0x20007fbc = (uint8_t)0x75d;
> *(uint8_t*)0x20007fbd = (uint8_t)0x0;
> *(uint8_t*)0x20007fbe = (uint8_t)0x0;
> *(uint8_t*)0x20007fbf = (uint8_t)0x0;
> *(uint8_t*)0x20007fc0 = (uint8_t)0x0;
> *(uint8_t*)0x20007fc1 = (uint8_t)0x0;
> *(uint8_t*)0x20007fc2 = (uint8_t)0x0;
> *(uint8_t*)0x20007fc3 = (uint8_t)0x0;
> *(uint8_t*)0x20007fc4 = (uint8_t)0x0;
> *(uint8_t*)0x20007fc5 = (uint8_t)0x0;
> *(uint8_t*)0x20007fc6 = (uint8_t)0x0;
> *(uint8_t*)0x20007fc7 = (uint8_t)0x0;
> *(uint8_t*)0x20007fc8 = (uint8_t)0x0;
> *(uint8_t*)0x20007fc9 = (uint8_t)0x0;
> *(uint8_t*)0x20007fca = (uint8_t)0x0;
> *(uint8_t*)0x20007fcb = (uint8_t)0x0;
> *(uint8_t*)0x20007fcc = (uint8_t)0x0;
> *(uint8_t*)0x20007fcd = (uint8_t)0x0;
> *(uint8_t*)0x20007fce = (uint8_t)0x0;
> *(uint8_t*)0x20007fcf = (uint8_t)0x0;
> *(uint8_t*)0x20007fd0 = (uint8_t)0x0;
> *(uint8_t*)0x20007fd1 = (uint8_t)0x0;
> *(uint8_t*)0x20007fd2 = (uint8_t)0x0;
> *(uint8_t*)0x20007fd3 = (uint8_t)0x0;
> *(uint8_t*)0x20007fd4 = (uint8_t)0x0;
> *(uint8_t*)0x20007fd5 = (uint8_t)0x0;
> *(uint8_t*)0x20007fd6 = (uint8_t)0x0;
> *(uint8_t*)0x20007fd7 = (uint8_t)0x0;
> *(uint8_t*)0x20007fd8 = (uint8_t)0x0;
> *(uint8_t*)0x20007fd9 = (uint8_t)0x0;
> *(uint8_t*)0x20007fda = (uint8_t)0x0;
> *(uint8_t*)0x20007fdb = (uint8_t)0x0;
> *(uint8_t*)0x20007fdc = (uint8_t)0x0;
> *(uint8_t*)0x20007fdd = (uint8_t)0x0;
> *(uint8_t*)0x20007fde = (uint8_t)0x0;
> *(uint8_t*)0x20007fdf = (uint8_t)0x0;
> *(uint8_t*)0x20007fe0 = (uint8_t)0x0;
> *(uint8_t*)0x20007fe1 = (uint8_t)0x0;
> *(uint8_t*)0x20007fe2 = (uint8_t)0x0;
> *(uint8_t*)0x20007fe3 = (uint8_t)0x0;
> *(uint8_t*)0x20007fe4 = (uint8_t)0x0;
> *(uint8_t*)0x20007fe5 = (uint8_t)0x0;
> *(uint8_t*)0x20007fe6 = (uint8_t)0x0;
> *(uint8_t*)0x20007fe7 = (uint8_t)0x0;
> *(uint8_t*)0x20007fe8 = (uint8_t)0x0;
> *(uint8_t*)0x20007fe9 = (uint8_t)0x0;
> *(uint8_t*)0x20007fea = (uint8_t)0x0;
> *(uint8_t*)0x20007feb = (uint8_t)0x0;
> *(uint8_t*)0x20007fec = (uint8_t)0x0;
> *(uint8_t*)0x20007fed = (uint8_t)0x0;
> *(uint8_t*)0x20007fee = (uint8_t)0x0;
> *(uint8_t*)0x20007fef = (uint8_t)0x0;
> *(uint8_t*)0x20007ff0 = (uint8_t)0x0;
> *(uint8_t*)0x20007ff1 = (uint8_t)0x0;
> *(uint8_t*)0x20007ff2 = (uint8_t)0x0;
> *(uint8_t*)0x20007ff3 = (uint8_t)0x0;
> *(uint8_t*)0x20007ff4 = (uint8_t)0x0;
> *(uint8_t*)0x20007ff5 = (uint8_t)0x0;
> *(uint8_t*)0x20007ff6 = (uint8_t)0x0;
> *(uint8_t*)0x20007ff7 = (uint8_t)0x0;
> *(uint8_t*)0x20007ff8 = (uint8_t)0x0;
> *(uint8_t*)0x20007ff9 = (uint8_t)0x0;
> *(uint8_t*)0x20007ffa = (uint8_t)0x0;
> *(uint8_t*)0x20007ffb = (uint8_t)0x0;
> *(uint8_t*)0x20007ffc = (uint8_t)0x0;
> *(uint8_t*)0x20007ffd = (uint8_t)0x0;
> *(uint8_t*)0x20007ffe = (uint8_t)0x0;
> *(uint8_t*)0x20007fff = (uint8_t)0x0;
> syscall(SYS_ioctl, fd, 0x40505331ul, 0x20007fb0ul, 0, 0, 0);
> break;
> }
> return 0;
> }
>
> int main()
> {
> long i;
> pthread_t th;
>
> srand(getpid());
> syscall(SYS_mmap, 0x20000000ul, 0x8000ul, 0x3ul, 0x32ul,
> 0xfffffffffffffffful, 0x0ul);
> memcpy((void*)0x20005000,
> "\x2f\x64\x65\x76\x2f\x73\x6e\x64\x2f\x73\x65\x71", 12);
> fd = syscall(SYS_open, 0x20005000ul, 0x1ul, 0x0ul, 0, 0, 0);
> for (i = 0; i < 6; i++) {
> pthread_create(&th, 0, thr, (void*)(i%3));
> if (rand()%2==0)
> usleep(rand()%1000);
> }
> usleep(10000);
> return 0;
> }
>
>
>
> kasan: CONFIG_KASAN_INLINE enabled[ 146.589109] kasan:
> CONFIG_KASAN_INLINE enabledkasan: GPF could be caused by NULL-ptr
> deref or user memory accessgeneral protection fault: 0000 [#1] SMP
> DEBUG_PAGEALLOC KASAN
> Modules linked in:
> CPU: 2 PID: 6540 Comm: a.out Not tainted 4.4.0+ #222
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
> task: ffff880064ed0000 ti: ffff880063620000 task.ti: ffff880063620000
> RIP: 0010:[<ffffffff84b65301>] [<ffffffff84b65301>]
> snd_seq_fifo_clear+0x31/0x1d0
> RSP: 0018:ffff880063627c48 EFLAGS: 00010202
> RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
> RDX: 0000000000000015 RSI: 0000000020001ff0 RDI: 00000000000000a8
> RBP: ffff880063627c98 R08: 0000000000000001 R09: 0000000000000001
> R10: 0000000000000000 R11: 0000000000000001 R12: ffff880064de1ec0
> R13: dffffc0000000000 R14: ffff880063627d28 R15: 0000000000000001
> FS: 00007fc371e37700(0000) GS:ffff88006d600000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
> CR2: 0000000020002000 CR3: 0000000062a62000 CR4: 00000000000006e0
> Stack:
> ffffffff867a5ce0 00000000000002b9 000000004040534e 0000000020001fb0
> ffff880063627c98 1ffff1000c6c4f95 ffff880064de1ec0 dffffc0000000000
> ffff880063627d28 0000000000000001 ffff880063627d50 ffffffff84b56918
> Call Trace:
> [<ffffffff84b56918>] snd_seq_ioctl_remove_events+0x178/0x1b0
> sound/core/seq/seq_clientmgr.c:1966
> [<ffffffff84b5954a>] snd_seq_do_ioctl+0x19a/0x1c0
> sound/core/seq/seq_clientmgr.c:2209
> [<ffffffff84b5973d>] snd_seq_ioctl+0x5d/0x80
> sound/core/seq/seq_clientmgr.c:2224
> [< inline >] vfs_ioctl fs/ioctl.c:43
> [<ffffffff817b3531>] do_vfs_ioctl+0x681/0xe40 fs/ioctl.c:607
> [< inline >] SYSC_ioctl fs/ioctl.c:622
> [<ffffffff817b3d7f>] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:613
> [<ffffffff85e748f6>] entry_SYSCALL_64_fastpath+0x16/0x7a
> arch/x86/entry/entry_64.S:185
> Code: 41 56 41 55 41 54 53 48 89 fb 48 83 ec 28 e8 47 aa 9f fc 48 8d
> bb a8 00 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f>
> b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85
> RIP [< inline >] __write_once_size include/linux/compiler.h:246
> RIP [< inline >] atomic_set ./arch/x86/include/asm/atomic.h:39
> RIP [<ffffffff84b65301>] snd_seq_fifo_clear+0x31/0x1d0
> sound/core/seq/seq_fifo.c:99
> RSP <ffff880063627c48>
> ---[ end trace 3ee37e6a5304c762 ]---
>
>
> On commit afd2ff9b7e1b367172f18ba7f693dfb62bdcb2dc (Jan 10).
Thanks for reporting.
Fortunately this one looks like an easy problem, a simple missing NULL
check. Could you check the patch below?
Takashi
-- 8< --
From: Takashi Iwai <tiwai@suse.de>
Subject: [PATCH] ALSA: seq: Fix missing NULL check at remove_events ioctl
snd_seq_ioctl_remove_events() calls snd_seq_fifo_clear()
unconditionally even if there is no FIFO assigned, and this leads to
an Oops due to NULL dereference. The fix is just to add a proper NULL
check.
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
---
sound/core/seq/seq_clientmgr.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sound/core/seq/seq_clientmgr.c b/sound/core/seq/seq_clientmgr.c
index b64f20deba90..13cfa815732d 100644
--- a/sound/core/seq/seq_clientmgr.c
+++ b/sound/core/seq/seq_clientmgr.c
@@ -1962,7 +1962,7 @@ static int snd_seq_ioctl_remove_events(struct snd_seq_client *client,
* No restrictions so for a user client we can clear
* the whole fifo
*/
- if (client->type == USER_CLIENT)
+ if (client->type == USER_CLIENT && client->data.user.fifo)
snd_seq_fifo_clear(client->data.user.fifo);
}
--
2.7.0
^ permalink raw reply related [flat|nested] 6+ messages in thread
* Re: sound: GPF in snd_seq_fifo_clear
2016-01-12 11:44 ` Takashi Iwai
(?)
@ 2016-01-12 16:19 ` Dmitry Vyukov
2016-01-12 16:23 ` Takashi Iwai
-1 siblings, 1 reply; 6+ messages in thread
From: Dmitry Vyukov @ 2016-01-12 16:19 UTC (permalink / raw)
To: Takashi Iwai
Cc: alsa-devel, Jaroslav Kysela, LKML, Eric Dumazet,
Alexander Potapenko, Kostya Serebryany, syzkaller, Sasha Levin
On Tue, Jan 12, 2016 at 12:44 PM, Takashi Iwai <tiwai@suse.de> wrote:
> On Tue, 12 Jan 2016 11:07:16 +0100,
> Dmitry Vyukov wrote:
>>
>> Hello,
>>
>> The following program triggers GPF in snd_seq_fifo_clear:
>>
>> // autogenerated by syzkaller (http://github.com/google/syzkaller)
>> #include <unistd.h>
>> #include <sys/syscall.h>
>> #include <string.h>
>> #include <stdlib.h>
>> #include <stdint.h>
>> #include <pthread.h>
>>
>> int fd;
>>
>> void *thr(void *arg)
>> {
>> switch ((long)arg) {
>> case 0:
>> *(uint32_t*)0x20001fb0 = (uint32_t)0x1;
>> *(uint64_t*)0x20001fc8 = (uint64_t)0x0;
>> *(uint64_t*)0x20001fd0 = (uint64_t)0x0;
>> *(uint8_t*)0x20001fd8 = (uint8_t)0x3;
>> *(uint8_t*)0x20001fd9 = (uint8_t)0x32be;
>> *(uint8_t*)0x20001fda = (uint8_t)0x36;
>> *(uint8_t*)0x20001fdb = (uint8_t)0x5120;
>> *(uint32_t*)0x20001fdc = (uint32_t)0x0;
>> *(uint8_t*)0x20001fe0 = (uint8_t)0x4;
>> *(uint32_t*)0x20001fe4 = (uint32_t)0x0;
>> *(uint32_t*)0x20001fe8 = (uint32_t)0x0;
>> *(uint32_t*)0x20001fec = (uint32_t)0x0;
>> *(uint32_t*)0x20001ff0 = (uint32_t)0x0;
>> *(uint32_t*)0x20001ff4 = (uint32_t)0x0;
>> *(uint32_t*)0x20001ff8 = (uint32_t)0x0;
>> *(uint32_t*)0x20001ffc = (uint32_t)0x0;
>> *(uint32_t*)0x20002000 = (uint32_t)0x0;
>> *(uint32_t*)0x20002004 = (uint32_t)0x0;
>> *(uint32_t*)0x20002008 = (uint32_t)0x0;
>> syscall(SYS_ioctl, fd, 0x4040534eul, 0x20001fb0ul, 0, 0, 0);
>> break;
>> case 1:
>> *(uint32_t*)0x20006000 = (uint32_t)0xaff;
>> *(uint32_t*)0x20006004 = (uint32_t)0x5;
>> *(uint32_t*)0x20006008 = (uint32_t)0x101;
>> *(uint64_t*)0x20006010 = (uint64_t)0x0;
>> *(uint64_t*)0x20006018 = (uint64_t)0x989680;
>> *(uint32_t*)0x20006020 = (uint32_t)0x3;
>> *(uint32_t*)0x20006024 = (uint32_t)0x4;
>> *(uint8_t*)0x20006028 = (uint8_t)0x0;
>> *(uint8_t*)0x20006029 = (uint8_t)0x0;
>> *(uint8_t*)0x2000602a = (uint8_t)0x0;
>> *(uint8_t*)0x2000602b = (uint8_t)0x0;
>> *(uint8_t*)0x2000602c = (uint8_t)0x0;
>> *(uint8_t*)0x2000602d = (uint8_t)0x0;
>> *(uint8_t*)0x2000602e = (uint8_t)0x0;
>> *(uint8_t*)0x2000602f = (uint8_t)0x0;
>> *(uint8_t*)0x20006030 = (uint8_t)0x0;
>> *(uint8_t*)0x20006031 = (uint8_t)0x0;
>> *(uint8_t*)0x20006032 = (uint8_t)0x0;
>> *(uint8_t*)0x20006033 = (uint8_t)0x0;
>> *(uint8_t*)0x20006034 = (uint8_t)0x0;
>> *(uint8_t*)0x20006035 = (uint8_t)0x0;
>> *(uint8_t*)0x20006036 = (uint8_t)0x0;
>> *(uint8_t*)0x20006037 = (uint8_t)0x0;
>> *(uint8_t*)0x20006038 = (uint8_t)0x0;
>> *(uint8_t*)0x20006039 = (uint8_t)0x0;
>> *(uint8_t*)0x2000603a = (uint8_t)0x0;
>> *(uint8_t*)0x2000603b = (uint8_t)0x0;
>> *(uint8_t*)0x2000603c = (uint8_t)0x0;
>> *(uint8_t*)0x2000603d = (uint8_t)0x0;
>> *(uint8_t*)0x2000603e = (uint8_t)0x0;
>> *(uint8_t*)0x2000603f = (uint8_t)0x0;
>> *(uint8_t*)0x20006040 = (uint8_t)0x0;
>> *(uint8_t*)0x20006041 = (uint8_t)0x0;
>> *(uint8_t*)0x20006042 = (uint8_t)0x0;
>> *(uint8_t*)0x20006043 = (uint8_t)0x0;
>> *(uint8_t*)0x20006044 = (uint8_t)0x0;
>> *(uint8_t*)0x20006045 = (uint8_t)0x0;
>> *(uint8_t*)0x20006046 = (uint8_t)0x0;
>> *(uint8_t*)0x20006047 = (uint8_t)0x0;
>> *(uint8_t*)0x20006048 = (uint8_t)0x0;
>> *(uint8_t*)0x20006049 = (uint8_t)0x0;
>> *(uint8_t*)0x2000604a = (uint8_t)0x0;
>> *(uint8_t*)0x2000604b = (uint8_t)0x0;
>> *(uint8_t*)0x2000604c = (uint8_t)0x0;
>> *(uint8_t*)0x2000604d = (uint8_t)0x0;
>> *(uint8_t*)0x2000604e = (uint8_t)0x0;
>> *(uint8_t*)0x2000604f = (uint8_t)0x0;
>> *(uint8_t*)0x20006050 = (uint8_t)0x0;
>> *(uint8_t*)0x20006051 = (uint8_t)0x0;
>> *(uint8_t*)0x20006052 = (uint8_t)0x0;
>> *(uint8_t*)0x20006053 = (uint8_t)0x0;
>> *(uint8_t*)0x20006054 = (uint8_t)0x0;
>> *(uint8_t*)0x20006055 = (uint8_t)0x0;
>> *(uint8_t*)0x20006056 = (uint8_t)0x0;
>> *(uint8_t*)0x20006057 = (uint8_t)0x0;
>> *(uint8_t*)0x20006058 = (uint8_t)0x0;
>> *(uint8_t*)0x20006059 = (uint8_t)0x0;
>> *(uint8_t*)0x2000605a = (uint8_t)0x0;
>> *(uint8_t*)0x2000605b = (uint8_t)0x0;
>> *(uint8_t*)0x2000605c = (uint8_t)0x0;
>> *(uint8_t*)0x2000605d = (uint8_t)0x0;
>> *(uint8_t*)0x2000605e = (uint8_t)0x0;
>> *(uint8_t*)0x2000605f = (uint8_t)0x0;
>> *(uint8_t*)0x20006060 = (uint8_t)0x0;
>> *(uint8_t*)0x20006061 = (uint8_t)0x0;
>> *(uint8_t*)0x20006062 = (uint8_t)0x0;
>> *(uint8_t*)0x20006063 = (uint8_t)0x0;
>> *(uint8_t*)0x20006064 = (uint8_t)0x0;
>> *(uint8_t*)0x20006065 = (uint8_t)0x0;
>> *(uint8_t*)0x20006066 = (uint8_t)0x0;
>> *(uint8_t*)0x20006067 = (uint8_t)0x0;
>> syscall(SYS_ioctl, fd, 0x402c5342ul, 0x20006000ul, 0, 0, 0);
>> break;
>> case 2:
>> *(uint8_t*)0x20007fb0 = (uint8_t)0x1037;
>> *(uint8_t*)0x20007fb1 = (uint8_t)0x7;
>> *(uint8_t*)0x20007fb2 = (uint8_t)0x30b;
>> *(uint8_t*)0x20007fb3 = (uint8_t)0x34b0;
>> *(uint32_t*)0x20007fb4 = (uint32_t)0x5;
>> *(uint32_t*)0x20007fb8 = (uint32_t)0x7;
>> *(uint8_t*)0x20007fbc = (uint8_t)0x75d;
>> *(uint8_t*)0x20007fbd = (uint8_t)0x0;
>> *(uint8_t*)0x20007fbe = (uint8_t)0x0;
>> *(uint8_t*)0x20007fbf = (uint8_t)0x0;
>> *(uint8_t*)0x20007fc0 = (uint8_t)0x0;
>> *(uint8_t*)0x20007fc1 = (uint8_t)0x0;
>> *(uint8_t*)0x20007fc2 = (uint8_t)0x0;
>> *(uint8_t*)0x20007fc3 = (uint8_t)0x0;
>> *(uint8_t*)0x20007fc4 = (uint8_t)0x0;
>> *(uint8_t*)0x20007fc5 = (uint8_t)0x0;
>> *(uint8_t*)0x20007fc6 = (uint8_t)0x0;
>> *(uint8_t*)0x20007fc7 = (uint8_t)0x0;
>> *(uint8_t*)0x20007fc8 = (uint8_t)0x0;
>> *(uint8_t*)0x20007fc9 = (uint8_t)0x0;
>> *(uint8_t*)0x20007fca = (uint8_t)0x0;
>> *(uint8_t*)0x20007fcb = (uint8_t)0x0;
>> *(uint8_t*)0x20007fcc = (uint8_t)0x0;
>> *(uint8_t*)0x20007fcd = (uint8_t)0x0;
>> *(uint8_t*)0x20007fce = (uint8_t)0x0;
>> *(uint8_t*)0x20007fcf = (uint8_t)0x0;
>> *(uint8_t*)0x20007fd0 = (uint8_t)0x0;
>> *(uint8_t*)0x20007fd1 = (uint8_t)0x0;
>> *(uint8_t*)0x20007fd2 = (uint8_t)0x0;
>> *(uint8_t*)0x20007fd3 = (uint8_t)0x0;
>> *(uint8_t*)0x20007fd4 = (uint8_t)0x0;
>> *(uint8_t*)0x20007fd5 = (uint8_t)0x0;
>> *(uint8_t*)0x20007fd6 = (uint8_t)0x0;
>> *(uint8_t*)0x20007fd7 = (uint8_t)0x0;
>> *(uint8_t*)0x20007fd8 = (uint8_t)0x0;
>> *(uint8_t*)0x20007fd9 = (uint8_t)0x0;
>> *(uint8_t*)0x20007fda = (uint8_t)0x0;
>> *(uint8_t*)0x20007fdb = (uint8_t)0x0;
>> *(uint8_t*)0x20007fdc = (uint8_t)0x0;
>> *(uint8_t*)0x20007fdd = (uint8_t)0x0;
>> *(uint8_t*)0x20007fde = (uint8_t)0x0;
>> *(uint8_t*)0x20007fdf = (uint8_t)0x0;
>> *(uint8_t*)0x20007fe0 = (uint8_t)0x0;
>> *(uint8_t*)0x20007fe1 = (uint8_t)0x0;
>> *(uint8_t*)0x20007fe2 = (uint8_t)0x0;
>> *(uint8_t*)0x20007fe3 = (uint8_t)0x0;
>> *(uint8_t*)0x20007fe4 = (uint8_t)0x0;
>> *(uint8_t*)0x20007fe5 = (uint8_t)0x0;
>> *(uint8_t*)0x20007fe6 = (uint8_t)0x0;
>> *(uint8_t*)0x20007fe7 = (uint8_t)0x0;
>> *(uint8_t*)0x20007fe8 = (uint8_t)0x0;
>> *(uint8_t*)0x20007fe9 = (uint8_t)0x0;
>> *(uint8_t*)0x20007fea = (uint8_t)0x0;
>> *(uint8_t*)0x20007feb = (uint8_t)0x0;
>> *(uint8_t*)0x20007fec = (uint8_t)0x0;
>> *(uint8_t*)0x20007fed = (uint8_t)0x0;
>> *(uint8_t*)0x20007fee = (uint8_t)0x0;
>> *(uint8_t*)0x20007fef = (uint8_t)0x0;
>> *(uint8_t*)0x20007ff0 = (uint8_t)0x0;
>> *(uint8_t*)0x20007ff1 = (uint8_t)0x0;
>> *(uint8_t*)0x20007ff2 = (uint8_t)0x0;
>> *(uint8_t*)0x20007ff3 = (uint8_t)0x0;
>> *(uint8_t*)0x20007ff4 = (uint8_t)0x0;
>> *(uint8_t*)0x20007ff5 = (uint8_t)0x0;
>> *(uint8_t*)0x20007ff6 = (uint8_t)0x0;
>> *(uint8_t*)0x20007ff7 = (uint8_t)0x0;
>> *(uint8_t*)0x20007ff8 = (uint8_t)0x0;
>> *(uint8_t*)0x20007ff9 = (uint8_t)0x0;
>> *(uint8_t*)0x20007ffa = (uint8_t)0x0;
>> *(uint8_t*)0x20007ffb = (uint8_t)0x0;
>> *(uint8_t*)0x20007ffc = (uint8_t)0x0;
>> *(uint8_t*)0x20007ffd = (uint8_t)0x0;
>> *(uint8_t*)0x20007ffe = (uint8_t)0x0;
>> *(uint8_t*)0x20007fff = (uint8_t)0x0;
>> syscall(SYS_ioctl, fd, 0x40505331ul, 0x20007fb0ul, 0, 0, 0);
>> break;
>> }
>> return 0;
>> }
>>
>> int main()
>> {
>> long i;
>> pthread_t th;
>>
>> srand(getpid());
>> syscall(SYS_mmap, 0x20000000ul, 0x8000ul, 0x3ul, 0x32ul,
>> 0xfffffffffffffffful, 0x0ul);
>> memcpy((void*)0x20005000,
>> "\x2f\x64\x65\x76\x2f\x73\x6e\x64\x2f\x73\x65\x71", 12);
>> fd = syscall(SYS_open, 0x20005000ul, 0x1ul, 0x0ul, 0, 0, 0);
>> for (i = 0; i < 6; i++) {
>> pthread_create(&th, 0, thr, (void*)(i%3));
>> if (rand()%2==0)
>> usleep(rand()%1000);
>> }
>> usleep(10000);
>> return 0;
>> }
>>
>>
>>
>> kasan: CONFIG_KASAN_INLINE enabled[ 146.589109] kasan:
>> CONFIG_KASAN_INLINE enabledkasan: GPF could be caused by NULL-ptr
>> deref or user memory accessgeneral protection fault: 0000 [#1] SMP
>> DEBUG_PAGEALLOC KASAN
>> Modules linked in:
>> CPU: 2 PID: 6540 Comm: a.out Not tainted 4.4.0+ #222
>> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
>> task: ffff880064ed0000 ti: ffff880063620000 task.ti: ffff880063620000
>> RIP: 0010:[<ffffffff84b65301>] [<ffffffff84b65301>]
>> snd_seq_fifo_clear+0x31/0x1d0
>> RSP: 0018:ffff880063627c48 EFLAGS: 00010202
>> RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
>> RDX: 0000000000000015 RSI: 0000000020001ff0 RDI: 00000000000000a8
>> RBP: ffff880063627c98 R08: 0000000000000001 R09: 0000000000000001
>> R10: 0000000000000000 R11: 0000000000000001 R12: ffff880064de1ec0
>> R13: dffffc0000000000 R14: ffff880063627d28 R15: 0000000000000001
>> FS: 00007fc371e37700(0000) GS:ffff88006d600000(0000) knlGS:0000000000000000
>> CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
>> CR2: 0000000020002000 CR3: 0000000062a62000 CR4: 00000000000006e0
>> Stack:
>> ffffffff867a5ce0 00000000000002b9 000000004040534e 0000000020001fb0
>> ffff880063627c98 1ffff1000c6c4f95 ffff880064de1ec0 dffffc0000000000
>> ffff880063627d28 0000000000000001 ffff880063627d50 ffffffff84b56918
>> Call Trace:
>> [<ffffffff84b56918>] snd_seq_ioctl_remove_events+0x178/0x1b0
>> sound/core/seq/seq_clientmgr.c:1966
>> [<ffffffff84b5954a>] snd_seq_do_ioctl+0x19a/0x1c0
>> sound/core/seq/seq_clientmgr.c:2209
>> [<ffffffff84b5973d>] snd_seq_ioctl+0x5d/0x80
>> sound/core/seq/seq_clientmgr.c:2224
>> [< inline >] vfs_ioctl fs/ioctl.c:43
>> [<ffffffff817b3531>] do_vfs_ioctl+0x681/0xe40 fs/ioctl.c:607
>> [< inline >] SYSC_ioctl fs/ioctl.c:622
>> [<ffffffff817b3d7f>] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:613
>> [<ffffffff85e748f6>] entry_SYSCALL_64_fastpath+0x16/0x7a
>> arch/x86/entry/entry_64.S:185
>> Code: 41 56 41 55 41 54 53 48 89 fb 48 83 ec 28 e8 47 aa 9f fc 48 8d
>> bb a8 00 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f>
>> b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85
>> RIP [< inline >] __write_once_size include/linux/compiler.h:246
>> RIP [< inline >] atomic_set ./arch/x86/include/asm/atomic.h:39
>> RIP [<ffffffff84b65301>] snd_seq_fifo_clear+0x31/0x1d0
>> sound/core/seq/seq_fifo.c:99
>> RSP <ffff880063627c48>
>> ---[ end trace 3ee37e6a5304c762 ]---
>>
>>
>> On commit afd2ff9b7e1b367172f18ba7f693dfb62bdcb2dc (Jan 10).
>
> Thanks for reporting.
>
> Fortunately this one looks like an easy problem, a simple missing NULL
> check. Could you check the patch below?
Yes, it fixes the crashes for me. Thanks for quick fix!
Tested-by: Dmitry Vyukov <dvyukov@google.com>
> -- 8< --
> From: Takashi Iwai <tiwai@suse.de>
> Subject: [PATCH] ALSA: seq: Fix missing NULL check at remove_events ioctl
>
> snd_seq_ioctl_remove_events() calls snd_seq_fifo_clear()
> unconditionally even if there is no FIFO assigned, and this leads to
> an Oops due to NULL dereference. The fix is just to add a proper NULL
> check.
>
> Reported-by: Dmitry Vyukov <dvyukov@google.com>
> Cc: <stable@vger.kernel.org>
> Signed-off-by: Takashi Iwai <tiwai@suse.de>
> ---
> sound/core/seq/seq_clientmgr.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/sound/core/seq/seq_clientmgr.c b/sound/core/seq/seq_clientmgr.c
> index b64f20deba90..13cfa815732d 100644
> --- a/sound/core/seq/seq_clientmgr.c
> +++ b/sound/core/seq/seq_clientmgr.c
> @@ -1962,7 +1962,7 @@ static int snd_seq_ioctl_remove_events(struct snd_seq_client *client,
> * No restrictions so for a user client we can clear
> * the whole fifo
> */
> - if (client->type == USER_CLIENT)
> + if (client->type == USER_CLIENT && client->data.user.fifo)
> snd_seq_fifo_clear(client->data.user.fifo);
> }
>
> --
> 2.7.0
>
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: sound: GPF in snd_seq_fifo_clear
2016-01-12 16:19 ` Dmitry Vyukov
@ 2016-01-12 16:23 ` Takashi Iwai
0 siblings, 0 replies; 6+ messages in thread
From: Takashi Iwai @ 2016-01-12 16:23 UTC (permalink / raw)
To: Dmitry Vyukov
Cc: alsa-devel, Jaroslav Kysela, LKML, Eric Dumazet,
Alexander Potapenko, Kostya Serebryany, syzkaller, Sasha Levin
On Tue, 12 Jan 2016 17:19:49 +0100,
Dmitry Vyukov wrote:
>
> On Tue, Jan 12, 2016 at 12:44 PM, Takashi Iwai <tiwai@suse.de> wrote:
> > On Tue, 12 Jan 2016 11:07:16 +0100,
> > Dmitry Vyukov wrote:
> >>
> >> Hello,
> >>
> >> The following program triggers GPF in snd_seq_fifo_clear:
> >>
> >> // autogenerated by syzkaller (http://github.com/google/syzkaller)
> >> #include <unistd.h>
> >> #include <sys/syscall.h>
> >> #include <string.h>
> >> #include <stdlib.h>
> >> #include <stdint.h>
> >> #include <pthread.h>
> >>
> >> int fd;
> >>
> >> void *thr(void *arg)
> >> {
> >> switch ((long)arg) {
> >> case 0:
> >> *(uint32_t*)0x20001fb0 = (uint32_t)0x1;
> >> *(uint64_t*)0x20001fc8 = (uint64_t)0x0;
> >> *(uint64_t*)0x20001fd0 = (uint64_t)0x0;
> >> *(uint8_t*)0x20001fd8 = (uint8_t)0x3;
> >> *(uint8_t*)0x20001fd9 = (uint8_t)0x32be;
> >> *(uint8_t*)0x20001fda = (uint8_t)0x36;
> >> *(uint8_t*)0x20001fdb = (uint8_t)0x5120;
> >> *(uint32_t*)0x20001fdc = (uint32_t)0x0;
> >> *(uint8_t*)0x20001fe0 = (uint8_t)0x4;
> >> *(uint32_t*)0x20001fe4 = (uint32_t)0x0;
> >> *(uint32_t*)0x20001fe8 = (uint32_t)0x0;
> >> *(uint32_t*)0x20001fec = (uint32_t)0x0;
> >> *(uint32_t*)0x20001ff0 = (uint32_t)0x0;
> >> *(uint32_t*)0x20001ff4 = (uint32_t)0x0;
> >> *(uint32_t*)0x20001ff8 = (uint32_t)0x0;
> >> *(uint32_t*)0x20001ffc = (uint32_t)0x0;
> >> *(uint32_t*)0x20002000 = (uint32_t)0x0;
> >> *(uint32_t*)0x20002004 = (uint32_t)0x0;
> >> *(uint32_t*)0x20002008 = (uint32_t)0x0;
> >> syscall(SYS_ioctl, fd, 0x4040534eul, 0x20001fb0ul, 0, 0, 0);
> >> break;
> >> case 1:
> >> *(uint32_t*)0x20006000 = (uint32_t)0xaff;
> >> *(uint32_t*)0x20006004 = (uint32_t)0x5;
> >> *(uint32_t*)0x20006008 = (uint32_t)0x101;
> >> *(uint64_t*)0x20006010 = (uint64_t)0x0;
> >> *(uint64_t*)0x20006018 = (uint64_t)0x989680;
> >> *(uint32_t*)0x20006020 = (uint32_t)0x3;
> >> *(uint32_t*)0x20006024 = (uint32_t)0x4;
> >> *(uint8_t*)0x20006028 = (uint8_t)0x0;
> >> *(uint8_t*)0x20006029 = (uint8_t)0x0;
> >> *(uint8_t*)0x2000602a = (uint8_t)0x0;
> >> *(uint8_t*)0x2000602b = (uint8_t)0x0;
> >> *(uint8_t*)0x2000602c = (uint8_t)0x0;
> >> *(uint8_t*)0x2000602d = (uint8_t)0x0;
> >> *(uint8_t*)0x2000602e = (uint8_t)0x0;
> >> *(uint8_t*)0x2000602f = (uint8_t)0x0;
> >> *(uint8_t*)0x20006030 = (uint8_t)0x0;
> >> *(uint8_t*)0x20006031 = (uint8_t)0x0;
> >> *(uint8_t*)0x20006032 = (uint8_t)0x0;
> >> *(uint8_t*)0x20006033 = (uint8_t)0x0;
> >> *(uint8_t*)0x20006034 = (uint8_t)0x0;
> >> *(uint8_t*)0x20006035 = (uint8_t)0x0;
> >> *(uint8_t*)0x20006036 = (uint8_t)0x0;
> >> *(uint8_t*)0x20006037 = (uint8_t)0x0;
> >> *(uint8_t*)0x20006038 = (uint8_t)0x0;
> >> *(uint8_t*)0x20006039 = (uint8_t)0x0;
> >> *(uint8_t*)0x2000603a = (uint8_t)0x0;
> >> *(uint8_t*)0x2000603b = (uint8_t)0x0;
> >> *(uint8_t*)0x2000603c = (uint8_t)0x0;
> >> *(uint8_t*)0x2000603d = (uint8_t)0x0;
> >> *(uint8_t*)0x2000603e = (uint8_t)0x0;
> >> *(uint8_t*)0x2000603f = (uint8_t)0x0;
> >> *(uint8_t*)0x20006040 = (uint8_t)0x0;
> >> *(uint8_t*)0x20006041 = (uint8_t)0x0;
> >> *(uint8_t*)0x20006042 = (uint8_t)0x0;
> >> *(uint8_t*)0x20006043 = (uint8_t)0x0;
> >> *(uint8_t*)0x20006044 = (uint8_t)0x0;
> >> *(uint8_t*)0x20006045 = (uint8_t)0x0;
> >> *(uint8_t*)0x20006046 = (uint8_t)0x0;
> >> *(uint8_t*)0x20006047 = (uint8_t)0x0;
> >> *(uint8_t*)0x20006048 = (uint8_t)0x0;
> >> *(uint8_t*)0x20006049 = (uint8_t)0x0;
> >> *(uint8_t*)0x2000604a = (uint8_t)0x0;
> >> *(uint8_t*)0x2000604b = (uint8_t)0x0;
> >> *(uint8_t*)0x2000604c = (uint8_t)0x0;
> >> *(uint8_t*)0x2000604d = (uint8_t)0x0;
> >> *(uint8_t*)0x2000604e = (uint8_t)0x0;
> >> *(uint8_t*)0x2000604f = (uint8_t)0x0;
> >> *(uint8_t*)0x20006050 = (uint8_t)0x0;
> >> *(uint8_t*)0x20006051 = (uint8_t)0x0;
> >> *(uint8_t*)0x20006052 = (uint8_t)0x0;
> >> *(uint8_t*)0x20006053 = (uint8_t)0x0;
> >> *(uint8_t*)0x20006054 = (uint8_t)0x0;
> >> *(uint8_t*)0x20006055 = (uint8_t)0x0;
> >> *(uint8_t*)0x20006056 = (uint8_t)0x0;
> >> *(uint8_t*)0x20006057 = (uint8_t)0x0;
> >> *(uint8_t*)0x20006058 = (uint8_t)0x0;
> >> *(uint8_t*)0x20006059 = (uint8_t)0x0;
> >> *(uint8_t*)0x2000605a = (uint8_t)0x0;
> >> *(uint8_t*)0x2000605b = (uint8_t)0x0;
> >> *(uint8_t*)0x2000605c = (uint8_t)0x0;
> >> *(uint8_t*)0x2000605d = (uint8_t)0x0;
> >> *(uint8_t*)0x2000605e = (uint8_t)0x0;
> >> *(uint8_t*)0x2000605f = (uint8_t)0x0;
> >> *(uint8_t*)0x20006060 = (uint8_t)0x0;
> >> *(uint8_t*)0x20006061 = (uint8_t)0x0;
> >> *(uint8_t*)0x20006062 = (uint8_t)0x0;
> >> *(uint8_t*)0x20006063 = (uint8_t)0x0;
> >> *(uint8_t*)0x20006064 = (uint8_t)0x0;
> >> *(uint8_t*)0x20006065 = (uint8_t)0x0;
> >> *(uint8_t*)0x20006066 = (uint8_t)0x0;
> >> *(uint8_t*)0x20006067 = (uint8_t)0x0;
> >> syscall(SYS_ioctl, fd, 0x402c5342ul, 0x20006000ul, 0, 0, 0);
> >> break;
> >> case 2:
> >> *(uint8_t*)0x20007fb0 = (uint8_t)0x1037;
> >> *(uint8_t*)0x20007fb1 = (uint8_t)0x7;
> >> *(uint8_t*)0x20007fb2 = (uint8_t)0x30b;
> >> *(uint8_t*)0x20007fb3 = (uint8_t)0x34b0;
> >> *(uint32_t*)0x20007fb4 = (uint32_t)0x5;
> >> *(uint32_t*)0x20007fb8 = (uint32_t)0x7;
> >> *(uint8_t*)0x20007fbc = (uint8_t)0x75d;
> >> *(uint8_t*)0x20007fbd = (uint8_t)0x0;
> >> *(uint8_t*)0x20007fbe = (uint8_t)0x0;
> >> *(uint8_t*)0x20007fbf = (uint8_t)0x0;
> >> *(uint8_t*)0x20007fc0 = (uint8_t)0x0;
> >> *(uint8_t*)0x20007fc1 = (uint8_t)0x0;
> >> *(uint8_t*)0x20007fc2 = (uint8_t)0x0;
> >> *(uint8_t*)0x20007fc3 = (uint8_t)0x0;
> >> *(uint8_t*)0x20007fc4 = (uint8_t)0x0;
> >> *(uint8_t*)0x20007fc5 = (uint8_t)0x0;
> >> *(uint8_t*)0x20007fc6 = (uint8_t)0x0;
> >> *(uint8_t*)0x20007fc7 = (uint8_t)0x0;
> >> *(uint8_t*)0x20007fc8 = (uint8_t)0x0;
> >> *(uint8_t*)0x20007fc9 = (uint8_t)0x0;
> >> *(uint8_t*)0x20007fca = (uint8_t)0x0;
> >> *(uint8_t*)0x20007fcb = (uint8_t)0x0;
> >> *(uint8_t*)0x20007fcc = (uint8_t)0x0;
> >> *(uint8_t*)0x20007fcd = (uint8_t)0x0;
> >> *(uint8_t*)0x20007fce = (uint8_t)0x0;
> >> *(uint8_t*)0x20007fcf = (uint8_t)0x0;
> >> *(uint8_t*)0x20007fd0 = (uint8_t)0x0;
> >> *(uint8_t*)0x20007fd1 = (uint8_t)0x0;
> >> *(uint8_t*)0x20007fd2 = (uint8_t)0x0;
> >> *(uint8_t*)0x20007fd3 = (uint8_t)0x0;
> >> *(uint8_t*)0x20007fd4 = (uint8_t)0x0;
> >> *(uint8_t*)0x20007fd5 = (uint8_t)0x0;
> >> *(uint8_t*)0x20007fd6 = (uint8_t)0x0;
> >> *(uint8_t*)0x20007fd7 = (uint8_t)0x0;
> >> *(uint8_t*)0x20007fd8 = (uint8_t)0x0;
> >> *(uint8_t*)0x20007fd9 = (uint8_t)0x0;
> >> *(uint8_t*)0x20007fda = (uint8_t)0x0;
> >> *(uint8_t*)0x20007fdb = (uint8_t)0x0;
> >> *(uint8_t*)0x20007fdc = (uint8_t)0x0;
> >> *(uint8_t*)0x20007fdd = (uint8_t)0x0;
> >> *(uint8_t*)0x20007fde = (uint8_t)0x0;
> >> *(uint8_t*)0x20007fdf = (uint8_t)0x0;
> >> *(uint8_t*)0x20007fe0 = (uint8_t)0x0;
> >> *(uint8_t*)0x20007fe1 = (uint8_t)0x0;
> >> *(uint8_t*)0x20007fe2 = (uint8_t)0x0;
> >> *(uint8_t*)0x20007fe3 = (uint8_t)0x0;
> >> *(uint8_t*)0x20007fe4 = (uint8_t)0x0;
> >> *(uint8_t*)0x20007fe5 = (uint8_t)0x0;
> >> *(uint8_t*)0x20007fe6 = (uint8_t)0x0;
> >> *(uint8_t*)0x20007fe7 = (uint8_t)0x0;
> >> *(uint8_t*)0x20007fe8 = (uint8_t)0x0;
> >> *(uint8_t*)0x20007fe9 = (uint8_t)0x0;
> >> *(uint8_t*)0x20007fea = (uint8_t)0x0;
> >> *(uint8_t*)0x20007feb = (uint8_t)0x0;
> >> *(uint8_t*)0x20007fec = (uint8_t)0x0;
> >> *(uint8_t*)0x20007fed = (uint8_t)0x0;
> >> *(uint8_t*)0x20007fee = (uint8_t)0x0;
> >> *(uint8_t*)0x20007fef = (uint8_t)0x0;
> >> *(uint8_t*)0x20007ff0 = (uint8_t)0x0;
> >> *(uint8_t*)0x20007ff1 = (uint8_t)0x0;
> >> *(uint8_t*)0x20007ff2 = (uint8_t)0x0;
> >> *(uint8_t*)0x20007ff3 = (uint8_t)0x0;
> >> *(uint8_t*)0x20007ff4 = (uint8_t)0x0;
> >> *(uint8_t*)0x20007ff5 = (uint8_t)0x0;
> >> *(uint8_t*)0x20007ff6 = (uint8_t)0x0;
> >> *(uint8_t*)0x20007ff7 = (uint8_t)0x0;
> >> *(uint8_t*)0x20007ff8 = (uint8_t)0x0;
> >> *(uint8_t*)0x20007ff9 = (uint8_t)0x0;
> >> *(uint8_t*)0x20007ffa = (uint8_t)0x0;
> >> *(uint8_t*)0x20007ffb = (uint8_t)0x0;
> >> *(uint8_t*)0x20007ffc = (uint8_t)0x0;
> >> *(uint8_t*)0x20007ffd = (uint8_t)0x0;
> >> *(uint8_t*)0x20007ffe = (uint8_t)0x0;
> >> *(uint8_t*)0x20007fff = (uint8_t)0x0;
> >> syscall(SYS_ioctl, fd, 0x40505331ul, 0x20007fb0ul, 0, 0, 0);
> >> break;
> >> }
> >> return 0;
> >> }
> >>
> >> int main()
> >> {
> >> long i;
> >> pthread_t th;
> >>
> >> srand(getpid());
> >> syscall(SYS_mmap, 0x20000000ul, 0x8000ul, 0x3ul, 0x32ul,
> >> 0xfffffffffffffffful, 0x0ul);
> >> memcpy((void*)0x20005000,
> >> "\x2f\x64\x65\x76\x2f\x73\x6e\x64\x2f\x73\x65\x71", 12);
> >> fd = syscall(SYS_open, 0x20005000ul, 0x1ul, 0x0ul, 0, 0, 0);
> >> for (i = 0; i < 6; i++) {
> >> pthread_create(&th, 0, thr, (void*)(i%3));
> >> if (rand()%2==0)
> >> usleep(rand()%1000);
> >> }
> >> usleep(10000);
> >> return 0;
> >> }
> >>
> >>
> >>
> >> kasan: CONFIG_KASAN_INLINE enabled[ 146.589109] kasan:
> >> CONFIG_KASAN_INLINE enabledkasan: GPF could be caused by NULL-ptr
> >> deref or user memory accessgeneral protection fault: 0000 [#1] SMP
> >> DEBUG_PAGEALLOC KASAN
> >> Modules linked in:
> >> CPU: 2 PID: 6540 Comm: a.out Not tainted 4.4.0+ #222
> >> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
> >> task: ffff880064ed0000 ti: ffff880063620000 task.ti: ffff880063620000
> >> RIP: 0010:[<ffffffff84b65301>] [<ffffffff84b65301>]
> >> snd_seq_fifo_clear+0x31/0x1d0
> >> RSP: 0018:ffff880063627c48 EFLAGS: 00010202
> >> RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
> >> RDX: 0000000000000015 RSI: 0000000020001ff0 RDI: 00000000000000a8
> >> RBP: ffff880063627c98 R08: 0000000000000001 R09: 0000000000000001
> >> R10: 0000000000000000 R11: 0000000000000001 R12: ffff880064de1ec0
> >> R13: dffffc0000000000 R14: ffff880063627d28 R15: 0000000000000001
> >> FS: 00007fc371e37700(0000) GS:ffff88006d600000(0000) knlGS:0000000000000000
> >> CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
> >> CR2: 0000000020002000 CR3: 0000000062a62000 CR4: 00000000000006e0
> >> Stack:
> >> ffffffff867a5ce0 00000000000002b9 000000004040534e 0000000020001fb0
> >> ffff880063627c98 1ffff1000c6c4f95 ffff880064de1ec0 dffffc0000000000
> >> ffff880063627d28 0000000000000001 ffff880063627d50 ffffffff84b56918
> >> Call Trace:
> >> [<ffffffff84b56918>] snd_seq_ioctl_remove_events+0x178/0x1b0
> >> sound/core/seq/seq_clientmgr.c:1966
> >> [<ffffffff84b5954a>] snd_seq_do_ioctl+0x19a/0x1c0
> >> sound/core/seq/seq_clientmgr.c:2209
> >> [<ffffffff84b5973d>] snd_seq_ioctl+0x5d/0x80
> >> sound/core/seq/seq_clientmgr.c:2224
> >> [< inline >] vfs_ioctl fs/ioctl.c:43
> >> [<ffffffff817b3531>] do_vfs_ioctl+0x681/0xe40 fs/ioctl.c:607
> >> [< inline >] SYSC_ioctl fs/ioctl.c:622
> >> [<ffffffff817b3d7f>] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:613
> >> [<ffffffff85e748f6>] entry_SYSCALL_64_fastpath+0x16/0x7a
> >> arch/x86/entry/entry_64.S:185
> >> Code: 41 56 41 55 41 54 53 48 89 fb 48 83 ec 28 e8 47 aa 9f fc 48 8d
> >> bb a8 00 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f>
> >> b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85
> >> RIP [< inline >] __write_once_size include/linux/compiler.h:246
> >> RIP [< inline >] atomic_set ./arch/x86/include/asm/atomic.h:39
> >> RIP [<ffffffff84b65301>] snd_seq_fifo_clear+0x31/0x1d0
> >> sound/core/seq/seq_fifo.c:99
> >> RSP <ffff880063627c48>
> >> ---[ end trace 3ee37e6a5304c762 ]---
> >>
> >>
> >> On commit afd2ff9b7e1b367172f18ba7f693dfb62bdcb2dc (Jan 10).
> >
> > Thanks for reporting.
> >
> > Fortunately this one looks like an easy problem, a simple missing NULL
> > check. Could you check the patch below?
>
> Yes, it fixes the crashes for me. Thanks for quick fix!
>
> Tested-by: Dmitry Vyukov <dvyukov@google.com>
Thanks for quick testing. I queued the patch now.
Takashi
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: sound: GPF in snd_seq_fifo_clear
@ 2016-01-12 16:23 ` Takashi Iwai
0 siblings, 0 replies; 6+ messages in thread
From: Takashi Iwai @ 2016-01-12 16:23 UTC (permalink / raw)
To: Dmitry Vyukov
Cc: alsa-devel, LKML, Kostya Serebryany, Eric Dumazet, syzkaller,
Alexander Potapenko, Sasha Levin
On Tue, 12 Jan 2016 17:19:49 +0100,
Dmitry Vyukov wrote:
>
> On Tue, Jan 12, 2016 at 12:44 PM, Takashi Iwai <tiwai@suse.de> wrote:
> > On Tue, 12 Jan 2016 11:07:16 +0100,
> > Dmitry Vyukov wrote:
> >>
> >> Hello,
> >>
> >> The following program triggers GPF in snd_seq_fifo_clear:
> >>
> >> // autogenerated by syzkaller (http://github.com/google/syzkaller)
> >> #include <unistd.h>
> >> #include <sys/syscall.h>
> >> #include <string.h>
> >> #include <stdlib.h>
> >> #include <stdint.h>
> >> #include <pthread.h>
> >>
> >> int fd;
> >>
> >> void *thr(void *arg)
> >> {
> >> switch ((long)arg) {
> >> case 0:
> >> *(uint32_t*)0x20001fb0 = (uint32_t)0x1;
> >> *(uint64_t*)0x20001fc8 = (uint64_t)0x0;
> >> *(uint64_t*)0x20001fd0 = (uint64_t)0x0;
> >> *(uint8_t*)0x20001fd8 = (uint8_t)0x3;
> >> *(uint8_t*)0x20001fd9 = (uint8_t)0x32be;
> >> *(uint8_t*)0x20001fda = (uint8_t)0x36;
> >> *(uint8_t*)0x20001fdb = (uint8_t)0x5120;
> >> *(uint32_t*)0x20001fdc = (uint32_t)0x0;
> >> *(uint8_t*)0x20001fe0 = (uint8_t)0x4;
> >> *(uint32_t*)0x20001fe4 = (uint32_t)0x0;
> >> *(uint32_t*)0x20001fe8 = (uint32_t)0x0;
> >> *(uint32_t*)0x20001fec = (uint32_t)0x0;
> >> *(uint32_t*)0x20001ff0 = (uint32_t)0x0;
> >> *(uint32_t*)0x20001ff4 = (uint32_t)0x0;
> >> *(uint32_t*)0x20001ff8 = (uint32_t)0x0;
> >> *(uint32_t*)0x20001ffc = (uint32_t)0x0;
> >> *(uint32_t*)0x20002000 = (uint32_t)0x0;
> >> *(uint32_t*)0x20002004 = (uint32_t)0x0;
> >> *(uint32_t*)0x20002008 = (uint32_t)0x0;
> >> syscall(SYS_ioctl, fd, 0x4040534eul, 0x20001fb0ul, 0, 0, 0);
> >> break;
> >> case 1:
> >> *(uint32_t*)0x20006000 = (uint32_t)0xaff;
> >> *(uint32_t*)0x20006004 = (uint32_t)0x5;
> >> *(uint32_t*)0x20006008 = (uint32_t)0x101;
> >> *(uint64_t*)0x20006010 = (uint64_t)0x0;
> >> *(uint64_t*)0x20006018 = (uint64_t)0x989680;
> >> *(uint32_t*)0x20006020 = (uint32_t)0x3;
> >> *(uint32_t*)0x20006024 = (uint32_t)0x4;
> >> *(uint8_t*)0x20006028 = (uint8_t)0x0;
> >> *(uint8_t*)0x20006029 = (uint8_t)0x0;
> >> *(uint8_t*)0x2000602a = (uint8_t)0x0;
> >> *(uint8_t*)0x2000602b = (uint8_t)0x0;
> >> *(uint8_t*)0x2000602c = (uint8_t)0x0;
> >> *(uint8_t*)0x2000602d = (uint8_t)0x0;
> >> *(uint8_t*)0x2000602e = (uint8_t)0x0;
> >> *(uint8_t*)0x2000602f = (uint8_t)0x0;
> >> *(uint8_t*)0x20006030 = (uint8_t)0x0;
> >> *(uint8_t*)0x20006031 = (uint8_t)0x0;
> >> *(uint8_t*)0x20006032 = (uint8_t)0x0;
> >> *(uint8_t*)0x20006033 = (uint8_t)0x0;
> >> *(uint8_t*)0x20006034 = (uint8_t)0x0;
> >> *(uint8_t*)0x20006035 = (uint8_t)0x0;
> >> *(uint8_t*)0x20006036 = (uint8_t)0x0;
> >> *(uint8_t*)0x20006037 = (uint8_t)0x0;
> >> *(uint8_t*)0x20006038 = (uint8_t)0x0;
> >> *(uint8_t*)0x20006039 = (uint8_t)0x0;
> >> *(uint8_t*)0x2000603a = (uint8_t)0x0;
> >> *(uint8_t*)0x2000603b = (uint8_t)0x0;
> >> *(uint8_t*)0x2000603c = (uint8_t)0x0;
> >> *(uint8_t*)0x2000603d = (uint8_t)0x0;
> >> *(uint8_t*)0x2000603e = (uint8_t)0x0;
> >> *(uint8_t*)0x2000603f = (uint8_t)0x0;
> >> *(uint8_t*)0x20006040 = (uint8_t)0x0;
> >> *(uint8_t*)0x20006041 = (uint8_t)0x0;
> >> *(uint8_t*)0x20006042 = (uint8_t)0x0;
> >> *(uint8_t*)0x20006043 = (uint8_t)0x0;
> >> *(uint8_t*)0x20006044 = (uint8_t)0x0;
> >> *(uint8_t*)0x20006045 = (uint8_t)0x0;
> >> *(uint8_t*)0x20006046 = (uint8_t)0x0;
> >> *(uint8_t*)0x20006047 = (uint8_t)0x0;
> >> *(uint8_t*)0x20006048 = (uint8_t)0x0;
> >> *(uint8_t*)0x20006049 = (uint8_t)0x0;
> >> *(uint8_t*)0x2000604a = (uint8_t)0x0;
> >> *(uint8_t*)0x2000604b = (uint8_t)0x0;
> >> *(uint8_t*)0x2000604c = (uint8_t)0x0;
> >> *(uint8_t*)0x2000604d = (uint8_t)0x0;
> >> *(uint8_t*)0x2000604e = (uint8_t)0x0;
> >> *(uint8_t*)0x2000604f = (uint8_t)0x0;
> >> *(uint8_t*)0x20006050 = (uint8_t)0x0;
> >> *(uint8_t*)0x20006051 = (uint8_t)0x0;
> >> *(uint8_t*)0x20006052 = (uint8_t)0x0;
> >> *(uint8_t*)0x20006053 = (uint8_t)0x0;
> >> *(uint8_t*)0x20006054 = (uint8_t)0x0;
> >> *(uint8_t*)0x20006055 = (uint8_t)0x0;
> >> *(uint8_t*)0x20006056 = (uint8_t)0x0;
> >> *(uint8_t*)0x20006057 = (uint8_t)0x0;
> >> *(uint8_t*)0x20006058 = (uint8_t)0x0;
> >> *(uint8_t*)0x20006059 = (uint8_t)0x0;
> >> *(uint8_t*)0x2000605a = (uint8_t)0x0;
> >> *(uint8_t*)0x2000605b = (uint8_t)0x0;
> >> *(uint8_t*)0x2000605c = (uint8_t)0x0;
> >> *(uint8_t*)0x2000605d = (uint8_t)0x0;
> >> *(uint8_t*)0x2000605e = (uint8_t)0x0;
> >> *(uint8_t*)0x2000605f = (uint8_t)0x0;
> >> *(uint8_t*)0x20006060 = (uint8_t)0x0;
> >> *(uint8_t*)0x20006061 = (uint8_t)0x0;
> >> *(uint8_t*)0x20006062 = (uint8_t)0x0;
> >> *(uint8_t*)0x20006063 = (uint8_t)0x0;
> >> *(uint8_t*)0x20006064 = (uint8_t)0x0;
> >> *(uint8_t*)0x20006065 = (uint8_t)0x0;
> >> *(uint8_t*)0x20006066 = (uint8_t)0x0;
> >> *(uint8_t*)0x20006067 = (uint8_t)0x0;
> >> syscall(SYS_ioctl, fd, 0x402c5342ul, 0x20006000ul, 0, 0, 0);
> >> break;
> >> case 2:
> >> *(uint8_t*)0x20007fb0 = (uint8_t)0x1037;
> >> *(uint8_t*)0x20007fb1 = (uint8_t)0x7;
> >> *(uint8_t*)0x20007fb2 = (uint8_t)0x30b;
> >> *(uint8_t*)0x20007fb3 = (uint8_t)0x34b0;
> >> *(uint32_t*)0x20007fb4 = (uint32_t)0x5;
> >> *(uint32_t*)0x20007fb8 = (uint32_t)0x7;
> >> *(uint8_t*)0x20007fbc = (uint8_t)0x75d;
> >> *(uint8_t*)0x20007fbd = (uint8_t)0x0;
> >> *(uint8_t*)0x20007fbe = (uint8_t)0x0;
> >> *(uint8_t*)0x20007fbf = (uint8_t)0x0;
> >> *(uint8_t*)0x20007fc0 = (uint8_t)0x0;
> >> *(uint8_t*)0x20007fc1 = (uint8_t)0x0;
> >> *(uint8_t*)0x20007fc2 = (uint8_t)0x0;
> >> *(uint8_t*)0x20007fc3 = (uint8_t)0x0;
> >> *(uint8_t*)0x20007fc4 = (uint8_t)0x0;
> >> *(uint8_t*)0x20007fc5 = (uint8_t)0x0;
> >> *(uint8_t*)0x20007fc6 = (uint8_t)0x0;
> >> *(uint8_t*)0x20007fc7 = (uint8_t)0x0;
> >> *(uint8_t*)0x20007fc8 = (uint8_t)0x0;
> >> *(uint8_t*)0x20007fc9 = (uint8_t)0x0;
> >> *(uint8_t*)0x20007fca = (uint8_t)0x0;
> >> *(uint8_t*)0x20007fcb = (uint8_t)0x0;
> >> *(uint8_t*)0x20007fcc = (uint8_t)0x0;
> >> *(uint8_t*)0x20007fcd = (uint8_t)0x0;
> >> *(uint8_t*)0x20007fce = (uint8_t)0x0;
> >> *(uint8_t*)0x20007fcf = (uint8_t)0x0;
> >> *(uint8_t*)0x20007fd0 = (uint8_t)0x0;
> >> *(uint8_t*)0x20007fd1 = (uint8_t)0x0;
> >> *(uint8_t*)0x20007fd2 = (uint8_t)0x0;
> >> *(uint8_t*)0x20007fd3 = (uint8_t)0x0;
> >> *(uint8_t*)0x20007fd4 = (uint8_t)0x0;
> >> *(uint8_t*)0x20007fd5 = (uint8_t)0x0;
> >> *(uint8_t*)0x20007fd6 = (uint8_t)0x0;
> >> *(uint8_t*)0x20007fd7 = (uint8_t)0x0;
> >> *(uint8_t*)0x20007fd8 = (uint8_t)0x0;
> >> *(uint8_t*)0x20007fd9 = (uint8_t)0x0;
> >> *(uint8_t*)0x20007fda = (uint8_t)0x0;
> >> *(uint8_t*)0x20007fdb = (uint8_t)0x0;
> >> *(uint8_t*)0x20007fdc = (uint8_t)0x0;
> >> *(uint8_t*)0x20007fdd = (uint8_t)0x0;
> >> *(uint8_t*)0x20007fde = (uint8_t)0x0;
> >> *(uint8_t*)0x20007fdf = (uint8_t)0x0;
> >> *(uint8_t*)0x20007fe0 = (uint8_t)0x0;
> >> *(uint8_t*)0x20007fe1 = (uint8_t)0x0;
> >> *(uint8_t*)0x20007fe2 = (uint8_t)0x0;
> >> *(uint8_t*)0x20007fe3 = (uint8_t)0x0;
> >> *(uint8_t*)0x20007fe4 = (uint8_t)0x0;
> >> *(uint8_t*)0x20007fe5 = (uint8_t)0x0;
> >> *(uint8_t*)0x20007fe6 = (uint8_t)0x0;
> >> *(uint8_t*)0x20007fe7 = (uint8_t)0x0;
> >> *(uint8_t*)0x20007fe8 = (uint8_t)0x0;
> >> *(uint8_t*)0x20007fe9 = (uint8_t)0x0;
> >> *(uint8_t*)0x20007fea = (uint8_t)0x0;
> >> *(uint8_t*)0x20007feb = (uint8_t)0x0;
> >> *(uint8_t*)0x20007fec = (uint8_t)0x0;
> >> *(uint8_t*)0x20007fed = (uint8_t)0x0;
> >> *(uint8_t*)0x20007fee = (uint8_t)0x0;
> >> *(uint8_t*)0x20007fef = (uint8_t)0x0;
> >> *(uint8_t*)0x20007ff0 = (uint8_t)0x0;
> >> *(uint8_t*)0x20007ff1 = (uint8_t)0x0;
> >> *(uint8_t*)0x20007ff2 = (uint8_t)0x0;
> >> *(uint8_t*)0x20007ff3 = (uint8_t)0x0;
> >> *(uint8_t*)0x20007ff4 = (uint8_t)0x0;
> >> *(uint8_t*)0x20007ff5 = (uint8_t)0x0;
> >> *(uint8_t*)0x20007ff6 = (uint8_t)0x0;
> >> *(uint8_t*)0x20007ff7 = (uint8_t)0x0;
> >> *(uint8_t*)0x20007ff8 = (uint8_t)0x0;
> >> *(uint8_t*)0x20007ff9 = (uint8_t)0x0;
> >> *(uint8_t*)0x20007ffa = (uint8_t)0x0;
> >> *(uint8_t*)0x20007ffb = (uint8_t)0x0;
> >> *(uint8_t*)0x20007ffc = (uint8_t)0x0;
> >> *(uint8_t*)0x20007ffd = (uint8_t)0x0;
> >> *(uint8_t*)0x20007ffe = (uint8_t)0x0;
> >> *(uint8_t*)0x20007fff = (uint8_t)0x0;
> >> syscall(SYS_ioctl, fd, 0x40505331ul, 0x20007fb0ul, 0, 0, 0);
> >> break;
> >> }
> >> return 0;
> >> }
> >>
> >> int main()
> >> {
> >> long i;
> >> pthread_t th;
> >>
> >> srand(getpid());
> >> syscall(SYS_mmap, 0x20000000ul, 0x8000ul, 0x3ul, 0x32ul,
> >> 0xfffffffffffffffful, 0x0ul);
> >> memcpy((void*)0x20005000,
> >> "\x2f\x64\x65\x76\x2f\x73\x6e\x64\x2f\x73\x65\x71", 12);
> >> fd = syscall(SYS_open, 0x20005000ul, 0x1ul, 0x0ul, 0, 0, 0);
> >> for (i = 0; i < 6; i++) {
> >> pthread_create(&th, 0, thr, (void*)(i%3));
> >> if (rand()%2==0)
> >> usleep(rand()%1000);
> >> }
> >> usleep(10000);
> >> return 0;
> >> }
> >>
> >>
> >>
> >> kasan: CONFIG_KASAN_INLINE enabled[ 146.589109] kasan:
> >> CONFIG_KASAN_INLINE enabledkasan: GPF could be caused by NULL-ptr
> >> deref or user memory accessgeneral protection fault: 0000 [#1] SMP
> >> DEBUG_PAGEALLOC KASAN
> >> Modules linked in:
> >> CPU: 2 PID: 6540 Comm: a.out Not tainted 4.4.0+ #222
> >> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
> >> task: ffff880064ed0000 ti: ffff880063620000 task.ti: ffff880063620000
> >> RIP: 0010:[<ffffffff84b65301>] [<ffffffff84b65301>]
> >> snd_seq_fifo_clear+0x31/0x1d0
> >> RSP: 0018:ffff880063627c48 EFLAGS: 00010202
> >> RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
> >> RDX: 0000000000000015 RSI: 0000000020001ff0 RDI: 00000000000000a8
> >> RBP: ffff880063627c98 R08: 0000000000000001 R09: 0000000000000001
> >> R10: 0000000000000000 R11: 0000000000000001 R12: ffff880064de1ec0
> >> R13: dffffc0000000000 R14: ffff880063627d28 R15: 0000000000000001
> >> FS: 00007fc371e37700(0000) GS:ffff88006d600000(0000) knlGS:0000000000000000
> >> CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
> >> CR2: 0000000020002000 CR3: 0000000062a62000 CR4: 00000000000006e0
> >> Stack:
> >> ffffffff867a5ce0 00000000000002b9 000000004040534e 0000000020001fb0
> >> ffff880063627c98 1ffff1000c6c4f95 ffff880064de1ec0 dffffc0000000000
> >> ffff880063627d28 0000000000000001 ffff880063627d50 ffffffff84b56918
> >> Call Trace:
> >> [<ffffffff84b56918>] snd_seq_ioctl_remove_events+0x178/0x1b0
> >> sound/core/seq/seq_clientmgr.c:1966
> >> [<ffffffff84b5954a>] snd_seq_do_ioctl+0x19a/0x1c0
> >> sound/core/seq/seq_clientmgr.c:2209
> >> [<ffffffff84b5973d>] snd_seq_ioctl+0x5d/0x80
> >> sound/core/seq/seq_clientmgr.c:2224
> >> [< inline >] vfs_ioctl fs/ioctl.c:43
> >> [<ffffffff817b3531>] do_vfs_ioctl+0x681/0xe40 fs/ioctl.c:607
> >> [< inline >] SYSC_ioctl fs/ioctl.c:622
> >> [<ffffffff817b3d7f>] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:613
> >> [<ffffffff85e748f6>] entry_SYSCALL_64_fastpath+0x16/0x7a
> >> arch/x86/entry/entry_64.S:185
> >> Code: 41 56 41 55 41 54 53 48 89 fb 48 83 ec 28 e8 47 aa 9f fc 48 8d
> >> bb a8 00 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f>
> >> b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85
> >> RIP [< inline >] __write_once_size include/linux/compiler.h:246
> >> RIP [< inline >] atomic_set ./arch/x86/include/asm/atomic.h:39
> >> RIP [<ffffffff84b65301>] snd_seq_fifo_clear+0x31/0x1d0
> >> sound/core/seq/seq_fifo.c:99
> >> RSP <ffff880063627c48>
> >> ---[ end trace 3ee37e6a5304c762 ]---
> >>
> >>
> >> On commit afd2ff9b7e1b367172f18ba7f693dfb62bdcb2dc (Jan 10).
> >
> > Thanks for reporting.
> >
> > Fortunately this one looks like an easy problem, a simple missing NULL
> > check. Could you check the patch below?
>
> Yes, it fixes the crashes for me. Thanks for quick fix!
>
> Tested-by: Dmitry Vyukov <dvyukov@google.com>
Thanks for quick testing. I queued the patch now.
Takashi
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2016-01-12 16:23 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2016-01-12 10:07 sound: GPF in snd_seq_fifo_clear Dmitry Vyukov
2016-01-12 11:44 ` Takashi Iwai
2016-01-12 11:44 ` Takashi Iwai
2016-01-12 16:19 ` Dmitry Vyukov
2016-01-12 16:23 ` Takashi Iwai
2016-01-12 16:23 ` Takashi Iwai
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.