* [syzbot] [alsa?] memory leak in snd_seq_create_port
@ 2023-07-16  8:21 syzbot
  2023-07-16 13:07 ` Takashi Iwai
  0 siblings, 1 reply; 8+ messages in thread
From: syzbot @ 2023-07-16  8:21 UTC (permalink / raw)
  To: alsa-devel, linux-kernel, perex, syzkaller-bugs, tiwai

Hello,

syzbot found the following issue on:

HEAD commit:    3f01e9fed845 Merge tag 'linux-watchdog-6.5-rc2' of git://w..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=14b07344a80000
kernel config:  https://syzkaller.appspot.com/x/.config?x=75da4f0a455bdbd3
dashboard link: https://syzkaller.appspot.com/bug?extid=cf8e7fa4eeec59b3d485
compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=15877dc2a80000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=12905004a80000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/441fb7ea58b8/disk-3f01e9fe.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/8fa7790ba0c3/vmlinux-3f01e9fe.xz
kernel image: https://storage.googleapis.com/syzbot-assets/5e7a6471dadf/bzImage-3f01e9fe.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+cf8e7fa4eeec59b3d485@syzkaller.appspotmail.com

Warning: Permanently added '10.128.1.1' (ED25519) to the list of known hosts.
executing program
executing program
BUG: memory leak
unreferenced object 0xffff888100877000 (size 512):
  comm "syz-executor257", pid 5012, jiffies 4294941742 (age 12.790s)
  hex dump (first 32 bytes):
    80 ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
    [<ffffffff8154bf94>] kmalloc_trace+0x24/0x90 mm/slab_common.c:1076
    [<ffffffff83d29e28>] kmalloc include/linux/slab.h:582 [inline]
    [<ffffffff83d29e28>] kzalloc include/linux/slab.h:703 [inline]
    [<ffffffff83d29e28>] snd_seq_create_port+0x78/0x300 sound/core/seq/seq_ports.c:135
    [<ffffffff83d1f681>] snd_seq_ioctl_create_port+0xe1/0x2a0 sound/core/seq/seq_clientmgr.c:1324
    [<ffffffff83d20e5e>] snd_seq_ioctl+0x13e/0x290 sound/core/seq/seq_clientmgr.c:2327
    [<ffffffff81685173>] vfs_ioctl fs/ioctl.c:51 [inline]
    [<ffffffff81685173>] __do_sys_ioctl fs/ioctl.c:870 [inline]
    [<ffffffff81685173>] __se_sys_ioctl fs/ioctl.c:856 [inline]
    [<ffffffff81685173>] __x64_sys_ioctl+0x103/0x140 fs/ioctl.c:856
    [<ffffffff84a77ff9>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
    [<ffffffff84a77ff9>] do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
    [<ffffffff84c0008b>] entry_SYSCALL_64_after_hwframe+0x63/0xcd

BUG: memory leak
unreferenced object 0xffff888106742c00 (size 512):
  comm "syz-executor257", pid 5013, jiffies 4294942276 (age 7.450s)
  hex dump (first 32 bytes):
    80 ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
    [<ffffffff8154bf94>] kmalloc_trace+0x24/0x90 mm/slab_common.c:1076
    [<ffffffff83d29e28>] kmalloc include/linux/slab.h:582 [inline]
    [<ffffffff83d29e28>] kzalloc include/linux/slab.h:703 [inline]
    [<ffffffff83d29e28>] snd_seq_create_port+0x78/0x300 sound/core/seq/seq_ports.c:135
    [<ffffffff83d1f681>] snd_seq_ioctl_create_port+0xe1/0x2a0 sound/core/seq/seq_clientmgr.c:1324
    [<ffffffff83d20e5e>] snd_seq_ioctl+0x13e/0x290 sound/core/seq/seq_clientmgr.c:2327
    [<ffffffff81685173>] vfs_ioctl fs/ioctl.c:51 [inline]
    [<ffffffff81685173>] __do_sys_ioctl fs/ioctl.c:870 [inline]
    [<ffffffff81685173>] __se_sys_ioctl fs/ioctl.c:856 [inline]
    [<ffffffff81685173>] __x64_sys_ioctl+0x103/0x140 fs/ioctl.c:856
    [<ffffffff84a77ff9>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
    [<ffffffff84a77ff9>] do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
    [<ffffffff84c0008b>] entry_SYSCALL_64_after_hwframe+0x63/0xcd



---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the bug is already fixed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to change bug's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the bug is a duplicate of another bug, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup


* Re: [syzbot] [alsa?] memory leak in snd_seq_create_port
  2023-07-16  8:21 [syzbot] [alsa?] memory leak in snd_seq_create_port syzbot
@ 2023-07-16 13:07 ` Takashi Iwai
  2023-07-16 19:06   ` Geraldo Nascimento
  0 siblings, 1 reply; 8+ messages in thread
From: Takashi Iwai @ 2023-07-16 13:07 UTC (permalink / raw)
  To: syzbot; +Cc: alsa-devel, linux-kernel, perex, syzkaller-bugs, tiwai

On Sun, 16 Jul 2023 10:21:49 +0200,
syzbot wrote:
> 
> [syzbot report snipped; it is quoted in full in the first message of this thread]

Likely a forgotten kfree() at the error path.
The patch below should fix it.


Takashi

-- 8< --
From: Takashi Iwai <tiwai@suse.de>
Subject: [PATCH] ALSA: seq: Fix memory leak at error path in
 snd_seq_create_port()

We forgot to release a newly allocated item at the error path in
snd_seq_create_port().  This patch fixes it.

Reported-by: syzbot+cf8e7fa4eeec59b3d485@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/r/00000000000098ed3a0600965f89@google.com
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
---
 sound/core/seq/seq_ports.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/sound/core/seq/seq_ports.c b/sound/core/seq/seq_ports.c
index 9b80f8275026..f3f14ff0f80f 100644
--- a/sound/core/seq/seq_ports.c
+++ b/sound/core/seq/seq_ports.c
@@ -149,6 +149,7 @@ int snd_seq_create_port(struct snd_seq_client *client, int port,
 	write_lock_irq(&client->ports_lock);
 	list_for_each_entry(p, &client->ports_list_head, list) {
 		if (p->addr.port == port) {
+			kfree(new_port);
 			num = -EBUSY;
 			goto unlock;
 		}
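Review bot: the kfree(new_port) on the -EBUSY path is correct in itself (kfree does not sleep, so calling it under write_lock_irq is fine, and the object was never linked into ports_list_head, so nothing else can reference it), but it puts the cleanup at the site of one check rather than on the shared exit. Any other early exit between the kzalloc at seq_ports.c:135 and the list insertion would need its own kfree and would be just as easy to miss as this one was. Consider a single error exit after the `unlock:` label that does `kfree(new_port)` whenever `num < 0`, so the duplicate-port check and any future error return share one release path; the commit message should then say that the port is released on every failure after allocation, not just on -EBUSY.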
-- 
2.35.3



* Re: [syzbot] [alsa?] memory leak in snd_seq_create_port
  2023-07-16 13:07 ` Takashi Iwai
@ 2023-07-16 19:06   ` Geraldo Nascimento
  2023-07-17  6:27     ` Takashi Iwai
  2023-07-17  7:02     ` Dmitry Vyukov
  0 siblings, 2 replies; 8+ messages in thread
From: Geraldo Nascimento @ 2023-07-16 19:06 UTC (permalink / raw)
  To: Takashi Iwai
  Cc: syzbot, alsa-devel, linux-kernel, perex, syzkaller-bugs, tiwai

On Sun, Jul 16, 2023 at 03:07:23PM +0200, Takashi Iwai wrote:
> On Sun, 16 Jul 2023 10:21:49 +0200,
> syzbot wrote:
> > [syzbot report snipped; it is quoted in full in the first message of this thread]
> 
> Likely a forgotten kfree() at the error path.
> The patch below should fix it.
> 
> 
> Takashi
> 
> -- 8< --
> From: Takashi Iwai <tiwai@suse.de>
> Subject: [PATCH] ALSA: seq: Fix memory leak at error path in
>  snd_seq_create_port()
> 
> We forgot to release a newly allocated item at the error path in
> snd_seq_create_port().  This patch fixes it.

Thanks for the clarification and quick proposed resolution, Takashi. As
an ALSA novice, these bots always stunt me, personally. I understand how
helpful they are, however, even if cryptic.

But shouldn't this be reported to security? It's always prone to bad
stuff when we forget a kfree().

Thanks,
Geraldo Nascimento



* Re: [syzbot] [alsa?] memory leak in snd_seq_create_port
  2023-07-16 19:06   ` Geraldo Nascimento
@ 2023-07-17  6:27     ` Takashi Iwai
  2023-07-17 13:29       ` Geraldo Nascimento
  2023-07-17  7:02     ` Dmitry Vyukov
  1 sibling, 1 reply; 8+ messages in thread
From: Takashi Iwai @ 2023-07-17  6:27 UTC (permalink / raw)
  To: Geraldo Nascimento
  Cc: syzbot, alsa-devel, linux-kernel, perex, syzkaller-bugs, tiwai

On Sun, 16 Jul 2023 21:06:52 +0200,
Geraldo Nascimento wrote:
> 
> On Sun, Jul 16, 2023 at 03:07:23PM +0200, Takashi Iwai wrote:
> > On Sun, 16 Jul 2023 10:21:49 +0200,
> > syzbot wrote:
> > > [syzbot report snipped; it is quoted in full in the first message of this thread]
> > 
> > Likely a forgotten kfree() at the error path.
> > The patch below should fix it.
> > 
> > 
> > Takashi
> > 
> > -- 8< --
> > From: Takashi Iwai <tiwai@suse.de>
> > Subject: [PATCH] ALSA: seq: Fix memory leak at error path in
> >  snd_seq_create_port()
> > 
> > We forgot to release a newly allocated item at the error path in
> > snd_seq_create_port().  This patch fixes it.
> 
> Thanks for the clarification and quick proposed resolution, Takashi. As
> an ALSA novice, these bots always stunt me, personally. I understand how
> helpful they are, however, even if cryptic.
> 
> But shouldn't this be reported to security? It's always prone to bad
> stuff when we forget a kfree().

It's a bug that happened only on 6.5-rc1, so no need to bother too
much with security issue fiasco for distros.


Takashi


* Re: [syzbot] [alsa?] memory leak in snd_seq_create_port
  2023-07-16 19:06   ` Geraldo Nascimento
  2023-07-17  6:27     ` Takashi Iwai
@ 2023-07-17  7:02     ` Dmitry Vyukov
  2023-07-17 13:31       ` Geraldo Nascimento
  2023-07-17 21:05       ` Geraldo Nascimento
  1 sibling, 2 replies; 8+ messages in thread
From: Dmitry Vyukov @ 2023-07-17  7:02 UTC (permalink / raw)
  To: Geraldo Nascimento
  Cc: Takashi Iwai, syzbot, alsa-devel, linux-kernel, perex,
	syzkaller-bugs, tiwai, syzkaller

On Sun, 16 Jul 2023 at 22:47, Geraldo Nascimento
<geraldogabriel@gmail.com> wrote:
>
> On Sun, Jul 16, 2023 at 03:07:23PM +0200, Takashi Iwai wrote:
> > On Sun, 16 Jul 2023 10:21:49 +0200,
> > syzbot wrote:
> > > [syzbot report snipped; it is quoted in full in the first message of this thread]
> >
> > Likely a forgotten kfree() at the error path.
> > The patch below should fix it.
> >
> >
> > Takashi
> >
> > -- 8< --
> > From: Takashi Iwai <tiwai@suse.de>
> > Subject: [PATCH] ALSA: seq: Fix memory leak at error path in
> >  snd_seq_create_port()
> >
> > We forgot to release a newly allocated item at the error path in
> > snd_seq_create_port().  This patch fixes it.
>
> Thanks for the clarification and quick proposed resolution, Takashi. As
> an ALSA novice, these bots always stunt me, personally. I understand how
> helpful they are, however, even if cryptic.

Hi Geraldo,

What exactly is cryptic in the report? Is there anything that can be
done to make it less cryptic?


> But shouldn't this be reported to security? It's always prone to bad
> stuff when we forget a kfree().
>
> Thanks,
> Geraldo Nascimento
>


* Re: [syzbot] [alsa?] memory leak in snd_seq_create_port
  2023-07-17  6:27     ` Takashi Iwai
@ 2023-07-17 13:29       ` Geraldo Nascimento
  0 siblings, 0 replies; 8+ messages in thread
From: Geraldo Nascimento @ 2023-07-17 13:29 UTC (permalink / raw)
  To: Takashi Iwai
  Cc: syzbot, alsa-devel, linux-kernel, perex, syzkaller-bugs, tiwai

On Mon, Jul 17, 2023 at 08:27:48AM +0200, Takashi Iwai wrote:
> 
> It's a bug that happened only on 6.5-rc1, so no need to bother too
> much with security issue fiasco for distros.

Thanks, Takashi. I tried to create a DoS to exhaust all memory through
this bug but ran into other unrelated issues with 6.5-rc1. Glad syzbot
caught this. Thanks!

Geraldo Nascimento

> 
> 
> Takashi


* Re: [syzbot] [alsa?] memory leak in snd_seq_create_port
  2023-07-17  7:02     ` Dmitry Vyukov
@ 2023-07-17 13:31       ` Geraldo Nascimento
  2023-07-17 21:05       ` Geraldo Nascimento
  1 sibling, 0 replies; 8+ messages in thread
From: Geraldo Nascimento @ 2023-07-17 13:31 UTC (permalink / raw)
  To: Dmitry Vyukov
  Cc: Takashi Iwai, syzbot, alsa-devel, linux-kernel, perex,
	syzkaller-bugs, tiwai, syzkaller

On Mon, Jul 17, 2023 at 09:02:07AM +0200, Dmitry Vyukov wrote:
> 
> Hi Geraldo,
> 
> What exactly is cryptic in the report? Is there anything that can be
> done to make it less cryptic?
>

Hi Dmitry,

It's cryptic for a novice only, of course, in the same sense that kernel
stack traces are a pain for a novice to decode. Unfortunately I believe
it's only AI/LLMs that will make it easier to abstract the low-level
details and give a high-level explanation of the bug.

Thanks,
Geraldo Nascimento

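Dmitry asks above what would make the report less cryptic; the exchange is about reading a kmemleak record down to the owning function and the syscall it was reached through. The Python below is an added illustration, not part of this thread or of syzbot: it parses records in the format syzbot posted, skips the allocator wrapper frames (the ALLOCATORS set is an assumption listing common kmalloc wrappers) and reduces each leak to function, file:line, entry syscall and the processes involved. The sample input is the two records from the report above, the second trimmed of its hex dump and [inline] frames.

```python
import re
from collections import defaultdict

# Sample input: the two kmemleak records from the syzbot report in this thread
# (the second one trimmed of its hex dump and [inline] frames to keep it short).
SAMPLE_REPORT = """\
BUG: memory leak
unreferenced object 0xffff888100877000 (size 512):
  comm "syz-executor257", pid 5012, jiffies 4294941742 (age 12.790s)
  hex dump (first 32 bytes):
    80 ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
    [<ffffffff8154bf94>] kmalloc_trace+0x24/0x90 mm/slab_common.c:1076
    [<ffffffff83d29e28>] kmalloc include/linux/slab.h:582 [inline]
    [<ffffffff83d29e28>] kzalloc include/linux/slab.h:703 [inline]
    [<ffffffff83d29e28>] snd_seq_create_port+0x78/0x300 sound/core/seq/seq_ports.c:135
    [<ffffffff83d1f681>] snd_seq_ioctl_create_port+0xe1/0x2a0 sound/core/seq/seq_clientmgr.c:1324
    [<ffffffff83d20e5e>] snd_seq_ioctl+0x13e/0x290 sound/core/seq/seq_clientmgr.c:2327
    [<ffffffff81685173>] vfs_ioctl fs/ioctl.c:51 [inline]
    [<ffffffff81685173>] __do_sys_ioctl fs/ioctl.c:870 [inline]
    [<ffffffff81685173>] __se_sys_ioctl fs/ioctl.c:856 [inline]
    [<ffffffff81685173>] __x64_sys_ioctl+0x103/0x140 fs/ioctl.c:856
    [<ffffffff84a77ff9>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
    [<ffffffff84a77ff9>] do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
    [<ffffffff84c0008b>] entry_SYSCALL_64_after_hwframe+0x63/0xcd

BUG: memory leak
unreferenced object 0xffff888106742c00 (size 512):
  comm "syz-executor257", pid 5013, jiffies 4294942276 (age 7.450s)
  backtrace:
    [<ffffffff8154bf94>] kmalloc_trace+0x24/0x90 mm/slab_common.c:1076
    [<ffffffff83d29e28>] snd_seq_create_port+0x78/0x300 sound/core/seq/seq_ports.c:135
    [<ffffffff83d1f681>] snd_seq_ioctl_create_port+0xe1/0x2a0 sound/core/seq/seq_clientmgr.c:1324
    [<ffffffff83d20e5e>] snd_seq_ioctl+0x13e/0x290 sound/core/seq/seq_clientmgr.c:2327
    [<ffffffff81685173>] __x64_sys_ioctl+0x103/0x140 fs/ioctl.c:856
    [<ffffffff84a77ff9>] do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
    [<ffffffff84c0008b>] entry_SYSCALL_64_after_hwframe+0x63/0xcd
"""

OBJ_RE = re.compile(r"unreferenced object (0x[0-9a-f]+) \(size (\d+)\)")
COMM_RE = re.compile(r'comm "([^"]+)", pid (\d+)')
# One backtrace frame: [<addr>] func[+off/len] file:line [inline]
FRAME_RE = re.compile(
    r"\[<[0-9a-f]+>\] (\S+?)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)? (\S+:\d+)( \[inline\])?")

# Assumption: generic allocator wrappers that never own a leak; the first frame
# below them is the function responsible for releasing the object.
ALLOCATORS = {"kmalloc_trace", "kmalloc", "kzalloc", "kcalloc", "kmalloc_node",
              "kvmalloc", "kvzalloc", "__kmalloc", "kmem_cache_alloc"}


def parse_kmemleak(text):
    """Split a kmemleak log into records: addr, size, comm, pid and frames."""
    records, cur = [], None
    for line in text.splitlines():
        m = OBJ_RE.search(line)
        if m:
            cur = {"addr": m.group(1), "size": int(m.group(2)), "frames": []}
            records.append(cur)
            continue
        if cur is None:
            continue
        m = COMM_RE.search(line)
        if m:
            cur["comm"], cur["pid"] = m.group(1), int(m.group(2))
            continue
        m = FRAME_RE.search(line)
        if m:  # hex dump and header lines never match, so they are skipped
            cur["frames"].append((m.group(1), m.group(2), m.group(3) is not None))
    return records


def allocation_site(rec):
    """(function, file:line) of the first frame below the allocator wrappers."""
    for func, loc, _inline in rec["frames"]:
        if func not in ALLOCATORS:
            return func, loc
    return None


def syscall_entry(rec):
    """Name of the syscall the leaking path was entered through, if any."""
    for func, _loc, _inline in rec["frames"]:
        if func.startswith(("__do_sys_", "__se_sys_", "__x64_sys_")):
            return func.split("sys_", 1)[1]
    return None


def summarize(text):
    """Group leaks by allocation site; one plain-language line per site."""
    groups = defaultdict(list)
    for rec in parse_kmemleak(text):
        site = allocation_site(rec)
        if site:
            groups[site].append(rec)
    lines = []
    for (func, loc), recs in groups.items():
        total = sum(r["size"] for r in recs)
        pids = sorted({r["pid"] for r in recs})
        entry = syscall_entry(recs[0]) or "unknown"
        lines.append(f"{len(recs)} object(s), {total} bytes leaked by {func} ({loc}), "
                     f"reached via the {entry}() syscall from {recs[0]['comm']} (pids {pids})")
    return lines
```

Running summarize(SAMPLE_REPORT) collapses both records into one line naming snd_seq_create_port at seq_ports.c:135 and the ioctl() entry, which is the same conclusion Takashi drew by hand from the backtrace.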

* Re: [syzbot] [alsa?] memory leak in snd_seq_create_port
  2023-07-17  7:02     ` Dmitry Vyukov
  2023-07-17 13:31       ` Geraldo Nascimento
@ 2023-07-17 21:05       ` Geraldo Nascimento
  1 sibling, 0 replies; 8+ messages in thread
From: Geraldo Nascimento @ 2023-07-17 21:05 UTC (permalink / raw)
  To: Dmitry Vyukov
  Cc: Takashi Iwai, syzbot, alsa-devel, linux-kernel, perex,
	syzkaller-bugs, tiwai, syzkaller

On Mon, Jul 17, 2023 at 09:02:07AM +0200, Dmitry Vyukov wrote:
> 
> Hi Geraldo,
> 
> What exactly is cryptic in the report? Is there anything that can be
> done to make it less cryptic?

Hi again, Dmitry.

Perhaps also a bad choice of words. Cryptic borders on the undecipherable,
while esoteric is the more proper word here. Those kernel hackers with
esoteric C and assembly skills like Takashi Iwai or you will quickly
infer that a kfree() is missing in such and such scope.

In my other message, I meant to say that such esoteric knowledge is
barely possessed by a novice kernel hacker, and they end up adding noise
to the lists, especially if they are involved in the patch acceptance
process, especially as author of the patch, which I'm neither in this
case.

Now, if somebody were to apply LLMs to the build and checker bots and
actually get to a point where they were getting good patch propositions
from the machine rather than a bunch of hallucinations, that would be
quite the feat. It's only a faint dream right now, but you did
specifically ask for the "vision" :)

Thank you,
Geraldo Nascimento

