From: syzbot <syzbot+6912c9592caca7ca0e7d@syzkaller.appspotmail.com>
To: alsa-devel@alsa-project.org, linux-kernel@vger.kernel.org,
perex@perex.cz, syzkaller-bugs@googlegroups.com, tiwai@suse.com
Subject: [syzbot] KASAN: use-after-free Read in __snd_rawmidi_transmit_ack
Date: Tue, 24 May 2022 23:50:25 -0700 [thread overview]
Message-ID: <000000000000e7e75005dfd07cf6@google.com> (raw)
Hello,
syzbot found the following issue on:
HEAD commit: 3b5e1590a267 Merge tag 'gpio-fixes-for-v5.18' of git://git..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1195135ef00000
kernel config: https://syzkaller.appspot.com/x/.config?x=902c5209311d387c
dashboard link: https://syzkaller.appspot.com/bug?extid=6912c9592caca7ca0e7d
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
Unfortunately, I don't have any reproducer for this issue yet.
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+6912c9592caca7ca0e7d@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: use-after-free in __snd_rawmidi_transmit_ack+0x2cd/0x2f0 sound/core/rawmidi.c:1348
Read of size 8 at addr ffff888078b36410 by task kworker/1:1H/754
CPU: 1 PID: 754 Comm: kworker/1:1H Not tainted 5.18.0-rc7-syzkaller-00136-g3b5e1590a267 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events_highpri snd_usbmidi_out_work
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
print_address_description.constprop.0.cold+0xeb/0x495 mm/kasan/report.c:313
print_report mm/kasan/report.c:429 [inline]
kasan_report.cold+0xf4/0x1c6 mm/kasan/report.c:491
__snd_rawmidi_transmit_ack+0x2cd/0x2f0 sound/core/rawmidi.c:1348
snd_rawmidi_transmit+0xae/0xf0 sound/core/rawmidi.c:1415
snd_usbmidi_standard_output+0x264/0xc10 sound/usb/midi.c:650
snd_usbmidi_do_output+0x200/0x510 sound/usb/midi.c:311
process_one_work+0x996/0x1610 kernel/workqueue.c:2289
worker_thread+0x665/0x1080 kernel/workqueue.c:2436
kthread+0x2e9/0x3a0 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:298
</TASK>
Allocated by task 9345:
kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
kasan_set_track mm/kasan/common.c:45 [inline]
set_alloc_info mm/kasan/common.c:436 [inline]
____kasan_kmalloc mm/kasan/common.c:515 [inline]
____kasan_kmalloc mm/kasan/common.c:474 [inline]
__kasan_kmalloc+0xa9/0xd0 mm/kasan/common.c:524
kmalloc include/linux/slab.h:581 [inline]
kzalloc include/linux/slab.h:714 [inline]
snd_rawmidi_runtime_create sound/core/rawmidi.c:148 [inline]
open_substream+0xe9/0x8b0 sound/core/rawmidi.c:306
rawmidi_open_priv+0x591/0x6f0 sound/core/rawmidi.c:357
snd_rawmidi_kernel_open+0x1b5/0x270 sound/core/rawmidi.c:392
midisynth_use+0xee/0x270 sound/core/seq/seq_midi.c:215
subscribe_port sound/core/seq/seq_ports.c:412 [inline]
check_and_subscribe_port+0x89a/0xb80 sound/core/seq/seq_ports.c:495
snd_seq_port_connect+0x382/0x540 sound/core/seq/seq_ports.c:581
snd_seq_ioctl_subscribe_port+0x1fc/0x400 sound/core/seq/seq_clientmgr.c:1492
snd_seq_kernel_client_ctl+0x102/0x1e0 sound/core/seq/seq_clientmgr.c:2369
snd_seq_oss_midi_open+0x582/0x6e0 sound/core/seq/oss/seq_oss_midi.c:359
snd_seq_oss_synth_setup_midi+0x12d/0x530 sound/core/seq/oss/seq_oss_synth.c:269
snd_seq_oss_open+0x8c3/0xa80 sound/core/seq/oss/seq_oss_init.c:260
odev_open+0x6c/0x90 sound/core/seq/oss/seq_oss.c:128
soundcore_open+0x44e/0x620 sound/sound_core.c:593
chrdev_open+0x266/0x770 fs/char_dev.c:414
do_dentry_open+0x4a1/0x11e0 fs/open.c:824
do_open fs/namei.c:3476 [inline]
path_openat+0x1c71/0x2910 fs/namei.c:3609
do_filp_open+0x1aa/0x400 fs/namei.c:3636
do_sys_openat2+0x16d/0x4c0 fs/open.c:1213
do_sys_open fs/open.c:1229 [inline]
__do_sys_openat fs/open.c:1245 [inline]
__se_sys_openat fs/open.c:1240 [inline]
__x64_sys_openat+0x13f/0x1f0 fs/open.c:1240
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
Freed by task 9345:
kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
kasan_set_track+0x21/0x30 mm/kasan/common.c:45
kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:370
____kasan_slab_free mm/kasan/common.c:366 [inline]
____kasan_slab_free+0x166/0x1a0 mm/kasan/common.c:328
kasan_slab_free include/linux/kasan.h:200 [inline]
slab_free_hook mm/slub.c:1728 [inline]
slab_free_freelist_hook+0x8b/0x1c0 mm/slub.c:1754
slab_free mm/slub.c:3510 [inline]
kfree+0xd6/0x4d0 mm/slub.c:4552
snd_rawmidi_runtime_free sound/core/rawmidi.c:177 [inline]
close_substream.part.0+0x18d/0x720 sound/core/rawmidi.c:528
close_substream sound/core/rawmidi.c:507 [inline]
rawmidi_release_priv+0x192/0x270 sound/core/rawmidi.c:547
snd_rawmidi_kernel_release+0x39/0xd0 sound/core/rawmidi.c:564
midisynth_unuse+0x45/0x80 sound/core/seq/seq_midi.c:244
unsubscribe_port sound/core/seq/seq_ports.c:437 [inline]
__delete_and_unsubscribe_port+0x270/0x4c0 sound/core/seq/seq_ports.c:537
snd_seq_port_disconnect+0x41c/0x5d0 sound/core/seq/seq_ports.c:616
snd_seq_ioctl_unsubscribe_port+0x1fc/0x400 sound/core/seq/seq_clientmgr.c:1537
snd_seq_kernel_client_ctl+0x102/0x1e0 sound/core/seq/seq_clientmgr.c:2369
snd_seq_oss_midi_close+0x44f/0x4d0 sound/core/seq/oss/seq_oss_midi.c:404
snd_seq_oss_synth_reset+0x422/0x880 sound/core/seq/oss/seq_oss_synth.c:406
snd_seq_oss_reset+0x6f/0x290 sound/core/seq/oss/seq_oss_init.c:435
snd_seq_oss_release+0x78/0x1a0 sound/core/seq/oss/seq_oss_init.c:412
odev_release+0x4f/0x70 sound/core/seq/oss/seq_oss.c:144
__fput+0x277/0x9d0 fs/file_table.c:317
task_work_run+0xdd/0x1a0 kernel/task_work.c:164
get_signal+0x1c5/0x24c0 kernel/signal.c:2641
arch_do_signal_or_restart+0x82/0x20f0 arch/x86/kernel/signal.c:867
exit_to_user_mode_loop kernel/entry/common.c:166 [inline]
exit_to_user_mode_prepare+0x15f/0x250 kernel/entry/common.c:201
__syscall_exit_to_user_mode_work kernel/entry/common.c:283 [inline]
syscall_exit_to_user_mode+0x19/0x60 kernel/entry/common.c:294
do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x44/0xae
The buggy address belongs to the object at ffff888078b36400
which belongs to the cache kmalloc-512 of size 512
The buggy address is located 16 bytes inside of
512-byte region [ffff888078b36400, ffff888078b36600)
The buggy address belongs to the physical page:
page:ffffea0001e2cd00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x78b34
head:ffffea0001e2cd00 order:2 compound_mapcount:0 compound_pincount:0
flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000010200 dead000000000100 dead000000000122 ffff888010c41c80
raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 2967, tgid 2967 (udevadm), ts 15461279103, free_ts 12532036824
prep_new_page mm/page_alloc.c:2441 [inline]
get_page_from_freelist+0xba2/0x3e00 mm/page_alloc.c:4182
__alloc_pages+0x1b2/0x500 mm/page_alloc.c:5408
alloc_pages+0x1aa/0x310 mm/mempolicy.c:2272
alloc_slab_page mm/slub.c:1799 [inline]
allocate_slab+0x26c/0x3c0 mm/slub.c:1944
new_slab mm/slub.c:2004 [inline]
___slab_alloc+0x8df/0xf20 mm/slub.c:3005
__slab_alloc.constprop.0+0x4d/0xa0 mm/slub.c:3092
slab_alloc_node mm/slub.c:3183 [inline]
__kmalloc_node_track_caller+0x2cb/0x360 mm/slub.c:4947
kmalloc_reserve net/core/skbuff.c:354 [inline]
__alloc_skb+0xde/0x340 net/core/skbuff.c:426
alloc_skb include/linux/skbuff.h:1300 [inline]
alloc_uevent_skb+0x7b/0x210 lib/kobject_uevent.c:290
uevent_net_broadcast_untagged lib/kobject_uevent.c:326 [inline]
kobject_uevent_net_broadcast lib/kobject_uevent.c:409 [inline]
kobject_uevent_env+0xc42/0x1660 lib/kobject_uevent.c:593
kobject_synth_uevent+0x701/0x850 lib/kobject_uevent.c:208
store_uevent+0x12/0x20 kernel/module.c:1166
module_attr_store+0x50/0x80 kernel/params.c:919
sysfs_kf_write+0x110/0x160 fs/sysfs/file.c:136
kernfs_fop_write_iter+0x3f8/0x610 fs/kernfs/file.c:291
call_write_iter include/linux/fs.h:2050 [inline]
new_sync_write+0x38a/0x560 fs/read_write.c:504
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1356 [inline]
free_pcp_prepare+0x549/0xd20 mm/page_alloc.c:1406
free_unref_page_prepare mm/page_alloc.c:3328 [inline]
free_unref_page+0x19/0x6a0 mm/page_alloc.c:3423
free_contig_range+0xb1/0x180 mm/page_alloc.c:9418
destroy_args+0xa8/0x646 mm/debug_vm_pgtable.c:1018
debug_vm_pgtable+0x2a51/0x2ae3 mm/debug_vm_pgtable.c:1332
do_one_initcall+0x103/0x650 init/main.c:1298
do_initcall_level init/main.c:1371 [inline]
do_initcalls init/main.c:1387 [inline]
do_basic_setup init/main.c:1406 [inline]
kernel_init_freeable+0x6b1/0x73a init/main.c:1613
kernel_init+0x1a/0x1d0 init/main.c:1502
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:298
Memory state around the buggy address:
ffff888078b36300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff888078b36380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff888078b36400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff888078b36480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888078b36500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
reply other threads:[~2022-05-25 6:50 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=000000000000e7e75005dfd07cf6@google.com \
--to=syzbot+6912c9592caca7ca0e7d@syzkaller.appspotmail.com \
--cc=alsa-devel@alsa-project.org \
--cc=linux-kernel@vger.kernel.org \
--cc=perex@perex.cz \
--cc=syzkaller-bugs@googlegroups.com \
--cc=tiwai@suse.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.