[syzbot] KASAN: use-after-free Read in snd_rawmidi_poll

syzbot

Jan 12, 2023, 5:12:41 AM
to alsa-...@alsa-project.org, linux-...@vger.kernel.org, pe...@perex.cz, syzkall...@googlegroups.com, ti...@suse.com
Hello,

syzbot found the following issue on:

HEAD commit: 0a093b2893c7 Add linux-next specific files for 20230112
git tree: linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=1748baa1480000
kernel config: https://syzkaller.appspot.com/x/.config?x=835f3591019836d5
dashboard link: https://syzkaller.appspot.com/bug?extid=e3ec01fd2d18c9264c3b
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/8111a570d6cb/disk-0a093b28.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/ecc135b7fc9a/vmlinux-0a093b28.xz
kernel image: https://storage.googleapis.com/syzbot-assets/ca8d73b446ea/bzImage-0a093b28.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+e3ec01...@syzkaller.appspotmail.com

==================================================================
BUG: KASAN: use-after-free in snd_rawmidi_poll+0x559/0x680 sound/core/rawmidi.c:1655
Read of size 8 at addr ffff8881479ea708 by task syz-executor.0/7629

CPU: 1 PID: 7629 Comm: syz-executor.0 Not tainted 6.2.0-rc3-next-20230112-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xd1/0x138 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:306 [inline]
print_report+0x15e/0x45d mm/kasan/report.c:417
kasan_report+0xc0/0xf0 mm/kasan/report.c:517
snd_rawmidi_poll+0x559/0x680 sound/core/rawmidi.c:1655
vfs_poll include/linux/poll.h:88 [inline]
io_poll_check_events io_uring/poll.c:279 [inline]
io_poll_task_func+0x3a6/0x1220 io_uring/poll.c:327
handle_tw_list+0xa8/0x460 io_uring/io_uring.c:1169
tctx_task_work+0x12e/0x530 io_uring/io_uring.c:1224
task_work_run+0x16f/0x270 kernel/task_work.c:179
get_signal+0x1c7/0x24f0 kernel/signal.c:2635
arch_do_signal_or_restart+0x79/0x5c0 arch/x86/kernel/signal.c:306
exit_to_user_mode_loop kernel/entry/common.c:168 [inline]
exit_to_user_mode_prepare+0x11f/0x240 kernel/entry/common.c:204
__syscall_exit_to_user_mode_work kernel/entry/common.c:286 [inline]
syscall_exit_to_user_mode+0x1d/0x50 kernel/entry/common.c:297
do_syscall_64+0x46/0xb0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f66cbc8c0c9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f66cc936168 EFLAGS: 00000246 ORIG_RAX: 0000000000000013
RAX: fffffffffffffe00 RBX: 00007f66cbdabf80 RCX: 00007f66cbc8c0c9
RDX: 0000000000000001 RSI: 0000000020000800 RDI: 0000000000000006
RBP: 00007f66cbce7ae9 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffe231decef R14: 00007f66cc936300 R15: 0000000000022000
</TASK>

Allocated by task 7629:
kasan_save_stack+0x22/0x40 mm/kasan/common.c:45
kasan_set_track+0x25/0x30 mm/kasan/common.c:52
____kasan_kmalloc mm/kasan/common.c:371 [inline]
____kasan_kmalloc mm/kasan/common.c:330 [inline]
__kasan_kmalloc+0xa2/0xb0 mm/kasan/common.c:380
kmalloc include/linux/slab.h:580 [inline]
snd_rawmidi_open+0x39a/0xb70 sound/core/rawmidi.c:482
snd_open+0x223/0x460 sound/core/sound.c:169
chrdev_open+0x26a/0x770 fs/char_dev.c:414
do_dentry_open+0x6cc/0x13f0 fs/open.c:883
do_open fs/namei.c:3558 [inline]
path_openat+0x1bc1/0x2b40 fs/namei.c:3715
do_filp_open+0x1ba/0x410 fs/namei.c:3742
do_sys_openat2+0x16d/0x4c0 fs/open.c:1311
do_sys_open fs/open.c:1327 [inline]
__do_sys_openat fs/open.c:1343 [inline]
__se_sys_openat fs/open.c:1338 [inline]
__x64_sys_openat+0x143/0x1f0 fs/open.c:1338
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd

Freed by task 7629:
kasan_save_stack+0x22/0x40 mm/kasan/common.c:45
kasan_set_track+0x25/0x30 mm/kasan/common.c:52
kasan_save_free_info+0x2e/0x40 mm/kasan/generic.c:518
____kasan_slab_free mm/kasan/common.c:236 [inline]
____kasan_slab_free+0x160/0x1c0 mm/kasan/common.c:200
kasan_slab_free include/linux/kasan.h:162 [inline]
slab_free_hook mm/slub.c:1781 [inline]
slab_free_freelist_hook+0x8b/0x1c0 mm/slub.c:1807
slab_free mm/slub.c:3787 [inline]
__kmem_cache_free+0xaf/0x2d0 mm/slub.c:3800
snd_rawmidi_release+0x6a/0xf0 sound/core/rawmidi.c:619
__fput+0x27c/0xa90 fs/file_table.c:321
task_work_run+0x16f/0x270 kernel/task_work.c:179
get_signal+0x1c7/0x24f0 kernel/signal.c:2635
arch_do_signal_or_restart+0x79/0x5c0 arch/x86/kernel/signal.c:306
exit_to_user_mode_loop kernel/entry/common.c:168 [inline]
exit_to_user_mode_prepare+0x11f/0x240 kernel/entry/common.c:204
__syscall_exit_to_user_mode_work kernel/entry/common.c:286 [inline]
syscall_exit_to_user_mode+0x1d/0x50 kernel/entry/common.c:297
do_syscall_64+0x46/0xb0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x63/0xcd

The buggy address belongs to the object at ffff8881479ea700
which belongs to the cache kmalloc-32 of size 32
The buggy address is located 8 bytes inside of
32-byte region [ffff8881479ea700, ffff8881479ea720)

The buggy address belongs to the physical page:
page:ffffea00051e7a80 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1479ea
flags: 0x57ff00000000200(slab|node=1|zone=2|lastcpupid=0x7ff)
raw: 057ff00000000200 ffff888012441500 ffffea0001debd00 dead000000000004
raw: 0000000000000000 0000000000400040 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 1, tgid 1 (swapper/0), ts 9844741481, free_ts 0
prep_new_page mm/page_alloc.c:2549 [inline]
get_page_from_freelist+0x11bb/0x2d50 mm/page_alloc.c:4324
__alloc_pages+0x1cb/0x5c0 mm/page_alloc.c:5590
alloc_page_interleave+0x1e/0x200 mm/mempolicy.c:2114
alloc_pages+0x233/0x270 mm/mempolicy.c:2276
alloc_slab_page mm/slub.c:1851 [inline]
allocate_slab+0x25f/0x350 mm/slub.c:1998
new_slab mm/slub.c:2051 [inline]
___slab_alloc+0xa91/0x1400 mm/slub.c:3193
__slab_alloc.constprop.0+0x56/0xa0 mm/slub.c:3292
__slab_alloc_node mm/slub.c:3345 [inline]
slab_alloc_node mm/slub.c:3442 [inline]
__kmem_cache_alloc_node+0x136/0x330 mm/slub.c:3491
__do_kmalloc_node mm/slab_common.c:966 [inline]
__kmalloc+0x4a/0xd0 mm/slab_common.c:980
kmalloc include/linux/slab.h:584 [inline]
usb_get_configuration+0x381/0x3b60 drivers/usb/core/config.c:919
usb_enumerate_device drivers/usb/core/hub.c:2405 [inline]
usb_new_device+0x56a/0x7b0 drivers/usb/core/hub.c:2543
register_root_hub+0x421/0x573 drivers/usb/core/hcd.c:1017
usb_add_hcd.cold+0x100c/0x13a1 drivers/usb/core/hcd.c:2991
vhci_hcd_probe+0x14f/0x3a0 drivers/usb/usbip/vhci_hcd.c:1362
platform_probe+0x100/0x1f0 drivers/base/platform.c:1400
call_driver_probe drivers/base/dd.c:560 [inline]
really_probe+0x249/0xb90 drivers/base/dd.c:639
page_owner free stack trace missing

Memory state around the buggy address:
ffff8881479ea600: 00 00 00 00 fc fc fc fc 00 00 00 07 fc fc fc fc
ffff8881479ea680: fa fb fb fb fc fc fc fc 00 00 00 07 fc fc fc fc
>ffff8881479ea700: fa fb fb fb fc fc fc fc 00 00 00 00 fc fc fc fc
^
ffff8881479ea780: 00 00 00 00 fc fc fc fc 00 00 00 00 fc fc fc fc
ffff8881479ea800: 00 00 00 01 fc fc fc fc 00 00 00 00 fc fc fc fc
==================================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

syzbot

Jan 12, 2023, 10:42:35 AM
to alsa-dev...@alsa-project.org, alsa-...@alsa-project.org, linux-...@vger.kernel.org, pe...@perex.cz, syzkall...@googlegroups.com, ti...@suse.com
syzbot has found a reproducer for the following issue on:

HEAD commit: 0a093b2893c7 Add linux-next specific files for 20230112
git tree: linux-next
console+strace: https://syzkaller.appspot.com/x/log.txt?x=170d2a91480000
kernel config: https://syzkaller.appspot.com/x/.config?x=835f3591019836d5
dashboard link: https://syzkaller.appspot.com/bug?extid=e3ec01fd2d18c9264c3b
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1755a902480000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=12b3995a480000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/8111a570d6cb/disk-0a093b28.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/ecc135b7fc9a/vmlinux-0a093b28.xz
kernel image: https://storage.googleapis.com/syzbot-assets/ca8d73b446ea/bzImage-0a093b28.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+e3ec01...@syzkaller.appspotmail.com

==================================================================
BUG: KASAN: use-after-free in snd_rawmidi_poll+0x559/0x680 sound/core/rawmidi.c:1655
Read of size 8 at addr ffff88801dff4dc8 by task syz-executor387/5079

CPU: 0 PID: 5079 Comm: syz-executor387 Not tainted 6.2.0-rc3-next-20230112-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xd1/0x138 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:306 [inline]
print_report+0x15e/0x45d mm/kasan/report.c:417
kasan_report+0xc0/0xf0 mm/kasan/report.c:517
snd_rawmidi_poll+0x559/0x680 sound/core/rawmidi.c:1655
vfs_poll include/linux/poll.h:88 [inline]
io_poll_check_events io_uring/poll.c:279 [inline]
io_poll_task_func+0x3a6/0x1220 io_uring/poll.c:327
handle_tw_list+0xa8/0x460 io_uring/io_uring.c:1169
tctx_task_work+0x12e/0x530 io_uring/io_uring.c:1224
task_work_run+0x16f/0x270 kernel/task_work.c:179
get_signal+0x1c7/0x24f0 kernel/signal.c:2635
arch_do_signal_or_restart+0x79/0x5c0 arch/x86/kernel/signal.c:306
exit_to_user_mode_loop kernel/entry/common.c:168 [inline]
exit_to_user_mode_prepare+0x11f/0x240 kernel/entry/common.c:204
__syscall_exit_to_user_mode_work kernel/entry/common.c:286 [inline]
syscall_exit_to_user_mode+0x1d/0x50 kernel/entry/common.c:297
do_syscall_64+0x46/0xb0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7fa2db0434a9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 81 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fa2dafd0308 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: fffffffffffffe00 RBX: 00007fa2db0c7438 RCX: 00007fa2db0434a9
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00007fa2db0c7438
RBP: 00007fa2db0c7430 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007fa2db095004
R13: 0000000000000005 R14: 00007fa2dafd0400 R15: 0000000000022000
</TASK>

Allocated by task 5078:
kasan_save_stack+0x22/0x40 mm/kasan/common.c:45
kasan_set_track+0x25/0x30 mm/kasan/common.c:52
____kasan_kmalloc mm/kasan/common.c:371 [inline]
____kasan_kmalloc mm/kasan/common.c:330 [inline]
__kasan_kmalloc+0xa2/0xb0 mm/kasan/common.c:380
kmalloc include/linux/slab.h:580 [inline]
snd_rawmidi_open+0x39a/0xb70 sound/core/rawmidi.c:482
snd_open+0x223/0x460 sound/core/sound.c:169
chrdev_open+0x26a/0x770 fs/char_dev.c:414
do_dentry_open+0x6cc/0x13f0 fs/open.c:883
do_open fs/namei.c:3558 [inline]
path_openat+0x1bc1/0x2b40 fs/namei.c:3715
do_filp_open+0x1ba/0x410 fs/namei.c:3742
do_sys_openat2+0x16d/0x4c0 fs/open.c:1311
do_sys_open fs/open.c:1327 [inline]
__do_sys_openat fs/open.c:1343 [inline]
__se_sys_openat fs/open.c:1338 [inline]
__x64_sys_openat+0x143/0x1f0 fs/open.c:1338
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd

Freed by task 5079:
kasan_save_stack+0x22/0x40 mm/kasan/common.c:45
kasan_set_track+0x25/0x30 mm/kasan/common.c:52
kasan_save_free_info+0x2e/0x40 mm/kasan/generic.c:518
____kasan_slab_free mm/kasan/common.c:236 [inline]
____kasan_slab_free+0x160/0x1c0 mm/kasan/common.c:200
kasan_slab_free include/linux/kasan.h:162 [inline]
slab_free_hook mm/slub.c:1781 [inline]
slab_free_freelist_hook+0x8b/0x1c0 mm/slub.c:1807
slab_free mm/slub.c:3787 [inline]
__kmem_cache_free+0xaf/0x2d0 mm/slub.c:3800
snd_rawmidi_release+0x6a/0xf0 sound/core/rawmidi.c:619
__fput+0x27c/0xa90 fs/file_table.c:321
task_work_run+0x16f/0x270 kernel/task_work.c:179
get_signal+0x1c7/0x24f0 kernel/signal.c:2635
arch_do_signal_or_restart+0x79/0x5c0 arch/x86/kernel/signal.c:306
exit_to_user_mode_loop kernel/entry/common.c:168 [inline]
exit_to_user_mode_prepare+0x11f/0x240 kernel/entry/common.c:204
__syscall_exit_to_user_mode_work kernel/entry/common.c:286 [inline]
syscall_exit_to_user_mode+0x1d/0x50 kernel/entry/common.c:297
do_syscall_64+0x46/0xb0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x63/0xcd

The buggy address belongs to the object at ffff88801dff4dc0
which belongs to the cache kmalloc-32 of size 32
The buggy address is located 8 bytes inside of
32-byte region [ffff88801dff4dc0, ffff88801dff4de0)

The buggy address belongs to the physical page:
page:ffffea000077fd00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1dff4
anon flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000200 ffff888012441500 0000000000000000 dead000000000001
raw: 0000000000000000 0000000080400040 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12c40(GFP_NOFS|__GFP_NOWARN|__GFP_NORETRY), pid 4439, tgid 4439 (udevadm), ts 18106124833, free_ts 13090785320
prep_new_page mm/page_alloc.c:2549 [inline]
get_page_from_freelist+0x11bb/0x2d50 mm/page_alloc.c:4324
__alloc_pages+0x1cb/0x5c0 mm/page_alloc.c:5590
alloc_pages+0x1aa/0x270 mm/mempolicy.c:2281
alloc_slab_page mm/slub.c:1851 [inline]
allocate_slab+0x25f/0x350 mm/slub.c:1998
new_slab mm/slub.c:2051 [inline]
___slab_alloc+0xa91/0x1400 mm/slub.c:3193
__slab_alloc.constprop.0+0x56/0xa0 mm/slub.c:3292
__slab_alloc_node mm/slub.c:3345 [inline]
slab_alloc_node mm/slub.c:3442 [inline]
__kmem_cache_alloc_node+0x136/0x330 mm/slub.c:3491
__do_kmalloc_node mm/slab_common.c:966 [inline]
__kmalloc+0x4a/0xd0 mm/slab_common.c:980
kmalloc include/linux/slab.h:584 [inline]
kzalloc include/linux/slab.h:720 [inline]
tomoyo_encode2.part.0+0xe9/0x3a0 security/tomoyo/realpath.c:45
tomoyo_encode2 security/tomoyo/realpath.c:31 [inline]
tomoyo_encode+0x2c/0x50 security/tomoyo/realpath.c:80
tomoyo_realpath_from_path+0x185/0x600 security/tomoyo/realpath.c:283
tomoyo_get_realpath security/tomoyo/file.c:151 [inline]
tomoyo_path_perm+0x22d/0x430 security/tomoyo/file.c:822
security_inode_getattr+0xd3/0x140 security/security.c:1375
vfs_getattr fs/stat.c:167 [inline]
vfs_statx+0x16e/0x430 fs/stat.c:242
vfs_fstatat+0x90/0xb0 fs/stat.c:276
__do_sys_newfstatat+0x8a/0x110 fs/stat.c:446
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1451 [inline]
free_pcp_prepare+0x4d0/0x910 mm/page_alloc.c:1501
free_unref_page_prepare mm/page_alloc.c:3387 [inline]
free_unref_page+0x1d/0x490 mm/page_alloc.c:3482
__vunmap+0x7fe/0xc00 mm/vmalloc.c:2746
free_work+0x5c/0x80 mm/vmalloc.c:100
process_one_work+0x9bf/0x1750 kernel/workqueue.c:2293
worker_thread+0x669/0x1090 kernel/workqueue.c:2440
kthread+0x2e8/0x3a0 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308

Memory state around the buggy address:
ffff88801dff4c80: fa fb fb fb fc fc fc fc 00 00 00 00 fc fc fc fc
ffff88801dff4d00: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
>ffff88801dff4d80: 00 00 00 05 fc fc fc fc fa fb fb fb fc fc fc fc
^
ffff88801dff4e00: fa fb fb fb fc fc fc fc 00 00 00 00 fc fc fc fc
ffff88801dff4e80: 00 00 00 00 fc fc fc fc fb fb fb fb fc fc fc fc
==================================================================

Hillf Danton

Jan 12, 2023, 10:40:11 PM
to syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com
On 12 Jan 2023 07:42:34 -0800
> syzbot has found a reproducer for the following issue on:
>
> HEAD commit: 0a093b2893c7 Add linux-next specific files for 20230112
> git tree: linux-next
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=12b3995a480000

Bump file up to make task work safe in the following case.

add task work to poll file;
add task work to put file;

When task work runs,

put file;
poll file;

UAF happens upon polling.

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git 0a093b2893c7

--- x/io_uring/io_uring.c
+++ y/io_uring/io_uring.c
@@ -1299,8 +1299,12 @@ void __io_req_task_work_add(struct io_ki
if (ctx->flags & IORING_SETUP_TASKRUN_FLAG)
atomic_or(IORING_SQ_TASKRUN, &ctx->rings->sq_flags);

+ if (req->file)
+ get_file(req->file);
if (likely(!task_work_add(req->task, &tctx->task_work, ctx->notify_method)))
return;
+ if (req->file)
+ fput(req->file);

io_fallback_tw(tctx);
}
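
Review bot: The reference taken by get_file(req->file) in __io_req_task_work_add is not balanced on every path. When task_work_add() fails, the added fput(req->file) runs and io_fallback_tw(tctx) then still runs the queued request, so the fput() this patch adds to io_poll_task_func drops the reference a second time. The function is also not poll-specific, while the only matching fput() in the patch is in io_poll_task_func, so any other request with req->file set that is queued here keeps an extra reference. Suggest taking and dropping the pin inside the poll code, or dropping it in one common place after the handler has run.
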
--- x/io_uring/poll.c
+++ y/io_uring/poll.c
@@ -325,6 +325,8 @@ static void io_poll_task_func(struct io_
int ret;

ret = io_poll_check_events(req, locked);
+ if (req->file)
+ fput(req->file);
if (ret == IOU_POLL_NO_ACTION)
return;
io_poll_remove_entries(req);
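
Review bot: The added fput(req->file) in io_poll_task_func runs before io_poll_remove_entries(req), so the pin is released while the request's poll entries are still registered. If that was the last reference, the removal on the following lines works on a file that has already been released. Suggest moving the fput() to after io_poll_remove_entries(req), and saving the pinned pointer so the put does not depend on req->file being unchanged.
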
--
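
The ordering described in the message above, as an added user-space C model (not kernel code and not part of the original post): a queued poll and a queued put of the same file are run in either order, with and without a reference taken when the poll work is queued. All struct and function names are hypothetical, and the model covers only the reference-count ordering the message describes.

```c
/* Added user-space model: not kernel code. All names are hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Stands in for a struct file and the private data its ->release() frees. */
struct model_file {
    int refcount;
    bool released;
};

enum work_kind { WORK_POLL, WORK_PUT };

struct model_work {
    enum work_kind kind;
    struct model_file *file;
    bool pinned;                /* the queuer took its own reference */
};

struct model_result {
    int polls_after_release;    /* accesses KASAN would report */
    int final_refcount;
    bool released;
};

static void model_get(struct model_file *f)
{
    f->refcount++;
}

/* Dropping the last reference runs release, as __fput() does. */
static void model_put(struct model_file *f)
{
    if (--f->refcount == 0)
        f->released = true;
}

static void run_work(struct model_work *w, struct model_result *res)
{
    if (w->kind == WORK_PUT) {
        model_put(w->file);
        return;
    }
    /* WORK_POLL: touching a released file is the use-after-free. */
    if (w->file->released)
        res->polls_after_release++;
    if (w->pinned)
        model_put(w->file);
}

/*
 * One file, one queued poll and one queued put of the descriptor's
 * reference. pin_poll: take a reference when the poll work is queued.
 * put_first: run the put before the poll, the order from the message.
 */
struct model_result simulate(bool pin_poll, bool put_first)
{
    struct model_file file = { .refcount = 1, .released = false };
    struct model_result res = { 0, 0, false };
    struct model_work queue[2];
    size_t i;

    if (pin_poll)
        model_get(&file);
    queue[0] = (struct model_work){ WORK_POLL, &file, pin_poll };
    queue[1] = (struct model_work){ WORK_PUT, &file, false };

    for (i = 0; i < 2; i++)
        run_work(&queue[put_first ? 1 - i : i], &res);

    res.final_refcount = file.refcount;
    res.released = file.released;
    return res;
}

int main(void)
{
    for (int pin = 0; pin <= 1; pin++)
        for (int put_first = 0; put_first <= 1; put_first++) {
            struct model_result r = simulate(pin, put_first);
            printf("pin=%d put_first=%d stale_polls=%d refcount=%d released=%d\n",
                   pin, put_first, r.polls_after_release,
                   r.final_refcount, r.released);
        }
    return 0;
}
```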

syzbot

Jan 12, 2023, 11:07:17 PM
to hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: use-after-free Read in snd_rawmidi_poll

==================================================================
BUG: KASAN: use-after-free in snd_rawmidi_poll+0x559/0x680 sound/core/rawmidi.c:1655
Read of size 8 at addr ffff8880786086c8 by task syz-executor.0/5598

CPU: 1 PID: 5598 Comm: syz-executor.0 Not tainted 6.2.0-rc3-next-20230112-syzkaller-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xd1/0x138 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:306 [inline]
print_report+0x15e/0x45d mm/kasan/report.c:417
kasan_report+0xc0/0xf0 mm/kasan/report.c:517
snd_rawmidi_poll+0x559/0x680 sound/core/rawmidi.c:1655
vfs_poll include/linux/poll.h:88 [inline]
io_poll_check_events io_uring/poll.c:279 [inline]
io_poll_task_func+0x3a6/0x1280 io_uring/poll.c:327
handle_tw_list+0xa8/0x460 io_uring/io_uring.c:1169
tctx_task_work+0x12e/0x530 io_uring/io_uring.c:1224
task_work_run+0x16f/0x270 kernel/task_work.c:179
get_signal+0x1c7/0x24f0 kernel/signal.c:2635
arch_do_signal_or_restart+0x79/0x5c0 arch/x86/kernel/signal.c:306
exit_to_user_mode_loop kernel/entry/common.c:168 [inline]
exit_to_user_mode_prepare+0x11f/0x240 kernel/entry/common.c:204
__syscall_exit_to_user_mode_work kernel/entry/common.c:286 [inline]
syscall_exit_to_user_mode+0x1d/0x50 kernel/entry/common.c:297
do_syscall_64+0x46/0xb0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7fcda7c8c0c9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fcda6ffe218 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: fffffffffffffe00 RBX: 00007fcda7dac058 RCX: 00007fcda7c8c0c9
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00007fcda7dac058
RBP: 00007fcda7dac050 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007fcda7dac05c
R13: 00007ffc4cac593f R14: 00007fcda6ffe300 R15: 0000000000022000
</TASK>

Allocated by task 5595:
kasan_save_stack+0x22/0x40 mm/kasan/common.c:45
kasan_set_track+0x25/0x30 mm/kasan/common.c:52
____kasan_kmalloc mm/kasan/common.c:371 [inline]
____kasan_kmalloc mm/kasan/common.c:330 [inline]
__kasan_kmalloc+0xa2/0xb0 mm/kasan/common.c:380
kmalloc include/linux/slab.h:580 [inline]
snd_rawmidi_open+0x39a/0xb70 sound/core/rawmidi.c:482
snd_open+0x223/0x460 sound/core/sound.c:169
chrdev_open+0x26a/0x770 fs/char_dev.c:414
do_dentry_open+0x6cc/0x13f0 fs/open.c:883
do_open fs/namei.c:3558 [inline]
path_openat+0x1bc1/0x2b40 fs/namei.c:3715
do_filp_open+0x1ba/0x410 fs/namei.c:3742
do_sys_openat2+0x16d/0x4c0 fs/open.c:1311
do_sys_open fs/open.c:1327 [inline]
__do_sys_openat fs/open.c:1343 [inline]
__se_sys_openat fs/open.c:1338 [inline]
__x64_sys_openat+0x143/0x1f0 fs/open.c:1338
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd

Freed by task 5598:
kasan_save_stack+0x22/0x40 mm/kasan/common.c:45
kasan_set_track+0x25/0x30 mm/kasan/common.c:52
kasan_save_free_info+0x2e/0x40 mm/kasan/generic.c:518
____kasan_slab_free mm/kasan/common.c:236 [inline]
____kasan_slab_free+0x160/0x1c0 mm/kasan/common.c:200
kasan_slab_free include/linux/kasan.h:162 [inline]
slab_free_hook mm/slub.c:1781 [inline]
slab_free_freelist_hook+0x8b/0x1c0 mm/slub.c:1807
slab_free mm/slub.c:3787 [inline]
__kmem_cache_free+0xaf/0x2d0 mm/slub.c:3800
snd_rawmidi_release+0x6a/0xf0 sound/core/rawmidi.c:619
__fput+0x27c/0xa90 fs/file_table.c:321
task_work_run+0x16f/0x270 kernel/task_work.c:179
get_signal+0x1c7/0x24f0 kernel/signal.c:2635
arch_do_signal_or_restart+0x79/0x5c0 arch/x86/kernel/signal.c:306
exit_to_user_mode_loop kernel/entry/common.c:168 [inline]
exit_to_user_mode_prepare+0x11f/0x240 kernel/entry/common.c:204
__syscall_exit_to_user_mode_work kernel/entry/common.c:286 [inline]
syscall_exit_to_user_mode+0x1d/0x50 kernel/entry/common.c:297
do_syscall_64+0x46/0xb0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x63/0xcd

The buggy address belongs to the object at ffff8880786086c0
which belongs to the cache kmalloc-32 of size 32
The buggy address is located 8 bytes inside of
32-byte region [ffff8880786086c0, ffff8880786086e0)

The buggy address belongs to the physical page:
page:ffffea0001e18200 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x78608
flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000200 ffff888012441500 dead000000000100 dead000000000122
raw: 0000000000000000 0000000000400040 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x112c40(GFP_NOFS|__GFP_NOWARN|__GFP_NORETRY|__GFP_HARDWALL), pid 5107, tgid 5107 (kworker/u4:4), ts 60258926459, free_ts 60222874536
prep_new_page mm/page_alloc.c:2549 [inline]
get_page_from_freelist+0x11bb/0x2d50 mm/page_alloc.c:4324
__alloc_pages+0x1cb/0x5c0 mm/page_alloc.c:5590
alloc_pages+0x1aa/0x270 mm/mempolicy.c:2281
alloc_slab_page mm/slub.c:1851 [inline]
allocate_slab+0x25f/0x350 mm/slub.c:1998
new_slab mm/slub.c:2051 [inline]
___slab_alloc+0xa91/0x1400 mm/slub.c:3193
__slab_alloc.constprop.0+0x56/0xa0 mm/slub.c:3292
__slab_alloc_node mm/slub.c:3345 [inline]
slab_alloc_node mm/slub.c:3442 [inline]
__kmem_cache_alloc_node+0x136/0x330 mm/slub.c:3491
__do_kmalloc_node mm/slab_common.c:966 [inline]
__kmalloc+0x4a/0xd0 mm/slab_common.c:980
kmalloc include/linux/slab.h:584 [inline]
kzalloc include/linux/slab.h:720 [inline]
tomoyo_encode2.part.0+0xe9/0x3a0 security/tomoyo/realpath.c:45
tomoyo_encode2 security/tomoyo/realpath.c:31 [inline]
tomoyo_encode+0x2c/0x50 security/tomoyo/realpath.c:80
tomoyo_realpath_from_path+0x185/0x600 security/tomoyo/realpath.c:283
tomoyo_scan_exec_realpath security/tomoyo/condition.c:243 [inline]
tomoyo_condition+0x12ba/0x2930 security/tomoyo/condition.c:827
tomoyo_check_acl+0x1b4/0x440 security/tomoyo/domain.c:177
tomoyo_execute_permission+0x178/0x4a0 security/tomoyo/file.c:615
tomoyo_find_next_domain+0x34c/0x1f80 security/tomoyo/domain.c:752
tomoyo_bprm_check_security security/tomoyo/tomoyo.c:101 [inline]
tomoyo_bprm_check_security+0x133/0x1c0 security/tomoyo/tomoyo.c:91
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1451 [inline]
free_pcp_prepare+0x4d0/0x910 mm/page_alloc.c:1501
free_unref_page_prepare mm/page_alloc.c:3387 [inline]
free_unref_page+0x1d/0x490 mm/page_alloc.c:3482
__vunmap+0x7fe/0xc00 mm/vmalloc.c:2746
free_work+0x5c/0x80 mm/vmalloc.c:100
process_one_work+0x9bf/0x1750 kernel/workqueue.c:2293
worker_thread+0x669/0x1090 kernel/workqueue.c:2440
kthread+0x2e8/0x3a0 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308

Memory state around the buggy address:
ffff888078608580: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
ffff888078608600: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
>ffff888078608680: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
^
ffff888078608700: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
ffff888078608780: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
==================================================================


Tested on:

commit: 0a093b28 Add linux-next specific files for 20230112
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
console output: https://syzkaller.appspot.com/x/log.txt?x=10a6692c480000
kernel config: https://syzkaller.appspot.com/x/.config?x=835f3591019836d5
dashboard link: https://syzkaller.appspot.com/bug?extid=e3ec01fd2d18c9264c3b
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=17339986480000

Hillf Danton

Jan 13, 2023, 1:29:28 AM
to syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com
On 12 Jan 2023 07:42:34 -0800
> syzbot has found a reproducer for the following issue on:
>
> HEAD commit: 0a093b2893c7 Add linux-next specific files for 20230112
> git tree: linux-next
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=12b3995a480000

Serialize poll and release paths with a mutex.
--- x/sound/core/rawmidi.c
+++ y/sound/core/rawmidi.c
@@ -607,13 +607,19 @@ int snd_rawmidi_kernel_release(struct sn
}
EXPORT_SYMBOL(snd_rawmidi_kernel_release);

+static DEFINE_MUTEX(rawmidi_poll_mutex);
+
static int snd_rawmidi_release(struct inode *inode, struct file *file)
{
struct snd_rawmidi_file *rfile;
struct snd_rawmidi *rmidi;
struct module *module;

+ mutex_lock(&rawmidi_poll_mutex);
rfile = file->private_data;
+ file->private_data = NULL;
+ mutex_unlock(&rawmidi_poll_mutex);
+
rmidi = rfile->rmidi;
rawmidi_release_priv(rfile);
kfree(rfile);
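
Review bot: In snd_rawmidi_release the new lock is dropped right after file->private_data = NULL, so rawmidi_release_priv(rfile) and kfree(rfile) run outside it; that protects the rfile pointer read in poll but nothing that poll leaves registered on the substream runtime. rawmidi_poll_mutex is also a single file-scope lock for every rawmidi file, which serializes poll and release on unrelated devices; a per-file or per-device lock would be narrower. ->release() runs only after the last file reference is gone, so a poll racing with it points at a missing reference in the caller, and the changelog should say so if this is meant as a workaround.
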
@@ -1649,7 +1655,11 @@ static __poll_t snd_rawmidi_poll(struct
{
struct snd_rawmidi_file *rfile;
struct snd_rawmidi_runtime *runtime;
- __poll_t mask;
+ __poll_t mask = 0;
+
+ mutex_lock(&rawmidi_poll_mutex);
+ if (!file->private_data)
+ goto out;

rfile = file->private_data;
if (rfile->input != NULL) {
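
Review bot: The new early exit in snd_rawmidi_poll (if (!file->private_data) goto out;) returns mask 0 for a released file, which tells the poller that nothing is ready and leaves it waiting. Returning EPOLLERR | EPOLLHUP there would let the poller finish. file->private_data is also read twice, once for the check and once for rfile = file->private_data; load it into rfile once and test rfile.
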
@@ -1661,7 +1671,6 @@ static __poll_t snd_rawmidi_poll(struct
runtime = rfile->output->runtime;
poll_wait(file, &runtime->sleep, wait);
}
- mask = 0;
if (rfile->input != NULL) {
if (snd_rawmidi_ready(rfile->input))
mask |= EPOLLIN | EPOLLRDNORM;
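
Review bot: The poll_wait(file, &runtime->sleep, wait) call kept as context in this hunk registers a wait entry on runtime->sleep that stays queued after snd_rawmidi_poll drops rawmidi_poll_mutex. The mutex does nothing for that entry's lifetime, so once release tears the runtime down, a later removal of the entry by the poller touches freed memory. The patch needs either to keep the runtime alive while entries are queued or to make sure pollers are detached before the runtime is freed.
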
@@ -1670,6 +1679,8 @@ static __poll_t snd_rawmidi_poll(struct
if (snd_rawmidi_ready(rfile->output))
mask |= EPOLLOUT | EPOLLWRNORM;
}
+out:
+ mutex_unlock(&rawmidi_poll_mutex);
return mask;
}

--

syzbot

Jan 13, 2023, 1:46:19 AM
to hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: use-after-free Read in io_poll_remove_entries

==================================================================
BUG: KASAN: use-after-free in __lock_acquire+0x3e7f/0x5660 kernel/locking/lockdep.c:4926
Read of size 8 at addr ffff88807e78e268 by task syz-executor.0/5598

CPU: 0 PID: 5598 Comm: syz-executor.0 Not tainted 6.2.0-rc3-next-20230112-syzkaller-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xd1/0x138 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:306 [inline]
print_report+0x15e/0x45d mm/kasan/report.c:417
kasan_report+0xc0/0xf0 mm/kasan/report.c:517
__lock_acquire+0x3e7f/0x5660 kernel/locking/lockdep.c:4926
lock_acquire.part.0+0x11a/0x350 kernel/locking/lockdep.c:5669
__raw_spin_lock_irq include/linux/spinlock_api_smp.h:119 [inline]
_raw_spin_lock_irq+0x36/0x50 kernel/locking/spinlock.c:170
spin_lock_irq include/linux/spinlock.h:375 [inline]
io_poll_remove_entry io_uring/poll.c:183 [inline]
io_poll_remove_entries.part.0+0x15e/0x810 io_uring/poll.c:216
io_poll_remove_entries io_uring/poll.c:196 [inline]
io_poll_task_func+0x56c/0x1220 io_uring/poll.c:330
handle_tw_list+0xa8/0x460 io_uring/io_uring.c:1169
tctx_task_work+0x12e/0x530 io_uring/io_uring.c:1224
task_work_run+0x16f/0x270 kernel/task_work.c:179
get_signal+0x1c7/0x24f0 kernel/signal.c:2635
arch_do_signal_or_restart+0x79/0x5c0 arch/x86/kernel/signal.c:306
exit_to_user_mode_loop kernel/entry/common.c:168 [inline]
exit_to_user_mode_prepare+0x11f/0x240 kernel/entry/common.c:204
__syscall_exit_to_user_mode_work kernel/entry/common.c:286 [inline]
syscall_exit_to_user_mode+0x1d/0x50 kernel/entry/common.c:297
do_syscall_64+0x46/0xb0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f977d48c0c9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f977e27c218 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: fffffffffffffe00 RBX: 00007f977d5ac058 RCX: 00007f977d48c0c9
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00007f977d5ac058
RBP: 00007f977d5ac050 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f977d5ac05c
R13: 00007ffef7edfc4f R14: 00007f977e27c300 R15: 0000000000022000
</TASK>

Allocated by task 5596:
kasan_save_stack+0x22/0x40 mm/kasan/common.c:45
kasan_set_track+0x25/0x30 mm/kasan/common.c:52
____kasan_kmalloc mm/kasan/common.c:371 [inline]
____kasan_kmalloc mm/kasan/common.c:330 [inline]
__kasan_kmalloc+0xa2/0xb0 mm/kasan/common.c:380
kmalloc include/linux/slab.h:580 [inline]
kzalloc include/linux/slab.h:720 [inline]
snd_rawmidi_runtime_create sound/core/rawmidi.c:164 [inline]
open_substream+0xe9/0x8c0 sound/core/rawmidi.c:341
rawmidi_open_priv+0x591/0x6f0 sound/core/rawmidi.c:394
snd_rawmidi_open+0x467/0xb70 sound/core/rawmidi.c:492
snd_rawmidi_runtime_free sound/core/rawmidi.c:192 [inline]
close_substream.part.0+0x21d/0x850 sound/core/rawmidi.c:570
close_substream sound/core/rawmidi.c:544 [inline]
rawmidi_release_priv+0x192/0x270 sound/core/rawmidi.c:587
snd_rawmidi_release+0x87/0x120 sound/core/rawmidi.c:624
__fput+0x27c/0xa90 fs/file_table.c:321
task_work_run+0x16f/0x270 kernel/task_work.c:179
get_signal+0x1c7/0x24f0 kernel/signal.c:2635
arch_do_signal_or_restart+0x79/0x5c0 arch/x86/kernel/signal.c:306
exit_to_user_mode_loop kernel/entry/common.c:168 [inline]
exit_to_user_mode_prepare+0x11f/0x240 kernel/entry/common.c:204
__syscall_exit_to_user_mode_work kernel/entry/common.c:286 [inline]
syscall_exit_to_user_mode+0x1d/0x50 kernel/entry/common.c:297
do_syscall_64+0x46/0xb0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x63/0xcd

The buggy address belongs to the object at ffff88807e78e200
which belongs to the cache kmalloc-256 of size 256
The buggy address is located 104 bytes inside of
256-byte region [ffff88807e78e200, ffff88807e78e300)

The buggy address belongs to the physical page:
page:ffffea0001f9e380 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7e78e
head:ffffea0001f9e380 order:1 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000010200 ffff888012441b40 dead000000000122 0000000000000000
raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 1, migratetype Unmovable, gfp_mask 0x1d20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL), pid 5542, tgid 5542 (syz-executor.0), ts 112149922863, free_ts 109467087241
prep_new_page mm/page_alloc.c:2549 [inline]
get_page_from_freelist+0x11bb/0x2d50 mm/page_alloc.c:4324
__alloc_pages+0x1cb/0x5c0 mm/page_alloc.c:5590
alloc_pages+0x1aa/0x270 mm/mempolicy.c:2281
alloc_slab_page mm/slub.c:1851 [inline]
allocate_slab+0x25f/0x350 mm/slub.c:1998
new_slab mm/slub.c:2051 [inline]
___slab_alloc+0xa91/0x1400 mm/slub.c:3193
__slab_alloc.constprop.0+0x56/0xa0 mm/slub.c:3292
__slab_alloc_node mm/slub.c:3345 [inline]
slab_alloc_node mm/slub.c:3442 [inline]
__kmem_cache_alloc_node+0x136/0x330 mm/slub.c:3491
__do_kmalloc_node mm/slab_common.c:966 [inline]
__kmalloc+0x4a/0xd0 mm/slab_common.c:980
kmalloc include/linux/slab.h:584 [inline]
kzalloc include/linux/slab.h:720 [inline]
new_dir fs/proc/proc_sysctl.c:971 [inline]
get_subdir fs/proc/proc_sysctl.c:1015 [inline]
__register_sysctl_table+0x9ef/0x10a0 fs/proc/proc_sysctl.c:1366
mpls_dev_sysctl_register+0x1b7/0x2d0 net/mpls/af_mpls.c:1421
mpls_add_dev net/mpls/af_mpls.c:1472 [inline]
mpls_dev_notify+0x46d/0x990 net/mpls/af_mpls.c:1612
notifier_call_chain+0xb5/0x200 kernel/notifier.c:87
call_netdevice_notifiers_info+0xb5/0x130 net/core/dev.c:1944
call_netdevice_notifiers_extack net/core/dev.c:1982 [inline]
call_netdevice_notifiers net/core/dev.c:1996 [inline]
register_netdevice+0xfb4/0x1640 net/core/dev.c:10078
cfg80211_register_netdevice+0x157/0x330 net/wireless/core.c:1397
ieee80211_if_add+0x1073/0x1960 net/mac80211/iface.c:2198
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1451 [inline]
free_pcp_prepare+0x4d0/0x910 mm/page_alloc.c:1501
free_unref_page_prepare mm/page_alloc.c:3387 [inline]
free_unref_page+0x1d/0x490 mm/page_alloc.c:3482
qlink_free mm/kasan/quarantine.c:168 [inline]
qlist_free_all+0x6a/0x170 mm/kasan/quarantine.c:187
kasan_quarantine_reduce+0x192/0x220 mm/kasan/quarantine.c:294
__kasan_slab_alloc+0x63/0x90 mm/kasan/common.c:302
kasan_slab_alloc include/linux/kasan.h:186 [inline]
slab_post_alloc_hook mm/slab.h:769 [inline]
slab_alloc_node mm/slub.c:3452 [inline]
slab_alloc mm/slub.c:3460 [inline]
__kmem_cache_alloc_lru mm/slub.c:3467 [inline]
kmem_cache_alloc+0x175/0x320 mm/slub.c:3476
getname_flags.part.0+0x50/0x4f0 fs/namei.c:140
getname_flags include/linux/audit.h:320 [inline]
getname+0x92/0xd0 fs/namei.c:219
do_sys_openat2+0xf5/0x4c0 fs/open.c:1305
do_sys_open fs/open.c:1327 [inline]
__do_sys_openat fs/open.c:1343 [inline]
__se_sys_openat fs/open.c:1338 [inline]
__x64_sys_openat+0x143/0x1f0 fs/open.c:1338
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd

Memory state around the buggy address:
ffff88807e78e100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88807e78e180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88807e78e200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88807e78e280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88807e78e300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================


Tested on:

commit: 0a093b28 Add linux-next specific files for 20230112
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
console output: https://syzkaller.appspot.com/x/log.txt?x=140bcf4a480000
kernel config: https://syzkaller.appspot.com/x/.config?x=835f3591019836d5
dashboard link: https://syzkaller.appspot.com/bug?extid=e3ec01fd2d18c9264c3b
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=117f933c480000

Hillf Danton

Jan 13, 2023, 5:28:48 AM
to syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com
On 12 Jan 2023 07:42:34 -0800
> syzbot has found a reproducer for the following issue on:
>
> HEAD commit: 0a093b2893c7 Add linux-next specific files for 20230112
> git tree: linux-next
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=12b3995a480000

Serialize poll and release paths with mutex.

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git 0a093b2893c7

--- x/sound/core/rawmidi.c
+++ y/sound/core/rawmidi.c
@@ -188,6 +188,7 @@ static int snd_rawmidi_runtime_free(stru
{
struct snd_rawmidi_runtime *runtime = substream->runtime;

+ wake_up_pollfree(&runtime->sleep);
kvfree(runtime->buffer);
kfree(runtime);
substream->runtime = NULL;
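
Review bot: kfree(runtime) follows wake_up_pollfree(&runtime->sleep) directly, so the wait queue head embedded in runtime is freed with nothing in between that waits for pollers to let go of it. wake_up_pollfree() expects the caller to delay the free of the wait queue head by an RCU grace period, and it warns if any entry is still queued after the wake-up, which is what happens with a waiter that does not detach on POLLFREE. Consider keeping runtime alive until the last poller has detached, for example by deferring the free, rather than signalling POLLFREE here.
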
@@ -607,13 +608,19 @@ int snd_rawmidi_kernel_release(struct sn
}
EXPORT_SYMBOL(snd_rawmidi_kernel_release);

+static DEFINE_MUTEX(rawmidi_poll_mutex);
+
static int snd_rawmidi_release(struct inode *inode, struct file *file)
{
struct snd_rawmidi_file *rfile;
struct snd_rawmidi *rmidi;
struct module *module;

+ mutex_lock(&rawmidi_poll_mutex);
rfile = file->private_data;
+ file->private_data = NULL;
+ mutex_unlock(&rawmidi_poll_mutex);
+
rmidi = rfile->rmidi;
rawmidi_release_priv(rfile);
kfree(rfile);
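
Review bot: mutex_unlock(&rawmidi_poll_mutex) comes before rawmidi_release_priv(rfile) and kfree(rfile), so the lock covers only the swap of file->private_data and not the teardown that follows. Please add a comment above DEFINE_MUTEX(rawmidi_poll_mutex) stating exactly what it protects, because the name suggests it guards polling as a whole while the critical section here is three lines.
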
@@ -1649,7 +1656,11 @@ static __poll_t snd_rawmidi_poll(struct
{
struct snd_rawmidi_file *rfile;
struct snd_rawmidi_runtime *runtime;
- __poll_t mask;
+ __poll_t mask = 0;
+
+ mutex_lock(&rawmidi_poll_mutex);
+ if (!file->private_data)
+ goto out;

rfile = file->private_data;
if (rfile->input != NULL) {
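
Review bot: the `goto out` taken when file->private_data is NULL returns with mask == 0, which a poller reads as "nothing ready yet" rather than "this file is gone", and nothing will wake it afterwards. Returning EPOLLERR | EPOLLHUP on that path would let the caller stop waiting.
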
@@ -1661,7 +1672,6 @@ static __poll_t snd_rawmidi_poll(struct
runtime = rfile->output->runtime;
poll_wait(file, &runtime->sleep, wait);
}
- mask = 0;
if (rfile->input != NULL) {
if (snd_rawmidi_ready(rfile->input))
mask |= EPOLLIN | EPOLLRDNORM;
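
Review bot: poll_wait(file, &runtime->sleep, wait) in the context lines queues an entry on runtime->sleep that stays queued after this function returns and rawmidi_poll_mutex is dropped, so the new lock does not cover the interval in which release frees runtime. The protection has to extend to the lifetime of the wait queue head, not only to the body of snd_rawmidi_poll(). Moving the `mask = 0` initialisation to the declaration is fine.
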
@@ -1670,6 +1680,8 @@ static __poll_t snd_rawmidi_poll(struct

syzbot

Jan 13, 2023, 5:48:20 AM
to hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING in close_substream

------------[ cut here ]------------
WARNING: CPU: 0 PID: 5602 at kernel/sched/wait.c:248 __wake_up_pollfree+0x44/0x60 kernel/sched/wait.c:249
Modules linked in:
CPU: 0 PID: 5602 Comm: syz-executor.0 Not tainted 6.2.0-rc3-next-20230112-syzkaller-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
RIP: 0010:__wake_up_pollfree+0x44/0x60 kernel/sched/wait.c:248
Code: 29 ff ff 48 8d 6b 40 48 b8 00 00 00 00 00 fc ff df 48 89 ea 48 c1 ea 03 80 3c 02 00 75 11 48 8b 43 40 48 39 c5 75 03 5b 5d c3 <0f> 0b 5b 5d c3 48 89 ef e8 ef d1 6d 00 eb e5 66 66 2e 0f 1f 84 00
RSP: 0018:ffffc90004fafab0 EFLAGS: 00010297
RAX: ffffc90004fbfcd8 RBX: ffff888075f56a50 RCX: 0000000000000000
RDX: 1ffff1100ebead52 RSI: 0000000000000001 RDI: 0000000000000001
RBP: ffff888075f56a90 R08: 0000000000000001 R09: ffffffff91353c67
R10: 0000000000000001 R11: 000000000009d400 R12: ffff888075f56a90
R13: 0000000000000001 R14: ffff88814a092100 R15: ffff88801c690050
FS: 00007f49e15dd700(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00005598bec2d000 CR3: 000000002b119000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
wake_up_pollfree include/linux/wait.h:271 [inline]
snd_rawmidi_runtime_free sound/core/rawmidi.c:191 [inline]
close_substream.part.0+0x229/0x8a0 sound/core/rawmidi.c:571
close_substream sound/core/rawmidi.c:545 [inline]
rawmidi_release_priv+0x192/0x270 sound/core/rawmidi.c:588
snd_rawmidi_release+0x87/0x120 sound/core/rawmidi.c:625
__fput+0x27c/0xa90 fs/file_table.c:321
task_work_run+0x16f/0x270 kernel/task_work.c:179
get_signal+0x1c7/0x24f0 kernel/signal.c:2635
arch_do_signal_or_restart+0x79/0x5c0 arch/x86/kernel/signal.c:306
exit_to_user_mode_loop kernel/entry/common.c:168 [inline]
exit_to_user_mode_prepare+0x11f/0x240 kernel/entry/common.c:204
__syscall_exit_to_user_mode_work kernel/entry/common.c:286 [inline]
syscall_exit_to_user_mode+0x1d/0x50 kernel/entry/common.c:297
do_syscall_64+0x46/0xb0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f49e228c0c9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f49e15dd218 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: fffffffffffffe00 RBX: 00007f49e23ac058 RCX: 00007f49e228c0c9
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00007f49e23ac058
RBP: 00007f49e23ac050 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f49e23ac05c
R13: 00007ffe4d1f3a2f R14: 00007f49e15dd300 R15: 0000000000022000
</TASK>


Tested on:

commit: 0a093b28 Add linux-next specific files for 20230112
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
console output: https://syzkaller.appspot.com/x/log.txt?x=1498500e480000
kernel config: https://syzkaller.appspot.com/x/.config?x=835f3591019836d5
dashboard link: https://syzkaller.appspot.com/bug?extid=e3ec01fd2d18c9264c3b
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=12a8ed16480000

Hillf Danton

Jan 13, 2023, 7:07:03 AM
to syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com
On 12 Jan 2023 07:42:34 -0800
> syzbot has found a reproducer for the following issue on:
>
> HEAD commit: 0a093b2893c7 Add linux-next specific files for 20230112
> git tree: linux-next
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=12b3995a480000

Serialize poll and release paths with mutex.

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git 0a093b2893c7

--- x/sound/core/rawmidi.c
+++ y/sound/core/rawmidi.c
@@ -188,6 +188,10 @@ static int snd_rawmidi_runtime_free(stru
{
struct snd_rawmidi_runtime *runtime = substream->runtime;

+ while (wq_has_sleeper(&runtime->sleep)) {
+ wake_up(&runtime->sleep);
+ schedule_timeout_idle(HZ *5);
+ }
kvfree(runtime->buffer);
kfree(runtime);
substream->runtime = NULL;
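
Review bot: the `while (wq_has_sleeper(&runtime->sleep))` loop has no exit other than the queue becoming empty, so a poll registration that stays queued across wake_up() keeps the release path sleeping in 5-second steps indefinitely, and any close that finds a waiter stalls for at least five seconds. A reference held by the poller, or a bounded wait with a defined fallback, would avoid blocking release on the behaviour of other tasks. Style: `HZ *5` should be `HZ * 5`.
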
@@ -607,13 +611,19 @@ int snd_rawmidi_kernel_release(struct sn
}
EXPORT_SYMBOL(snd_rawmidi_kernel_release);

+static DEFINE_MUTEX(rawmidi_poll_mutex);
+
static int snd_rawmidi_release(struct inode *inode, struct file *file)
{
struct snd_rawmidi_file *rfile;
struct snd_rawmidi *rmidi;
struct module *module;

+ mutex_lock(&rawmidi_poll_mutex);
rfile = file->private_data;
+ file->private_data = NULL;
+ mutex_unlock(&rawmidi_poll_mutex);
+
rmidi = rfile->rmidi;
rawmidi_release_priv(rfile);
kfree(rfile);
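
Review bot: rawmidi_poll_mutex is a single file-scope mutex, so every snd_rawmidi_poll() and snd_rawmidi_release() call on any rawmidi device contends on the same lock. If a global lock is intended, say so in a comment next to DEFINE_MUTEX(); otherwise a lock with narrower scope would give the same ordering without serializing unrelated devices.
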
@@ -1649,7 +1659,11 @@ static __poll_t snd_rawmidi_poll(struct
{
struct snd_rawmidi_file *rfile;
struct snd_rawmidi_runtime *runtime;
- __poll_t mask;
+ __poll_t mask = 0;
+
+ mutex_lock(&rawmidi_poll_mutex);
+ if (!file->private_data)
+ goto out;

rfile = file->private_data;
if (rfile->input != NULL) {
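
Review bot: file->private_data is loaded twice, once in `if (!file->private_data)` and again in `rfile = file->private_data;`. Assign rfile first and test `if (!rfile)` so the check and the use refer to the same load.
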
@@ -1661,7 +1675,6 @@ static __poll_t snd_rawmidi_poll(struct
runtime = rfile->output->runtime;
poll_wait(file, &runtime->sleep, wait);
}
- mask = 0;
if (rfile->input != NULL) {
if (snd_rawmidi_ready(rfile->input))
mask |= EPOLLIN | EPOLLRDNORM;
@@ -1670,6 +1683,8 @@ static __poll_t snd_rawmidi_poll(struct

syzbot

Jan 13, 2023, 7:32:19 AM
to hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING: refcount bug in mm_update_next_owner

------------[ cut here ]------------
refcount_t: addition on 0; use-after-free.
WARNING: CPU: 0 PID: 5598 at lib/refcount.c:25 refcount_warn_saturate+0x17c/0x1f0 lib/refcount.c:25
Modules linked in:
CPU: 0 PID: 5598 Comm: syz-executor.0 Not tainted 6.2.0-rc3-next-20230112-syzkaller-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
RIP: 0010:refcount_warn_saturate+0x17c/0x1f0 lib/refcount.c:25
Code: 0a 31 ff 89 de e8 d4 13 78 fd 84 db 0f 85 2e ff ff ff e8 57 17 78 fd 48 c7 c7 60 87 a6 8a c6 05 60 d0 54 0a 01 e8 98 a7 b2 05 <0f> 0b e9 0f ff ff ff e8 38 17 78 fd 0f b6 1d 4a d0 54 0a 31 ff 89
RSP: 0018:ffffc90005befb68 EFLAGS: 00010286
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: ffff88807d2f57c0 RSI: ffffffff8166972c RDI: fffff52000b7df5f
RBP: ffff88807d2f3aa8 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000000 R12: ffff8880764ee300
R13: ffff88807d2f3fa8 R14: 0000000000000000 R15: ffff88807d2f3aa8
FS: 0000000000000000(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000021000000 CR3: 000000007673f000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
__refcount_add include/linux/refcount.h:199 [inline]
__refcount_inc include/linux/refcount.h:250 [inline]
refcount_inc include/linux/refcount.h:267 [inline]
get_task_struct include/linux/sched/task.h:110 [inline]
mm_update_next_owner+0x585/0x7b0 kernel/exit.c:504
exit_mm kernel/exit.c:562 [inline]
do_exit+0x9a4/0x2a90 kernel/exit.c:854
do_group_exit+0xd4/0x2a0 kernel/exit.c:1012
get_signal+0x225f/0x24f0 kernel/signal.c:2859
arch_do_signal_or_restart+0x79/0x5c0 arch/x86/kernel/signal.c:306
exit_to_user_mode_loop kernel/entry/common.c:168 [inline]
exit_to_user_mode_prepare+0x11f/0x240 kernel/entry/common.c:204
__syscall_exit_to_user_mode_work kernel/entry/common.c:286 [inline]
syscall_exit_to_user_mode+0x1d/0x50 kernel/entry/common.c:297
do_syscall_64+0x46/0xb0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f9d6f48c0c9
Code: Unable to access opcode bytes at 0x7f9d6f48c09f.
RSP: 002b:00007f9d70279218 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: fffffffffffffe00 RBX: 00007f9d6f5abf88 RCX: 00007f9d6f48c0c9
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00007f9d6f5abf88
RBP: 00007f9d6f5abf80 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f9d6f5abf8c
R13: 00007ffd0405f78f R14: 00007f9d70279300 R15: 0000000000022000
</TASK>


Tested on:

commit: 0a093b28 Add linux-next specific files for 20230112
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
console output: https://syzkaller.appspot.com/x/log.txt?x=116f295a480000
kernel config: https://syzkaller.appspot.com/x/.config?x=835f3591019836d5
dashboard link: https://syzkaller.appspot.com/bug?extid=e3ec01fd2d18c9264c3b
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=104b995a480000

syzbot

Jul 5, 2023, 6:29:46 AM
to syzkall...@googlegroups.com
Auto-closing this bug as obsolete.
No recent activity, existing reproducers are no longer triggering the issue.