WARNING in snd_timer_user_info_compat


syzbot

Nov 21, 2017, 10:27:59 AM
To: alsa-...@alsa-project.org, linux-...@vger.kernel.org, pe...@perex.cz, syzkall...@googlegroups.com, ti...@suse.com
Hello,

syzkaller hit the following crash on
c8a0739b185d11d6e2ca7ad9f5835841d1cfc765
git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/master
compiler: gcc (GCC) 7.1.1 20170620
.config is attached
Raw console output is attached.
C reproducer is attached
syzkaller reproducer is attached. See https://goo.gl/kgGztJ
for information about syzkaller reproducers


Kernel panic - not syncing: panic_on_warn set ...

CPU: 1 PID: 3039 Comm: syzkaller881964 Not tainted 4.14.0+ #98
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x194/0x257 lib/dump_stack.c:53
panic+0x1e4/0x41c kernel/panic.c:183
__warn+0x1dc/0x200 kernel/panic.c:547
report_bug+0x211/0x2d0 lib/bug.c:184
fixup_bug.part.11+0x37/0x80 arch/x86/kernel/traps.c:177
fixup_bug arch/x86/kernel/traps.c:246 [inline]
do_error_trap+0x2d7/0x3e0 arch/x86/kernel/traps.c:295
do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:314
invalid_op+0x18/0x20 arch/x86/entry/entry_64.S:926
RIP: 0010:snd_timer_user_info_compat.isra.6+0x3be/0x490
sound/core/timer_compat.c:69
RSP: 0018:ffff8801cd037a70 EFLAGS: 00010293
RAX: ffff8801cd96a280 RBX: 1ffff10039a06f51 RCX: ffffffff8402d83e
RDX: 0000000000000000 RSI: 0000000020a73000 RDI: ffff8801cd2b6eb0
RBP: ffff8801cd037bd0 R08: ffffffff8403ab4b R09: 0000000000000000
R10: ffff8801cd037bd0 R11: ffffffff8747dd60 R12: 0000000000000000
R13: dffffc0000000000 R14: ffff8801cd037ba8 R15: ffff8801cd037d18
__snd_timer_user_ioctl_compat sound/core/timer_compat.c:161 [inline]
snd_timer_user_ioctl_compat+0x4a6/0x890 sound/core/timer_compat.c:179
C_SYSC_ioctl fs/compat_ioctl.c:1473 [inline]
compat_SyS_ioctl+0x151/0x2a30 fs/compat_ioctl.c:1419
do_syscall_32_irqs_on arch/x86/entry/common.c:327 [inline]
do_fast_syscall_32+0x3ee/0xf9d arch/x86/entry/common.c:389
entry_SYSENTER_compat+0x51/0x60 arch/x86/entry/entry_64_compat.S:125
RIP: 0023:0xf7f8dc79
RSP: 002b:00000000ffcd112c EFLAGS: 00000282 ORIG_RAX: 0000000000000036
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000080e05411
RDX: 0000000020a73000 RSI: 00000000080ef00c RDI: 000000000000003f
RBP: 0000000000001000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
Dumping ftrace buffer:
(ftrace buffer empty)
Kernel Offset: disabled
Rebooting in 86400 seconds..


---
This bug is generated by a dumb bot. It may contain errors.
See https://goo.gl/tpsmEJ for details.
Direct all questions to syzk...@googlegroups.com.
Please credit me with: Reported-by: syzbot <syzk...@googlegroups.com>

syzbot will keep track of this bug report.
Once a fix for this bug is committed, please reply to this email with:
#syz fix: exact-commit-title
If you want to test a patch for this bug, please reply with:
#syz test: git://repo/address.git branch
and provide the patch inline or as an attachment.
To mark this as a duplicate of another syzbot report, please reply with:
#syz dup: exact-subject-of-another-report
If it's a one-off invalid bug report, please reply with:
#syz invalid
Note: if the crash happens again, it will cause creation of a new bug
report.
Note: all commands must start from beginning of the line in the email body.
config.txt
raw.log
repro.txt
repro.c

Takashi Iwai

Nov 21, 2017, 10:42:18 AM
To: syzbot, alsa-...@alsa-project.org, syzkall...@googlegroups.com, pe...@perex.cz, linux-...@vger.kernel.org
Aha, it's a superfluous WARN_ON() usage from snd_BUG_ON().
Now syzkaller turned on CONFIG_SND_DEBUG=y, so this surfaced.
The fix patch is below. I'm going to queue this.

#syz fix: ALSA: timer: Remove kernel warning at compat ioctl error paths


thanks,

Takashi

---
From: Takashi Iwai <ti...@suse.de>
Subject: [PATCH] ALSA: timer: Remove kernel warning at compat ioctl error paths

Some timer compat ioctls have NULL checks of timer instance with
snd_BUG_ON() that bring up WARN_ON() when the debug option is set.
Actually the condition can be met in the normal situation and it's
confusing and bad to spew kernel warnings with stack trace there.
Let's remove snd_BUG_ON() invocation and replace with the simple
checks. Also, correct the error code to EBADFD to follow the native
ioctl error handling.

Reported-by: syzbot <syzk...@googlegroups.com>
Cc: <sta...@vger.kernel.org>
Signed-off-by: Takashi Iwai <ti...@suse.de>
---
sound/core/timer_compat.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/sound/core/timer_compat.c b/sound/core/timer_compat.c
index 59127b6ef39e..e00f7e399e46 100644
--- a/sound/core/timer_compat.c
+++ b/sound/core/timer_compat.c
@@ -66,11 +66,11 @@ static int snd_timer_user_info_compat(struct file *file,
struct snd_timer *t;

tu = file->private_data;
- if (snd_BUG_ON(!tu->timeri))
- return -ENXIO;
+ if (!tu->timeri)
+ return -EBADFD;
t = tu->timeri->timer;
- if (snd_BUG_ON(!t))
- return -ENXIO;
+ if (!t)
+ return -EBADFD;
memset(&info, 0, sizeof(info));
info.card = t->card ? t->card->number : -1;
if (t->hw.flags & SNDRV_TIMER_HW_SLAVE)
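Review bot: worth confirming in this hunk that the native (non-compat) info ioctl handler returns -EBADFD for the same NULL `tu->timeri` / NULL `t` cases, since the change from `return -ENXIO;` to `return -EBADFD;` is visible to 32-bit callers and the commit message justifies it only by "follow the native ioctl error handling". The switch from `snd_BUG_ON(...)` to a plain `if (!tu->timeri)` is the right call for a state a client can reach through normal use: the reported trace shows the WARN_ON fired straight out of the compat ioctl path, and with panic_on_warn set that is a full panic rather than a diagnostic.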
@@ -99,8 +99,8 @@ static int snd_timer_user_status_compat(struct file *file,
struct snd_timer_status32 status;

tu = file->private_data;
- if (snd_BUG_ON(!tu->timeri))
- return -ENXIO;
+ if (!tu->timeri)
+ return -EBADFD;
memset(&status, 0, sizeof(status));
status.tstamp.tv_sec = tu->tstamp.tv_sec;
status.tstamp.tv_nsec = tu->tstamp.tv_nsec;
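Review bot: this hunk keeps snd_timer_user_status_compat() consistent with the info path above (plain NULL check, -EBADFD), and only `tu->timeri` needs checking here since the visible body goes on to read `tu->tstamp`, not the timer. Because the commit message says "Some timer compat ioctls", it would be good to state in the message, or verify before merging, that no other snd_BUG_ON() remains on a user-reachable error path in timer_compat.c, and to re-run the attached reproducer with CONFIG_SND_DEBUG=y, the option that made this surface.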
--
2.15.0
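The failure mode in the report and the reason the patch works can be shown outside the kernel. The following is an added example, not code from the thread, from syzbot or from the kernel tree: a user-space model of a debug assertion (snd_BUG_ON(), a WARN_ON under CONFIG_SND_DEBUG and a plain condition otherwise, following include/sound/core.h) placed on a condition an ordinary client can reach, beside the patched form that treats the same condition as a normal error. The struct names, the `model_` prefixed helpers, the warning counter and the card number used as a result are constructed stand-ins, not ALSA's definitions.

```c
/* Added example, not code from the thread or from the kernel tree: a
 * user-space model of why the snd_BUG_ON() checks in the report fired and
 * what the patched checks do instead.  The macro semantics modelled here
 * (WARN_ON under CONFIG_SND_DEBUG, a plain condition otherwise) follow the
 * kernel's include/sound/core.h; the structs, the handler bodies and the
 * warning counter are simplified stand-ins for illustration only. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

#ifndef EBADFD
#define EBADFD 77   /* Linux value; fallback for libcs that lack it */
#endif

/* Stand-in for CONFIG_SND_DEBUG.  The report surfaced only once syzkaller
 * built with CONFIG_SND_DEBUG=y, so the model defaults to the debug build. */
#ifndef MODEL_SND_DEBUG
#define MODEL_SND_DEBUG 1
#endif

/* Number of "kernel warnings" emitted.  With panic_on_warn set, as on the
 * syzbot instance, each of these would be a full panic. */
static int model_warn_count;

/* Model of WARN_ON(): prints a warning when cond is true, returns cond. */
static int model_warn_on(int cond, const char *file, int line)
{
    if (cond) {
        model_warn_count++;
        fprintf(stderr, "WARNING: modelled WARN_ON() at %s:%d\n", file, line);
    }
    return cond;
}

/* Model of snd_BUG_ON(): a WARN_ON in debug builds, otherwise just the
 * evaluated condition with no message or stack trace. */
#if MODEL_SND_DEBUG
#define model_snd_BUG_ON(cond) model_warn_on(!!(cond), __FILE__, __LINE__)
#else
#define model_snd_BUG_ON(cond) (!!(cond))
#endif

/* Simplified stand-ins for the timer, timer instance and timer user structs. */
struct model_timer { int card_number; };
struct model_timer_instance { struct model_timer *timer; };
struct model_timer_user { struct model_timer_instance *timeri; };

/* Before the patch: a missing timer instance is treated as a kernel bug. */
int info_compat_before(struct model_timer_user *tu)
{
    if (model_snd_BUG_ON(!tu->timeri))
        return -ENXIO;
    if (model_snd_BUG_ON(!tu->timeri->timer))
        return -ENXIO;
    return tu->timeri->timer->card_number;   /* stands in for filling info */
}

/* After the patch: the same condition is an ordinary error for the caller. */
int info_compat_after(struct model_timer_user *tu)
{
    if (!tu->timeri)
        return -EBADFD;
    if (!tu->timeri->timer)
        return -EBADFD;
    return tu->timeri->timer->card_number;
}

typedef int (*model_handler)(struct model_timer_user *);

/* A 32-bit client issuing the info ioctl on a timer fd with no timer
 * instance selected yet: a reachable, non-bug state (constructed input). */
int model_ret_without_instance(model_handler h)
{
    struct model_timer_user tu = { .timeri = NULL };
    return h(&tu);
}

/* How many warnings the handler emits for that same input. */
int model_warnings_without_instance(model_handler h)
{
    int before = model_warn_count;
    (void)model_ret_without_instance(h);
    return model_warn_count - before;
}

/* The normal path, with a timer bound, is unchanged by the patch. */
int model_ret_with_instance(model_handler h)
{
    struct model_timer t = { .card_number = 3 };
    struct model_timer_instance ti = { .timer = &t };
    struct model_timer_user tu = { .timeri = &ti };
    return h(&tu);
}

int main(void)
{
    printf("before: ret=%d warnings=%d\n",
           model_ret_without_instance(info_compat_before),
           model_warnings_without_instance(info_compat_before));
    printf("after:  ret=%d warnings=%d\n",
           model_ret_without_instance(info_compat_after),
           model_warnings_without_instance(info_compat_after));
    return 0;
}
```

Building with `-DMODEL_SND_DEBUG=0` shows the other half of the story: the pre-patch check still returns -ENXIO but silently, which is why the problem only became visible once syzkaller's config enabled the debug option. The defender's takeaway is the one the commit message states: an assertion macro belongs on invariants the kernel itself guarantees, not on state that a user-space caller can produce through a legitimate ioctl sequence.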
