From patchwork Thu Nov 30 09:15:02 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Takashi Iwai <tiwai@suse.de>
X-Patchwork-Id: 10084449
Return-Path: <alsa-devel-bounces@alsa-project.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
	[172.30.200.125])
	by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id
	6DC0160234 for <patchwork-alsa-devel@patchwork.kernel.org>;
	Thu, 30 Nov 2017 09:15:09 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 6D15E29ABF
	for <patchwork-alsa-devel@patchwork.kernel.org>;
	Thu, 30 Nov 2017 09:15:09 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id 6046A29B0F; Thu, 30 Nov 2017 09:15:09 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 required=2.0 tests=BAYES_00, RCVD_IN_DNSWL_NONE
	autolearn=ham version=3.3.1
Received: from alsa0.perex.cz (alsa0.perex.cz [77.48.224.243])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 86EA729ABF
	for <patchwork-alsa-devel@patchwork.kernel.org>;
	Thu, 30 Nov 2017 09:15:08 +0000 (UTC)
Received: from alsa0.perex.cz (localhost [127.0.0.1])
	by alsa0.perex.cz (Postfix) with ESMTP id 707D5267AB4;
	Thu, 30 Nov 2017 10:15:06 +0100 (CET)
X-Original-To: alsa-devel@alsa-project.org
Delivered-To: alsa-devel@alsa-project.org
Received: by alsa0.perex.cz (Postfix, from userid 1000)
	id 6D005267AB5; Thu, 30 Nov 2017 10:15:05 +0100 (CET)
Received: from mx2.suse.de (mx2.suse.de [195.135.220.15])
	by alsa0.perex.cz (Postfix) with ESMTP id C8816266A74
	for <alsa-devel@alsa-project.org>;
	Thu, 30 Nov 2017 10:15:03 +0100 (CET)
X-Virus-Scanned: by amavisd-new at test-mx.suse.de
Received: from relay1.suse.de (charybdis-ext.suse.de [195.135.220.254])
	by mx2.suse.de (Postfix) with ESMTP id EAF2BAD70;
	Thu, 30 Nov 2017 09:15:02 +0000 (UTC)
Date: Thu, 30 Nov 2017 10:15:02 +0100
Message-ID: <s5h1skgi0vd.wl-tiwai@suse.de>
From: Takashi Iwai <tiwai@suse.de>
To: syzbot
	<bot+f33bd65ef82b2dac666f0d0b79813c222cddb2e9@syzkaller.appspotmail.com>
In-Reply-To: <001a1148cc3adcd1e9055f2cf29a@google.com>
References: <001a1148cc3adcd1e9055f2cf29a@google.com>
User-Agent: Wanderlust/2.15.9 (Almost Unreal) SEMI/1.14.6 (Maruoka)
	FLIM/1.14.9 (=?UTF-8?B?R29qxY0=?=) APEL/10.8 Emacs/25.3
	(x86_64-suse-linux-gnu) MULE/6.0 (HANACHIRUSATO)
MIME-Version: 1.0 (generated by SEMI 1.14.6 - "Maruoka")
Cc: alsa-devel@alsa-project.org, syzkaller-bugs@googlegroups.com,
	linux-kernel@vger.kernel.org
Subject: Re: [alsa-devel] WARNING in initialize_timer
X-BeenThere: alsa-devel@alsa-project.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: "Alsa-devel mailing list for ALSA developers -
	http://www.alsa-project.org" <alsa-devel.alsa-project.org>
List-Unsubscribe: 
 <http://mailman.alsa-project.org/mailman/options/alsa-devel>,
	<mailto:alsa-devel-request@alsa-project.org?subject=unsubscribe>
List-Archive: <http://mailman.alsa-project.org/pipermail/alsa-devel/>
List-Post: <mailto:alsa-devel@alsa-project.org>
List-Help: <mailto:alsa-devel-request@alsa-project.org?subject=help>
List-Subscribe: <http://mailman.alsa-project.org/mailman/listinfo/alsa-devel>,
	<mailto:alsa-devel-request@alsa-project.org?subject=subscribe>
Errors-To: alsa-devel-bounces@alsa-project.org
Sender: alsa-devel-bounces@alsa-project.org
X-Virus-Scanned: ClamAV using ClamSMTP

On Thu, 30 Nov 2017 06:59:01 +0100,
syzbot wrote:
> 
> Hello,
> 
> syzkaller hit the following crash on
> 43570f0383d6d5879ae585e6c3cf027ba321546f
> git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/master
> compiler: gcc (GCC) 7.1.1 20170620
> .config is attached
> Raw console output is attached.
> 
> Unfortunately, I don't have any reproducer for this bug yet.
> 
> 
> binder: 4519:4521 ioctl 40046205 2 returned -22
> binder: 4519:4521 ioctl c0106403 20008ff0 returned -22
> WARNING: CPU: 0 PID: 4528 at sound/core/seq/seq_timer.c:358
> initialize_timer+0x22d/0x290 sound/core/seq/seq_timer.c:358

This must be a spurious WARN_ON() when a slave timer is used while the
master is freed.

I'm going to queue the patch below.

#syz fix: ALSA: seq: Remove spurious WARN_ON() at timer check


thanks,

Takashi

-- 8< --
From: Takashi Iwai <tiwai@suse.de>
Subject: [PATCH] ALSA: seq: Remove spurious WARN_ON() at timer check

The use of snd_BUG_ON() in ALSA sequencer timer may lead to a spurious
WARN_ON() when a slave timer is deployed as its backend and a
corresponding master timer stops meanwhile.  The symptom was triggered
by syzkaller spontaneously.

Since the NULL timer is valid there, rip off snd_BUG_ON().

Reported-by: syzbot <syzkaller@googlegroups.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
---
 sound/core/seq/seq_timer.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sound/core/seq/seq_timer.c b/sound/core/seq/seq_timer.c
index 37d9cfbc29f9..b80985fbc334 100644
--- a/sound/core/seq/seq_timer.c
+++ b/sound/core/seq/seq_timer.c
@@ -355,7 +355,7 @@ static int initialize_timer(struct snd_seq_timer *tmr)
 	unsigned long freq;
 
 	t = tmr->timeri->timer;
-	if (snd_BUG_ON(!t))
+	if (!t)
 		return -EINVAL;
 
 	freq = tmr->preferred_resolution;