From patchwork Tue Apr 5 14:18:42 2016
X-Patchwork-Submitter: Takashi Iwai
X-Patchwork-Id: 8752621
Date: Tue, 05 Apr 2016 16:18:42 +0200
Message-ID:
From: Takashi Iwai
To: "Baozeng Ding"
In-Reply-To: <5703C2E2.306@gmail.com>
References: <5703C2E2.306@gmail.com>
Cc: koro.chen@mediatek.com, lars@metafoo.de, alsa-devel@alsa-project.org, linux-kernel@vger.kernel.org
Subject: Re: [alsa-devel] Sound: BUG: KASAN: use-after-free in kill_fasync

On Tue, 05 Apr 2016 15:51:30 +0200, Baozeng Ding wrote:
>
> Hi all,
> I've got the following report (use-after-free in kill_fasync) while
> running syzkaller.
> Unfortunately no reproducer. The kernel version is 4.5 (on Mar 16 commit
> 09fd671ccb2475436bd5f597f751ca4a7d177aea).
>
> ==================================================================
> BUG: KASAN: use-after-free in kill_fasync+0x3fb/0x420 at addr ffff880067691d88
> Read of size 8 by task swapper/2/0
> =============================================================================
> BUG kmalloc-2048 (Not tainted): kasan: bad access detected
> -----------------------------------------------------------------------------
>
> Disabling lock debugging due to kernel taint
> INFO: Allocated in 0xbbbbbbbbbbbbbbbb age=18446678412249576073 cpu=2245704320 pid=-1
> [< inline >] kmalloc /kernel/include/linux/slab.h:472
> [< inline >] kzalloc /kernel/include/linux/slab.h:616
> [< none >] snd_pcm_attach_substream+0x3b4/0xb10 /kernel/sound/core/pcm.c:966
> [< none >] ___slab_alloc+0x4c7/0x500 /kernel/mm/slub.c:2446
> [< none >] __slab_alloc+0x4c/0x90 /kernel/mm/slub.c:2475
> [< inline >] slab_alloc_node /kernel/mm/slub.c:2538
> [< inline >] slab_alloc /kernel/mm/slub.c:2580
> [< none >] kmem_cache_alloc_trace+0x262/0x300 /kernel/mm/slub.c:2597
> [< inline >] kmalloc /kernel/include/linux/slab.h:472
> [< inline >] kzalloc /kernel/include/linux/slab.h:616
> [< none >] snd_pcm_attach_substream+0x3b4/0xb10 /kernel/sound/core/pcm.c:966
> [< none >] snd_pcm_open_substream+0x84/0x450 /kernel/sound/core/pcm_native.c:2262
> [< inline >] snd_pcm_oss_open_file /kernel/sound/core/oss/pcm_oss.c:2346
> [< none >] snd_pcm_oss_open.part.17+0x5a4/0x1100 /kernel/sound/core/oss/pcm_oss.c:2428
> [< none >] snd_pcm_oss_open+0x35/0x50 /kernel/sound/core/oss/pcm_oss.c:2392
> [< none >] soundcore_open+0x30f/0x640 /kernel/sound/sound_core.c:639
> [< none >] chrdev_open+0x22a/0x4c0 /kernel/fs/char_dev.c:388
> [< none >] do_dentry_open+0x6a2/0xcb0 /kernel/fs/open.c:736
> [< none >] vfs_open+0x17b/0x1f0 /kernel/fs/open.c:853
> [< inline >] do_last /kernel/fs/namei.c:3258
> [< none >] path_openat+0x4837/0x5830 /kernel/fs/namei.c:3394
> [< none >] do_filp_open+0x18e/0x250 /kernel/fs/namei.c:3429
> [< none >] do_sys_open+0x201/0x420 /kernel/fs/open.c:1022
> [< inline >] SYSC_open /kernel/fs/open.c:1040
> [< none >] SyS_open+0x2d/0x40 /kernel/fs/open.c:1035
> INFO: Freed in 0x10000b076 age=18446678416544543380 cpu=0 pid=0
> [< none >] snd_pcm_detach_substream+0x134/0x280 /kernel/sound/core/pcm.c:1017
> [< none >] __slab_free+0x1e8/0x300 /kernel/mm/slub.c:2657
> [< inline >] slab_free /kernel/mm/slub.c:2810
> [< none >] kfree+0x24e/0x2d0 /kernel/mm/slub.c:3661
> [< none >] snd_pcm_detach_substream+0x134/0x280 /kernel/sound/core/pcm.c:1017
> [< none >] snd_pcm_release_substream.part.38+0x219/0x2f0 /kernel/sound/core/pcm_native.c:2250
> [< none >] snd_pcm_release_substream+0x59/0x70 /kernel/sound/core/pcm_native.c:2251
> [< none >] snd_pcm_oss_release_file+0x45/0xb0 /kernel/sound/core/oss/pcm_oss.c:2305
> [< none >] snd_pcm_oss_release+0xfa/0x250 /kernel/sound/core/oss/pcm_oss.c:2485
> [< none >] __fput+0x236/0x780 /kernel/fs/file_table.c:208
> [< none >] ____fput+0x15/0x20 /kernel/fs/file_table.c:244
> [< none >] task_work_run+0x16b/0x200 /kernel/kernel/task_work.c:115
> [< inline >] exit_task_work /kernel/include/linux/task_work.h:21
> [< none >] do_exit+0x87f/0x2c90 /kernel/kernel/exit.c:748
> [< none >] do_group_exit+0x108/0x330 /kernel/kernel/exit.c:878
> [< inline >] SYSC_exit_group /kernel/kernel/exit.c:889
> [< none >] SyS_exit_group+0x1d/0x20 /kernel/kernel/exit.c:887
> [< none >] entry_SYSCALL_64_fastpath+0x23/0xc1 /kernel/arch/x86/entry/entry_64.S:207
> INFO: Slab 0xffffea00019da400 objects=13 used=8 fp=0xffff880067691be0 flags=0x5fffc0000004080
> INFO: Object 0xffff880067691bd8 @offset=7128 fp=0xbbbbbbbbbbbbbbbb
> Call Trace:
> [< inline >] __dump_stack /kernel/lib/dump_stack.c:15
> [] dump_stack+0xb3/0x112 /kernel/lib/dump_stack.c:51
> [] print_trailer+0x10d/0x190 /kernel/mm/slub.c:668
> [] object_err+0x2f/0x40 /kernel/mm/slub.c:675
> [< inline >] print_address_description /kernel/mm/kasan/report.c:138
> [] kasan_report_error+0x215/0x530 /kernel/mm/kasan/report.c:236
> [< inline >] ? spin_lock /kernel/include/linux/spinlock.h:302
> [] ? snd_pcm_stream_lock+0x80/0xd0 /kernel/sound/core/pcm_native.c:104
> [< inline >] kasan_report /kernel/mm/kasan/report.c:259
> [] __asan_report_load8_noabort+0x3e/0x40 /kernel/mm/kasan/report.c:280
> [] ? kill_fasync+0x3fb/0x420 /kernel/fs/fcntl.c:729
> [] kill_fasync+0x3fb/0x420 /kernel/fs/fcntl.c:729
> [] snd_pcm_period_elapsed+0x1c8/0x230 /kernel/sound/core/pcm_lib.c:1890
> [] ? get_bound_vga.isra.21.part.22+0x140/0x140 /kernel/sound/pci/hda/hda_intel.c:1327
> [] stream_update+0xad/0xe0 /kernel/sound/pci/hda/hda_controller.c:923
> [] snd_hdac_bus_handle_stream_irq+0x24e/0x350 /kernel/sound/hda/hdac_controller.c:449
> [] ? azx_init_chip+0x100/0x100 /kernel/sound/pci/hda/hda_controller.c:890
> [] ? azx_interrupt+0x14/0x4d0 /kernel/sound/pci/hda/hda_controller.c:929
> [] azx_interrupt+0x1de/0x4d0 /kernel/sound/pci/hda/hda_controller.c:954
> [] ? azx_stop_chip+0x20/0x20 /kernel/sound/pci/hda/hda_controller.c:908
> [] handle_irq_event_percpu+0xf3/0x790 /kernel/kernel/irq/handle.c:145
> [] handle_irq_event+0xa7/0x140 /kernel/kernel/irq/handle.c:192
> [] handle_edge_irq+0x1e1/0x8d0 /kernel/kernel/irq/chip.c:623
> [< inline >] generic_handle_irq_desc /kernel/include/linux/irqdesc.h:146
> [] handle_irq+0x109/0x2a0 /kernel/arch/x86/kernel/irq_64.c:78
> [< inline >] ? rcu_lock_release /kernel/include/linux/rcupdate.h:491
> [< inline >] ? rcu_read_unlock /kernel/include/linux/rcupdate.h:926
> [< inline >] ? __atomic_notifier_call_chain /kernel/kernel/notifier.c:184
> [] ? atomic_notifier_call_chain+0xbf/0x140 /kernel/kernel/notifier.c:193
> [] ? __atomic_notifier_call_chain+0x150/0x150 /kernel/include/linux/rcupdate.h:922
> [] do_IRQ+0x7d/0x1a0 /kernel/arch/x86/kernel/irq.c:240
> [] common_interrupt+0x8c/0x8c /kernel/arch/x86/entry/entry_64.S:454
> [] ? native_safe_halt+0x6/0x10 /kernel/./arch/x86/include/asm/irqflags.h:49
> [] ? trace_hardirqs_on+0xd/0x10 /kernel/kernel/locking/lockdep.c:2635
> [< inline >] arch_safe_halt /kernel/./arch/x86/include/asm/paravirt.h:117
> [] default_idle+0x22/0x2d0 /kernel/arch/x86/kernel/process.c:307
> [] arch_cpu_idle+0xa/0x10 /kernel/arch/x86/kernel/process.c:298
> [] default_idle_call+0x48/0x70 /kernel/kernel/sched/idle.c:93
> [< inline >] cpuidle_idle_call /kernel/kernel/sched/idle.c:151
> [< inline >] cpu_idle_loop /kernel/kernel/sched/idle.c:242
> [] cpu_startup_entry+0x467/0x600 /kernel/kernel/sched/idle.c:291
> [] start_secondary+0x2b2/0x380 /kernel/arch/x86/kernel/smpboot.c:259
> [] ? set_cpu_sibling_map+0x18a0/0x18a0 /kernel/include/linux/topology.h:80
> Memory state around the buggy address:
>  ffff880067691c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>  ffff880067691d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> >ffff880067691d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>                                            ^
>  ffff880067691e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>  ffff880067691e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ==================================================================
>
> It seems that in function snd_pcm_detach_substream, when freeing runtime
> structure, it did not handle its fasync data pointer. Any ideas? Thanks.

Well, fasync doesn't need a cleanup usually.
Do you have a proper reproducer code?

Anyway, try the patch below. I'm not sure whether this would help,
but if the path is via kill_fasync(), it'd be good to put in the
protected context.


Takashi

diff --git a/sound/core/pcm_lib.c b/sound/core/pcm_lib.c
index 3a9b66c6e09c..0aca39762ed0 100644
--- a/sound/core/pcm_lib.c
+++ b/sound/core/pcm_lib.c
@@ -1886,8 +1886,8 @@ void snd_pcm_period_elapsed(struct snd_pcm_substream *substream) snd_timer_interrupt(substream->timer, 1); #endif _end: - snd_pcm_stream_unlock_irqrestore(substream, flags); kill_fasync(&runtime->fasync, SIGIO, POLL_IN); + snd_pcm_stream_unlock_irqrestore(substream, flags); } EXPORT_SYMBOL(snd_pcm_period_elapsed);
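Review bot: swapping kill_fasync() and snd_pcm_stream_unlock_irqrestore() only closes the window if the freeing side serialises on the same stream lock, and neither the hunk nor the description establishes that; the quoted Freed-in trace runs snd_pcm_release_substream -> snd_pcm_detach_substream -> kfree, so the commit message should state that this release path takes the stream lock (or otherwise waits for a running irq handler) before runtime is freed, because otherwise `kill_fasync(&runtime->fasync, SIGIO, POLL_IN);` can still dereference a freed runtime exactly as the "Read of size 8" in kill_fasync reports. A one-line comment at the moved call, e.g. `/* must stay under the stream lock: runtime may be freed right after unlock */`, would keep a later cleanup from moving it back out, since the reordering otherwise looks incidental. The description should also say explicitly that the fix targets the ordering in snd_pcm_period_elapsed() rather than adding fasync cleanup in snd_pcm_detach_substream, which is what the reporter asked about.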
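To make the ordering argument in the reply concrete, here is an added single-threaded C model; it is not kernel code and not part of this thread. The stream spinlock is a flag, `try_release` stands for the release path in the Freed-in trace and returns false where a real `spin_lock()` would spin, and `fasync_reads_freed` stands for the `runtime->fasync` dereference inside `kill_fasync()`; every name other than the kernel functions they mirror is an assumption of this example.

```c
#include <stdbool.h>
#include <stdlib.h>
struct runtime { int fasync; };         /* stands in for snd_pcm_runtime */
struct substream {
    bool locked;                        /* stream spinlock held? (modelled) */
    struct runtime *runtime;
    const struct runtime *freed;        /* last runtime kfree()d, for the check */
};

/* Process side (fput -> release -> detach). Needs the stream lock; returns
 * false where a real spin_lock() would spin, so one thread drives both sides. */
static bool try_release(struct substream *s)
{
    if (s->locked) return false;
    struct runtime *rt = s->runtime;
    s->runtime = NULL;
    s->freed = rt;
    free(rt);
    return true;
}

/* kill_fasync(&runtime->fasync, ...) dereferences runtime: freed means UAF. */
static bool fasync_reads_freed(const struct substream *s, const struct runtime *rt)
{
    return rt && rt == s->freed;
}

/* Ordering before the patch: unlock, then kill_fasync(). A release on another
 * CPU that lands in between succeeds and the notification reads freed memory. */
static bool period_elapsed_before(struct substream *s)
{
    s->locked = true;
    struct runtime *rt = s->runtime;    /* captured under the lock */
    s->locked = false;
    try_release(s);                     /* wins the race: runtime is gone */
    return fasync_reads_freed(s, rt);   /* true */
}

/* Ordering after the patch: kill_fasync() inside the lock, so a concurrent
 * release has to spin until the irq handler is done with runtime. */
static bool period_elapsed_after(struct substream *s)
{
    s->locked = true;
    struct runtime *rt = s->runtime;
    bool early = try_release(s);        /* false: blocked by the lock */
    bool uaf = fasync_reads_freed(s, rt); /* false: runtime still alive */
    s->locked = false;
    try_release(s);                     /* now the free happens safely */
    return early || uaf;                /* false */
}
```

The model only holds when the release side really takes the stream lock before freeing, which is the invariant the patch relies on.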