Re: [syzbot] [alsa?] memory leak in snd_seq_create_port

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Takashi Iwai <tiwai@suse.de>
To: syzbot <syzbot+cf8e7fa4eeec59b3d485@syzkaller.appspotmail.com>
Cc: alsa-devel@alsa-project.org, linux-kernel@vger.kernel.org,
	perex@perex.cz, syzkaller-bugs@googlegroups.com, tiwai@suse.com
Subject: Re: [syzbot] [alsa?] memory leak in snd_seq_create_port
Date: Sun, 16 Jul 2023 15:07:23 +0200	[thread overview]
Message-ID: <87v8ekattg.wl-tiwai@suse.de> (raw)
In-Reply-To: <00000000000098ed3a0600965f89@google.com>

On Sun, 16 Jul 2023 10:21:49 +0200,
syzbot wrote:
> 
> Hello,
> 
> syzbot found the following issue on:
> 
> HEAD commit:    3f01e9fed845 Merge tag 'linux-watchdog-6.5-rc2' of git://w..
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=14b07344a80000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=75da4f0a455bdbd3
> dashboard link: https://syzkaller.appspot.com/bug?extid=cf8e7fa4eeec59b3d485
> compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=15877dc2a80000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=12905004a80000
> 
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/441fb7ea58b8/disk-3f01e9fe.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/8fa7790ba0c3/vmlinux-3f01e9fe.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/5e7a6471dadf/bzImage-3f01e9fe.xz
> 
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+cf8e7fa4eeec59b3d485@syzkaller.appspotmail.com
> 
> Warning: Permanently added '10.128.1.1' (ED25519) to the list of known hosts.
> executing program
> executing program
> BUG: memory leak
> unreferenced object 0xffff888100877000 (size 512):
>   comm "syz-executor257", pid 5012, jiffies 4294941742 (age 12.790s)
>   hex dump (first 32 bytes):
>     80 ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>   backtrace:
>     [<ffffffff8154bf94>] kmalloc_trace+0x24/0x90 mm/slab_common.c:1076
>     [<ffffffff83d29e28>] kmalloc include/linux/slab.h:582 [inline]
>     [<ffffffff83d29e28>] kzalloc include/linux/slab.h:703 [inline]
>     [<ffffffff83d29e28>] snd_seq_create_port+0x78/0x300 sound/core/seq/seq_ports.c:135
>     [<ffffffff83d1f681>] snd_seq_ioctl_create_port+0xe1/0x2a0 sound/core/seq/seq_clientmgr.c:1324
>     [<ffffffff83d20e5e>] snd_seq_ioctl+0x13e/0x290 sound/core/seq/seq_clientmgr.c:2327
>     [<ffffffff81685173>] vfs_ioctl fs/ioctl.c:51 [inline]
>     [<ffffffff81685173>] __do_sys_ioctl fs/ioctl.c:870 [inline]
>     [<ffffffff81685173>] __se_sys_ioctl fs/ioctl.c:856 [inline]
>     [<ffffffff81685173>] __x64_sys_ioctl+0x103/0x140 fs/ioctl.c:856
>     [<ffffffff84a77ff9>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
>     [<ffffffff84a77ff9>] do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
>     [<ffffffff84c0008b>] entry_SYSCALL_64_after_hwframe+0x63/0xcd
> 
> BUG: memory leak
> unreferenced object 0xffff888106742c00 (size 512):
>   comm "syz-executor257", pid 5013, jiffies 4294942276 (age 7.450s)
>   hex dump (first 32 bytes):
>     80 ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>   backtrace:
>     [<ffffffff8154bf94>] kmalloc_trace+0x24/0x90 mm/slab_common.c:1076
>     [<ffffffff83d29e28>] kmalloc include/linux/slab.h:582 [inline]
>     [<ffffffff83d29e28>] kzalloc include/linux/slab.h:703 [inline]
>     [<ffffffff83d29e28>] snd_seq_create_port+0x78/0x300 sound/core/seq/seq_ports.c:135
>     [<ffffffff83d1f681>] snd_seq_ioctl_create_port+0xe1/0x2a0 sound/core/seq/seq_clientmgr.c:1324
>     [<ffffffff83d20e5e>] snd_seq_ioctl+0x13e/0x290 sound/core/seq/seq_clientmgr.c:2327
>     [<ffffffff81685173>] vfs_ioctl fs/ioctl.c:51 [inline]
>     [<ffffffff81685173>] __do_sys_ioctl fs/ioctl.c:870 [inline]
>     [<ffffffff81685173>] __se_sys_ioctl fs/ioctl.c:856 [inline]
>     [<ffffffff81685173>] __x64_sys_ioctl+0x103/0x140 fs/ioctl.c:856
>     [<ffffffff84a77ff9>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
>     [<ffffffff84a77ff9>] do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
>     [<ffffffff84c0008b>] entry_SYSCALL_64_after_hwframe+0x63/0xcd

Likely a forgotten kfree() at the error path.
The patch below should fix it.


Takashi

-- 8< --
From: Takashi Iwai <tiwai@suse.de>
Subject: [PATCH] ALSA: seq: Fix memory leak at error path in
 snd_seq_create_port()

We forgot to release a newly allocated item at the error path in
snd_seq_create_port().  This patch fixes it.

Reported-by: syzbot+cf8e7fa4eeec59b3d485@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/r/00000000000098ed3a0600965f89@google.com
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
---
 sound/core/seq/seq_ports.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/sound/core/seq/seq_ports.c b/sound/core/seq/seq_ports.c
index 9b80f8275026..f3f14ff0f80f 100644
--- a/sound/core/seq/seq_ports.c
+++ b/sound/core/seq/seq_ports.c
@@ -149,6 +149,7 @@ int snd_seq_create_port(struct snd_seq_client *client, int port,
 	write_lock_irq(&client->ports_lock);
 	list_for_each_entry(p, &client->ports_list_head, list) {
 		if (p->addr.port == port) {
+			kfree(new_port);
 			num = -EBUSY;
 			goto unlock;
 		}
-- 
2.35.3

next prev parent reply	other threads:[~2023-07-16 13:08 UTC|newest]

Thread overview: 8+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-07-16  8:21 [syzbot] [alsa?] memory leak in snd_seq_create_port syzbot
2023-07-16 13:07 ` Takashi Iwai [this message]
2023-07-16 19:06   ` Geraldo Nascimento
2023-07-17  6:27     ` Takashi Iwai
2023-07-17 13:29       ` Geraldo Nascimento
2023-07-17  7:02     ` Dmitry Vyukov
2023-07-17 13:31       ` Geraldo Nascimento
2023-07-17 21:05       ` Geraldo Nascimento

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:9b80f827502 dfblob:f3f14ff0f80 )
 OR (
bs:"ALSA: seq: Fix memory leak at error path in" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=87v8ekattg.wl-tiwai@suse.de \
    --to=tiwai@suse.de \
    --cc=alsa-devel@alsa-project.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=perex@perex.cz \
    --cc=syzbot+cf8e7fa4eeec59b3d485@syzkaller.appspotmail.com \
    --cc=syzkaller-bugs@googlegroups.com \
    --cc=tiwai@suse.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.