Re: [syzbot] [alsa?] memory leak in snd_seq_create_port

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Takashi Iwai <tiwai@suse.de>
To: Geraldo Nascimento <geraldogabriel@gmail.com>
Cc: syzbot <syzbot+cf8e7fa4eeec59b3d485@syzkaller.appspotmail.com>,
	alsa-devel@alsa-project.org, linux-kernel@vger.kernel.org,
	perex@perex.cz, syzkaller-bugs@googlegroups.com, tiwai@suse.com
Subject: Re: [syzbot] [alsa?] memory leak in snd_seq_create_port
Date: Mon, 17 Jul 2023 08:27:48 +0200	[thread overview]
Message-ID: <87y1jfjbmj.wl-tiwai@suse.de> (raw)
In-Reply-To: <ZLQ/zKgTGMHy/6Jn@geday>

On Sun, 16 Jul 2023 21:06:52 +0200,
Geraldo Nascimento wrote:
> 
> On Sun, Jul 16, 2023 at 03:07:23PM +0200, Takashi Iwai wrote:
> > On Sun, 16 Jul 2023 10:21:49 +0200,
> > syzbot wrote:
> > > 
> > > Hello,
> > > 
> > > syzbot found the following issue on:
> > > 
> > > HEAD commit:    3f01e9fed845 Merge tag 'linux-watchdog-6.5-rc2' of git://w..
> > > git tree:       upstream
> > > console output: https://syzkaller.appspot.com/x/log.txt?x=14b07344a80000
> > > kernel config:  https://syzkaller.appspot.com/x/.config?x=75da4f0a455bdbd3
> > > dashboard link: https://syzkaller.appspot.com/bug?extid=cf8e7fa4eeec59b3d485
> > > compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
> > > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=15877dc2a80000
> > > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=12905004a80000
> > > 
> > > Downloadable assets:
> > > disk image: https://storage.googleapis.com/syzbot-assets/441fb7ea58b8/disk-3f01e9fe.raw.xz
> > > vmlinux: https://storage.googleapis.com/syzbot-assets/8fa7790ba0c3/vmlinux-3f01e9fe.xz
> > > kernel image: https://storage.googleapis.com/syzbot-assets/5e7a6471dadf/bzImage-3f01e9fe.xz
> > > 
> > > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > > Reported-by: syzbot+cf8e7fa4eeec59b3d485@syzkaller.appspotmail.com
> > > 
> > > Warning: Permanently added '10.128.1.1' (ED25519) to the list of known hosts.
> > > executing program
> > > executing program
> > > BUG: memory leak
> > > unreferenced object 0xffff888100877000 (size 512):
> > >   comm "syz-executor257", pid 5012, jiffies 4294941742 (age 12.790s)
> > >   hex dump (first 32 bytes):
> > >     80 ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> > >     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> > >   backtrace:
> > >     [<ffffffff8154bf94>] kmalloc_trace+0x24/0x90 mm/slab_common.c:1076
> > >     [<ffffffff83d29e28>] kmalloc include/linux/slab.h:582 [inline]
> > >     [<ffffffff83d29e28>] kzalloc include/linux/slab.h:703 [inline]
> > >     [<ffffffff83d29e28>] snd_seq_create_port+0x78/0x300 sound/core/seq/seq_ports.c:135
> > >     [<ffffffff83d1f681>] snd_seq_ioctl_create_port+0xe1/0x2a0 sound/core/seq/seq_clientmgr.c:1324
> > >     [<ffffffff83d20e5e>] snd_seq_ioctl+0x13e/0x290 sound/core/seq/seq_clientmgr.c:2327
> > >     [<ffffffff81685173>] vfs_ioctl fs/ioctl.c:51 [inline]
> > >     [<ffffffff81685173>] __do_sys_ioctl fs/ioctl.c:870 [inline]
> > >     [<ffffffff81685173>] __se_sys_ioctl fs/ioctl.c:856 [inline]
> > >     [<ffffffff81685173>] __x64_sys_ioctl+0x103/0x140 fs/ioctl.c:856
> > >     [<ffffffff84a77ff9>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
> > >     [<ffffffff84a77ff9>] do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
> > >     [<ffffffff84c0008b>] entry_SYSCALL_64_after_hwframe+0x63/0xcd
> > > 
> > > BUG: memory leak
> > > unreferenced object 0xffff888106742c00 (size 512):
> > >   comm "syz-executor257", pid 5013, jiffies 4294942276 (age 7.450s)
> > >   hex dump (first 32 bytes):
> > >     80 ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> > >     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> > >   backtrace:
> > >     [<ffffffff8154bf94>] kmalloc_trace+0x24/0x90 mm/slab_common.c:1076
> > >     [<ffffffff83d29e28>] kmalloc include/linux/slab.h:582 [inline]
> > >     [<ffffffff83d29e28>] kzalloc include/linux/slab.h:703 [inline]
> > >     [<ffffffff83d29e28>] snd_seq_create_port+0x78/0x300 sound/core/seq/seq_ports.c:135
> > >     [<ffffffff83d1f681>] snd_seq_ioctl_create_port+0xe1/0x2a0 sound/core/seq/seq_clientmgr.c:1324
> > >     [<ffffffff83d20e5e>] snd_seq_ioctl+0x13e/0x290 sound/core/seq/seq_clientmgr.c:2327
> > >     [<ffffffff81685173>] vfs_ioctl fs/ioctl.c:51 [inline]
> > >     [<ffffffff81685173>] __do_sys_ioctl fs/ioctl.c:870 [inline]
> > >     [<ffffffff81685173>] __se_sys_ioctl fs/ioctl.c:856 [inline]
> > >     [<ffffffff81685173>] __x64_sys_ioctl+0x103/0x140 fs/ioctl.c:856
> > >     [<ffffffff84a77ff9>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
> > >     [<ffffffff84a77ff9>] do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
> > >     [<ffffffff84c0008b>] entry_SYSCALL_64_after_hwframe+0x63/0xcd
> > 
> > Likely a forgotten kfree() at the error path.
> > The patch below should fix it.
> > 
> > 
> > Takashi
> > 
> > -- 8< --
> > From: Takashi Iwai <tiwai@suse.de>
> > Subject: [PATCH] ALSA: seq: Fix memory leak at error path in
> >  snd_seq_create_port()
> > 
> > We forgot to release a newly allocated item at the error path in
> > snd_seq_create_port().  This patch fixes it.
> 
> Thanks for the clarification and quick proposed resolution Takashi. As
> an ALSA novice these bots always stunt me, personally. I understand how
> helpful they are however, even if cryptic.
> 
> But shouldn't this be reported to security? It's always prone to bad
> stuff when we forget a kfree()

It's a bug that happened only on 6.5-rc1, so no need to bother too
much with security issue fiasco for distros.


Takashi

next prev parent reply	other threads:[~2023-07-17  6:29 UTC|newest]

Thread overview: 8+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-07-16  8:21 [syzbot] [alsa?] memory leak in snd_seq_create_port syzbot
2023-07-16 13:07 ` Takashi Iwai
2023-07-16 19:06   ` Geraldo Nascimento
2023-07-17  6:27     ` Takashi Iwai [this message]
2023-07-17 13:29       ` Geraldo Nascimento
2023-07-17  7:02     ` Dmitry Vyukov
2023-07-17 13:31       ` Geraldo Nascimento
2023-07-17 21:05       ` Geraldo Nascimento

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=87y1jfjbmj.wl-tiwai@suse.de \
    --to=tiwai@suse.de \
    --cc=alsa-devel@alsa-project.org \
    --cc=geraldogabriel@gmail.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=perex@perex.cz \
    --cc=syzbot+cf8e7fa4eeec59b3d485@syzkaller.appspotmail.com \
    --cc=syzkaller-bugs@googlegroups.com \
    --cc=tiwai@suse.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.