From: Takashi Iwai <tiwai@suse.de>
To: maz@kernel.org
Cc: alsa-devel@alsa-project.org, tiwai@suse.com,
syzkaller-bugs@googlegroups.com, linux-kernel@vger.kernel.org,
viro@zeniv.linux.org.uk, linux-fsdevel@vger.kernel.org,
dan.carpenter@oracle.com
Subject: Re: general protection fault in snd_ctl_release
Date: Wed, 02 Sep 2020 17:22:00 +0200
Message-ID: <s5h36409pbb.wl-tiwai@suse.de>
In-Reply-To: <000000000000c15ee205ae4f2531@google.com>
On Wed, 02 Sep 2020 08:57:22 +0200,
syzbot wrote:
>
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: b51594df Merge tag 'docs-5.9-3' of git://git.lwn.net/linux
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=172fea15900000
> kernel config: https://syzkaller.appspot.com/x/.config?x=3c5f6ce8d5b68299
> dashboard link: https://syzkaller.appspot.com/bug?extid=dd94e1d44f61c258d538
> compiler: gcc (GCC) 10.1.0-syz 20200507
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=179811c1900000
>
> The issue was bisected to:
>
> commit a9ed4a6560b8562b7e2e2bed9527e88001f7b682
> Author: Marc Zyngier <maz@kernel.org>
> Date: Wed Aug 19 16:12:17 2020 +0000
>
> epoll: Keep a reference on files added to the check list
Luckily, this one could be easily reproduced locally, and I confirmed
that the commit above indeed brought a regression.

It seems that the same file gets closed twice after this patch, and
KASAN caught the double-free. With the debug patch below, the syz
reproducer occasionally hits the first check point; it indicates that
we're calling get_file() on the file being deleted. Then fput() will
be called again on this file, and it's deleted again in the end.

Marc, Al, could you guys check this bug?

Thanks!

Takashi
--- a/fs/eventpoll.c
+++ b/fs/eventpoll.c
@@ -1995,9 +1995,13 @@ static int ep_loop_check_proc(void *priv, void *cookie, int call_nests)
* during ep_insert().
*/
if (list_empty(&epi->ffd.file->f_tfile_llink)) {
+ if (!file_count(epi->ffd.file)) {
+ pr_err("XXX file being deleted\n");
+ } else {
get_file(epi->ffd.file);
list_add(&epi->ffd.file->f_tfile_llink,
&tfile_check_list);
+ }
}
}
}
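Review bot: the new `if (!file_count(epi->ffd.file))` test followed by `get_file(epi->ffd.file)` in the `else` branch is a check-then-act on a reference count that another task can drop to zero between the two lines, so even as a debug probe it can miss the race it is meant to catch, and when it does fire the count has already reached zero, meaning `epi->ffd.file` is being read after its last reference was dropped. That is fine for confirming the symptom, but a fix should not test for a dead file here: either take the reference with an atomic increment-if-not-zero, or, better, make sure the epitem is unlinked before the file's final put so `ep_loop_check_proc` never sees a file whose count is zero. Note also that when the check fires the `list_add` is skipped, so the file is silently absent from `tfile_check_list`.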
@@ -2205,6 +2209,8 @@ int do_epoll_ctl(int epfd, int op, int fd, struct epoll_event *epds,
error = -ELOOP;
if (ep_loop_check(ep, tf.file) != 0)
goto error_tgt_fput;
+ } else if (!file_count(tf.file)) {
+ pr_err("XXX file being deleted #2\n");
} else {
get_file(tf.file);
list_add(&tf.file->f_tfile_llink,
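Review bot: the `else if (!file_count(tf.file))` branch has the same check-then-act problem as the first hunk, and here it is more telling: `tf.file` is the target file that `do_epoll_ctl` resolved from `fd`, so a zero count at this point means the reference the caller should still be holding is already gone, which matches the "file being deleted #2" message but also means the `file_count()` read itself touches a possibly freed `struct file`. The branch also skips both `get_file()` and `list_add()` without setting `error`, so the call proceeds as if the file had been added to the check list; acceptable for a debug patch, but the final fix should restore the reference lifetime that the bisected commit a9ed4a6560b8 changed rather than detect a dead file here.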
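As an added illustration of the double put Takashi describes (model code written for this page, not kernel code): `mfile_get`/`mfile_put` stand in for `get_file()`/`fput()`, `mfile_release` stands in for the final free, and `mfile_get_not_zero` is a hypothetical increment-if-not-zero variant; the first scenario reproduces the second release that KASAN reported, the second shows the dead file being refused instead.

```c
#include <stdatomic.h>
#include <stdbool.h>

/* stand-in for struct file; the real object is freed on the last put,
 * this model only counts how often the release path ran */
struct mfile {
    atomic_long count;   /* models f_count */
    int freed;           /* 1 is correct, 2 is the double free */
};

/* models __fput(): where the kernel would free the object */
static void mfile_release(struct mfile *f) { f->freed++; }

/* models get_file(): unconditional increment, only valid while the
 * caller already holds a reference of its own */
static void mfile_get(struct mfile *f) { atomic_fetch_add(&f->count, 1); }

/* models fput(): drop one reference, release on the last one */
static void mfile_put(struct mfile *f) {
    if (atomic_fetch_sub(&f->count, 1) == 1)
        mfile_release(f);
}

/* hypothetical increment-if-not-zero: never revives a count of 0 */
static bool mfile_get_not_zero(struct mfile *f) {
    long c = atomic_load(&f->count);
    while (c != 0)
        if (atomic_compare_exchange_weak(&f->count, &c, c + 1))
            return true;
    return false;
}

/* the sequence from the mail: the owner already closed the file, the
 * check-list walk still calls get_file() on it, and the matching fput()
 * runs the release path a second time; returns the release count */
static int scenario_unconditional_get(void) {
    struct mfile f = { .count = 1 };
    mfile_put(&f);   /* last owner drops its reference: count 0, released */
    mfile_get(&f);   /* get_file() on the dead file resurrects the count */
    mfile_put(&f);   /* the later fput() releases it again */
    return f.freed;
}

/* same sequence with increment-if-not-zero: the dead file is skipped */
static int scenario_inc_not_zero(void) {
    struct mfile f = { .count = 1 };
    mfile_put(&f);
    if (mfile_get_not_zero(&f))
        mfile_put(&f);
    return f.freed;
}
```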