From: Takashi Iwai <tiwai@suse.de>
To: b_lkasam@codeaurora.org
Cc: rohkumar@qti.qualcomm.com, alsa-devel@alsa-project.org,
lkasam@qti.qualcomm.com
Subject: Re: KASAN tool mem leak issue
Date: Fri, 29 Dec 2017 10:05:14 +0100
Message-ID: <s5hincprjjp.wl-tiwai@suse.de>
In-Reply-To: <5c1e3d2f911602ada500b2dedd7ea2c5@codeaurora.org>

On Thu, 28 Dec 2017 07:43:36 +0100,
b_lkasam@codeaurora.org wrote:
>
> Hi ALSA team,
> Recently when running KASAN on our devices,
> we found the below KASAN failure wrt uninitialized mem access (or null-ptr
> deref) in file sound/core/timer.c.
>
> And our codebase already has this fix
> https://www.spinics.net/lists/alsa-devel/msg63410.html
> Seems the issue is still present, please help check and comment.
>
> Let me know if you need any other inputs.

Could you check whether the 4.15-rc kernel still shows the issue?
Judging from the line number in sound/core/timer.c, the code you're
testing isn't the latest one, and some fixes might be missing.


Takashi

>
> Observed Result:-
> ==================================================================
> sde_rotator ae00000.qcom,mdss_rotator: <SDEROT_WARN> invalid ioctl
> type c040563d
> sde_rotator ae00000.qcom,mdss_rotator: <SDEROT_WARN> invalid ioctl
> type 4c81
> BUG: KASAN: null-ptr-deref in copy_to_user
> arch/arm64/include/asm/uaccess.h:398 [inline]
> BUG: KASAN: null-ptr-deref in snd_timer_user_read+0x33c/0x458
> sound/core/timer.c:2010
> Read of size 32 at addr (null) by task syz-executor/2171
> sde_rotator ae00000.qcom,mdss_rotator: <SDEROT_WARN> invalid output
> format 0x00000000 7x2305
> CPU: 6 PID: 2171 Comm: syz-executor Tainted: G B W O 4.9.65+ #1
> Hardware name: Qualcomm Technologies, Inc. SDM670 PM660 + PM660L MTP
> (DT)
> Call trace:
> [<ffffff9ed988d390>] dump_backtrace+0x0/0x428
> arch/arm64/kernel/traps.c:76
> [<ffffff9ed988d7e0>] show_stack+0x28/0x38 arch/arm64/kernel/traps.c:226
> [<ffffff9ed9e2d9b8>] __dump_stack lib/dump_stack.c:15 [inline]
> [<ffffff9ed9e2d9b8>] dump_stack+0xd4/0x124 lib/dump_stack.c:51
> [<ffffff9ed9b1d77c>] kasan_report_error mm/kasan/report.c:345 [inline]
> [<ffffff9ed9b1d77c>] kasan_report.part.2+0xdc/0x2f0
> mm/kasan/report.c:371
> [<ffffff9ed9b1df44>] kasan_report+0x5c/0x70 mm/kasan/report.c:372
> [<ffffff9ed9b1c434>] check_memory_region_inline mm/kasan/kasan.c:301
> [inline]
> [<ffffff9ed9b1c434>] check_memory_region+0x12c/0x1c0
> mm/kasan/kasan.c:315
> [<ffffff9ed9b1c4e0>] kasan_check_read+0x18/0x20 mm/kasan/kasan.c:320
> [<ffffff9edad44144>] copy_to_user arch/arm64/include/asm/uaccess.h:398
> [inline]
> [<ffffff9edad44144>] snd_timer_user_read+0x33c/0x458
> sound/core/timer.c:2010
> [<ffffff9ed9b425e0>] __vfs_read+0xe0/0x2a0 fs/read_write.c:452
> [<ffffff9ed9b43e68>] vfs_read+0xb8/0x1c0 fs/read_write.c:475
> [<ffffff9ed9b461d4>] SYSC_read fs/read_write.c:591 [inline]
> [<ffffff9ed9b461d4>] SyS_read+0xcc/0x170 fs/read_write.c:584
> [<ffffff9ed9883f70>] el0_svc_naked+0x24/0x28
> ==================================================================
>
> Thank You,
> Laxminath Kasam