From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Vegard Nossum <vegard.nossum@oracle.com>,
Takashi Iwai <tiwai@suse.de>
Subject: [PATCH 4.7 56/59] ALSA: timer: fix NULL pointer dereference on memory allocation failure
Date: Mon, 12 Sep 2016 17:30:16 +0200 [thread overview]
Message-ID: <20160912152131.116318785@linuxfoundation.org> (raw)
In-Reply-To: <20160912152128.765864031@linuxfoundation.org>
4.7-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vegard Nossum <vegard.nossum@oracle.com>
commit 8ddc05638ee42b18ba4fe99b5fb647fa3ad20456 upstream.
I hit this with syzkaller:
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 1327 Comm: a.out Not tainted 4.8.0-rc2+ #190
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.9.3-0-ge2fc41e-prebuilt.qemu-project.org 04/01/2014
task: ffff88011278d600 task.stack: ffff8801120c0000
RIP: 0010:[<ffffffff82c8ba07>] [<ffffffff82c8ba07>] snd_hrtimer_start+0x77/0x100
RSP: 0018:ffff8801120c7a60 EFLAGS: 00010006
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000007
RDX: 0000000000000009 RSI: 1ffff10023483091 RDI: 0000000000000048
RBP: ffff8801120c7a78 R08: ffff88011a5cf768 R09: ffff88011a5ba790
R10: 0000000000000002 R11: ffffed00234b9ef1 R12: ffff880114843980
R13: ffffffff84213c00 R14: ffff880114843ab0 R15: 0000000000000286
FS: 00007f72958f3700(0000) GS:ffff88011aa00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000603001 CR3: 00000001126ab000 CR4: 00000000000006f0
Stack:
ffff880114843980 ffff880111eb2dc0 ffff880114843a34 ffff8801120c7ad0
ffffffff82c81ab1 0000000000000000 ffffffff842138e0 0000000100000000
ffff880111eb2dd0 ffff880111eb2dc0 0000000000000001 ffff880111eb2dc0
Call Trace:
[<ffffffff82c81ab1>] snd_timer_start1+0x331/0x670
[<ffffffff82c85bfd>] snd_timer_start+0x5d/0xa0
[<ffffffff82c8795e>] snd_timer_user_ioctl+0x88e/0x2830
[<ffffffff8159f3a0>] ? __follow_pte.isra.49+0x430/0x430
[<ffffffff82c870d0>] ? snd_timer_pause+0x80/0x80
[<ffffffff815a26fa>] ? do_wp_page+0x3aa/0x1c90
[<ffffffff8132762f>] ? put_prev_entity+0x108f/0x21a0
[<ffffffff82c870d0>] ? snd_timer_pause+0x80/0x80
[<ffffffff816b0733>] do_vfs_ioctl+0x193/0x1050
[<ffffffff813510af>] ? cpuacct_account_field+0x12f/0x1a0
[<ffffffff816b05a0>] ? ioctl_preallocate+0x200/0x200
[<ffffffff81002f2f>] ? syscall_trace_enter+0x3cf/0xdb0
[<ffffffff815045ba>] ? __context_tracking_exit.part.4+0x9a/0x1e0
[<ffffffff81002b60>] ? exit_to_usermode_loop+0x190/0x190
[<ffffffff82001a97>] ? check_preemption_disabled+0x37/0x1e0
[<ffffffff81d93889>] ? security_file_ioctl+0x89/0xb0
[<ffffffff816b167f>] SyS_ioctl+0x8f/0xc0
[<ffffffff816b15f0>] ? do_vfs_ioctl+0x1050/0x1050
[<ffffffff81005524>] do_syscall_64+0x1c4/0x4e0
[<ffffffff83c32b2a>] entry_SYSCALL64_slow_path+0x25/0x25
Code: c7 c7 c4 b9 c8 82 48 89 d9 4c 89 ee e8 63 88 7f fe e8 7e 46 7b fe 48 8d 7b 48 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 04 84 c0 7e 65 80 7b 48 00 74 0e e8 52 46
RIP [<ffffffff82c8ba07>] snd_hrtimer_start+0x77/0x100
RSP <ffff8801120c7a60>
---[ end trace 5955b08db7f2b029 ]---
This can happen if snd_hrtimer_open() fails to allocate memory and
returns an error, which is currently not checked by snd_timer_open():
ioctl(SNDRV_TIMER_IOCTL_SELECT)
- snd_timer_user_tselect()
- snd_timer_close()
- snd_hrtimer_close()
- (struct snd_timer *) t->private_data = NULL
- snd_timer_open()
- snd_hrtimer_open()
- kzalloc() fails; t->private_data is still NULL
ioctl(SNDRV_TIMER_IOCTL_START)
- snd_timer_user_start()
- snd_timer_start()
- snd_timer_start1()
- snd_hrtimer_start()
- t->private_data == NULL // boom
Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/core/timer.c | 17 +++++++++++++++--
1 file changed, 15 insertions(+), 2 deletions(-)
--- a/sound/core/timer.c
+++ b/sound/core/timer.c
@@ -294,8 +294,21 @@ int snd_timer_open(struct snd_timer_inst
get_device(&timer->card->card_dev);
timeri->slave_class = tid->dev_sclass;
timeri->slave_id = slave_id;
- if (list_empty(&timer->open_list_head) && timer->hw.open)
- timer->hw.open(timer);
+
+ if (list_empty(&timer->open_list_head) && timer->hw.open) {
+ int err = timer->hw.open(timer);
+ if (err) {
+ kfree(timeri->owner);
+ kfree(timeri);
+
+ if (timer->card)
+ put_device(&timer->card->card_dev);
+ module_put(timer->module);
+ mutex_unlock(®ister_mutex);
+ return err;
+ }
+ }
+
list_add_tail(&timeri->open_list, &timer->open_list_head);
snd_timer_check_master(timeri);
mutex_unlock(®ister_mutex);
next prev parent reply other threads:[~2016-09-12 15:32 UTC|newest]
Thread overview: 59+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <CGME20160912153038uscas1p166159f601d12fb1e6621d90d3ef5d311@uscas1p1.samsung.com>
[not found] ` <20160912152128.765864031@linuxfoundation.org>
2016-09-12 15:29 ` [PATCH 4.7 01/59] Revert "floppy: refactor open() flags handling" Greg Kroah-Hartman
2016-09-12 15:29 ` [PATCH 4.7 02/59] apparmor: fix refcount race when finding a child profile Greg Kroah-Hartman
2016-09-12 15:29 ` [PATCH 4.7 03/59] kernel: Add noaudit variant of ns_capable() Greg Kroah-Hartman
2016-09-12 15:29 ` [PATCH 4.7 04/59] net: Use ns_capable_noaudit() when determining net sysctl permissions Greg Kroah-Hartman
2016-09-12 15:29 ` [PATCH 4.7 05/59] fs: Check for invalid i_uid in may_follow_link() Greg Kroah-Hartman
2016-09-12 15:29 ` [PATCH 4.7 06/59] cred: Reject inodes with invalid ids in set_create_file_as() Greg Kroah-Hartman
2016-09-12 15:29 ` [PATCH 4.7 07/59] ext4: validate that metadata blocks do not overlap superblock Greg Kroah-Hartman
2016-09-12 15:29 ` [PATCH 4.7 08/59] ext4: fix xattr shifting when expanding inodes Greg Kroah-Hartman
2016-09-12 15:29 ` [PATCH 4.7 09/59] ext4: fix xattr shifting when expanding inodes part 2 Greg Kroah-Hartman
2016-09-12 15:29 ` [PATCH 4.7 10/59] ext4: properly align shifted xattrs when expanding inodes Greg Kroah-Hartman
2016-09-12 15:29 ` [PATCH 4.7 11/59] ext4: avoid deadlock when expanding inode size Greg Kroah-Hartman
2016-09-12 15:29 ` [PATCH 4.7 13/59] block: Fix race triggered by blk_set_queue_dying() Greg Kroah-Hartman
2016-09-12 15:29 ` [PATCH 4.7 14/59] block: make sure a big bio is split into at most 256 bvecs Greg Kroah-Hartman
2016-09-12 15:29 ` [PATCH 4.7 15/59] cgroup: reduce read locked section of cgroup_threadgroup_rwsem during fork Greg Kroah-Hartman
2016-09-12 15:29 ` [PATCH 4.7 16/59] cdc-acm: added sanity checking for probe() Greg Kroah-Hartman
2016-09-12 15:29 ` [PATCH 4.7 19/59] drm/atomic: Dont potentially reset color_mgmt_changed on successive property updates Greg Kroah-Hartman
2016-09-12 15:29 ` [PATCH 4.7 20/59] drm: Reject page_flip for !DRIVER_MODESET Greg Kroah-Hartman
2016-09-12 15:29 ` [PATCH 4.7 21/59] drm/msm: fix use of copy_from_user() while holding spinlock Greg Kroah-Hartman
2016-09-12 15:29 ` [PATCH 4.7 22/59] drm/vc4: Use drm_free_large() on handles to match its allocation Greg Kroah-Hartman
2016-09-12 15:29 ` [PATCH 4.7 23/59] drm/vc4: Fix overflow mem unreferencing when the binner runs dry Greg Kroah-Hartman
2016-09-12 15:29 ` [PATCH 4.7 24/59] drm/vc4: Fix oops when userspace hands in a bad BO Greg Kroah-Hartman
2016-09-12 15:29 ` [PATCH 4.7 25/59] ASoC: atmel_ssc_dai: Dont unconditionally reset SSC on stream startup Greg Kroah-Hartman
2016-09-12 15:29 ` [PATCH 4.7 26/59] xfs: fix superblock inprogress check Greg Kroah-Hartman
2016-09-12 15:29 ` [PATCH 4.7 27/59] timekeeping: Cap array access in timekeeping_debug Greg Kroah-Hartman
2016-09-12 15:29 ` [PATCH 4.7 28/59] timekeeping: Avoid taking lock in NMI path with CONFIG_DEBUG_TIMEKEEPING Greg Kroah-Hartman
2016-09-12 15:29 ` [PATCH 4.7 30/59] ovl: proper cleanup of workdir Greg Kroah-Hartman
2016-09-12 15:29 ` [PATCH 4.7 31/59] ovl: dont copy up opaqueness Greg Kroah-Hartman
2016-09-12 15:29 ` [PATCH 4.7 32/59] ovl: remove posix_acl_default from workdir Greg Kroah-Hartman
2016-09-12 15:29 ` [PATCH 4.7 33/59] ovl: listxattr: use strnlen() Greg Kroah-Hartman
2016-09-12 15:29 ` [PATCH 4.7 34/59] ovl: fix workdir creation Greg Kroah-Hartman
2016-09-12 15:29 ` [PATCH 4.7 35/59] mei: me: disable driver on SPT SPS firmware Greg Kroah-Hartman
2016-09-12 15:29 ` [PATCH 4.7 36/59] ubifs: Fix xattr generic handler usage Greg Kroah-Hartman
2016-09-12 15:29 ` [PATCH 4.7 38/59] bdev: fix NULL pointer dereference Greg Kroah-Hartman
2016-09-12 15:29 ` [PATCH 4.7 39/59] bcache: RESERVE_PRIO is too small by one when prio_buckets() is a power of two Greg Kroah-Hartman
2016-09-12 15:30 ` [PATCH 4.7 40/59] irqchip/mips-gic: Cleanup chip and handler setup Greg Kroah-Hartman
2016-09-12 15:30 ` [PATCH 4.7 41/59] irqchip/mips-gic: Implement activate op for device domain Greg Kroah-Hartman
2016-09-12 15:30 ` [PATCH 4.7 42/59] vhost/scsi: fix reuse of &vq->iov[out] in response Greg Kroah-Hartman
2016-09-12 15:30 ` [PATCH 4.7 43/59] x86/apic: Do not init irq remapping if ioapic is disabled Greg Kroah-Hartman
2016-09-12 15:30 ` [PATCH 4.7 44/59] xprtrdma: Create common scatterlist fields in rpcrdma_mw Greg Kroah-Hartman
2016-09-12 15:30 ` [PATCH 4.7 46/59] fscrypto: add authorization check for setting encryption policy Greg Kroah-Hartman
2016-09-12 15:30 ` [PATCH 4.7 47/59] fscrypto: only allow setting encryption policy on directories Greg Kroah-Hartman
2016-09-12 15:30 ` [PATCH 4.7 48/59] ALSA: usb-audio: Add sample rate inquiry quirk for B850V3 CP2114 Greg Kroah-Hartman
2016-09-12 15:30 ` [PATCH 4.7 49/59] ALSA: firewire-tascam: accessing to user space outside spinlock Greg Kroah-Hartman
2016-09-12 15:30 ` [PATCH 4.7 50/59] ALSA: fireworks: " Greg Kroah-Hartman
2016-09-12 15:30 ` [PATCH 4.7 51/59] ALSA: rawmidi: Fix possible deadlock with virmidi registration Greg Kroah-Hartman
2016-09-12 15:30 ` [PATCH 4.7 52/59] ALSA: hda - Add headset mic quirk for Dell Inspiron 5468 Greg Kroah-Hartman
2016-09-12 15:30 ` [PATCH 4.7 53/59] ALSA: hda - Enable subwoofer on Dell Inspiron 7559 Greg Kroah-Hartman
2016-09-12 15:30 ` [PATCH 4.7 54/59] ALSA: timer: fix NULL pointer dereference in read()/ioctl() race Greg Kroah-Hartman
2016-09-12 15:30 ` [PATCH 4.7 55/59] ALSA: timer: fix division by zero after SNDRV_TIMER_IOCTL_CONTINUE Greg Kroah-Hartman
2016-09-12 15:30 ` Greg Kroah-Hartman [this message]
2016-09-12 15:30 ` [PATCH 4.7 57/59] ALSA: timer: Fix zero-division by continue of uninitialized instance Greg Kroah-Hartman
2016-09-12 15:30 ` [PATCH 4.7 58/59] scsi: fix upper bounds check of sense key in scsi_sense_key_string() Greg Kroah-Hartman
2016-09-12 15:30 ` [PATCH 4.7 59/59] cpufreq: dt: Add terminate entry for of_device_id tables Greg Kroah-Hartman
2016-09-13 3:07 ` [PATCH 4.7 00/59] 4.7.4-stable review Guenter Roeck
2016-09-13 8:57 ` Greg Kroah-Hartman
[not found] ` <57d7cc1f.0d8d1c0a.df2d3.a693@mx.google.com>
2016-09-13 12:12 ` Greg Kroah-Hartman
2016-09-13 17:40 ` Kevin Hilman
2016-09-13 18:32 ` Shuah Khan
2016-09-15 6:19 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160912152131.116318785@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=tiwai@suse.de \
--cc=vegard.nossum@oracle.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).