From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Dmitry Vyukov, Takashi Iwai, Sasha Levin
Subject: [PATCH 4.4 059/114] ALSA: timer: Fix zero-division by continue of uninitialized instance
Date: Thu, 8 Nov 2018 13:51:14 -0800
Message-Id: <20181108215106.440129375@linuxfoundation.org>
In-Reply-To: <20181108215059.051093652@linuxfoundation.org>
References: <20181108215059.051093652@linuxfoundation.org>
X-Mailer: git-send-email 2.19.1
User-Agent: quilt/0.65
X-stable: review
X-Mailing-List: linux-kernel@vger.kernel.org

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 9f8a7658bcafb2a7853f7a2eae8a94e87e6e695b ]

When a user timer instance is continued without the explicit start
beforehand, the system eventually gets a zero-division error like:

divide error: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN
CPU: 1 PID: 27320 Comm: syz-executor Not tainted 4.8.0-rc3-next-20160825+ #8
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
task: ffff88003c9b2280 task.stack: ffff880027280000
RIP: 0010:[] [< inline >] ktime_divns include/linux/ktime.h:195
RIP: 0010:[] [] snd_hrtimer_callback+0x1bc/0x3c0 sound/core/hrtimer.c:62
Call Trace:
[< inline >] __run_hrtimer kernel/time/hrtimer.c:1238
[] __hrtimer_run_queues+0x325/0xe70 kernel/time/hrtimer.c:1302
[] hrtimer_interrupt+0x18b/0x420 kernel/time/hrtimer.c:1336
[] local_apic_timer_interrupt+0x6f/0xe0 arch/x86/kernel/apic/apic.c:933
[] smp_apic_timer_interrupt+0x76/0xa0 arch/x86/kernel/apic/apic.c:957
[] apic_timer_interrupt+0x8c/0xa0 arch/x86/entry/entry_64.S:487
.....
Although a similar issue was spotted and a fix patch was merged in commit
[6b760bb2c63a: ALSA: timer: fix division by zero after
SNDRV_TIMER_IOCTL_CONTINUE], it seems to cover only a part of the iceberg.
In this patch, we fix the issue a bit more drastically.

Basically the continue of an uninitialized timer is supposed to be a fresh
start, so we do it for user timers. For the direct snd_timer_continue()
call, there is no way to pass the initial tick value, so we kick out for
the uninitialized case.

Reported-by: Dmitry Vyukov
Cc:
Signed-off-by: Takashi Iwai
Signed-off-by: Sasha Levin
---
 sound/core/timer.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/sound/core/timer.c b/sound/core/timer.c index ef850a99d64a..f989adb98a22 100644 --- a/sound/core/timer.c +++ b/sound/core/timer.c @@ -35,6 +35,9 @@ #include #include +/* internal flags */ +#define SNDRV_TIMER_IFLG_PAUSED 0x00010000 + #if IS_ENABLED(CONFIG_SND_HRTIMER) #define DEFAULT_TIMER_LIMIT 4 #elif IS_ENABLED(CONFIG_SND_RTCTIMER) @@ -547,6 +550,10 @@ static int snd_timer_stop1(struct snd_timer_instance *timeri, bool stop) } } timeri->flags &= ~(SNDRV_TIMER_IFLG_RUNNING | SNDRV_TIMER_IFLG_START); + if (stop) + timeri->flags &= ~SNDRV_TIMER_IFLG_PAUSED; + else + timeri->flags |= SNDRV_TIMER_IFLG_PAUSED; snd_timer_notify1(timeri, stop ? SNDRV_TIMER_EVENT_STOP : SNDRV_TIMER_EVENT_PAUSE); unlock: @@ -608,6 +615,10 @@ int snd_timer_stop(struct snd_timer_instance *timeri) */ int snd_timer_continue(struct snd_timer_instance *timeri) { + /* timer can continue only after pause */ + if (!(timeri->flags & SNDRV_TIMER_IFLG_PAUSED)) + return -EINVAL; + if (timeri->flags & SNDRV_TIMER_IFLG_SLAVE) return snd_timer_start_slave(timeri, false); else
@@ -1837,6 +1848,9 @@ static int snd_timer_user_continue(struct file *file) tu = file->private_data; if (!tu->timeri) return -EBADFD; + /* start timer instead of continue if it's not used before */ + if (!(tu->timeri->flags & SNDRV_TIMER_IFLG_PAUSED)) + return snd_timer_user_start(file); tu->timeri->lost = 0; return (err = snd_timer_continue(tu->timeri)) < 0 ? err : 0; } -- 2.17.1
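Review bot: in the first hunk (@@ -35) the new SNDRV_TIMER_IFLG_PAUSED 0x00010000 is defined privately in sound/core/timer.c, but the other SNDRV_TIMER_IFLG_* bits it is OR'ed into in later hunks live in a header this diff does not touch, so a reader cannot see from the patch that 0x00010000 is clear of the existing bit range; the `/* internal flags */` comment would carry its weight if it said so explicitly, e.g. `/* internal flags: must not overlap the SNDRV_TIMER_IFLG_* bits in the public header */`.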
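Review bot: in the snd_timer_stop1 hunk (@@ -547) the `if (stop) ... else ...` around the PAUSED bit is the only place that establishes what the flag means, yet it has no comment, while the semantics are only stated two hunks later ("timer can continue only after pause"); a line such as `/* paused instances may be continued; stopped ones need a fresh start */` above `if (stop)` would keep the two in sync. Separately, this diff does not show the start path (snd_timer_start1 / snd_timer_start_slave) clearing SNDRV_TIMER_IFLG_PAUSED; if it does not, the bit stays stale across pause followed by an explicit start, and the later check in snd_timer_continue then passes for an instance that was never paused in its current run.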
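Review bot: in the snd_timer_continue hunk (@@ -608) the new `if (!(timeri->flags & SNDRV_TIMER_IFLG_PAUSED)) return -EINVAL;` reads timeri->flags before any lock is taken, whereas the bit is written inside the locked region of snd_timer_stop1 (the `unlock:` label in the previous hunk); a stop racing with a continue can therefore clear PAUSED between this check and the snd_timer_start_slave / snd_timer_start1 call, so the check belongs under the same lock inside those start paths. The kernel-doc block that closes just above (`*/`) should also document the new -EINVAL return.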
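Review bot: in the snd_timer_user_continue hunk (@@ -1837) the early `return snd_timer_user_start(file);` bypasses both the `tu->timeri->lost = 0;` reset and the `(err = ...) < 0 ? err : 0` normalization that follow it, so the fresh-start path returns whatever snd_timer_user_start returns and relies on that function (not in this diff) to reset `lost`; either confirm both in snd_timer_user_start or place the PAUSED check after the `lost = 0` assignment and normalize its result the same way.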
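The state machine the commit message describes, as an added userspace C model that is not the kernel's code: a continue issued on an instance that was never started re-arms a timer whose period is still zero, and the callback's division then faults. The flag names echo the patch, but the numeric values, the struct fields, the `ticks * resolution` period arithmetic and the `-1` sentinel returned instead of faulting are all constructed stand-ins, not ALSA's. The model contrasts the unguarded continue with the patched behaviour: a kernel-side continue is rejected with -EINVAL unless a pause preceded it, and a user-side continue falls back to a fresh start.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed flag values; the real SNDRV_TIMER_IFLG_* bits live in the ALSA headers. */
#define IFLG_RUNNING 0x0001
#define IFLG_START   0x0002
#define IFLG_PAUSED  0x00010000   /* the "internal flag" the patch introduces */

struct timer_instance {
    unsigned int flags;
    unsigned long ticks;          /* period in ticks; stays 0 until start() sets it */
    unsigned long resolution_ns;  /* nanoseconds per tick */
};

/* Stand-in for the hrtimer callback: divides elapsed time by the period.
 * Returns -1 instead of executing the zero divisor, so the hazard is observable. */
static long timer_callback(const struct timer_instance *t, unsigned long elapsed_ns)
{
    unsigned long period_ns = t->ticks * t->resolution_ns;
    if (period_ns == 0)
        return -1;  /* an uninitialized instance lands here: this is the divide-by-zero */
    return (long)(elapsed_ns / period_ns);
}

/* Explicit start: initializes the period and clears any stale pause state. */
static int timer_start(struct timer_instance *t, unsigned long ticks)
{
    if (ticks == 0)
        return -EINVAL;
    t->ticks = ticks;
    t->flags |= IFLG_RUNNING | IFLG_START;
    t->flags &= ~IFLG_PAUSED;
    return 0;
}

/* Mirrors the snd_timer_stop1 hunk: stop forgets the pause, pause records it. */
static void timer_stop1(struct timer_instance *t, bool stop)
{
    t->flags &= ~(IFLG_RUNNING | IFLG_START);
    if (stop)
        t->flags &= ~IFLG_PAUSED;
    else
        t->flags |= IFLG_PAUSED;
}

/* Pre-fix behaviour: re-arm regardless of whether the instance was ever started. */
static int timer_continue_unguarded(struct timer_instance *t)
{
    t->flags |= IFLG_RUNNING;
    return 0;
}

/* Post-fix kernel-side continue: legal only after a pause. */
static int timer_continue(struct timer_instance *t)
{
    if (!(t->flags & IFLG_PAUSED))
        return -EINVAL;
    t->flags |= IFLG_RUNNING;
    t->flags &= ~IFLG_PAUSED;
    return 0;
}

/* Post-fix user-side continue: nothing paused means "treat as a fresh start". */
static int user_continue(struct timer_instance *t, unsigned long default_ticks)
{
    if (!(t->flags & IFLG_PAUSED))
        return timer_start(t, default_ticks);
    return timer_continue(t);
}

/* Scenario A: unguarded continue on a never-started instance, then the callback fires. */
static long scenario_unguarded(void)
{
    struct timer_instance t = { .resolution_ns = 1000000 };
    timer_continue_unguarded(&t);
    return timer_callback(&t, 5000000);   /* -1: the zero-period hazard was reached */
}

/* Scenario B: guarded kernel-side continue on a never-started instance. */
static int scenario_guarded_kernel(void)
{
    struct timer_instance t = { .resolution_ns = 1000000 };
    return timer_continue(&t);            /* -EINVAL */
}

/* Scenario C: guarded user-side continue becomes a start; the callback is then safe. */
static long scenario_guarded_user(void)
{
    struct timer_instance t = { .resolution_ns = 1000000 };
    if (user_continue(&t, 1) != 0)
        return -2;
    return timer_callback(&t, 5000000);   /* 5 elapsed periods */
}

/* Scenario D: the legitimate path, start then pause then continue. */
static long scenario_pause_resume(void)
{
    struct timer_instance t = { .resolution_ns = 1000000 };
    timer_start(&t, 4);
    timer_stop1(&t, false);
    if (timer_continue(&t) != 0)
        return -2;
    return timer_callback(&t, 8000000);   /* 2 */
}

/* Scenario E: a full stop discards the pause state, so continue is refused. */
static int scenario_stop_then_continue(void)
{
    struct timer_instance t = { .resolution_ns = 1000000 };
    timer_start(&t, 4);
    timer_stop1(&t, true);
    return timer_continue(&t);            /* -EINVAL */
}

int main(void)
{
    printf("unguarded continue -> callback: %ld\n", scenario_unguarded());
    printf("guarded kernel continue: %d\n", scenario_guarded_kernel());
    printf("guarded user continue -> callback: %ld\n", scenario_guarded_user());
    printf("pause/resume -> callback: %ld\n", scenario_pause_resume());
    printf("stop then continue: %d\n", scenario_stop_then_continue());
    return 0;
}
```

The point the model makes is the one the patch makes: an operation that assumes prior initialization needs an explicit state bit that only the initializing path can set, and the two callers get different fallbacks because only the user path has a sensible default to start with.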