Received: by 2002:a05:6358:7058:b0:131:369:b2a3 with SMTP id 24csp5245507rwp; Sun, 16 Jul 2023 23:56:20 -0700 (PDT) X-Google-Smtp-Source: APBJJlH57wBLfFOr1NoiR6GQNVoqMH/ZX6xf5J0m5F/QKNdLuEVI3ZLo26YbNuOo3MfG5eLWoduC X-Received: by 2002:a17:902:d2cd:b0:1b8:5827:8763 with SMTP id n13-20020a170902d2cd00b001b858278763mr6644193plc.4.1689576980378; Sun, 16 Jul 2023 23:56:20 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1689576980; cv=none; d=google.com; s=arc-20160816; b=GbM9fkyE1haTwMcWZWwrdYxpvepTlsTJrO+xy9YEUVKV6RBporP+4SCJZgG3KvAiqf c+yGXwNuC4cnqkEbNrMSAlj5EpinKhGYS/2AJp7/PLWT/W5AV9F99/qitaRixrh8LZh9 cWVvsj7gZfcyGnEdvsis8RQhR0pH5ACmaitPt7DkZsxRjTmk23IPJUgZllZui1SF4hON SRP2QIkyZvWUWSlZOxWARMITPSfq6Rdp8Kn/bfqpvzcafd0Ns8/Ua4C1yq6ULwJ2bnWr /XTPcvR28xftMggqz/2Ph91bO7sSjn6KqeXbCcARuftPFJlhi+1LT8XpQnzIK3X25ALo gUFA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:mime-version:user-agent:references:in-reply-to :subject:cc:to:from:message-id:date:dkim-signature:dkim-signature; bh=EsNv4azKi3xSr19TxcmgMG50aAmTKzfOB5hspGkaUKk=; fh=M6b33Am0uoUw45jGYg4zEk3MSk3Hn2st8mAdrvrsfHg=; b=RUxg1c9WWcd1u/oOBQI+y0TMGr2occQh04NqnTU7MJOfksUFY5GFzVFAIaY74EZIFq ylLznR0iIhyuxtvwDyCiEHbgDlLxVKlEsSdSiKGIAz3Vbo5aYlvUV09BXDRL9UrMUsLr N0PaY96wUMUvml7s6K7VmQTwkCM5kCJ7S1Lwvwb588Y0naV6ZsmL0CnS69sgi0q2LZJ+ 49q4rPFjRLrc/sblVVpEPs0qjVd7mVGs0Vk5v4pm38EzswiptpS7nl8Oeu5TF91TZSil w43DntnWF/Gj2qd1dKVdzCoSyxTmuxB8SfpEo4lXC4Z5KEzPWJvthhWge5w/X2WVkSIL Tyaw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@suse.de header.s=susede2_rsa header.b=JOSnKJXG; dkim=neutral (no key) header.i=@suse.de; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=suse.de Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id u7-20020a170902714700b001badbeac8d0si8519223plm.423.2023.07.16.23.56.07; Sun, 16 Jul 2023 23:56:20 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@suse.de header.s=susede2_rsa header.b=JOSnKJXG; dkim=neutral (no key) header.i=@suse.de; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=suse.de Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231448AbjGQG21 (ORCPT + 99 others); Mon, 17 Jul 2023 02:28:27 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:33136 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231635AbjGQG2Q (ORCPT ); Mon, 17 Jul 2023 02:28:16 -0400 Received: from smtp-out2.suse.de (smtp-out2.suse.de [IPv6:2001:67c:2178:6::1d]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 1223511F for ; Sun, 16 Jul 2023 23:27:55 -0700 (PDT) Received: from imap2.suse-dmz.suse.de (imap2.suse-dmz.suse.de [192.168.254.74]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-521) server-digest SHA512) (No client certificate requested) by smtp-out2.suse.de (Postfix) with ESMTPS id 4CFC41F74C; Mon, 17 Jul 2023 06:27:49 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.de; s=susede2_rsa; t=1689575269; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=EsNv4azKi3xSr19TxcmgMG50aAmTKzfOB5hspGkaUKk=; b=JOSnKJXGqNPWF/p4DPpYQGBv/GgIqvVs5hWmllhitm0OIuRv/Yn0aDLLpcwZ6Y1OE/j7WE CJDL1gLTKtTI78LnQTCtGIMMMnFxCz7hQ8+VqvRMMrBFL0BmTS1FsElgTQXqaqdMu93gRg jXx7Zd3teNgGFUIqkfZ2c4hSrmQRpxY= DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=suse.de; s=susede2_ed25519; t=1689575269; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=EsNv4azKi3xSr19TxcmgMG50aAmTKzfOB5hspGkaUKk=; b=CrR3EsCP4rZJh8WfIl8qjG6jszkMsy5ePMyEp4RL5Tt2VbVCJwkG6R9mswuj+5YJGL3hq8 fNzw4UTcGDdu/iDA== Received: from imap2.suse-dmz.suse.de (imap2.suse-dmz.suse.de [192.168.254.74]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-521) server-digest SHA512) (No client certificate requested) by imap2.suse-dmz.suse.de (Postfix) with ESMTPS id 270AD13276; Mon, 17 Jul 2023 06:27:49 +0000 (UTC) Received: from dovecot-director2.suse.de ([192.168.254.65]) by imap2.suse-dmz.suse.de with ESMTPSA id n3axCGXftGT2awAAMHmgww (envelope-from ); Mon, 17 Jul 2023 06:27:49 +0000 Date: Mon, 17 Jul 2023 08:27:48 +0200 Message-ID: <87y1jfjbmj.wl-tiwai@suse.de> From: Takashi Iwai To: Geraldo Nascimento Cc: syzbot , alsa-devel@alsa-project.org, linux-kernel@vger.kernel.org, perex@perex.cz, syzkaller-bugs@googlegroups.com, tiwai@suse.com Subject: Re: [syzbot] [alsa?] memory leak in snd_seq_create_port In-Reply-To: References: <00000000000098ed3a0600965f89@google.com> <87v8ekattg.wl-tiwai@suse.de> User-Agent: Wanderlust/2.15.9 (Almost Unreal) Emacs/27.2 Mule/6.0 MIME-Version: 1.0 (generated by SEMI-EPG 1.14.7 - "Harue") Content-Type: text/plain; charset=US-ASCII X-Spam-Status: No, score=-4.4 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_MED,SPF_HELO_NONE, SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Sun, 16 Jul 2023 21:06:52 +0200, Geraldo Nascimento wrote: > > On Sun, Jul 16, 2023 at 03:07:23PM +0200, Takashi Iwai wrote: > > On Sun, 16 Jul 2023 10:21:49 +0200, > > syzbot wrote: > > > > > > Hello, > > > > > > syzbot found the following issue on: > > > > > > HEAD commit: 3f01e9fed845 Merge tag 'linux-watchdog-6.5-rc2' of git://w.. > > > git tree: upstream > > > console output: https://syzkaller.appspot.com/x/log.txt?x=14b07344a80000 > > > kernel config: https://syzkaller.appspot.com/x/.config?x=75da4f0a455bdbd3 > > > dashboard link: https://syzkaller.appspot.com/bug?extid=cf8e7fa4eeec59b3d485 > > > compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 > > > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15877dc2a80000 > > > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=12905004a80000 > > > > > > Downloadable assets: > > > disk image: https://storage.googleapis.com/syzbot-assets/441fb7ea58b8/disk-3f01e9fe.raw.xz > > > vmlinux: https://storage.googleapis.com/syzbot-assets/8fa7790ba0c3/vmlinux-3f01e9fe.xz > > > kernel image: https://storage.googleapis.com/syzbot-assets/5e7a6471dadf/bzImage-3f01e9fe.xz > > > > > > IMPORTANT: if you fix the issue, please add the following tag to the commit: > > > Reported-by: syzbot+cf8e7fa4eeec59b3d485@syzkaller.appspotmail.com > > > > > > Warning: Permanently added '10.128.1.1' (ED25519) to the list of known hosts. > > > executing program > > > executing program > > > BUG: memory leak > > > unreferenced object 0xffff888100877000 (size 512): > > > comm "syz-executor257", pid 5012, jiffies 4294941742 (age 12.790s) > > > hex dump (first 32 bytes): > > > 80 ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ > > > 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ > > > backtrace: > > > [] kmalloc_trace+0x24/0x90 mm/slab_common.c:1076 > > > [] kmalloc include/linux/slab.h:582 [inline] > > > [] kzalloc include/linux/slab.h:703 [inline] > > > [] snd_seq_create_port+0x78/0x300 sound/core/seq/seq_ports.c:135 > > > [] snd_seq_ioctl_create_port+0xe1/0x2a0 sound/core/seq/seq_clientmgr.c:1324 > > > [] snd_seq_ioctl+0x13e/0x290 sound/core/seq/seq_clientmgr.c:2327 > > > [] vfs_ioctl fs/ioctl.c:51 [inline] > > > [] __do_sys_ioctl fs/ioctl.c:870 [inline] > > > [] __se_sys_ioctl fs/ioctl.c:856 [inline] > > > [] __x64_sys_ioctl+0x103/0x140 fs/ioctl.c:856 > > > [] do_syscall_x64 arch/x86/entry/common.c:50 [inline] > > > [] do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80 > > > [] entry_SYSCALL_64_after_hwframe+0x63/0xcd > > > > > > BUG: memory leak > > > unreferenced object 0xffff888106742c00 (size 512): > > > comm "syz-executor257", pid 5013, jiffies 4294942276 (age 7.450s) > > > hex dump (first 32 bytes): > > > 80 ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ > > > 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ > > > backtrace: > > > [] kmalloc_trace+0x24/0x90 mm/slab_common.c:1076 > > > [] kmalloc include/linux/slab.h:582 [inline] > > > [] kzalloc include/linux/slab.h:703 [inline] > > > [] snd_seq_create_port+0x78/0x300 sound/core/seq/seq_ports.c:135 > > > [] snd_seq_ioctl_create_port+0xe1/0x2a0 sound/core/seq/seq_clientmgr.c:1324 > > > [] snd_seq_ioctl+0x13e/0x290 sound/core/seq/seq_clientmgr.c:2327 > > > [] vfs_ioctl fs/ioctl.c:51 [inline] > > > [] __do_sys_ioctl fs/ioctl.c:870 [inline] > > > [] __se_sys_ioctl fs/ioctl.c:856 [inline] > > > [] __x64_sys_ioctl+0x103/0x140 fs/ioctl.c:856 > > > [] do_syscall_x64 arch/x86/entry/common.c:50 [inline] > > > [] do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80 > > > [] entry_SYSCALL_64_after_hwframe+0x63/0xcd > > > > Likely a forgotten kfree() at the error path. > > The patch below should fix it. > > > > > > Takashi > > > > -- 8< -- > > From: Takashi Iwai > > Subject: [PATCH] ALSA: seq: Fix memory leak at error path in > > snd_seq_create_port() > > > > We forgot to release a newly allocated item at the error path in > > snd_seq_create_port(). This patch fixes it. > > Thanks for the clarification and quick proposed resolution Takashi. As > an ALSA novice these bots always stunt me, personally. I understand how > helpful they are however, even if cryptic. > > But shouldn't this be reported to security? It's always prone to bad > stuff when we forget a kfree() It's a bug that happened only on 6.5-rc1, so no need to bother too much with security issue fiasco for distros. Takashi