android_kernel_samsung_universal7885

a7y18lte-ubports/android_kernel_samsung_universal7885

History

Vegard Nossum f5b004e4ed ALSA: timer: fix NULL pointer dereference on memory allocation failure commit 8ddc05638ee42b18ba4fe99b5fb647fa3ad20456 upstream. I hit this with syzkaller: kasan: CONFIG_KASAN_INLINE enabled kasan: GPF could be caused by NULL-ptr deref or user memory access general protection fault: 0000 [#1] PREEMPT SMP KASAN CPU: 0 PID: 1327 Comm: a.out Not tainted 4.8.0-rc2+ #190 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.9.3-0-ge2fc41e-prebuilt.qemu-project.org 04/01/2014 task: ffff88011278d600 task.stack: ffff8801120c0000 RIP: 0010:[<ffffffff82c8ba07>] [<ffffffff82c8ba07>] snd_hrtimer_start+0x77/0x100 RSP: 0018:ffff8801120c7a60 EFLAGS: 00010006 RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000007 RDX: 0000000000000009 RSI: 1ffff10023483091 RDI: 0000000000000048 RBP: ffff8801120c7a78 R08: ffff88011a5cf768 R09: ffff88011a5ba790 R10: 0000000000000002 R11: ffffed00234b9ef1 R12: ffff880114843980 R13: ffffffff84213c00 R14: ffff880114843ab0 R15: 0000000000000286 FS: 00007f72958f3700(0000) GS:ffff88011aa00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000603001 CR3: 00000001126ab000 CR4: 00000000000006f0 Stack: ffff880114843980 ffff880111eb2dc0 ffff880114843a34 ffff8801120c7ad0 ffffffff82c81ab1 0000000000000000 ffffffff842138e0 0000000100000000 ffff880111eb2dd0 ffff880111eb2dc0 0000000000000001 ffff880111eb2dc0 Call Trace: [<ffffffff82c81ab1>] snd_timer_start1+0x331/0x670 [<ffffffff82c85bfd>] snd_timer_start+0x5d/0xa0 [<ffffffff82c8795e>] snd_timer_user_ioctl+0x88e/0x2830 [<ffffffff8159f3a0>] ? __follow_pte.isra.49+0x430/0x430 [<ffffffff82c870d0>] ? snd_timer_pause+0x80/0x80 [<ffffffff815a26fa>] ? do_wp_page+0x3aa/0x1c90 [<ffffffff8132762f>] ? put_prev_entity+0x108f/0x21a0 [<ffffffff82c870d0>] ? snd_timer_pause+0x80/0x80 [<ffffffff816b0733>] do_vfs_ioctl+0x193/0x1050 [<ffffffff813510af>] ? cpuacct_account_field+0x12f/0x1a0 [<ffffffff816b05a0>] ? ioctl_preallocate+0x200/0x200 [<ffffffff81002f2f>] ? syscall_trace_enter+0x3cf/0xdb0 [<ffffffff815045ba>] ? __context_tracking_exit.part.4+0x9a/0x1e0 [<ffffffff81002b60>] ? exit_to_usermode_loop+0x190/0x190 [<ffffffff82001a97>] ? check_preemption_disabled+0x37/0x1e0 [<ffffffff81d93889>] ? security_file_ioctl+0x89/0xb0 [<ffffffff816b167f>] SyS_ioctl+0x8f/0xc0 [<ffffffff816b15f0>] ? do_vfs_ioctl+0x1050/0x1050 [<ffffffff81005524>] do_syscall_64+0x1c4/0x4e0 [<ffffffff83c32b2a>] entry_SYSCALL64_slow_path+0x25/0x25 Code: c7 c7 c4 b9 c8 82 48 89 d9 4c 89 ee e8 63 88 7f fe e8 7e 46 7b fe 48 8d 7b 48 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 04 84 c0 7e 65 80 7b 48 00 74 0e e8 52 46 RIP [<ffffffff82c8ba07>] snd_hrtimer_start+0x77/0x100 RSP <ffff8801120c7a60> ---[ end trace 5955b08db7f2b029 ]--- This can happen if snd_hrtimer_open() fails to allocate memory and returns an error, which is currently not checked by snd_timer_open(): ioctl(SNDRV_TIMER_IOCTL_SELECT) - snd_timer_user_tselect() - snd_timer_close() - snd_hrtimer_close() - (struct snd_timer *) t->private_data = NULL - snd_timer_open() - snd_hrtimer_open() - kzalloc() fails; t->private_data is still NULL ioctl(SNDRV_TIMER_IOCTL_START) - snd_timer_user_start() - snd_timer_start() - snd_timer_start1() - snd_hrtimer_start() - t->private_data == NULL // boom Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com> Signed-off-by: Takashi Iwai <tiwai@suse.de> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>		2016-09-15 08:27:54 +02:00
..
oss	ALSA: pcm: Fix potential deadlock in OSS emulation	2016-02-17 12:30:59 -08:00
seq	ALSA: seq: oss: Don't drain at closing a client	2016-03-09 15:34:54 -08:00
compress_offload.c	ALSA: compress: Disable GET_CODEC_CAPS ioctl for some architectures	2016-02-17 12:30:58 -08:00
control_compat.c	ALSA: ctl: Fix ioctls for X32 ABI	2016-03-09 15:34:53 -08:00
control.c	ALSA: ctl: Stop notification after disconnection	2016-07-27 09:47:38 -07:00
ctljack.c	ALSA: jack: Fix endless loop at unique index detection	2015-06-26 06:59:57 +02:00
device.c
hrtimer.c	ALSA: hrtimer: Fix stall by hrtimer_cancel()	2016-01-31 11:28:57 -08:00
hwdep_compat.c
hwdep.c	ALSA: replace CONFIG_PROC_FS with CONFIG_SND_PROC_FS	2015-05-27 21:25:19 +02:00
info_oss.c
info.c
init.c	ALSA: Fix uninintialized error return	2015-06-29 19:08:31 +02:00
isadma.c
jack.c
Kconfig	ALSA: timer: add config item to export PCM timer disabling for expert	2015-10-16 14:31:38 +02:00
Makefile	ALSA: timer: add config item to export PCM timer disabling for expert	2015-10-16 14:31:38 +02:00
memalloc.c	genalloc: rename of_get_named_gen_pool() to of_gen_pool_get()	2015-06-30 19:45:01 -07:00
memory.c
misc.c
pcm_compat.c	ALSA: pcm: Fix ioctls for X32 ABI	2016-03-09 15:34:54 -08:00
pcm_dmaengine.c
pcm_drm_eld.c
pcm_iec958.c
pcm_lib.c	ALSA: pcm: Avoid "BUG:" string for warnings again	2016-04-12 09:08:52 -07:00
pcm_memory.c
pcm_misc.c
pcm_native.c	ALSA: pcm: Fix rwsem deadlock for non-atomic PCM stream	2016-02-25 12:01:13 -08:00
pcm_timer.c
pcm_trace.h
pcm.c	ALSA: pcm: Free chmap at PCM free callback, too	2016-07-27 09:47:38 -07:00
rawmidi_compat.c	ALSA: rawmidi: Fix ioctls X32 ABI	2016-03-09 15:34:54 -08:00
rawmidi.c	ALSA: rawmidi: Fix possible deadlock with virmidi registration	2016-09-15 08:27:53 +02:00
rtctimer.c
sgbuf.c
sound_oss.c	ALSA: replace CONFIG_PROC_FS with CONFIG_SND_PROC_FS	2015-05-27 21:25:19 +02:00
sound.c	ALSA: replace CONFIG_PROC_FS with CONFIG_SND_PROC_FS	2015-05-27 21:25:19 +02:00
timer_compat.c	ALSA: timer: Fix broken compat timer user status ioctl	2016-03-09 15:34:55 -08:00
timer.c	ALSA: timer: fix NULL pointer dereference on memory allocation failure	2016-09-15 08:27:54 +02:00
vmaster.c