From patchwork Sat Sep  3 12:35:15 2016
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Dmitry Vyukov <dvyukov@google.com>
X-Patchwork-Id: 9311997
Return-Path: <alsa-devel-bounces@alsa-project.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
	[172.30.200.125])
	by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id
	4D2CB60756 for <patchwork-alsa-devel@patchwork.kernel.org>;
	Sat,  3 Sep 2016 12:35:54 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 3D7B82900B
	for <patchwork-alsa-devel@patchwork.kernel.org>;
	Sat,  3 Sep 2016 12:35:54 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id 323372932C; Sat,  3 Sep 2016 12:35:54 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-1.8 required=2.0 tests=BAYES_00,
	DKIM_ADSP_CUSTOM_MED,
	DKIM_SIGNED, RCVD_IN_DNSWL_NONE, RCVD_IN_SORBS_SPAM,
	T_DKIM_INVALID autolearn=no version=3.3.1
Received: from alsa0.perex.cz (alsa0.perex.cz [77.48.224.243])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 5F9F82900B
	for <patchwork-alsa-devel@patchwork.kernel.org>;
	Sat,  3 Sep 2016 12:35:52 +0000 (UTC)
Received: by alsa0.perex.cz (Postfix, from userid 1000)
	id 8D72A2676EB; Sat,  3 Sep 2016 14:35:51 +0200 (CEST)
Received: from alsa0.perex.cz (localhost [127.0.0.1])
	by alsa0.perex.cz (Postfix) with ESMTP id 4C5BC267663;
	Sat,  3 Sep 2016 14:35:44 +0200 (CEST)
X-Original-To: alsa-devel@alsa-project.org
Delivered-To: alsa-devel@alsa-project.org
Received: by alsa0.perex.cz (Postfix, from userid 1000)
	id ED208267668; Sat,  3 Sep 2016 14:35:41 +0200 (CEST)
Received: from mail-lf0-f45.google.com (mail-lf0-f45.google.com
	[209.85.215.45])
	by alsa0.perex.cz (Postfix) with ESMTP id 979D026764C
	for <alsa-devel@alsa-project.org>;
	Sat,  3 Sep 2016 14:35:36 +0200 (CEST)
Received: by mail-lf0-f45.google.com with SMTP id g62so100069845lfe.3
	for <alsa-devel@alsa-project.org>;
	Sat, 03 Sep 2016 05:35:36 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
	s=20120113;
	h=mime-version:from:date:message-id:subject:to:cc;
	bh=+Ti9fFDkO1QCBbu68qCeOMdC5zYPPseyU4adEz/aRYA=;
	b=U0P0VEemgyCgg+z9PhSGILPFaGhCe+6NrWLzGpMd04z38RwSoUOscARUrwjpeiLkfn
	/zfNKAhXQiC2/p87aIgJtoYtU/0xHP4pH5fpRfsadz9rWIkzVhdvBX1fRz34dmcYmagH
	TUbvnxL8il0hi/kdUjt8supm/1UNIiwD+wg6TDClANyBdOtDOCpMGl9MbpTb41rO8Uib
	coz2g2lTRu+vsZIXpRAvW0gIdyFUDCf/qKpUiUma133xqkkG1oPsi6rEmKh/8GscoTVV
	3fnWdRkHcdhEb+39uHBkhJaVsbQ2FAc7dmtIoGWEoU8IyCN4DGrt1vvTbihU16MGWHb1
	Z+kA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20130820;
	h=x-gm-message-state:mime-version:from:date:message-id:subject:to:cc;
	bh=+Ti9fFDkO1QCBbu68qCeOMdC5zYPPseyU4adEz/aRYA=;
	b=F0e4D7T53OA8o1P6WRVcVslxCBN1ILSvYEm+fVgVic80JOv87wxCvB7qJTbhW1Lmqu
	Udpn32RdjVD7rijTRD1ARCqss5YKpsugvV9tcYj5yCHnIyzPKEAXy+Sjc/a4OTslDkz5
	OEWhgJmnarywicDzwxHYY6WMHmAXWA6gcjnjkBRlOa4bNgQAG+ZxcXWXKehg81t+Vfcv
	04QUZ3uoRrpVR6t522mCJjmNG6nEqUAQHOzutuaRZQOmLet/rxzoXpiECSnqDn0cJHBh
	SihQqVFRYEsTWO14466OPRMTErikhi+X+jJcRTsNb9BaMGVcBZfhAZSB7Sbjq4msEpxs
	EiMQ==
X-Gm-Message-State: 
 AE9vXwM0rFvv17F7NHpgC+G6tiOnmCqGV/9R/sWV20bV7lPdgd4cXFroFZYKeT/nkpMJV8HJ4Iz2rRLSutDmWoLNWBlBQyrXg294j45Y+PWKPBrFGKBGfdHYELpFq4xRbkDyHZm6dAqK3/mw6WoxQVc2
X-Received: by 10.46.0.167 with SMTP id e39mr8041543lji.55.1472906135824;
	Sat, 03 Sep 2016 05:35:35 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.25.196.11 with HTTP; Sat, 3 Sep 2016 05:35:15 -0700 (PDT)
From: Dmitry Vyukov <dvyukov@google.com>
Date: Sat, 3 Sep 2016 14:35:15 +0200
Message-ID: 
 <CACT4Y+Yw_05S47dEYLWbwMCJvfB4cb9Mdb3q1qOYLyKfJMK1bA@mail.gmail.com>
To: Takashi Iwai <tiwai@suse.de>, Vegard Nossum <vegard.nossum@gmail.com>,
	Vegard Nossum <vegard.nossum@oracle.com>,
	Jaroslav Kysela <perex@perex.cz>, kangjielu@gmail.com,
	alsa-devel@alsa-project.org, LKML <linux-kernel@vger.kernel.org>
X-ccpol: medium
Cc: syzkaller <syzkaller@googlegroups.com>
Subject: [alsa-devel] sound: divide by 0 in snd_hrtimer_callback (or hang)
X-BeenThere: alsa-devel@alsa-project.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: "Alsa-devel mailing list for ALSA developers -
	http://www.alsa-project.org" <alsa-devel.alsa-project.org>
List-Unsubscribe: 
 <http://mailman.alsa-project.org/mailman/options/alsa-devel>,
	<mailto:alsa-devel-request@alsa-project.org?subject=unsubscribe>
List-Archive: <http://mailman.alsa-project.org/pipermail/alsa-devel/>
List-Post: <mailto:alsa-devel@alsa-project.org>
List-Help: <mailto:alsa-devel-request@alsa-project.org?subject=help>
List-Subscribe: <http://mailman.alsa-project.org/mailman/listinfo/alsa-devel>,
	<mailto:alsa-devel-request@alsa-project.org?subject=subscribe>
Errors-To: alsa-devel-bounces@alsa-project.org
Sender: alsa-devel-bounces@alsa-project.org
X-Virus-Scanned: ClamAV using ClamSMTP

Hello,

The following program causes either division error or hangs kernel:

https://gist.githubusercontent.com/dvyukov/b1f33be3bfcc15d629e10db483bee1e4/raw/1574b407e0456bf8277bee423e7731641f5f2c14/gistfile1.txt


divide error: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN
Dumping ftrace buffer:
   (ftrace buffer empty)
Modules linked in:
CPU: 1 PID: 27320 Comm: syz-executor Not tainted 4.8.0-rc3-next-20160825+ #8
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
task: ffff88003c9b2280 task.stack: ffff880027280000
RIP: 0010:[<ffffffff858e1a6c>]  [<     inline     >] ktime_divns
include/linux/ktime.h:195
RIP: 0010:[<ffffffff858e1a6c>]  [<ffffffff858e1a6c>]
snd_hrtimer_callback+0x1bc/0x3c0 sound/core/hrtimer.c:62
RSP: 0018:ffff88003ed07dd8  EFLAGS: 00010006
RAX: 0000000000004801 RBX: ffff88003d3a0a88 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffff88003d3a0aa0 RDI: ffffffff886b69a8
RBP: ffff88003ed07e30 R08: 0000010e85417665 R09: ffff88007fff7048
R10: ffff88007fff7058 R11: ffff88007fff7050 R12: ffff88003d00f840
R13: ffff88003d00f8f4 R14: ffff88003d00f970 R15: ffff88003d3a0a80
FS:  0000000000000000(0000) GS:ffff88003ed00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f4152126db8 CR3: 000000006b896000 CR4: 00000000000006e0
DR0: 000000000000001e DR1: 000000000000001e DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000600
Stack:
 0000000000000000 ffff88003d3a0aa0 ffff88003d00f8f8 0000000000004801
 ffff88003d3a0ae0 0000000000000000 ffff88003d3a0a88 0000000000000001
 ffff88003ed1b400 dffffc0000000000 0000000000000001 ffff88003ed07f28
Call Trace:
 <IRQ>
 [<     inline     >] __run_hrtimer kernel/time/hrtimer.c:1238
 [<ffffffff81504335>] __hrtimer_run_queues+0x325/0xe70
kernel/time/hrtimer.c:1302
 [<ffffffff81506ceb>] hrtimer_interrupt+0x18b/0x420 kernel/time/hrtimer.c:1336
 [<ffffffff8126d8df>] local_apic_timer_interrupt+0x6f/0xe0
arch/x86/kernel/apic/apic.c:933
 [<ffffffff86e13056>] smp_apic_timer_interrupt+0x76/0xa0
arch/x86/kernel/apic/apic.c:957
 [<ffffffff86e1210c>] apic_timer_interrupt+0x8c/0xa0
arch/x86/entry/entry_64.S:487
 <EOI>
 [<     inline     >] rcu_lock_release include/linux/rcupdate.h:494
 [<     inline     >] rcu_read_unlock include/linux/rcupdate.h:927
 [<ffffffff81839f55>] unlock_page_memcg+0x95/0x130 mm/memcontrol.c:1680
 [<     inline     >] page_remove_file_rmap mm/rmap.c:1343
 [<ffffffff817b742c>] page_remove_rmap+0x1cc/0x8e0 mm/rmap.c:1394
 [<     inline     >] zap_pte_range mm/memory.c:1170
 [<     inline     >] zap_pmd_range mm/memory.c:1257
 [<     inline     >] zap_pud_range mm/memory.c:1278
 [<ffffffff81789119>] unmap_page_range+0xf89/0x1ba0 mm/memory.c:1299
 [<ffffffff81789e31>] unmap_single_vma+0x101/0x260 mm/memory.c:1344
 [<ffffffff8178a741>] unmap_vmas+0xf1/0x1b0
 [<ffffffff817a5aab>] exit_mmap+0x22b/0x420 mm/mmap.c:2787
 [<     inline     >] __mmput kernel/fork.c:770
 [<ffffffff8137c576>] mmput+0xd6/0x3c0 kernel/fork.c:790
 [<     inline     >] exit_mm kernel/exit.c:512
 [<ffffffff813940e8>] do_exit+0x738/0x2e70 kernel/exit.c:815
 [<ffffffff81396998>] do_group_exit+0x108/0x330 kernel/exit.c:958
 [<ffffffff813ba4aa>] get_signal+0x62a/0x15d0 kernel/signal.c:2307
 [<ffffffff81202333>] do_signal+0x83/0x1f60 arch/x86/kernel/signal.c:805
 [<ffffffff81006345>] exit_to_usermode_loop+0x1a5/0x210
arch/x86/entry/common.c:163
 [<     inline     >] prepare_exit_to_usermode arch/x86/entry/common.c:198
 [<     inline     >] syscall_return_slowpath arch/x86/entry/common.c:267
 [<ffffffff81008be0>] do_syscall_64+0x4c0/0x640 arch/x86/entry/common.c:293
 [<ffffffff86e107c3>] entry_SYSCALL64_slow_path+0x25/0x25
Code: cb a2 ce fb 8b 0d f5 21 70 05 48 0f af 4d d0 48 85 c9 0f 88 6a
01 00 00 48 89 4d a8 e8 ae a2 ce fb 48 8b 45 c0 48 8b 4d a8 48 99 <48>
f7 f9 48 01 45 d0 e8 98 a2 ce fb 4c 89 fa 48 b8 00 00 00 00
RIP  [<     inline     >] ktime_divns include/linux/ktime.h:195
RIP  [<ffffffff858e1a6c>] snd_hrtimer_callback+0x1bc/0x3c0
sound/core/hrtimer.c:62
 RSP <ffff88003ed07dd8>
---[ end trace e1a6d1e5a6136d50 ]---


or:

INFO: rcu_sched detected stalls on CPUs/tasks:
0-...: (1 GPs behind) idle=203/140000000000001/0 softirq=923090/923091 fqs=6490
(detected by 1, t=26002 jiffies, g=508022, c=508021, q=20)
Task dump for CPU 0:
a.out           R  running task    28848 31756   4047 0x0000000a
 0000000000000000 0000000000000282 0000000000000000 ffff880066a9b430
 ffff880066a9b430 ffff8800667cfae0 0000000000000282 0000000000000000
 0000000000000000 0000000000000000 000003a0184674dd dffffc0000000000
Call Trace:
 [<     inline     >] spin_unlock_irqrestore ./include/linux/spinlock.h:362
 [<ffffffff858db3dd>] snd_timer_start1+0xdd/0x740 sound/core/timer.c:477
 [<ffffffff858dbb25>] snd_timer_continue+0x45/0x80 sound/core/timer.c:606
 [<     inline     >] snd_timer_user_continue sound/core/timer.c:1835
 [<     inline     >] __snd_timer_user_ioctl sound/core/timer.c:1902
 [<ffffffff858df299>] snd_timer_user_ioctl+0xe99/0x2470 sound/core/timer.c:1917
 [<     inline     >] vfs_ioctl fs/ioctl.c:43
 [<ffffffff818a1dfc>] do_vfs_ioctl+0x18c/0x1080 fs/ioctl.c:675
 [<     inline     >] SYSC_ioctl fs/ioctl.c:690
 [<ffffffff818a2d7f>] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:681
 [<ffffffff86e10700>] entry_SYSCALL_64_fastpath+0x23/0xc1
arch/x86/entry/entry_64.S:208



I am on 0f98f121e1670eaa2a2fbb675e07d6ba7f0e146f of linux-next with
the following diff in sound/core/timer.c (one is a fix for another
division by 0):

        INIT_LIST_HEAD(&timer->active_list_head);
@@ -1958,6 +1959,7 @@ static ssize_t snd_timer_user_read(struct file
*file, char __user *buffer,
                tu->qused--;
                spin_unlock_irq(&tu->qlock);

+               mutex_lock(&tu->ioctl_lock);
                if (tu->tread) {
                        if (copy_to_user(buffer, &tu->tqueue[qhead],
                                         sizeof(struct snd_timer_tread)))
@@ -1967,6 +1969,7 @@ static ssize_t snd_timer_user_read(struct file
*file, char __user *buffer,
                                         sizeof(struct snd_timer_read)))
                                err = -EFAULT;
                }
+               mutex_unlock(&tu->ioctl_lock);

                spin_lock_irq(&tu->qlock);
                if (err < 0)

diff --git a/sound/core/timer.c b/sound/core/timer.c
index 9a6157e..3e55c6d 100644
--- a/sound/core/timer.c
+++ b/sound/core/timer.c
@@ -813,6 +813,7 @@ int snd_timer_new(struct snd_card *card, char *id,
struct snd_timer_id *tid,
        timer->tmr_subdevice = tid->subdevice;
        if (id)
                strlcpy(timer->id, id, sizeof(timer->id));
+       timer->sticks = 1;
        INIT_LIST_HEAD(&timer->device_list);
        INIT_LIST_HEAD(&timer->open_list_head);