mirror of git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git synced 2025-09-04 20:19:47 +08:00
linux/sound/core
Dewei Meng 5003a65790 ALSA: timer: fix ida_free call while not allocated
In the snd_utimer_create() function, if the kasprintf() function returns
NULL, snd_utimer_put_id() will be called, which finally uses ida_free()
to free the unallocated id 0.

The syzkaller reported the following information:
  ------------[ cut here ]------------
  ida_free called for id=0 which is not allocated.
  WARNING: CPU: 1 PID: 1286 at lib/idr.c:592 ida_free+0x1fd/0x2f0 lib/idr.c:592
  Modules linked in:
  CPU: 1 UID: 0 PID: 1286 Comm: syz-executor164 Not tainted 6.15.8 #3 PREEMPT(lazy)
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-4.fc42 04/01/2014
  RIP: 0010:ida_free+0x1fd/0x2f0 lib/idr.c:592
  Code: f8 fc 41 83 fc 3e 76 69 e8 70 b2 f8 (...)
  RSP: 0018:ffffc900007f79c8 EFLAGS: 00010282
  RAX: 0000000000000000 RBX: 1ffff920000fef3b RCX: ffffffff872176a5
  RDX: ffff88800369d200 RSI: 0000000000000000 RDI: ffff88800369d200
  RBP: 0000000000000000 R08: ffffffff87ba60a5 R09: 0000000000000000
  R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000000
  R13: 0000000000000002 R14: 0000000000000000 R15: 0000000000000000
  FS:  00007f6f1abc1740(0000) GS:ffff8880d76a0000(0000) knlGS:0000000000000000
  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  CR2: 00007f6f1ad7a784 CR3: 000000007a6e2000 CR4: 00000000000006f0
  Call Trace:
   <TASK>
   snd_utimer_put_id sound/core/timer.c:2043 [inline] [snd_timer]
   snd_utimer_create+0x59b/0x6a0 sound/core/timer.c:2184 [snd_timer]
   snd_utimer_ioctl_create sound/core/timer.c:2202 [inline] [snd_timer]
   __snd_timer_user_ioctl.isra.0+0x724/0x1340 sound/core/timer.c:2287 [snd_timer]
   snd_timer_user_ioctl+0x75/0xc0 sound/core/timer.c:2298 [snd_timer]
   vfs_ioctl fs/ioctl.c:51 [inline]
   __do_sys_ioctl fs/ioctl.c:907 [inline]
   __se_sys_ioctl fs/ioctl.c:893 [inline]
   __x64_sys_ioctl+0x198/0x200 fs/ioctl.c:893
   do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
   do_syscall_64+0x7b/0x160 arch/x86/entry/syscall_64.c:94
   entry_SYSCALL_64_after_hwframe+0x76/0x7e
  [...]

The utimer->id should be set properly before the kasprintf() function,
ensuring that the snd_utimer_put_id() function will free the allocated id.

Fixes: 37745918e0 ("ALSA: timer: Introduce virtual userspace-driven timers")
Signed-off-by: Dewei Meng <mengdewei@cqsoftware.com.cn>
Link: https://patch.msgid.link/20250821014317.40786-1-mengdewei@cqsoftware.com.cn
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2025-08-21 09:12:24 +02:00
oss ALSA: mixer_oss: Remove deprecated strcpy() function calls 2025-06-23 17:10:32 +02:00
seq ALSA: seq: Use safer strscpy() instead of strcpy() 2025-07-11 09:51:08 +02:00
.kunitconfig ALSA: core: add kunitconfig 2024-03-17 09:36:45 +01:00
compress_offload.c ALSA: compress_offload: tighten ioctl command number checks 2025-07-10 10:10:08 +02:00
control_compat.c Merge branch 'topic/control-lookup-rwlock' into for-next 2024-08-09 14:25:24 +02:00
control_led.c ALSA: control: Avoid WARN() for symlink errors 2024-12-10 12:32:34 +01:00
control.c ALSA: control: Use safer strscpy() instead of strcpy() 2025-07-11 09:51:08 +02:00
ctljack.c ALSA: Convert strlcpy to strscpy when return value is unused 2021-01-08 09:30:05 +01:00
device.c ALSA: core: Remove unused snd_device_get_state 2025-05-05 12:36:29 +02:00
hrtimer.c ALSA: hrtimer: Replace deprecated strcpy() with strscpy() 2025-06-30 14:08:07 +02:00
hwdep_compat.c ALSA: compat_ioctl: avoid compat_alloc_user_space 2020-09-21 10:37:07 +02:00
hwdep.c ALSA: hwdep: Move put_user() call out of scoped_guard() in snd_hwdep_control_ioctl() 2024-03-01 18:10:57 +01:00
info_oss.c ALSA: info: Use guard() for locking 2024-02-28 15:01:21 +01:00
info.c ALSA: info: Use guard() for locking 2024-02-28 15:01:21 +01:00
init.c ALSA: core: Copy string more safely 2025-07-11 09:53:36 +02:00
isadma.c sound updates for 6.0-rc1 2022-08-06 10:19:51 -07:00
jack.c USB/Thunderbolt changes for 6.16-rc1 2025-06-06 12:45:35 -07:00
Kconfig ALSA: compress_offload: introduce accel operation mode 2024-10-25 10:53:20 +02:00
Makefile ALSA: core: Use *-y instead of *-objs in Makefile 2024-05-08 18:17:32 +02:00
memalloc.c ALSA: memalloc: prefer dma_mapping_error() over explicit address checking 2024-12-20 09:54:12 +01:00
memory.c ALSA: Align the syntax of iov_iter helpers with standard ones 2024-12-30 12:50:04 +01:00
misc.c ALSA: core: Drop snd_print stuff and co 2024-08-08 07:49:47 +02:00
pcm_compat.c ALSA: pcm: Replace [audio_]tstamp_[n]sec by struct __snd_timespec in struct snd_pcm_mmap_status32 2025-06-16 08:25:27 +02:00
pcm_dmaengine.c ALSA: pcm: Remove unused snd_dmaengine_pcm_open_request_chan 2025-05-05 12:36:29 +02:00
pcm_drm_eld.c ALSA: hda/hdmi: extract common interface for ELD handling 2025-02-05 13:04:00 +01:00
pcm_iec958.c ALSA: iec958: Split status creation and fill 2021-06-08 17:05:41 +02:00
pcm_lib.c ALSA: pcm: Add xrun counter for snd_pcm_substream 2024-08-10 10:40:58 +02:00
pcm_local.h ALSA: pcm: Revert "ALSA: pcm: rewrite snd_pcm_playback_silence()" 2023-05-05 18:23:48 +02:00
pcm_memory.c ALSA: pcm: Make snd_pcm_lib_malloc_pages() debug message say "allocate" 2025-04-22 15:00:24 +02:00
pcm_misc.c ALSA: pcm: Remove unused snd_pcm_rate_range_to_bits 2025-05-05 12:36:29 +02:00
pcm_native.c ALSA: pcm: Convert snd_pcm_sync_ptr() to user_access_begin/user_access_end() 2025-06-16 08:25:32 +02:00
pcm_param_trace.h
pcm_timer.c ALSA: pcm_timer: use snd_pcm_direction_name() 2024-08-01 12:50:13 +02:00
pcm_trace.h tracing/treewide: Remove second parameter of __assign_str() 2024-05-22 20:14:47 -04:00
pcm.c ALSA: pcm: Convert to SYSTEM_SLEEP_PM_OPS() 2025-03-14 11:07:13 +01:00
rawmidi_compat.c ALSA: rawmidi: Replace with __packed attribute 2023-10-26 09:42:55 +02:00
rawmidi.c ALSA: rawmidi: Use safer strscpy() instead of strcpy() 2025-07-11 09:51:08 +02:00
seq_device.c ALSA: core: fix up bus match const issues. 2025-05-22 20:29:45 +02:00
sound_kunit.c ALSA: core: Fix possible NULL dereference caused by kunit_kzalloc() 2024-11-27 08:06:31 +01:00
sound_oss.c ALSA: core: Use guard() for locking 2024-02-28 15:01:21 +01:00
sound.c ALSA: Fix typos in comments across various files 2024-09-30 09:52:31 +02:00
timer_compat.c ALSA: timer: Use guard() for locking 2024-02-28 15:01:20 +01:00
timer.c ALSA: timer: fix ida_free call while not allocated 2025-08-21 09:12:24 +02:00
ump_convert.c ALSA: ump: Explicitly reset RPN with Null RPN 2024-07-31 15:08:39 +02:00
ump.c ALSA: rawmidi: Make tied_device=0 as default / unknown 2025-01-14 16:52:07 +01:00
vmaster.c ALSA: vmaster: Return error for invalid input values 2024-06-18 12:00:18 +02:00