Re: [REGRESSION] rust midir MIDI library causes kernel oops

On Mon, 04 Sep 2023 20:10:45 +0200,
Ash Holland wrote:
> 
> Hello,
> 
> I upgraded to Linux 6.5 and found that my MIDI-input application no longer
> works, and causes an oops when I launch it.
> 
> The application can be found at https://github.com/sersorrel/lp; `cargo run` is
> enough to cause the oops, though it has many undocumented dependencies, sorry
> (including a Novation Launchpad Mini Mk3). Once the oops occurs, it seems like
> it can still send MIDI to the Launchpad (i.e. display things on it), but input
> from the Launchpad doesn't work. I use NixOS with minimally-altered kernel
> configuration (blacklisted r8152 module and `amdgpu.reset_method=4` parameter),
> and was happily using kernel 6.4.9 or so before upgrading to 6.5.
> 
> I bisected this to:
> 
> commit f80e6d60d677be1d4dbbcdbf97379b8fbcf97ff0
> Author: Takashi Iwai <tiwai@xxxxxxx>
> Date:   2023-05-23 09:53:38 +0200
> 
>     ALSA: seq: Clear padded bytes at expanding events
> 
>     There can be a small memory hole that may not be cleared at expanding
>     an event with the variable length type.  Make sure to clear it.
> 
>     Reviewed-by: Jaroslav Kysela <perex@xxxxxxxx>
>     Link: https://lore.kernel.org/r/20230523075358.9672-18-tiwai@xxxxxxx
>     Signed-off-by: Takashi Iwai <tiwai@xxxxxxx>
> 
> #regzbot introduced: f80e6d60d677be1d4dbbcdbf97379b8fbcf97ff0
> 
> I guess the problematic part is the `memset(buf + len, 0, newlen - len)`, which
> tries to memset a buffer that can be allocated in userspace.

Yes, that was a bad change.  Could you try the fix below?


thanks,

Takashi

-- 8< --
--- a/sound/core/seq/seq_memory.c
+++ b/sound/core/seq/seq_memory.c
@@ -187,8 +187,12 @@ int snd_seq_expand_var_event(const struct snd_seq_event *event, int count, char
 	err = expand_var_event(event, 0, len, buf, in_kernel);
 	if (err < 0)
 		return err;
-	if (len != newlen)
-		memset(buf + len, 0, newlen - len);
+	if (len != newlen) {
+		if (in_kernel)
+			memset(buf + len, 0, newlen - len);
+		else
+			clear_user((__force void __user *)buf + len, newlen - len);
+	}
 	return newlen;
 }
 EXPORT_SYMBOL(snd_seq_expand_var_event);
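
Review bot: the result of clear_user() in the new else branch is discarded, so a fault while zeroing the padding in a userspace buffer goes unreported and the function still returns newlen as if the whole range had been written. clear_user() returns the number of bytes it could not clear, so I would check it and bail out, e.g. `if (clear_user((__force void __user *)buf + len, newlen - len)) return -EFAULT;`, the same way the err < 0 result of expand_var_event() is propagated just above. A short comment on why buf needs the __force cast here (it is a kernel or user pointer depending on in_kernel) would also help the next reader.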


