On Mon, 4 Sep 2023, Takashi Iwai wrote:
> On Mon, 04 Sep 2023 20:10:45 +0200,
> Ash Holland wrote:
> > I upgraded to Linux 6.5 and found that my MIDI-input application no longer
> > works, and causes an oops when I launch it.
[...]
> > I bisected this to:
> >
> > commit f80e6d60d677be1d4dbbcdbf97379b8fbcf97ff0
> > Author: Takashi Iwai <tiwai@xxxxxxx>
> > Date: 2023-05-23 09:53:38 +0200
> >
> > ALSA: seq: Clear padded bytes at expanding events
> >
> > There can be a small memory hole that may not be cleared at expanding
> > an event with the variable length type. Make sure to clear it.
> >
> > Reviewed-by: Jaroslav Kysela <perex@xxxxxxxx>
> > Link: https://lore.kernel.org/r/20230523075358.9672-18-tiwai@xxxxxxx
> > Signed-off-by: Takashi Iwai <tiwai@xxxxxxx>
> >
> > #regzbot introduced: f80e6d60d677be1d4dbbcdbf97379b8fbcf97ff0
> >
> > I guess the problematic part is the `memset(buf + len, 0, newlen - len)`, which
> > tries to memset a buffer that can be allocated in userspace.
>
> Yes, that was a bad change. Could you try the fix below?

I think this problem is recurring -- page_fault_oops triggered via MIDI. But with the new fix.

I upgraded from 6.1.0 to 6.5.3 and Reaper now crashes or hangs on startup with the trace below in dmesg. The newer kernel already includes a fix very similar to below, so I think an issue remains.

I did not dig deeper than capturing information and finding this related thread.

Thanks -- Mark

> -- 8< --
> --- a/sound/core/seq/seq_memory.c
> +++ b/sound/core/seq/seq_memory.c
> @@ -187,8 +187,12 @@ int snd_seq_expand_var_event(const struct snd_seq_event *event, int count, char
>  	err = expand_var_event(event, 0, len, buf, in_kernel);
>  	if (err < 0)
>  		return err;
> -	if (len != newlen)
> -		memset(buf + len, 0, newlen - len);
> +	if (len != newlen) {
> +		if (in_kernel)
> +			memset(buf + len, 0, newlen - len);
> +		else
> +			clear_user((__force void __user *)buf + len, newlen - len);
> +	}
>  	return newlen;
>  }
>  EXPORT_SYMBOL(snd_seq_expand_var_event);

[ 72.601440] BUG: kernel NULL pointer dereference, address: 0000000000000020
[ 72.601443] #PF: supervisor read access in kernel mode
[ 72.601445] #PF: error_code(0x0000) - not-present page
[ 72.601446] PGD 800000010506c067 P4D 800000010506c067 PUD 10506d067 PMD 0
[ 72.601449] Oops: 0000 [#2] PREEMPT SMP PTI
[ 72.601451] CPU: 3 PID: 1944 Comm: reaper Tainted: G D 6.5.3-mh #159
[ 72.601454] Hardware name: Gigabyte Technology Co., Ltd. H170-D3HP/H170-D3HP-CF, BIOS F20g 03/09/2018
[ 72.601455] RIP: 0010:snd_rawmidi_proc_info_read+0x35/0x220 [snd_rawmidi]
[ 72.601461] Code: 55 48 89 f5 48 c7 c6 aa 26 15 a0 53 48 83 ec 18 4c 8b 67 40 48 8b 7d 00 49 8d 54 24 60 e8 f3 43 0b e1 49 8b 84 24 b0 00 00 00 <48> 8b 40 20 48 85 c0 74 0b 48 89 ee 4c 89 ef ff d0 0f 1f 00 4d 8d
[ 72.601463] RSP: 0018:ffffc9000053fd10 EFLAGS: 00010246
[ 72.601465] RAX: 0000000000000000 RBX: ffff888102cfa1e0 RCX: 0000000000000002
[ 72.601466] RDX: 0000000000001000 RSI: ffffffffa01526ac RDI: ffff888103f9d007
[ 72.601467] RBP: ffff888102e800a0 R08: 000000000000000a R09: 000000000000000a
[ 72.601469] R10: ffffffffffffffff R11: 0000000000000000 R12: ffff8881020c6000
[ 72.601470] R13: ffff888101c4b0c0 R14: ffff888102cfa208 R15: 0000000000000001
[ 72.601471] FS: 00007ff035e83740(0000) GS:ffff888a16d80000(0000) knlGS:0000000000000000
[ 72.601472] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 72.601473] CR2: 0000000000000020 CR3: 000000010f0f6003 CR4: 00000000003706e0
[ 72.601475] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 72.601476] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 72.601477] Call Trace:
[ 72.601478] <TASK>
[ 72.601479] ? __die+0x1b/0x60
[ 72.601482] ? page_fault_oops+0x154/0x420
[ 72.601485] ? mas_update_gap.part.0+0xac/0x1f0
[ 72.601488] ? sched_clock_cpu+0xb/0x190
[ 72.601491] ? __smp_call_single_queue+0x2f/0x50
[ 72.601493] ? exc_page_fault+0x37a/0x560
[ 72.601495] ? seq_open+0x4b/0x70
[ 72.601497] ? asm_exc_page_fault+0x22/0x30
[ 72.601501] ? snd_rawmidi_proc_info_read+0x35/0x220 [snd_rawmidi]
[ 72.601505] snd_info_seq_show+0x21/0x40 [snd]
[ 72.601511] seq_read_iter+0x105/0x4a0
[ 72.601514] seq_read+0x9e/0xd0
[ 72.601516] proc_reg_read+0x50/0xa0
[ 72.601518] vfs_read+0xa4/0x300
[ 72.601521] ? __do_sys_newfstatat+0x35/0x60
[ 72.601524] ksys_read+0x5a/0xe0
[ 72.601526] do_syscall_64+0x38/0x90
[ 72.601528] entry_SYSCALL_64_after_hwframe+0x6e/0xd8
[ 72.601531] RIP: 0033:0x7ff0359d53fe
[ 72.601532] Code: c0 e9 e6 fe ff ff 50 48 8d 3d 4e 53 0a 00 e8 59 ea 01 00 66 0f 1f 84 00 00 00 00 00 64 8b 04 25 18 00 00 00 85 c0 75 14 0f 05 <48> 3d 00 f0 ff ff 77 5a c3 66 0f 1f 84 00 00 00 00 00 48 83 ec 28
[ 72.601534] RSP: 002b:00007fff08e0f898 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[ 72.601536] RAX: ffffffffffffffda RBX: 0000000001c10e20 RCX: 00007ff0359d53fe
[ 72.601537] RDX: 0000000000000400 RSI: 0000000001bf3bf0 RDI: 0000000000000007
[ 72.601538] RBP: 00007ff035aaa520 R08: 0000000000000007 R09: 0000000000000000
[ 72.601539] R10: 0000000000001000 R11: 0000000000000246 R12: 0000000001c10e20
[ 72.601540] R13: 0000000000000d68 R14: 00007ff035aa9920 R15: 0000000000000d68
[ 72.601541] </TASK>
[ 72.601542] Modules linked in: nfsd lockd grace sunrpc tun snd_aloop bridge stp llc ipv6 wacom reiserfs uvcvideo videobuf2_vmalloc videobuf2_memops uvc videobuf2_v4l2 snd_usb_audio videodev snd_usbmidi_lib snd_hwdep videobuf2_common mousedev input_leds mc led_class radeon dm_cache_smq dm_cache dm_persistent_data drm_ttm_helper dm_bio_prison ttm dm_bufio drm_suballoc_helper libcrc32c drm_display_helper dm_mod drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops x86_pkg_temp_thermal drm coretemp kvm_intel drm_panel_orientation_quirks agpgart snd_echo3g cfbfillrect kvm cfbimgblt snd_pcm cfbcopyarea i2c_algo_bit snd_timer fb snd_rawmidi irqbypass i2c_i801 snd_seq_device e1000e font crc32_pclmul sr_mod xhci_pci i2c_smbus fbdev crc32c_intel snd mei_me cdrom i2c_core xhci_pci_renesas soundcore mei xhci_hcd fan thermal evdev video wmi rtc_cmos backlight acpi_pad button
[ 72.601588] CR2: 0000000000000020
[ 72.601589] ---[ end trace 0000000000000000 ]---
[ 72.601590] RIP: 0010:snd_rawmidi_proc_info_read+0x35/0x220 [snd_rawmidi]
[ 72.601594] Code: 55 48 89 f5 48 c7 c6 aa 26 15 a0 53 48 83 ec 18 4c 8b 67 40 48 8b 7d 00 49 8d 54 24 60 e8 f3 43 0b e1 49 8b 84 24 b0 00 00 00 <48> 8b 40 20 48 85 c0 74 0b 48 89 ee 4c 89 ef ff d0 0f 1f 00 4d 8d
[ 72.601596] RSP: 0018:ffffc90000557d10 EFLAGS: 00010246
[ 72.601597] RAX: 0000000000000000 RBX: ffff888102cfa168 RCX: 0000000000000002
[ 72.601598] RDX: 0000000000001000 RSI: ffffffffa01526ac RDI: ffff888103f9b007
[ 72.601599] RBP: ffff888102e80340 R08: 000000000000000a R09: 000000000000000a
[ 72.601600] R10: ffffffffffffffff R11: 0000000000000000 R12: ffff8881020c6000
[ 72.601601] R13: ffff888101c4b0c0 R14: ffff888102cfa190 R15: 0000000000000001
[ 72.601602] FS: 00007ff035e83740(0000) GS:ffff888a16d80000(0000) knlGS:0000000000000000
[ 72.601603] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 72.601605] CR2: 0000000000000020 CR3: 000000010f0f6003 CR4: 00000000003706e0
[ 72.601606] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 72.601607] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 72.601608] note: reaper[1944] exited with irqs disabled

$ strace -f -- reaper
[...]
stat("/home/mark/.config/REAPER/reaper.ini", {st_mode=S_IFREG|0644, st_size=12579, ...}) = 0
openat(AT_FDCWD, "/proc/asound/cards", O_RDONLY) = 6
newfstatat(6, "", {st_mode=S_IFREG|0444, st_size=0, ...}, AT_EMPTY_PATH) = 0
read(6, " 0 [Layla3G ]: Echo_Echo3"..., 1024) = 392
openat(AT_FDCWD, "/proc/asound/card0/midi0", O_RDONLY) = 7
newfstatat(7, "", {st_mode=S_IFREG|0444, st_size=0, ...}, AT_EMPTY_PATH) = 0
read(7, <unfinished ...>) = ?
+++ killed by SIGKILL +++
Killed
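Review bot: in the new else branch of the snd_seq_expand_var_event() hunk the return value of clear_user() is discarded, so a fault while zeroing the padding in the user buffer goes unreported and the function still returns newlen as though the trailing bytes had been cleared. clear_user() returns the number of bytes it could not clear; suggest `else if (clear_user((__force void __user *)buf + len, newlen - len))` followed by `return -EFAULT;`, which propagates the failure to the caller the same way the existing `if (err < 0) return err;` does for expand_var_event().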