Hello, The following program triggers GPF in snd_timer_user_params: // autogenerated by syzkaller (http://github.com/google/syzkaller) #include <unistd.h> #include <sys/syscall.h> #include <string.h> #include <stdint.h> #include <pthread.h> long r[108]; void *thr(void *arg) { switch ((long)arg) { case 0: r[0] = syscall(SYS_mmap, 0x20000000ul, 0xf000ul, 0x3ul, 0x32ul, 0xfffffffffffffffful, 0x0ul); break; case 1: memcpy((void*)0x20000990, "\x2f\x64\x65\x76\x2f\x73\x6e\x64\x2f\x74\x69\x6d\x65\x72", 14); r[2] = syscall(SYS_open, 0x20000990ul, 0x40ul, 0x0ul, 0, 0, 0); break; case 2: r[3] = syscall(SYS_ioctl, r[2], 0x54a0ul, 0, 0, 0, 0); break; case 3: *(uint32_t*)0x20000000 = (uint32_t)0x1; *(uint32_t*)0x20000004 = (uint32_t)0x7; *(uint32_t*)0x20000008 = (uint32_t)0x3; *(uint32_t*)0x2000000c = (uint32_t)0x0; *(uint32_t*)0x20000010 = (uint32_t)0x0; *(uint8_t*)0x20000014 = (uint8_t)0x0; *(uint8_t*)0x20000015 = (uint8_t)0x0; *(uint8_t*)0x20000016 = (uint8_t)0x0; *(uint8_t*)0x20000017 = (uint8_t)0x0; *(uint8_t*)0x20000018 = (uint8_t)0x0; *(uint8_t*)0x20000019 = (uint8_t)0x0; *(uint8_t*)0x2000001a = (uint8_t)0x0; *(uint8_t*)0x2000001b = (uint8_t)0x0; *(uint8_t*)0x2000001c = (uint8_t)0x0; *(uint8_t*)0x2000001d = (uint8_t)0x0; *(uint8_t*)0x2000001e = (uint8_t)0x0; *(uint8_t*)0x2000001f = (uint8_t)0x0; *(uint8_t*)0x20000020 = (uint8_t)0x0; *(uint8_t*)0x20000021 = (uint8_t)0x0; *(uint8_t*)0x20000022 = (uint8_t)0x0; *(uint8_t*)0x20000023 = (uint8_t)0x0; *(uint8_t*)0x20000024 = (uint8_t)0x0; *(uint8_t*)0x20000025 = (uint8_t)0x0; *(uint8_t*)0x20000026 = (uint8_t)0x0; *(uint8_t*)0x20000027 = (uint8_t)0x0; *(uint8_t*)0x20000028 = (uint8_t)0x0; *(uint8_t*)0x20000029 = (uint8_t)0x0; *(uint8_t*)0x2000002a = (uint8_t)0x0; *(uint8_t*)0x2000002b = (uint8_t)0x0; *(uint8_t*)0x2000002c = (uint8_t)0x0; *(uint8_t*)0x2000002d = (uint8_t)0x0; *(uint8_t*)0x2000002e = (uint8_t)0x0; *(uint8_t*)0x2000002f = (uint8_t)0x0; *(uint8_t*)0x20000030 = (uint8_t)0x0; *(uint8_t*)0x20000031 = (uint8_t)0x0; *(uint8_t*)0x20000032 = (uint8_t)0x0; *(uint8_t*)0x20000033 = (uint8_t)0x0; r[41] = syscall(SYS_ioctl, r[2], 0x40345410ul, 0x20000000ul, 0, 0, 0); break; case 4: *(uint32_t*)0x20005731 = (uint32_t)0x5; *(uint32_t*)0x20005735 = (uint32_t)0x7; *(uint32_t*)0x20005739 = (uint32_t)0x0; *(uint32_t*)0x2000573d = (uint32_t)0x0; *(uint32_t*)0x20005741 = (uint32_t)0x5; *(uint8_t*)0x20005745 = (uint8_t)0x0; *(uint8_t*)0x20005746 = (uint8_t)0x0; *(uint8_t*)0x20005747 = (uint8_t)0x0; *(uint8_t*)0x20005748 = (uint8_t)0x0; *(uint8_t*)0x20005749 = (uint8_t)0x0; *(uint8_t*)0x2000574a = (uint8_t)0x0; *(uint8_t*)0x2000574b = (uint8_t)0x0; *(uint8_t*)0x2000574c = (uint8_t)0x0; *(uint8_t*)0x2000574d = (uint8_t)0x0; *(uint8_t*)0x2000574e = (uint8_t)0x0; *(uint8_t*)0x2000574f = (uint8_t)0x0; *(uint8_t*)0x20005750 = (uint8_t)0x0; *(uint8_t*)0x20005751 = (uint8_t)0x0; *(uint8_t*)0x20005752 = (uint8_t)0x0; *(uint8_t*)0x20005753 = (uint8_t)0x0; *(uint8_t*)0x20005754 = (uint8_t)0x0; *(uint8_t*)0x20005755 = (uint8_t)0x0; *(uint8_t*)0x20005756 = (uint8_t)0x0; *(uint8_t*)0x20005757 = (uint8_t)0x0; *(uint8_t*)0x20005758 = (uint8_t)0x0; *(uint8_t*)0x20005759 = (uint8_t)0x0; *(uint8_t*)0x2000575a = (uint8_t)0x0; *(uint8_t*)0x2000575b = (uint8_t)0x0; *(uint8_t*)0x2000575c = (uint8_t)0x0; *(uint8_t*)0x2000575d = (uint8_t)0x0; *(uint8_t*)0x2000575e = (uint8_t)0x0; *(uint8_t*)0x2000575f = (uint8_t)0x0; *(uint8_t*)0x20005760 = (uint8_t)0x0; *(uint8_t*)0x20005761 = (uint8_t)0x0; *(uint8_t*)0x20005762 = (uint8_t)0x0; *(uint8_t*)0x20005763 = (uint8_t)0x0; *(uint8_t*)0x20005764 = (uint8_t)0x0; *(uint8_t*)0x20005765 = (uint8_t)0x0; *(uint8_t*)0x20005766 = (uint8_t)0x0; *(uint8_t*)0x20005767 = (uint8_t)0x0; *(uint8_t*)0x20005768 = (uint8_t)0x0; *(uint8_t*)0x20005769 = (uint8_t)0x0; *(uint8_t*)0x2000576a = (uint8_t)0x0; *(uint8_t*)0x2000576b = (uint8_t)0x0; *(uint8_t*)0x2000576c = (uint8_t)0x0; *(uint8_t*)0x2000576d = (uint8_t)0x0; *(uint8_t*)0x2000576e = (uint8_t)0x0; *(uint8_t*)0x2000576f = (uint8_t)0x0; *(uint8_t*)0x20005770 = (uint8_t)0x0; *(uint8_t*)0x20005771 = (uint8_t)0x0; *(uint8_t*)0x20005772 = (uint8_t)0x0; *(uint8_t*)0x20005773 = (uint8_t)0x0; *(uint8_t*)0x20005774 = (uint8_t)0x0; *(uint8_t*)0x20005775 = (uint8_t)0x0; *(uint8_t*)0x20005776 = (uint8_t)0x0; *(uint8_t*)0x20005777 = (uint8_t)0x0; *(uint8_t*)0x20005778 = (uint8_t)0x0; *(uint8_t*)0x20005779 = (uint8_t)0x0; *(uint8_t*)0x2000577a = (uint8_t)0x0; *(uint8_t*)0x2000577b = (uint8_t)0x0; *(uint8_t*)0x2000577c = (uint8_t)0x0; *(uint8_t*)0x2000577d = (uint8_t)0x0; *(uint8_t*)0x2000577e = (uint8_t)0x0; *(uint8_t*)0x2000577f = (uint8_t)0x0; *(uint8_t*)0x20005780 = (uint8_t)0x0; r[107] = syscall(SYS_ioctl, r[2], 0x40505412ul, 0x20005731ul, 0, 0, 0); break; } return 0; } int main() { long i; pthread_t th[5]; memset(r, -1, sizeof(r)); for (i = 0; i < 5; i++) { pthread_create(&th[i], 0, thr, (void*)i); usleep(10000); } for (i = 0; i < 5; i++) { pthread_create(&th[i], 0, thr, (void*)i); if (i%2==0) usleep(10000); } usleep(100000); return 0; } kasan: GPF could be caused by NULL-ptr deref or user memory accessgeneral protection fault: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN Modules linked in: CPU: 3 PID: 6811 Comm: syz-executor Not tainted 4.4.0+ #240 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 task: ffff880033ca97c0 ti: ffff8800337b8000 task.ti: ffff8800337b8000 RIP: 0010:[<ffffffff84ec20fb>] [<ffffffff84ec20fb>] snd_timer_user_params.isra.17+0x5fb/0x9f0 RSP: 0018:ffff8800337bf9a0 EFLAGS: 00010246 RAX: dffffc0000000000 RBX: ffff88003578c000 RCX: ffff880033ca97c0 RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff88003578c030 RBP: ffff8800337bfad0 R08: 0000000000000001 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: 1ffff100066f7f39 R13: ffff8800337bfaa8 R14: 0000000000000000 R15: 0000000020005731 FS: 00007fd5971aa700(0000) GS:ffff88006d700000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b CR2: 0000000020000990 CR3: 0000000063509000 CR4: 00000000000006e0 Stack: dffffc0000000000 ffffffff814ef860 ffff8800337bfbc0 ffff88003607c508 ffff8800337bfa28 0000000041b58ab3 ffffffff873dff68 ffffffff84ec1b00 ffffffff00000000 0000000000000000 1ffff100067952f9 ffff880033ca97c0 Call Trace: [<ffffffff84ec51ca>] snd_timer_user_ioctl+0x163a/0x2540 sound/core/timer.c:1813 [< inline >] vfs_ioctl fs/ioctl.c:43 [<ffffffff817cbd3c>] do_vfs_ioctl+0x18c/0xfa0 fs/ioctl.c:674 [< inline >] SYSC_ioctl fs/ioctl.c:689 [<ffffffff817ccbdf>] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:680 [<ffffffff86272ff6>] entry_SYSCALL_64_fastpath+0x16/0x7a arch/x86/entry/entry_64.S:185 Code: 00 00 fc ff df 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 60 03 00 00 4c 8b 73 30 48 b8 00 00 00 00 00 fc ff df 4c 89 f2 48 c1 ea 03 <0f> b6 14 02 4c 89 f0 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 RIP [<ffffffff84ec20fb>] snd_timer_user_params.isra.17+0x5fb/0x9f0 sound/core/timer.c:1680 RSP <ffff8800337bf9a0> ---[ end trace 34f31d6e8ce26f6b ]--- On commit 67990608c8b95d2b8ccc29932376ae73d5818727 (Jan 12). _______________________________________________ Alsa-devel mailing list Alsa-devel@xxxxxxxxxxxxxxxx http://mailman.alsa-project.org/mailman/listinfo/alsa-devel