Contextual adjustments were made to apply to 5.4 stable tree. Testing ------- Running the PoC from [1] on 5.4.191 kernel produces the following oops: qemu-system-x86_64 -nographic -serial mon:stdio -serial null -enable-kvm \ -net user,hostname=qemu0,hostfwd=tcp::36074-:22 -net nic \ -drive file=rootfs.ext4,format=raw -cpu host -m 4096 -kernel bzImage \ -append "console=ttyS0,115200 root=/dev/sda rw ip=dhcp " -soundhw ac97 -smp 2 root@intel-x86-64:~# ./poc ... [ 95.839647] BUG: Bad page state in process poc pfn:bb860 [ 95.841277] page:ffffea0002ee1800 refcount:-1 mapcount:0 mapping:0000000000000000 index:0x0 [ 95.843521] flags: 0x100000000000000() [ 95.844539] raw: 0100000000000000 dead000000000100 dead000000000122 0000000000000000 [ 95.846306] raw: 0000000000000000 0000000000000000 ffffffffffffffff 0000000000000000 [ 95.847164] page dumped because: nonzero _refcount [ 95.847705] Modules linked in: [ 95.848063] CPU: 0 PID: 357 Comm: poc Tainted: G W 5.4.191 #6 [ 95.848839] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014 [ 95.849847] Call Trace: [ 95.850145] dump_stack+0x76/0x9c [ 95.850549] bad_page.cold+0xff/0x124 [ 95.850980] ? si_mem_available+0x2f0/0x2f0 [ 95.851464] ? _raw_spin_trylock_bh+0x120/0x120 [ 95.851988] ? __module_text_address+0xe/0x140 [ 95.852494] get_page_from_freelist+0x16f9/0x35b0 [ 95.853034] ? __isolate_free_page+0x460/0x460 [ 95.853543] ? save_stack+0x4c/0x80 [ 95.853938] ? save_stack+0x1b/0x80 [ 95.854343] ? __kasan_kmalloc.constprop.0+0xc2/0xd0 [ 95.854897] ? snd_pcm_lib_malloc_pages+0x2b8/0x680 [ 95.855433] ? snd_intel8x0_hw_params+0x106/0x550 [ 95.855964] ? snd_pcm_hw_params+0x2b5/0x1290 [ 95.856438] ? snd_pcm_common_ioctl+0x332/0x1a20 [ 95.856954] __alloc_pages_nodemask+0x274/0x610 [ 95.857460] ? __alloc_pages_slowpath+0x1ff0/0x1ff0 [ 95.857992] ? snd_pcm_hw_refine+0x8de/0xdd0 [ 95.858467] ? kfree+0x8c/0x230 [ 95.858823] __dma_direct_alloc_pages+0x18d/0x390 [ 95.859339] dma_direct_alloc_pages+0x1b/0x170 [ 95.859827] snd_dma_alloc_pages+0x1ae/0x380 [ 95.860294] snd_pcm_lib_malloc_pages+0x371/0x680 [ 95.860812] snd_intel8x0_hw_params+0x106/0x550 [ 95.861311] snd_pcm_hw_params+0x2b5/0x1290 [ 95.861780] ? _copy_from_user+0x70/0xa0 [ 95.862214] snd_pcm_common_ioctl+0x332/0x1a20 [ 95.862699] ? up_read+0x10/0x90 [ 95.863070] ? n_tty_write+0x7ba/0xf70 [ 95.863484] ? snd_pcm_status_user+0x120/0x120 [ 95.863974] ? _raw_spin_lock_irqsave+0x7b/0xd0 [ 95.864473] ? _raw_spin_trylock_bh+0x120/0x120 [ 95.864975] snd_pcm_ioctl+0x62/0xa0 [ 95.865382] do_vfs_ioctl+0x9af/0xf30 [ 95.865790] ? selinux_file_ioctl+0x3ca/0x530 [ 95.866271] ? ioctl_preallocate+0x1a0/0x1a0 [ 95.866739] ? selinux_capable+0x20/0x20 [ 95.867172] ? __fget_light+0xab/0x4c0 [ 95.867588] ? syscall_trace_enter+0x50e/0xb40 [ 95.868074] ? iterate_fd+0x180/0x180 [ 95.868478] ksys_ioctl+0x59/0x90 [ 95.868853] __x64_sys_ioctl+0x6a/0xb0 [ 95.869278] do_syscall_64+0x89/0x2e0 [ 95.869681] ? prepare_exit_to_usermode+0xec/0x190 [ 95.870213] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 95.870764] RIP: 0033:0x7f6f375c8717 [ 95.871157] Code: 00 00 90 48 8b 05 69 57 0c 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 8 [ 95.873187] RSP: 002b:00007ffdbdb71b48 EFLAGS: 00000206 ORIG_RAX: 0000000000000010 [ 95.874009] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f6f375c8717 [ 95.874780] RDX: 0000564d6f23c2a0 RSI: 00000000c2604111 RDI: 0000000000000003 [ 95.875555] RBP: 00007ffdbdb71c20 R08: 0000000000000000 R09: 0000000000000010 [ 95.876322] R10: 00007ffdbdb71a27 R11: 0000000000000206 R12: 0000564d6f15e120 [ 95.877093] R13: 00007ffdbdb71d00 R14: 0000000000000000 R15: 0000000000000000 [ 95.877864] Disabling lock debugging due to kernel taint [ 95.881630] ================================================================== [ 95.883522] BUG: KASAN: double-free or invalid-free in snd_pcm_lib_free_pages+0xe1/0x230 [ 95.885570] [ 95.885976] CPU: 1 PID: 371 Comm: poc Tainted: G B W 5.4.191 #6 [ 95.887787] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014 [ 95.890095] Call Trace: [ 95.890505] dump_stack+0x76/0x9c [ 95.890859] print_address_description.constprop.0+0x16/0x200 [ 95.891454] ? snd_pcm_lib_free_pages+0xe1/0x230 [ 95.891940] kasan_report_invalid_free+0x61/0xa0 [ 95.892429] ? snd_pcm_lib_free_pages+0xe1/0x230 [ 95.892921] __kasan_slab_free+0x15e/0x170 [ 95.893350] ? snd_pcm_lib_free_pages+0xe1/0x230 [ 95.893843] kfree+0x8c/0x230 [ 95.894163] snd_pcm_lib_free_pages+0xe1/0x230 [ 95.894633] snd_pcm_common_ioctl+0x599/0x1a20 [ 95.895089] ? snd_pcm_status_user+0x120/0x120 [ 95.895543] snd_pcm_ioctl+0x62/0xa0 [ 95.895912] do_vfs_ioctl+0x9af/0xf30 [ 95.896292] ? selinux_file_ioctl+0x3ca/0x530 [ 95.896752] ? ioctl_preallocate+0x1a0/0x1a0 [ 95.897184] ? selinux_capable+0x20/0x20 [ 95.897589] ? __fget_light+0x2ab/0x4c0 [ 95.898002] ? iterate_fd+0x180/0x180 [ 95.898385] ksys_ioctl+0x59/0x90 [ 95.898739] __x64_sys_ioctl+0x6a/0xb0 [ 95.899139] do_syscall_64+0x89/0x2e0 [ 95.899521] ? syscall_return_slowpath+0x17a/0x1e0 [ 95.900013] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 95.900532] RIP: 0033:0x7f6f375c8717 [ 95.900905] Code: 00 00 90 48 8b 05 69 57 0c 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 8 [ 95.902809] RSP: 002b:00007f6f30b72ee8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 95.903572] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f6f375c8717 [ 95.904294] RDX: 0000000000000000 RSI: 0000000000004112 RDI: 0000000000000003 [ 95.905009] RBP: 00007f6f30b72f00 R08: 00007f6f30b73700 R09: 00007f6f30b73700 [ 95.905723] R10: 00007f6f30b739d0 R11: 0000000000000246 R12: 00007ffdbdb71ace [ 95.906442] R13: 00007ffdbdb71acf R14: 00007f6f30b72fc0 R15: 00007f6f30b73700 The testcase runs successfully after applying this patchset. [1] https://www.openwall.com/lists/oss-security/2022/03/28/4 Takashi Iwai (5): ALSA: pcm: Fix races among concurrent hw_params and hw_free calls ALSA: pcm: Fix races among concurrent read/write and buffer changes ALSA: pcm: Fix races among concurrent prepare and hw_params/hw_free calls ALSA: pcm: Fix races among concurrent prealloc proc writes ALSA: pcm: Fix potential AB/BA lock with buffer_mutex and mmap_lock include/sound/pcm.h | 2 + sound/core/pcm.c | 3 ++ sound/core/pcm_lib.c | 5 ++ sound/core/pcm_memory.c | 11 ++-- sound/core/pcm_native.c | 110 ++++++++++++++++++++++++++++------------ 5 files changed, 95 insertions(+), 36 deletions(-) -- 2.36.0