sound: BUG in snd_ctl_find_numid
From: Dmitry Vyukov
Date: Mon Jan 18 2016 - 08:00:41 EST
Hello,
The following program triggers a BUG in snd_ctl_find_numid:
// autogenerated by syzkaller (http://github.com/google/syzkaller)
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <sys/ioctl.h>
#include <sound/asound.h>

int main()
{
	struct snd_ctl_tlv tlv;
	/* control device of the first sound card */
	int fd = open("/dev/snd/controlC0", O_RDWR);
	if (fd < 0)
		return 1;
	/* numid 0 reaches snd_ctl_find_numid and hits the WARN at control.c:668 */
	tlv.numid = 0;
	tlv.length = 8;
	ioctl(fd, SNDRV_CTL_IOCTL_TLV_WRITE, &tlv);
	return 0;
}
------------[ cut here ]------------
WARNING: CPU: 1 PID: 29204 at sound/core/control.c:668 snd_ctl_find_numid+0xff/0x130()
Modules linked in:
CPU: 1 PID: 29204 Comm: a.out Tainted: G W 4.4.0+ #259
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
00000000ffffffff ffff88005e55fb30 ffffffff8298accd 0000000000000000
ffff8800647caf80 ffffffff86d23d80 ffff88005e55fb70 ffffffff81352089
ffffffff84f16b3f ffffffff86d23d80 000000000000029c ffff88002402cb60
Call Trace:
[< inline >] __dump_stack lib/dump_stack.c:15
[<ffffffff8298accd>] dump_stack+0x6f/0xa2 lib/dump_stack.c:50
[<ffffffff81352089>] warn_slowpath_common+0xd9/0x140 kernel/panic.c:482
[<ffffffff813522b9>] warn_slowpath_null+0x29/0x30 kernel/panic.c:515
[<ffffffff84f16b3f>] snd_ctl_find_numid+0xff/0x130 sound/core/control.c:668
[<ffffffff84f1caf9>] snd_ctl_tlv_ioctl+0x119/0x680 sound/core/control.c:1409
[<ffffffff84f1f88b>] snd_ctl_ioctl+0x24b/0xdd0 sound/core/control.c:1501
[< inline >] vfs_ioctl fs/ioctl.c:43
[<ffffffff817ebfac>] do_vfs_ioctl+0x18c/0xfb0 fs/ioctl.c:674
[< inline >] SYSC_ioctl fs/ioctl.c:689
[<ffffffff817ece5f>] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:680
[<ffffffff863259b6>] entry_SYSCALL_64_fastpath+0x16/0x7a arch/x86/entry/entry_64.S:185
---[ end trace 010bca66b8d6c52a ]---
On commit 5807fcaa9bf7dd87241df739161c119cf78a6bc4.