lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date:   Tue, 28 Feb 2017 15:08:40 +0100
From:   Dmitry Vyukov <dvyukov@...gle.com>
To:     Takashi Iwai <tiwai@...e.de>
Cc:     alsa-devel@...a-project.org, Jaroslav Kysela <perex@...ex.cz>,
        LKML <linux-kernel@...r.kernel.org>,
        syzkaller <syzkaller@...glegroups.com>
Subject: Re: sound: spinlock lockup in snd_timer_user_tinterrupt

On Tue, Feb 28, 2017 at 2:58 PM, Takashi Iwai <tiwai@...e.de> wrote:
> On Mon, 27 Feb 2017 21:46:48 +0100,
> Dmitry Vyukov wrote:
>>
>> Hello,
>>
>> The following program locks up system:
>> https://gist.githubusercontent.com/dvyukov/1b5cdca7f0fc6254afd4816901160e4c/raw/024c53be2112c83e5d64f3e4d5e8aa38ded727e3/gistfile1.txt
>
> Thanks.  It doesn't look like the hard lockup, but it keeps the IRQs
> too busy, resulting in a quasi-lockup.
>
> The problem is that the timer accepted the too low resolution.  A
> simple fix would be to give an error for a too short parameter.
> The fix patch is attached below.  Please give it a try.

Pushed to our bots. Thanks.

> -- 8< --
> From: Takashi Iwai <tiwai@...e.de>
> Subject: [PATCH] ALSA: timer: Reject user params with too small ticks
>
> When a user sets a too small ticks with a fine-grained timer like
> hrtimer, the kernel tries to fire up the timer irq too frequently.
> This may lead to the condensed locks, eventually the kernel spinlock
> lockup with warnings.
>
> For avoiding such a situation, we define a lower limit of the
> resolution, namely 1ms.  When the user passes a too small tick value
> that results in less than that, the kernel returns -EINVAL now.
>
> Reported-by: Dmitry Vyukov <dvyukov@...gle.com>
> Cc: <stable@...r.kernel.org>
> Signed-off-by: Takashi Iwai <tiwai@...e.de>
> ---
>  sound/core/timer.c | 18 +++++++++++++++---
>  1 file changed, 15 insertions(+), 3 deletions(-)
>
> diff --git a/sound/core/timer.c b/sound/core/timer.c
> index fc144f43faa6..ad153149b231 100644
> --- a/sound/core/timer.c
> +++ b/sound/core/timer.c
> @@ -1702,9 +1702,21 @@ static int snd_timer_user_params(struct file *file,
>                 return -EBADFD;
>         if (copy_from_user(&params, _params, sizeof(params)))
>                 return -EFAULT;
> -       if (!(t->hw.flags & SNDRV_TIMER_HW_SLAVE) && params.ticks < 1) {
> -               err = -EINVAL;
> -               goto _end;
> +       if (!(t->hw.flags & SNDRV_TIMER_HW_SLAVE)) {
> +               u64 resolution;
> +
> +               if (params.ticks < 1) {
> +                       err = -EINVAL;
> +                       goto _end;
> +               }
> +
> +               /* Don't allow resolution less than 1ms */
> +               resolution = snd_timer_resolution(tu->timeri);
> +               resolution *= params.ticks;
> +               if (resolution < 1000000) {
> +                       err = -EINVAL;
> +                       goto _end;
> +               }
>         }
>         if (params.queue_size > 0 &&
>             (params.queue_size < 32 || params.queue_size > 1024)) {
> --
> 2.11.1
>
> --
> You received this message because you are subscribed to the Google Groups "syzkaller" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to syzkaller+unsubscribe@...glegroups.com.
> For more options, visit https://groups.google.com/d/optout.

Powered by blists - more mailing lists