* sound: deadlock snd_rawmidi_kernel_open/check_and_subscribe_port
@ 2016-08-13 21:43 ` Dmitry Vyukov
  0 siblings, 0 replies; 8+ messages in thread
From: Dmitry Vyukov @ 2016-08-13 21:43 UTC (permalink / raw)
  To: Jaroslav Kysela, Takashi Iwai, alsa-devel, LKML
  Cc: syzkaller, Kostya Serebryany, Alexander Potapenko

Hello,

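While running the syzkaller fuzzer on commit
f31494bd05b06b0cdb4da6aebe92eaafab970df6 (Aug 12), I got the
following deadlock report. Lockdep flags a lock-order inversion:
snd_rawmidi_kernel_open() takes register_mutex while grp->list_mutex
is already held by check_and_subscribe_port(), whereas the previously
recorded chain through snd_rawmidi_dev_register() takes the two locks
in the opposite order: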

======================================================
[ INFO: possible circular locking dependency detected ]
4.8.0-rc1+ #11 Not tainted
-------------------------------------------------------
syz-executor/7154 is trying to acquire lock:
 (register_mutex#5){+.+.+.}, at: [<ffffffff84fd6d4b>]
snd_rawmidi_kernel_open+0x4b/0x260 sound/core/rawmidi.c:341

but task is already holding lock:
 (&grp->list_mutex){++++.+}, at: [<ffffffff850138bb>]
check_and_subscribe_port+0x5b/0x5c0 sound/core/seq/seq_ports.c:495

which lock already depends on the new lock.

the existing dependency chain (in reverse order) is:

-> #1 (&grp->list_mutex){++++.+}:
       [<ffffffff8147a3a8>] lock_acquire+0x208/0x430
kernel/locking/lockdep.c:3746
       [<ffffffff863f6199>] down_read+0x49/0xc0 kernel/locking/rwsem.c:22
       [<     inline     >] deliver_to_subscribers
sound/core/seq/seq_clientmgr.c:681
       [<ffffffff85005c5e>] snd_seq_deliver_event+0x35e/0x890
sound/core/seq/seq_clientmgr.c:822
       [<ffffffff85006e96>] snd_seq_kernel_client_dispatch+0x126/0x170
sound/core/seq/seq_clientmgr.c:2418
       [<ffffffff85012c52>] snd_seq_system_broadcast+0xb2/0xf0
sound/core/seq/seq_system.c:101
       [<ffffffff84fff70a>] snd_seq_create_kernel_client+0x24a/0x330
sound/core/seq/seq_clientmgr.c:2297
       [<     inline     >] snd_virmidi_dev_attach_seq
sound/core/seq/seq_virmidi.c:383
       [<ffffffff8502d29f>] snd_virmidi_dev_register+0x29f/0x750
sound/core/seq/seq_virmidi.c:450
       [<ffffffff84fd208c>] snd_rawmidi_dev_register+0x30c/0xd40
sound/core/rawmidi.c:1645
       [<ffffffff84f816d3>] __snd_device_register.part.0+0x63/0xc0
sound/core/device.c:164
       [<     inline     >] __snd_device_register sound/core/device.c:162
       [<ffffffff84f8235d>] snd_device_register_all+0xad/0x110
sound/core/device.c:212
       [<ffffffff84f7546f>] snd_card_register+0xef/0x6c0 sound/core/init.c:749
       [<ffffffff85040b7f>] snd_virmidi_probe+0x3ef/0x590
sound/drivers/virmidi.c:123
       [<ffffffff833ebf7b>] platform_drv_probe+0x8b/0x170
drivers/base/platform.c:564
       [<     inline     >] really_probe drivers/base/dd.c:377
       [<ffffffff833e5993>] driver_probe_device+0x563/0xcc0
drivers/base/dd.c:499
       [<ffffffff833e653d>] __device_attach_driver+0x21d/0x2e0
drivers/base/dd.c:594
       [<ffffffff833df38f>] bus_for_each_drv+0x13f/0x1d0 drivers/base/bus.c:463
       [<ffffffff833e51ef>] __device_attach+0x1ef/0x300 drivers/base/dd.c:651
       [<ffffffff833e669a>] device_initial_probe+0x1a/0x20 drivers/base/dd.c:698
       [<ffffffff833e2999>] bus_probe_device+0x1e9/0x290 drivers/base/bus.c:557
       [<ffffffff833dc459>] device_add+0xc49/0x14c0 drivers/base/core.c:1120
       [<ffffffff833eb629>] platform_device_add+0x2f9/0x7b0
drivers/base/platform.c:403
       [<ffffffff833ed3b2>] platform_device_register_full+0x392/0x4b0
drivers/base/platform.c:536
       [<     inline     >] platform_device_register_resndata
./include/linux/platform_device.h:111
       [<     inline     >] platform_device_register_simple
./include/linux/platform_device.h:140
       [<ffffffff8870fabd>] alsa_card_virmidi_init+0x104/0x1da
sound/drivers/virmidi.c:172
       [<ffffffff81002330>] do_one_initcall+0xa0/0x2b0 init/main.c:778
       [<     inline     >] do_initcall_level init/main.c:843
       [<     inline     >] do_initcalls init/main.c:851
       [<     inline     >] do_basic_setup init/main.c:869
       [<ffffffff88604d11>] kernel_init_freeable+0x47b/0x534 init/main.c:1016
       [<ffffffff863e2f53>] kernel_init+0x13/0x180 init/main.c:942
       [<ffffffff863fbdcf>] ret_from_fork+0x1f/0x40
arch/x86/entry/entry_64.S:393

-> #0 (register_mutex#5){+.+.+.}:
       [<     inline     >] check_prev_add kernel/locking/lockdep.c:1829
       [<     inline     >] check_prevs_add kernel/locking/lockdep.c:1939
       [<     inline     >] validate_chain kernel/locking/lockdep.c:2266
       [<ffffffff814791f4>] __lock_acquire+0x4d44/0x4d80
kernel/locking/lockdep.c:3335
       [<ffffffff8147a3a8>] lock_acquire+0x208/0x430
kernel/locking/lockdep.c:3746
       [<     inline     >] __mutex_lock_common kernel/locking/mutex.c:521
       [<ffffffff863f0ef1>] mutex_lock_nested+0xb1/0xa20
kernel/locking/mutex.c:621
       [<ffffffff84fd6d4b>] snd_rawmidi_kernel_open+0x4b/0x260
sound/core/rawmidi.c:341
       [<ffffffff8502e7c7>] midisynth_subscribe+0xf7/0x350
sound/core/seq/seq_midi.c:188
       [<     inline     >] subscribe_port sound/core/seq/seq_ports.c:427
       [<ffffffff85013cc7>] check_and_subscribe_port+0x467/0x5c0
sound/core/seq/seq_ports.c:510
       [<ffffffff85015da9>] snd_seq_port_connect+0x2c9/0x500
sound/core/seq/seq_ports.c:579
       [<ffffffff850079b8>] snd_seq_ioctl_subscribe_port+0x1d8/0x2b0
sound/core/seq/seq_clientmgr.c:1480
       [<ffffffff84ffe9e4>] snd_seq_do_ioctl+0x184/0x1e0
sound/core/seq/seq_clientmgr.c:2225
       [<ffffffff84ffeae8>] snd_seq_kernel_client_ctl+0xa8/0x110
sound/core/seq/seq_clientmgr.c:2440
       [<ffffffff85027664>] snd_seq_oss_midi_open+0x3b4/0x610
sound/core/seq/oss/seq_oss_midi.c:375
       [<ffffffff85023d67>] snd_seq_oss_synth_setup_midi+0x107/0x4c0
sound/core/seq/oss/seq_oss_synth.c:281
       [<ffffffff8501b0a8>] snd_seq_oss_open+0x748/0x8d0
sound/core/seq/oss/seq_oss_init.c:274
       [<ffffffff85019d8a>] odev_open+0x6a/0x90 sound/core/seq/oss/seq_oss.c:138
       [<ffffffff84f7040f>] soundcore_open+0x30f/0x640 sound/sound_core.c:639
       [<ffffffff818069ea>] chrdev_open+0x22a/0x4c0 fs/char_dev.c:392
       [<ffffffff817f146f>] do_dentry_open+0x69f/0xca0 fs/open.c:736
       [<ffffffff817f4aa5>] vfs_open+0x105/0x220 fs/open.c:849
       [<     inline     >] do_last fs/namei.c:3374
       [<ffffffff8182c35d>] path_openat+0x1efd/0x2f60 fs/namei.c:3497
       [<ffffffff81830b6e>] do_filp_open+0x18e/0x250 fs/namei.c:3532
       [<ffffffff817f53c1>] do_sys_open+0x201/0x420 fs/open.c:1036
       [<     inline     >] SYSC_open fs/open.c:1054
       [<ffffffff817f560d>] SyS_open+0x2d/0x40 fs/open.c:1049
       [<ffffffff863fbb80>] entry_SYSCALL_64_fastpath+0x23/0xc1
arch/x86/entry/entry_64.S:207

other info that might help us debug this:

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&grp->list_mutex);
                               lock(register_mutex#5);
                               lock(&grp->list_mutex);
  lock(register_mutex#5);

 *** DEADLOCK ***

2 locks held by syz-executor/7154:
 #0:  (register_mutex#4){+.+.+.}, at: [<ffffffff85019d7f>]
odev_open+0x5f/0x90 sound/core/seq/oss/seq_oss.c:137
 #1:  (&grp->list_mutex){++++.+}, at: [<ffffffff850138bb>]
check_and_subscribe_port+0x5b/0x5c0 sound/core/seq/seq_ports.c:495

stack backtrace:
CPU: 0 PID: 7154 Comm: syz-executor Not tainted 4.8.0-rc1+ #11
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
 ffffffff878b7680 ffff880038b670f0 ffffffff82a5f719 ffffffff00000000
 fffffbfff0f16ed0 ffffffff8901a0d0 ffffffff8901a0d0 ffffffff890191a0
 ffff88003da2cf08 ffff88003da2c6c0 ffff880038b67140 ffffffff814708a8
Call Trace:
 [<     inline     >] __dump_stack lib/dump_stack.c:15
 [<ffffffff82a5f719>] dump_stack+0x12e/0x185 lib/dump_stack.c:51
 [<ffffffff814708a8>] print_circular_bug+0x288/0x340
kernel/locking/lockdep.c:1202
 [<     inline     >] check_prev_add kernel/locking/lockdep.c:1829
 [<     inline     >] check_prevs_add kernel/locking/lockdep.c:1939
 [<     inline     >] validate_chain kernel/locking/lockdep.c:2266
 [<ffffffff814791f4>] __lock_acquire+0x4d44/0x4d80 kernel/locking/lockdep.c:3335
 [<ffffffff8147a3a8>] lock_acquire+0x208/0x430 kernel/locking/lockdep.c:3746
 [<     inline     >] __mutex_lock_common kernel/locking/mutex.c:521
 [<ffffffff863f0ef1>] mutex_lock_nested+0xb1/0xa20 kernel/locking/mutex.c:621
 [<ffffffff84fd6d4b>] snd_rawmidi_kernel_open+0x4b/0x260
sound/core/rawmidi.c:341
 [<ffffffff8502e7c7>] midisynth_subscribe+0xf7/0x350
sound/core/seq/seq_midi.c:188
 [<     inline     >] subscribe_port sound/core/seq/seq_ports.c:427
 [<ffffffff85013cc7>] check_and_subscribe_port+0x467/0x5c0
sound/core/seq/seq_ports.c:510
 [<ffffffff85015da9>] snd_seq_port_connect+0x2c9/0x500
sound/core/seq/seq_ports.c:579
 [<ffffffff850079b8>] snd_seq_ioctl_subscribe_port+0x1d8/0x2b0
sound/core/seq/seq_clientmgr.c:1480
 [<ffffffff84ffe9e4>] snd_seq_do_ioctl+0x184/0x1e0
sound/core/seq/seq_clientmgr.c:2225
 [<ffffffff84ffeae8>] snd_seq_kernel_client_ctl+0xa8/0x110
sound/core/seq/seq_clientmgr.c:2440
 [<ffffffff85027664>] snd_seq_oss_midi_open+0x3b4/0x610
sound/core/seq/oss/seq_oss_midi.c:375
 [<ffffffff85023d67>] snd_seq_oss_synth_setup_midi+0x107/0x4c0
sound/core/seq/oss/seq_oss_synth.c:281
 [<ffffffff8501b0a8>] snd_seq_oss_open+0x748/0x8d0
sound/core/seq/oss/seq_oss_init.c:274
 [<ffffffff85019d8a>] odev_open+0x6a/0x90 sound/core/seq/oss/seq_oss.c:138
 [<ffffffff84f7040f>] soundcore_open+0x30f/0x640 sound/sound_core.c:639
 [<ffffffff818069ea>] chrdev_open+0x22a/0x4c0 fs/char_dev.c:392
 [<ffffffff817f146f>] do_dentry_open+0x69f/0xca0 fs/open.c:736
 [<ffffffff817f4aa5>] vfs_open+0x105/0x220 fs/open.c:849
 [<     inline     >] do_last fs/namei.c:3374
 [<ffffffff8182c35d>] path_openat+0x1efd/0x2f60 fs/namei.c:3497
 [<ffffffff81830b6e>] do_filp_open+0x18e/0x250 fs/namei.c:3532
 [<ffffffff817f53c1>] do_sys_open+0x201/0x420 fs/open.c:1036
 [<     inline     >] SYSC_open fs/open.c:1054
 [<ffffffff817f560d>] SyS_open+0x2d/0x40 fs/open.c:1049
 [<ffffffff863fbb80>] entry_SYSCALL_64_fastpath+0x23/0xc1
arch/x86/entry/entry_64.S:207


* sound: deadlock snd_rawmidi_kernel_open/check_and_subscribe_port
@ 2016-08-13 21:43 ` Dmitry Vyukov
  0 siblings, 0 replies; 8+ messages in thread
From: Dmitry Vyukov @ 2016-08-13 21:43 UTC (permalink / raw)
  To: Jaroslav Kysela, Takashi Iwai, alsa-devel, LKML
  Cc: Kostya Serebryany, syzkaller, Alexander Potapenko

Hello,

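While running the syzkaller fuzzer on commit
f31494bd05b06b0cdb4da6aebe92eaafab970df6 (Aug 12), I got the
following deadlock report. Lockdep flags a lock-order inversion:
snd_rawmidi_kernel_open() takes register_mutex while grp->list_mutex
is already held by check_and_subscribe_port(), whereas the previously
recorded chain through snd_rawmidi_dev_register() takes the two locks
in the opposite order: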

======================================================
[ INFO: possible circular locking dependency detected ]
4.8.0-rc1+ #11 Not tainted
-------------------------------------------------------
syz-executor/7154 is trying to acquire lock:
 (register_mutex#5){+.+.+.}, at: [<ffffffff84fd6d4b>]
snd_rawmidi_kernel_open+0x4b/0x260 sound/core/rawmidi.c:341

but task is already holding lock:
 (&grp->list_mutex){++++.+}, at: [<ffffffff850138bb>]
check_and_subscribe_port+0x5b/0x5c0 sound/core/seq/seq_ports.c:495

which lock already depends on the new lock.

the existing dependency chain (in reverse order) is:

-> #1 (&grp->list_mutex){++++.+}:
       [<ffffffff8147a3a8>] lock_acquire+0x208/0x430
kernel/locking/lockdep.c:3746
       [<ffffffff863f6199>] down_read+0x49/0xc0 kernel/locking/rwsem.c:22
       [<     inline     >] deliver_to_subscribers
sound/core/seq/seq_clientmgr.c:681
       [<ffffffff85005c5e>] snd_seq_deliver_event+0x35e/0x890
sound/core/seq/seq_clientmgr.c:822
       [<ffffffff85006e96>] snd_seq_kernel_client_dispatch+0x126/0x170
sound/core/seq/seq_clientmgr.c:2418
       [<ffffffff85012c52>] snd_seq_system_broadcast+0xb2/0xf0
sound/core/seq/seq_system.c:101
       [<ffffffff84fff70a>] snd_seq_create_kernel_client+0x24a/0x330
sound/core/seq/seq_clientmgr.c:2297
       [<     inline     >] snd_virmidi_dev_attach_seq
sound/core/seq/seq_virmidi.c:383
       [<ffffffff8502d29f>] snd_virmidi_dev_register+0x29f/0x750
sound/core/seq/seq_virmidi.c:450
       [<ffffffff84fd208c>] snd_rawmidi_dev_register+0x30c/0xd40
sound/core/rawmidi.c:1645
       [<ffffffff84f816d3>] __snd_device_register.part.0+0x63/0xc0
sound/core/device.c:164
       [<     inline     >] __snd_device_register sound/core/device.c:162
       [<ffffffff84f8235d>] snd_device_register_all+0xad/0x110
sound/core/device.c:212
       [<ffffffff84f7546f>] snd_card_register+0xef/0x6c0 sound/core/init.c:749
       [<ffffffff85040b7f>] snd_virmidi_probe+0x3ef/0x590
sound/drivers/virmidi.c:123
       [<ffffffff833ebf7b>] platform_drv_probe+0x8b/0x170
drivers/base/platform.c:564
       [<     inline     >] really_probe drivers/base/dd.c:377
       [<ffffffff833e5993>] driver_probe_device+0x563/0xcc0
drivers/base/dd.c:499
       [<ffffffff833e653d>] __device_attach_driver+0x21d/0x2e0
drivers/base/dd.c:594
       [<ffffffff833df38f>] bus_for_each_drv+0x13f/0x1d0 drivers/base/bus.c:463
       [<ffffffff833e51ef>] __device_attach+0x1ef/0x300 drivers/base/dd.c:651
       [<ffffffff833e669a>] device_initial_probe+0x1a/0x20 drivers/base/dd.c:698
       [<ffffffff833e2999>] bus_probe_device+0x1e9/0x290 drivers/base/bus.c:557
       [<ffffffff833dc459>] device_add+0xc49/0x14c0 drivers/base/core.c:1120
       [<ffffffff833eb629>] platform_device_add+0x2f9/0x7b0
drivers/base/platform.c:403
       [<ffffffff833ed3b2>] platform_device_register_full+0x392/0x4b0
drivers/base/platform.c:536
       [<     inline     >] platform_device_register_resndata
./include/linux/platform_device.h:111
       [<     inline     >] platform_device_register_simple
./include/linux/platform_device.h:140
       [<ffffffff8870fabd>] alsa_card_virmidi_init+0x104/0x1da
sound/drivers/virmidi.c:172
       [<ffffffff81002330>] do_one_initcall+0xa0/0x2b0 init/main.c:778
       [<     inline     >] do_initcall_level init/main.c:843
       [<     inline     >] do_initcalls init/main.c:851
       [<     inline     >] do_basic_setup init/main.c:869
       [<ffffffff88604d11>] kernel_init_freeable+0x47b/0x534 init/main.c:1016
       [<ffffffff863e2f53>] kernel_init+0x13/0x180 init/main.c:942
       [<ffffffff863fbdcf>] ret_from_fork+0x1f/0x40
arch/x86/entry/entry_64.S:393

-> #0 (register_mutex#5){+.+.+.}:
       [<     inline     >] check_prev_add kernel/locking/lockdep.c:1829
       [<     inline     >] check_prevs_add kernel/locking/lockdep.c:1939
       [<     inline     >] validate_chain kernel/locking/lockdep.c:2266
       [<ffffffff814791f4>] __lock_acquire+0x4d44/0x4d80
kernel/locking/lockdep.c:3335
       [<ffffffff8147a3a8>] lock_acquire+0x208/0x430
kernel/locking/lockdep.c:3746
       [<     inline     >] __mutex_lock_common kernel/locking/mutex.c:521
       [<ffffffff863f0ef1>] mutex_lock_nested+0xb1/0xa20
kernel/locking/mutex.c:621
       [<ffffffff84fd6d4b>] snd_rawmidi_kernel_open+0x4b/0x260
sound/core/rawmidi.c:341
       [<ffffffff8502e7c7>] midisynth_subscribe+0xf7/0x350
sound/core/seq/seq_midi.c:188
       [<     inline     >] subscribe_port sound/core/seq/seq_ports.c:427
       [<ffffffff85013cc7>] check_and_subscribe_port+0x467/0x5c0
sound/core/seq/seq_ports.c:510
       [<ffffffff85015da9>] snd_seq_port_connect+0x2c9/0x500
sound/core/seq/seq_ports.c:579
       [<ffffffff850079b8>] snd_seq_ioctl_subscribe_port+0x1d8/0x2b0
sound/core/seq/seq_clientmgr.c:1480
       [<ffffffff84ffe9e4>] snd_seq_do_ioctl+0x184/0x1e0
sound/core/seq/seq_clientmgr.c:2225
       [<ffffffff84ffeae8>] snd_seq_kernel_client_ctl+0xa8/0x110
sound/core/seq/seq_clientmgr.c:2440
       [<ffffffff85027664>] snd_seq_oss_midi_open+0x3b4/0x610
sound/core/seq/oss/seq_oss_midi.c:375
       [<ffffffff85023d67>] snd_seq_oss_synth_setup_midi+0x107/0x4c0
sound/core/seq/oss/seq_oss_synth.c:281
       [<ffffffff8501b0a8>] snd_seq_oss_open+0x748/0x8d0
sound/core/seq/oss/seq_oss_init.c:274
       [<ffffffff85019d8a>] odev_open+0x6a/0x90 sound/core/seq/oss/seq_oss.c:138
       [<ffffffff84f7040f>] soundcore_open+0x30f/0x640 sound/sound_core.c:639
       [<ffffffff818069ea>] chrdev_open+0x22a/0x4c0 fs/char_dev.c:392
       [<ffffffff817f146f>] do_dentry_open+0x69f/0xca0 fs/open.c:736
       [<ffffffff817f4aa5>] vfs_open+0x105/0x220 fs/open.c:849
       [<     inline     >] do_last fs/namei.c:3374
       [<ffffffff8182c35d>] path_openat+0x1efd/0x2f60 fs/namei.c:3497
       [<ffffffff81830b6e>] do_filp_open+0x18e/0x250 fs/namei.c:3532
       [<ffffffff817f53c1>] do_sys_open+0x201/0x420 fs/open.c:1036
       [<     inline     >] SYSC_open fs/open.c:1054
       [<ffffffff817f560d>] SyS_open+0x2d/0x40 fs/open.c:1049
       [<ffffffff863fbb80>] entry_SYSCALL_64_fastpath+0x23/0xc1
arch/x86/entry/entry_64.S:207

other info that might help us debug this:

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&grp->list_mutex);
                               lock(register_mutex#5);
                               lock(&grp->list_mutex);
  lock(register_mutex#5);

 *** DEADLOCK ***

2 locks held by syz-executor/7154:
 #0:  (register_mutex#4){+.+.+.}, at: [<ffffffff85019d7f>]
odev_open+0x5f/0x90 sound/core/seq/oss/seq_oss.c:137
 #1:  (&grp->list_mutex){++++.+}, at: [<ffffffff850138bb>]
check_and_subscribe_port+0x5b/0x5c0 sound/core/seq/seq_ports.c:495

stack backtrace:
CPU: 0 PID: 7154 Comm: syz-executor Not tainted 4.8.0-rc1+ #11
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
 ffffffff878b7680 ffff880038b670f0 ffffffff82a5f719 ffffffff00000000
 fffffbfff0f16ed0 ffffffff8901a0d0 ffffffff8901a0d0 ffffffff890191a0
 ffff88003da2cf08 ffff88003da2c6c0 ffff880038b67140 ffffffff814708a8
Call Trace:
 [<     inline     >] __dump_stack lib/dump_stack.c:15
 [<ffffffff82a5f719>] dump_stack+0x12e/0x185 lib/dump_stack.c:51
 [<ffffffff814708a8>] print_circular_bug+0x288/0x340
kernel/locking/lockdep.c:1202
 [<     inline     >] check_prev_add kernel/locking/lockdep.c:1829
 [<     inline     >] check_prevs_add kernel/locking/lockdep.c:1939
 [<     inline     >] validate_chain kernel/locking/lockdep.c:2266
 [<ffffffff814791f4>] __lock_acquire+0x4d44/0x4d80 kernel/locking/lockdep.c:3335
 [<ffffffff8147a3a8>] lock_acquire+0x208/0x430 kernel/locking/lockdep.c:3746
 [<     inline     >] __mutex_lock_common kernel/locking/mutex.c:521
 [<ffffffff863f0ef1>] mutex_lock_nested+0xb1/0xa20 kernel/locking/mutex.c:621
 [<ffffffff84fd6d4b>] snd_rawmidi_kernel_open+0x4b/0x260
sound/core/rawmidi.c:341
 [<ffffffff8502e7c7>] midisynth_subscribe+0xf7/0x350
sound/core/seq/seq_midi.c:188
 [<     inline     >] subscribe_port sound/core/seq/seq_ports.c:427
 [<ffffffff85013cc7>] check_and_subscribe_port+0x467/0x5c0
sound/core/seq/seq_ports.c:510
 [<ffffffff85015da9>] snd_seq_port_connect+0x2c9/0x500
sound/core/seq/seq_ports.c:579
 [<ffffffff850079b8>] snd_seq_ioctl_subscribe_port+0x1d8/0x2b0
sound/core/seq/seq_clientmgr.c:1480
 [<ffffffff84ffe9e4>] snd_seq_do_ioctl+0x184/0x1e0
sound/core/seq/seq_clientmgr.c:2225
 [<ffffffff84ffeae8>] snd_seq_kernel_client_ctl+0xa8/0x110
sound/core/seq/seq_clientmgr.c:2440
 [<ffffffff85027664>] snd_seq_oss_midi_open+0x3b4/0x610
sound/core/seq/oss/seq_oss_midi.c:375
 [<ffffffff85023d67>] snd_seq_oss_synth_setup_midi+0x107/0x4c0
sound/core/seq/oss/seq_oss_synth.c:281
 [<ffffffff8501b0a8>] snd_seq_oss_open+0x748/0x8d0
sound/core/seq/oss/seq_oss_init.c:274
 [<ffffffff85019d8a>] odev_open+0x6a/0x90 sound/core/seq/oss/seq_oss.c:138
 [<ffffffff84f7040f>] soundcore_open+0x30f/0x640 sound/sound_core.c:639
 [<ffffffff818069ea>] chrdev_open+0x22a/0x4c0 fs/char_dev.c:392
 [<ffffffff817f146f>] do_dentry_open+0x69f/0xca0 fs/open.c:736
 [<ffffffff817f4aa5>] vfs_open+0x105/0x220 fs/open.c:849
 [<     inline     >] do_last fs/namei.c:3374
 [<ffffffff8182c35d>] path_openat+0x1efd/0x2f60 fs/namei.c:3497
 [<ffffffff81830b6e>] do_filp_open+0x18e/0x250 fs/namei.c:3532
 [<ffffffff817f53c1>] do_sys_open+0x201/0x420 fs/open.c:1036
 [<     inline     >] SYSC_open fs/open.c:1054
 [<ffffffff817f560d>] SyS_open+0x2d/0x40 fs/open.c:1049
 [<ffffffff863fbb80>] entry_SYSCALL_64_fastpath+0x23/0xc1
arch/x86/entry/entry_64.S:207


* Re: sound: deadlock snd_rawmidi_kernel_open/check_and_subscribe_port
  2016-08-13 21:43 ` Dmitry Vyukov
  (?)
@ 2016-08-22  0:15 ` Dmitry Vyukov
  2016-08-22  9:21     ` Takashi Iwai
  -1 siblings, 1 reply; 8+ messages in thread
From: Dmitry Vyukov @ 2016-08-22  0:15 UTC (permalink / raw)
  To: Jaroslav Kysela, Takashi Iwai, alsa-devel, LKML
  Cc: syzkaller, Kostya Serebryany, Alexander Potapenko

On Sat, Aug 13, 2016 at 2:43 PM, Dmitry Vyukov <dvyukov@google.com> wrote:
> Hello,
>
> While running syzkaller fuzzer on
> f31494bd05b06b0cdb4da6aebe92eaafab970df6 (Aug 12), I've got the
> following deadlock report:
>
> ======================================================
> [ INFO: possible circular locking dependency detected ]
> 4.8.0-rc1+ #11 Not tainted
> -------------------------------------------------------
> syz-executor/7154 is trying to acquire lock:
>  (register_mutex#5){+.+.+.}, at: [<ffffffff84fd6d4b>]
> snd_rawmidi_kernel_open+0x4b/0x260 sound/core/rawmidi.c:341
>
> but task is already holding lock:
>  (&grp->list_mutex){++++.+}, at: [<ffffffff850138bb>]
> check_and_subscribe_port+0x5b/0x5c0 sound/core/seq/seq_ports.c:495
>
> which lock already depends on the new lock.
>
> the existing dependency chain (in reverse order) is:
>
> -> #1 (&grp->list_mutex){++++.+}:
>        [<ffffffff8147a3a8>] lock_acquire+0x208/0x430
> kernel/locking/lockdep.c:3746
>        [<ffffffff863f6199>] down_read+0x49/0xc0 kernel/locking/rwsem.c:22
>        [<     inline     >] deliver_to_subscribers
> sound/core/seq/seq_clientmgr.c:681
>        [<ffffffff85005c5e>] snd_seq_deliver_event+0x35e/0x890
> sound/core/seq/seq_clientmgr.c:822
>        [<ffffffff85006e96>] snd_seq_kernel_client_dispatch+0x126/0x170
> sound/core/seq/seq_clientmgr.c:2418
>        [<ffffffff85012c52>] snd_seq_system_broadcast+0xb2/0xf0
> sound/core/seq/seq_system.c:101
>        [<ffffffff84fff70a>] snd_seq_create_kernel_client+0x24a/0x330
> sound/core/seq/seq_clientmgr.c:2297
>        [<     inline     >] snd_virmidi_dev_attach_seq
> sound/core/seq/seq_virmidi.c:383
>        [<ffffffff8502d29f>] snd_virmidi_dev_register+0x29f/0x750
> sound/core/seq/seq_virmidi.c:450
>        [<ffffffff84fd208c>] snd_rawmidi_dev_register+0x30c/0xd40
> sound/core/rawmidi.c:1645
>        [<ffffffff84f816d3>] __snd_device_register.part.0+0x63/0xc0
> sound/core/device.c:164
>        [<     inline     >] __snd_device_register sound/core/device.c:162
>        [<ffffffff84f8235d>] snd_device_register_all+0xad/0x110
> sound/core/device.c:212
>        [<ffffffff84f7546f>] snd_card_register+0xef/0x6c0 sound/core/init.c:749
>        [<ffffffff85040b7f>] snd_virmidi_probe+0x3ef/0x590
> sound/drivers/virmidi.c:123
>        [<ffffffff833ebf7b>] platform_drv_probe+0x8b/0x170
> drivers/base/platform.c:564
>        [<     inline     >] really_probe drivers/base/dd.c:377
>        [<ffffffff833e5993>] driver_probe_device+0x563/0xcc0
> drivers/base/dd.c:499
>        [<ffffffff833e653d>] __device_attach_driver+0x21d/0x2e0
> drivers/base/dd.c:594
>        [<ffffffff833df38f>] bus_for_each_drv+0x13f/0x1d0 drivers/base/bus.c:463
>        [<ffffffff833e51ef>] __device_attach+0x1ef/0x300 drivers/base/dd.c:651
>        [<ffffffff833e669a>] device_initial_probe+0x1a/0x20 drivers/base/dd.c:698
>        [<ffffffff833e2999>] bus_probe_device+0x1e9/0x290 drivers/base/bus.c:557
>        [<ffffffff833dc459>] device_add+0xc49/0x14c0 drivers/base/core.c:1120
>        [<ffffffff833eb629>] platform_device_add+0x2f9/0x7b0
> drivers/base/platform.c:403
>        [<ffffffff833ed3b2>] platform_device_register_full+0x392/0x4b0
> drivers/base/platform.c:536
>        [<     inline     >] platform_device_register_resndata
> ./include/linux/platform_device.h:111
>        [<     inline     >] platform_device_register_simple
> ./include/linux/platform_device.h:140
>        [<ffffffff8870fabd>] alsa_card_virmidi_init+0x104/0x1da
> sound/drivers/virmidi.c:172
>        [<ffffffff81002330>] do_one_initcall+0xa0/0x2b0 init/main.c:778
>        [<     inline     >] do_initcall_level init/main.c:843
>        [<     inline     >] do_initcalls init/main.c:851
>        [<     inline     >] do_basic_setup init/main.c:869
>        [<ffffffff88604d11>] kernel_init_freeable+0x47b/0x534 init/main.c:1016
>        [<ffffffff863e2f53>] kernel_init+0x13/0x180 init/main.c:942
>        [<ffffffff863fbdcf>] ret_from_fork+0x1f/0x40
> arch/x86/entry/entry_64.S:393
>
> -> #0 (register_mutex#5){+.+.+.}:
>        [<     inline     >] check_prev_add kernel/locking/lockdep.c:1829
>        [<     inline     >] check_prevs_add kernel/locking/lockdep.c:1939
>        [<     inline     >] validate_chain kernel/locking/lockdep.c:2266
>        [<ffffffff814791f4>] __lock_acquire+0x4d44/0x4d80
> kernel/locking/lockdep.c:3335
>        [<ffffffff8147a3a8>] lock_acquire+0x208/0x430
> kernel/locking/lockdep.c:3746
>        [<     inline     >] __mutex_lock_common kernel/locking/mutex.c:521
>        [<ffffffff863f0ef1>] mutex_lock_nested+0xb1/0xa20
> kernel/locking/mutex.c:621
>        [<ffffffff84fd6d4b>] snd_rawmidi_kernel_open+0x4b/0x260
> sound/core/rawmidi.c:341
>        [<ffffffff8502e7c7>] midisynth_subscribe+0xf7/0x350
> sound/core/seq/seq_midi.c:188
>        [<     inline     >] subscribe_port sound/core/seq/seq_ports.c:427
>        [<ffffffff85013cc7>] check_and_subscribe_port+0x467/0x5c0
> sound/core/seq/seq_ports.c:510
>        [<ffffffff85015da9>] snd_seq_port_connect+0x2c9/0x500
> sound/core/seq/seq_ports.c:579
>        [<ffffffff850079b8>] snd_seq_ioctl_subscribe_port+0x1d8/0x2b0
> sound/core/seq/seq_clientmgr.c:1480
>        [<ffffffff84ffe9e4>] snd_seq_do_ioctl+0x184/0x1e0
> sound/core/seq/seq_clientmgr.c:2225
>        [<ffffffff84ffeae8>] snd_seq_kernel_client_ctl+0xa8/0x110
> sound/core/seq/seq_clientmgr.c:2440
>        [<ffffffff85027664>] snd_seq_oss_midi_open+0x3b4/0x610
> sound/core/seq/oss/seq_oss_midi.c:375
>        [<ffffffff85023d67>] snd_seq_oss_synth_setup_midi+0x107/0x4c0
> sound/core/seq/oss/seq_oss_synth.c:281
>        [<ffffffff8501b0a8>] snd_seq_oss_open+0x748/0x8d0
> sound/core/seq/oss/seq_oss_init.c:274
>        [<ffffffff85019d8a>] odev_open+0x6a/0x90 sound/core/seq/oss/seq_oss.c:138
>        [<ffffffff84f7040f>] soundcore_open+0x30f/0x640 sound/sound_core.c:639
>        [<ffffffff818069ea>] chrdev_open+0x22a/0x4c0 fs/char_dev.c:392
>        [<ffffffff817f146f>] do_dentry_open+0x69f/0xca0 fs/open.c:736
>        [<ffffffff817f4aa5>] vfs_open+0x105/0x220 fs/open.c:849
>        [<     inline     >] do_last fs/namei.c:3374
>        [<ffffffff8182c35d>] path_openat+0x1efd/0x2f60 fs/namei.c:3497
>        [<ffffffff81830b6e>] do_filp_open+0x18e/0x250 fs/namei.c:3532
>        [<ffffffff817f53c1>] do_sys_open+0x201/0x420 fs/open.c:1036
>        [<     inline     >] SYSC_open fs/open.c:1054
>        [<ffffffff817f560d>] SyS_open+0x2d/0x40 fs/open.c:1049
>        [<ffffffff863fbb80>] entry_SYSCALL_64_fastpath+0x23/0xc1
> arch/x86/entry/entry_64.S:207
>
> other info that might help us debug this:
>
>  Possible unsafe locking scenario:
>
>        CPU0                    CPU1
>        ----                    ----
>   lock(&grp->list_mutex);
>                                lock(register_mutex#5);
>                                lock(&grp->list_mutex);
>   lock(register_mutex#5);
>
>  *** DEADLOCK ***
>
> 2 locks held by syz-executor/7154:
>  #0:  (register_mutex#4){+.+.+.}, at: [<ffffffff85019d7f>]
> odev_open+0x5f/0x90 sound/core/seq/oss/seq_oss.c:137
>  #1:  (&grp->list_mutex){++++.+}, at: [<ffffffff850138bb>]
> check_and_subscribe_port+0x5b/0x5c0 sound/core/seq/seq_ports.c:495
>
> stack backtrace:
> CPU: 0 PID: 7154 Comm: syz-executor Not tainted 4.8.0-rc1+ #11
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
>  ffffffff878b7680 ffff880038b670f0 ffffffff82a5f719 ffffffff00000000
>  fffffbfff0f16ed0 ffffffff8901a0d0 ffffffff8901a0d0 ffffffff890191a0
>  ffff88003da2cf08 ffff88003da2c6c0 ffff880038b67140 ffffffff814708a8
> Call Trace:
>  [<     inline     >] __dump_stack lib/dump_stack.c:15
>  [<ffffffff82a5f719>] dump_stack+0x12e/0x185 lib/dump_stack.c:51
>  [<ffffffff814708a8>] print_circular_bug+0x288/0x340
> kernel/locking/lockdep.c:1202
>  [<     inline     >] check_prev_add kernel/locking/lockdep.c:1829
>  [<     inline     >] check_prevs_add kernel/locking/lockdep.c:1939
>  [<     inline     >] validate_chain kernel/locking/lockdep.c:2266
>  [<ffffffff814791f4>] __lock_acquire+0x4d44/0x4d80 kernel/locking/lockdep.c:3335
>  [<ffffffff8147a3a8>] lock_acquire+0x208/0x430 kernel/locking/lockdep.c:3746
>  [<     inline     >] __mutex_lock_common kernel/locking/mutex.c:521
>  [<ffffffff863f0ef1>] mutex_lock_nested+0xb1/0xa20 kernel/locking/mutex.c:621
>  [<ffffffff84fd6d4b>] snd_rawmidi_kernel_open+0x4b/0x260
> sound/core/rawmidi.c:341
>  [<ffffffff8502e7c7>] midisynth_subscribe+0xf7/0x350
> sound/core/seq/seq_midi.c:188
>  [<     inline     >] subscribe_port sound/core/seq/seq_ports.c:427
>  [<ffffffff85013cc7>] check_and_subscribe_port+0x467/0x5c0
> sound/core/seq/seq_ports.c:510
>  [<ffffffff85015da9>] snd_seq_port_connect+0x2c9/0x500
> sound/core/seq/seq_ports.c:579
>  [<ffffffff850079b8>] snd_seq_ioctl_subscribe_port+0x1d8/0x2b0
> sound/core/seq/seq_clientmgr.c:1480
>  [<ffffffff84ffe9e4>] snd_seq_do_ioctl+0x184/0x1e0
> sound/core/seq/seq_clientmgr.c:2225
>  [<ffffffff84ffeae8>] snd_seq_kernel_client_ctl+0xa8/0x110
> sound/core/seq/seq_clientmgr.c:2440
>  [<ffffffff85027664>] snd_seq_oss_midi_open+0x3b4/0x610
> sound/core/seq/oss/seq_oss_midi.c:375
>  [<ffffffff85023d67>] snd_seq_oss_synth_setup_midi+0x107/0x4c0
> sound/core/seq/oss/seq_oss_synth.c:281
>  [<ffffffff8501b0a8>] snd_seq_oss_open+0x748/0x8d0
> sound/core/seq/oss/seq_oss_init.c:274
>  [<ffffffff85019d8a>] odev_open+0x6a/0x90 sound/core/seq/oss/seq_oss.c:138
>  [<ffffffff84f7040f>] soundcore_open+0x30f/0x640 sound/sound_core.c:639
>  [<ffffffff818069ea>] chrdev_open+0x22a/0x4c0 fs/char_dev.c:392
>  [<ffffffff817f146f>] do_dentry_open+0x69f/0xca0 fs/open.c:736
>  [<ffffffff817f4aa5>] vfs_open+0x105/0x220 fs/open.c:849
>  [<     inline     >] do_last fs/namei.c:3374
>  [<ffffffff8182c35d>] path_openat+0x1efd/0x2f60 fs/namei.c:3497
>  [<ffffffff81830b6e>] do_filp_open+0x18e/0x250 fs/namei.c:3532
>  [<ffffffff817f53c1>] do_sys_open+0x201/0x420 fs/open.c:1036
>  [<     inline     >] SYSC_open fs/open.c:1054
>  [<ffffffff817f560d>] SyS_open+0x2d/0x40 fs/open.c:1049
>  [<ffffffff863fbb80>] entry_SYSCALL_64_fastpath+0x23/0xc1
> arch/x86/entry/entry_64.S:207


Ping. Still happens on HEAD.


* Re: sound: deadlock snd_rawmidi_kernel_open/check_and_subscribe_port
  2016-08-22  0:15 ` Dmitry Vyukov
@ 2016-08-22  9:21     ` Takashi Iwai
  0 siblings, 0 replies; 8+ messages in thread
From: Takashi Iwai @ 2016-08-22  9:21 UTC (permalink / raw)
  To: Dmitry Vyukov
  Cc: alsa-devel, Jaroslav Kysela, LKML, Alexander Potapenko,
	Kostya Serebryany, syzkaller

On Mon, 22 Aug 2016 02:15:48 +0200,
Dmitry Vyukov wrote:
> 
> On Sat, Aug 13, 2016 at 2:43 PM, Dmitry Vyukov <dvyukov@google.com> wrote:
> > Hello,
> >
> > While running syzkaller fuzzer on
> > f31494bd05b06b0cdb4da6aebe92eaafab970df6 (Aug 12), I've got the
> > following deadlock report:
> >
> > ======================================================
> > [ INFO: possible circular locking dependency detected ]
> > 4.8.0-rc1+ #11 Not tainted
> > -------------------------------------------------------
> > syz-executor/7154 is trying to acquire lock:
> >  (register_mutex#5){+.+.+.}, at: [<ffffffff84fd6d4b>]
> > snd_rawmidi_kernel_open+0x4b/0x260 sound/core/rawmidi.c:341
> >
> > but task is already holding lock:
> >  (&grp->list_mutex){++++.+}, at: [<ffffffff850138bb>]
> > check_and_subscribe_port+0x5b/0x5c0 sound/core/seq/seq_ports.c:495
> >
> > which lock already depends on the new lock.
> >
> > the existing dependency chain (in reverse order) is:
> >
> > -> #1 (&grp->list_mutex){++++.+}:
> >        [<ffffffff8147a3a8>] lock_acquire+0x208/0x430
> > kernel/locking/lockdep.c:3746
> >        [<ffffffff863f6199>] down_read+0x49/0xc0 kernel/locking/rwsem.c:22
> >        [<     inline     >] deliver_to_subscribers
> > sound/core/seq/seq_clientmgr.c:681
> >        [<ffffffff85005c5e>] snd_seq_deliver_event+0x35e/0x890
> > sound/core/seq/seq_clientmgr.c:822
> >        [<ffffffff85006e96>] snd_seq_kernel_client_dispatch+0x126/0x170
> > sound/core/seq/seq_clientmgr.c:2418
> >        [<ffffffff85012c52>] snd_seq_system_broadcast+0xb2/0xf0
> > sound/core/seq/seq_system.c:101
> >        [<ffffffff84fff70a>] snd_seq_create_kernel_client+0x24a/0x330
> > sound/core/seq/seq_clientmgr.c:2297
> >        [<     inline     >] snd_virmidi_dev_attach_seq
> > sound/core/seq/seq_virmidi.c:383
> >        [<ffffffff8502d29f>] snd_virmidi_dev_register+0x29f/0x750
> > sound/core/seq/seq_virmidi.c:450
> >        [<ffffffff84fd208c>] snd_rawmidi_dev_register+0x30c/0xd40
> > sound/core/rawmidi.c:1645
> >        [<ffffffff84f816d3>] __snd_device_register.part.0+0x63/0xc0
> > sound/core/device.c:164
> >        [<     inline     >] __snd_device_register sound/core/device.c:162
> >        [<ffffffff84f8235d>] snd_device_register_all+0xad/0x110
> > sound/core/device.c:212
> >        [<ffffffff84f7546f>] snd_card_register+0xef/0x6c0 sound/core/init.c:749
> >        [<ffffffff85040b7f>] snd_virmidi_probe+0x3ef/0x590
> > sound/drivers/virmidi.c:123
> >        [<ffffffff833ebf7b>] platform_drv_probe+0x8b/0x170
> > drivers/base/platform.c:564
> >        [<     inline     >] really_probe drivers/base/dd.c:377
> >        [<ffffffff833e5993>] driver_probe_device+0x563/0xcc0
> > drivers/base/dd.c:499
> >        [<ffffffff833e653d>] __device_attach_driver+0x21d/0x2e0
> > drivers/base/dd.c:594
> >        [<ffffffff833df38f>] bus_for_each_drv+0x13f/0x1d0 drivers/base/bus.c:463
> >        [<ffffffff833e51ef>] __device_attach+0x1ef/0x300 drivers/base/dd.c:651
> >        [<ffffffff833e669a>] device_initial_probe+0x1a/0x20 drivers/base/dd.c:698
> >        [<ffffffff833e2999>] bus_probe_device+0x1e9/0x290 drivers/base/bus.c:557
> >        [<ffffffff833dc459>] device_add+0xc49/0x14c0 drivers/base/core.c:1120
> >        [<ffffffff833eb629>] platform_device_add+0x2f9/0x7b0
> > drivers/base/platform.c:403
> >        [<ffffffff833ed3b2>] platform_device_register_full+0x392/0x4b0
> > drivers/base/platform.c:536
> >        [<     inline     >] platform_device_register_resndata
> > ./include/linux/platform_device.h:111
> >        [<     inline     >] platform_device_register_simple
> > ./include/linux/platform_device.h:140
> >        [<ffffffff8870fabd>] alsa_card_virmidi_init+0x104/0x1da
> > sound/drivers/virmidi.c:172
> >        [<ffffffff81002330>] do_one_initcall+0xa0/0x2b0 init/main.c:778
> >        [<     inline     >] do_initcall_level init/main.c:843
> >        [<     inline     >] do_initcalls init/main.c:851
> >        [<     inline     >] do_basic_setup init/main.c:869
> >        [<ffffffff88604d11>] kernel_init_freeable+0x47b/0x534 init/main.c:1016
> >        [<ffffffff863e2f53>] kernel_init+0x13/0x180 init/main.c:942
> >        [<ffffffff863fbdcf>] ret_from_fork+0x1f/0x40
> > arch/x86/entry/entry_64.S:393
> >
> > -> #0 (register_mutex#5){+.+.+.}:
> >        [<     inline     >] check_prev_add kernel/locking/lockdep.c:1829
> >        [<     inline     >] check_prevs_add kernel/locking/lockdep.c:1939
> >        [<     inline     >] validate_chain kernel/locking/lockdep.c:2266
> >        [<ffffffff814791f4>] __lock_acquire+0x4d44/0x4d80
> > kernel/locking/lockdep.c:3335
> >        [<ffffffff8147a3a8>] lock_acquire+0x208/0x430
> > kernel/locking/lockdep.c:3746
> >        [<     inline     >] __mutex_lock_common kernel/locking/mutex.c:521
> >        [<ffffffff863f0ef1>] mutex_lock_nested+0xb1/0xa20
> > kernel/locking/mutex.c:621
> >        [<ffffffff84fd6d4b>] snd_rawmidi_kernel_open+0x4b/0x260
> > sound/core/rawmidi.c:341
> >        [<ffffffff8502e7c7>] midisynth_subscribe+0xf7/0x350
> > sound/core/seq/seq_midi.c:188
> >        [<     inline     >] subscribe_port sound/core/seq/seq_ports.c:427
> >        [<ffffffff85013cc7>] check_and_subscribe_port+0x467/0x5c0
> > sound/core/seq/seq_ports.c:510
> >        [<ffffffff85015da9>] snd_seq_port_connect+0x2c9/0x500
> > sound/core/seq/seq_ports.c:579
> >        [<ffffffff850079b8>] snd_seq_ioctl_subscribe_port+0x1d8/0x2b0
> > sound/core/seq/seq_clientmgr.c:1480
> >        [<ffffffff84ffe9e4>] snd_seq_do_ioctl+0x184/0x1e0
> > sound/core/seq/seq_clientmgr.c:2225
> >        [<ffffffff84ffeae8>] snd_seq_kernel_client_ctl+0xa8/0x110
> > sound/core/seq/seq_clientmgr.c:2440
> >        [<ffffffff85027664>] snd_seq_oss_midi_open+0x3b4/0x610
> > sound/core/seq/oss/seq_oss_midi.c:375
> >        [<ffffffff85023d67>] snd_seq_oss_synth_setup_midi+0x107/0x4c0
> > sound/core/seq/oss/seq_oss_synth.c:281
> >        [<ffffffff8501b0a8>] snd_seq_oss_open+0x748/0x8d0
> > sound/core/seq/oss/seq_oss_init.c:274
> >        [<ffffffff85019d8a>] odev_open+0x6a/0x90 sound/core/seq/oss/seq_oss.c:138
> >        [<ffffffff84f7040f>] soundcore_open+0x30f/0x640 sound/sound_core.c:639
> >        [<ffffffff818069ea>] chrdev_open+0x22a/0x4c0 fs/char_dev.c:392
> >        [<ffffffff817f146f>] do_dentry_open+0x69f/0xca0 fs/open.c:736
> >        [<ffffffff817f4aa5>] vfs_open+0x105/0x220 fs/open.c:849
> >        [<     inline     >] do_last fs/namei.c:3374
> >        [<ffffffff8182c35d>] path_openat+0x1efd/0x2f60 fs/namei.c:3497
> >        [<ffffffff81830b6e>] do_filp_open+0x18e/0x250 fs/namei.c:3532
> >        [<ffffffff817f53c1>] do_sys_open+0x201/0x420 fs/open.c:1036
> >        [<     inline     >] SYSC_open fs/open.c:1054
> >        [<ffffffff817f560d>] SyS_open+0x2d/0x40 fs/open.c:1049
> >        [<ffffffff863fbb80>] entry_SYSCALL_64_fastpath+0x23/0xc1
> > arch/x86/entry/entry_64.S:207
> >
> > other info that might help us debug this:
> >
> >  Possible unsafe locking scenario:
> >
> >        CPU0                    CPU1
> >        ----                    ----
> >   lock(&grp->list_mutex);
> >                                lock(register_mutex#5);
> >                                lock(&grp->list_mutex);
> >   lock(register_mutex#5);
> >
> >  *** DEADLOCK ***
> >
> > 2 locks held by syz-executor/7154:
> >  #0:  (register_mutex#4){+.+.+.}, at: [<ffffffff85019d7f>]
> > odev_open+0x5f/0x90 sound/core/seq/oss/seq_oss.c:137
> >  #1:  (&grp->list_mutex){++++.+}, at: [<ffffffff850138bb>]
> > check_and_subscribe_port+0x5b/0x5c0 sound/core/seq/seq_ports.c:495
> >
> > stack backtrace:
> > CPU: 0 PID: 7154 Comm: syz-executor Not tainted 4.8.0-rc1+ #11
> > Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
> >  ffffffff878b7680 ffff880038b670f0 ffffffff82a5f719 ffffffff00000000
> >  fffffbfff0f16ed0 ffffffff8901a0d0 ffffffff8901a0d0 ffffffff890191a0
> >  ffff88003da2cf08 ffff88003da2c6c0 ffff880038b67140 ffffffff814708a8
> > Call Trace:
> >  [<     inline     >] __dump_stack lib/dump_stack.c:15
> >  [<ffffffff82a5f719>] dump_stack+0x12e/0x185 lib/dump_stack.c:51
> >  [<ffffffff814708a8>] print_circular_bug+0x288/0x340
> > kernel/locking/lockdep.c:1202
> >  [<     inline     >] check_prev_add kernel/locking/lockdep.c:1829
> >  [<     inline     >] check_prevs_add kernel/locking/lockdep.c:1939
> >  [<     inline     >] validate_chain kernel/locking/lockdep.c:2266
> >  [<ffffffff814791f4>] __lock_acquire+0x4d44/0x4d80 kernel/locking/lockdep.c:3335
> >  [<ffffffff8147a3a8>] lock_acquire+0x208/0x430 kernel/locking/lockdep.c:3746
> >  [<     inline     >] __mutex_lock_common kernel/locking/mutex.c:521
> >  [<ffffffff863f0ef1>] mutex_lock_nested+0xb1/0xa20 kernel/locking/mutex.c:621
> >  [<ffffffff84fd6d4b>] snd_rawmidi_kernel_open+0x4b/0x260
> > sound/core/rawmidi.c:341
> >  [<ffffffff8502e7c7>] midisynth_subscribe+0xf7/0x350
> > sound/core/seq/seq_midi.c:188
> >  [<     inline     >] subscribe_port sound/core/seq/seq_ports.c:427
> >  [<ffffffff85013cc7>] check_and_subscribe_port+0x467/0x5c0
> > sound/core/seq/seq_ports.c:510
> >  [<ffffffff85015da9>] snd_seq_port_connect+0x2c9/0x500
> > sound/core/seq/seq_ports.c:579
> >  [<ffffffff850079b8>] snd_seq_ioctl_subscribe_port+0x1d8/0x2b0
> > sound/core/seq/seq_clientmgr.c:1480
> >  [<ffffffff84ffe9e4>] snd_seq_do_ioctl+0x184/0x1e0
> > sound/core/seq/seq_clientmgr.c:2225
> >  [<ffffffff84ffeae8>] snd_seq_kernel_client_ctl+0xa8/0x110
> > sound/core/seq/seq_clientmgr.c:2440
> >  [<ffffffff85027664>] snd_seq_oss_midi_open+0x3b4/0x610
> > sound/core/seq/oss/seq_oss_midi.c:375
> >  [<ffffffff85023d67>] snd_seq_oss_synth_setup_midi+0x107/0x4c0
> > sound/core/seq/oss/seq_oss_synth.c:281
> >  [<ffffffff8501b0a8>] snd_seq_oss_open+0x748/0x8d0
> > sound/core/seq/oss/seq_oss_init.c:274
> >  [<ffffffff85019d8a>] odev_open+0x6a/0x90 sound/core/seq/oss/seq_oss.c:138
> >  [<ffffffff84f7040f>] soundcore_open+0x30f/0x640 sound/sound_core.c:639
> >  [<ffffffff818069ea>] chrdev_open+0x22a/0x4c0 fs/char_dev.c:392
> >  [<ffffffff817f146f>] do_dentry_open+0x69f/0xca0 fs/open.c:736
> >  [<ffffffff817f4aa5>] vfs_open+0x105/0x220 fs/open.c:849
> >  [<     inline     >] do_last fs/namei.c:3374
> >  [<ffffffff8182c35d>] path_openat+0x1efd/0x2f60 fs/namei.c:3497
> >  [<ffffffff81830b6e>] do_filp_open+0x18e/0x250 fs/namei.c:3532
> >  [<ffffffff817f53c1>] do_sys_open+0x201/0x420 fs/open.c:1036
> >  [<     inline     >] SYSC_open fs/open.c:1054
> >  [<ffffffff817f560d>] SyS_open+0x2d/0x40 fs/open.c:1049
> >  [<ffffffff863fbb80>] entry_SYSCALL_64_fastpath+0x23/0xc1
> > arch/x86/entry/entry_64.S:207
> 
> 
> Ping. Still happens on HEAD.

Sorry, I've been on vacation in the last week.
I'll take a look once after digesting the whole backlogs...


thanks,

Takashi


* Re: sound: deadlock snd_rawmidi_kernel_open/check_and_subscribe_port
@ 2016-08-22  9:21     ` Takashi Iwai
  0 siblings, 0 replies; 8+ messages in thread
From: Takashi Iwai @ 2016-08-22  9:21 UTC (permalink / raw)
  To: Dmitry Vyukov
  Cc: alsa-devel, Jaroslav Kysela, LKML, Alexander Potapenko,
	Kostya Serebryany, syzkaller

On Mon, 22 Aug 2016 02:15:48 +0200,
Dmitry Vyukov wrote:
> 
> On Sat, Aug 13, 2016 at 2:43 PM, Dmitry Vyukov <dvyukov@google.com> wrote:
> > Hello,
> >
> > While running syzkaller fuzzer on
> > f31494bd05b06b0cdb4da6aebe92eaafab970df6 (Aug 12), I've got the
> > following deadlock report:
> >
> > ======================================================
> > [ INFO: possible circular locking dependency detected ]
> > 4.8.0-rc1+ #11 Not tainted
> > -------------------------------------------------------
> > syz-executor/7154 is trying to acquire lock:
> >  (register_mutex#5){+.+.+.}, at: [<ffffffff84fd6d4b>]
> > snd_rawmidi_kernel_open+0x4b/0x260 sound/core/rawmidi.c:341
> >
> > but task is already holding lock:
> >  (&grp->list_mutex){++++.+}, at: [<ffffffff850138bb>]
> > check_and_subscribe_port+0x5b/0x5c0 sound/core/seq/seq_ports.c:495
> >
> > which lock already depends on the new lock.
> >
> > the existing dependency chain (in reverse order) is:
> >
> > -> #1 (&grp->list_mutex){++++.+}:
> >        [<ffffffff8147a3a8>] lock_acquire+0x208/0x430
> > kernel/locking/lockdep.c:3746
> >        [<ffffffff863f6199>] down_read+0x49/0xc0 kernel/locking/rwsem.c:22
> >        [<     inline     >] deliver_to_subscribers
> > sound/core/seq/seq_clientmgr.c:681
> >        [<ffffffff85005c5e>] snd_seq_deliver_event+0x35e/0x890
> > sound/core/seq/seq_clientmgr.c:822
> >        [<ffffffff85006e96>] snd_seq_kernel_client_dispatch+0x126/0x170
> > sound/core/seq/seq_clientmgr.c:2418
> >        [<ffffffff85012c52>] snd_seq_system_broadcast+0xb2/0xf0
> > sound/core/seq/seq_system.c:101
> >        [<ffffffff84fff70a>] snd_seq_create_kernel_client+0x24a/0x330
> > sound/core/seq/seq_clientmgr.c:2297
> >        [<     inline     >] snd_virmidi_dev_attach_seq
> > sound/core/seq/seq_virmidi.c:383
> >        [<ffffffff8502d29f>] snd_virmidi_dev_register+0x29f/0x750
> > sound/core/seq/seq_virmidi.c:450
> >        [<ffffffff84fd208c>] snd_rawmidi_dev_register+0x30c/0xd40
> > sound/core/rawmidi.c:1645
> >        [<ffffffff84f816d3>] __snd_device_register.part.0+0x63/0xc0
> > sound/core/device.c:164
> >        [<     inline     >] __snd_device_register sound/core/device.c:162
> >        [<ffffffff84f8235d>] snd_device_register_all+0xad/0x110
> > sound/core/device.c:212
> >        [<ffffffff84f7546f>] snd_card_register+0xef/0x6c0 sound/core/init.c:749
> >        [<ffffffff85040b7f>] snd_virmidi_probe+0x3ef/0x590
> > sound/drivers/virmidi.c:123
> >        [<ffffffff833ebf7b>] platform_drv_probe+0x8b/0x170
> > drivers/base/platform.c:564
> >        [<     inline     >] really_probe drivers/base/dd.c:377
> >        [<ffffffff833e5993>] driver_probe_device+0x563/0xcc0
> > drivers/base/dd.c:499
> >        [<ffffffff833e653d>] __device_attach_driver+0x21d/0x2e0
> > drivers/base/dd.c:594
> >        [<ffffffff833df38f>] bus_for_each_drv+0x13f/0x1d0 drivers/base/bus.c:463
> >        [<ffffffff833e51ef>] __device_attach+0x1ef/0x300 drivers/base/dd.c:651
> >        [<ffffffff833e669a>] device_initial_probe+0x1a/0x20 drivers/base/dd.c:698
> >        [<ffffffff833e2999>] bus_probe_device+0x1e9/0x290 drivers/base/bus.c:557
> >        [<ffffffff833dc459>] device_add+0xc49/0x14c0 drivers/base/core.c:1120
> >        [<ffffffff833eb629>] platform_device_add+0x2f9/0x7b0
> > drivers/base/platform.c:403
> >        [<ffffffff833ed3b2>] platform_device_register_full+0x392/0x4b0
> > drivers/base/platform.c:536
> >        [<     inline     >] platform_device_register_resndata
> > ./include/linux/platform_device.h:111
> >        [<     inline     >] platform_device_register_simple
> > ./include/linux/platform_device.h:140
> >        [<ffffffff8870fabd>] alsa_card_virmidi_init+0x104/0x1da
> > sound/drivers/virmidi.c:172
> >        [<ffffffff81002330>] do_one_initcall+0xa0/0x2b0 init/main.c:778
> >        [<     inline     >] do_initcall_level init/main.c:843
> >        [<     inline     >] do_initcalls init/main.c:851
> >        [<     inline     >] do_basic_setup init/main.c:869
> >        [<ffffffff88604d11>] kernel_init_freeable+0x47b/0x534 init/main.c:1016
> >        [<ffffffff863e2f53>] kernel_init+0x13/0x180 init/main.c:942
> >        [<ffffffff863fbdcf>] ret_from_fork+0x1f/0x40
> > arch/x86/entry/entry_64.S:393
> >
> > -> #0 (register_mutex#5){+.+.+.}:
> >        [<     inline     >] check_prev_add kernel/locking/lockdep.c:1829
> >        [<     inline     >] check_prevs_add kernel/locking/lockdep.c:1939
> >        [<     inline     >] validate_chain kernel/locking/lockdep.c:2266
> >        [<ffffffff814791f4>] __lock_acquire+0x4d44/0x4d80
> > kernel/locking/lockdep.c:3335
> >        [<ffffffff8147a3a8>] lock_acquire+0x208/0x430
> > kernel/locking/lockdep.c:3746
> >        [<     inline     >] __mutex_lock_common kernel/locking/mutex.c:521
> >        [<ffffffff863f0ef1>] mutex_lock_nested+0xb1/0xa20
> > kernel/locking/mutex.c:621
> >        [<ffffffff84fd6d4b>] snd_rawmidi_kernel_open+0x4b/0x260
> > sound/core/rawmidi.c:341
> >        [<ffffffff8502e7c7>] midisynth_subscribe+0xf7/0x350
> > sound/core/seq/seq_midi.c:188
> >        [<     inline     >] subscribe_port sound/core/seq/seq_ports.c:427
> >        [<ffffffff85013cc7>] check_and_subscribe_port+0x467/0x5c0
> > sound/core/seq/seq_ports.c:510
> >        [<ffffffff85015da9>] snd_seq_port_connect+0x2c9/0x500
> > sound/core/seq/seq_ports.c:579
> >        [<ffffffff850079b8>] snd_seq_ioctl_subscribe_port+0x1d8/0x2b0
> > sound/core/seq/seq_clientmgr.c:1480
> >        [<ffffffff84ffe9e4>] snd_seq_do_ioctl+0x184/0x1e0
> > sound/core/seq/seq_clientmgr.c:2225
> >        [<ffffffff84ffeae8>] snd_seq_kernel_client_ctl+0xa8/0x110
> > sound/core/seq/seq_clientmgr.c:2440
> >        [<ffffffff85027664>] snd_seq_oss_midi_open+0x3b4/0x610
> > sound/core/seq/oss/seq_oss_midi.c:375
> >        [<ffffffff85023d67>] snd_seq_oss_synth_setup_midi+0x107/0x4c0
> > sound/core/seq/oss/seq_oss_synth.c:281
> >        [<ffffffff8501b0a8>] snd_seq_oss_open+0x748/0x8d0
> > sound/core/seq/oss/seq_oss_init.c:274
> >        [<ffffffff85019d8a>] odev_open+0x6a/0x90 sound/core/seq/oss/seq_oss.c:138
> >        [<ffffffff84f7040f>] soundcore_open+0x30f/0x640 sound/sound_core.c:639
> >        [<ffffffff818069ea>] chrdev_open+0x22a/0x4c0 fs/char_dev.c:392
> >        [<ffffffff817f146f>] do_dentry_open+0x69f/0xca0 fs/open.c:736
> >        [<ffffffff817f4aa5>] vfs_open+0x105/0x220 fs/open.c:849
> >        [<     inline     >] do_last fs/namei.c:3374
> >        [<ffffffff8182c35d>] path_openat+0x1efd/0x2f60 fs/namei.c:3497
> >        [<ffffffff81830b6e>] do_filp_open+0x18e/0x250 fs/namei.c:3532
> >        [<ffffffff817f53c1>] do_sys_open+0x201/0x420 fs/open.c:1036
> >        [<     inline     >] SYSC_open fs/open.c:1054
> >        [<ffffffff817f560d>] SyS_open+0x2d/0x40 fs/open.c:1049
> >        [<ffffffff863fbb80>] entry_SYSCALL_64_fastpath+0x23/0xc1
> > arch/x86/entry/entry_64.S:207
> >
> > other info that might help us debug this:
> >
> >  Possible unsafe locking scenario:
> >
> >        CPU0                    CPU1
> >        ----                    ----
> >   lock(&grp->list_mutex);
> >                                lock(register_mutex#5);
> >                                lock(&grp->list_mutex);
> >   lock(register_mutex#5);
> >
> >  *** DEADLOCK ***
> >
> > 2 locks held by syz-executor/7154:
> >  #0:  (register_mutex#4){+.+.+.}, at: [<ffffffff85019d7f>]
> > odev_open+0x5f/0x90 sound/core/seq/oss/seq_oss.c:137
> >  #1:  (&grp->list_mutex){++++.+}, at: [<ffffffff850138bb>]
> > check_and_subscribe_port+0x5b/0x5c0 sound/core/seq/seq_ports.c:495
> >
> > stack backtrace:
> > CPU: 0 PID: 7154 Comm: syz-executor Not tainted 4.8.0-rc1+ #11
> > Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
> >  ffffffff878b7680 ffff880038b670f0 ffffffff82a5f719 ffffffff00000000
> >  fffffbfff0f16ed0 ffffffff8901a0d0 ffffffff8901a0d0 ffffffff890191a0
> >  ffff88003da2cf08 ffff88003da2c6c0 ffff880038b67140 ffffffff814708a8
> > Call Trace:
> >  [<     inline     >] __dump_stack lib/dump_stack.c:15
> >  [<ffffffff82a5f719>] dump_stack+0x12e/0x185 lib/dump_stack.c:51
> >  [<ffffffff814708a8>] print_circular_bug+0x288/0x340
> > kernel/locking/lockdep.c:1202
> >  [<     inline     >] check_prev_add kernel/locking/lockdep.c:1829
> >  [<     inline     >] check_prevs_add kernel/locking/lockdep.c:1939
> >  [<     inline     >] validate_chain kernel/locking/lockdep.c:2266
> >  [<ffffffff814791f4>] __lock_acquire+0x4d44/0x4d80 kernel/locking/lockdep.c:3335
> >  [<ffffffff8147a3a8>] lock_acquire+0x208/0x430 kernel/locking/lockdep.c:3746
> >  [<     inline     >] __mutex_lock_common kernel/locking/mutex.c:521
> >  [<ffffffff863f0ef1>] mutex_lock_nested+0xb1/0xa20 kernel/locking/mutex.c:621
> >  [<ffffffff84fd6d4b>] snd_rawmidi_kernel_open+0x4b/0x260
> > sound/core/rawmidi.c:341
> >  [<ffffffff8502e7c7>] midisynth_subscribe+0xf7/0x350
> > sound/core/seq/seq_midi.c:188
> >  [<     inline     >] subscribe_port sound/core/seq/seq_ports.c:427
> >  [<ffffffff85013cc7>] check_and_subscribe_port+0x467/0x5c0
> > sound/core/seq/seq_ports.c:510
> >  [<ffffffff85015da9>] snd_seq_port_connect+0x2c9/0x500
> > sound/core/seq/seq_ports.c:579
> >  [<ffffffff850079b8>] snd_seq_ioctl_subscribe_port+0x1d8/0x2b0
> > sound/core/seq/seq_clientmgr.c:1480
> >  [<ffffffff84ffe9e4>] snd_seq_do_ioctl+0x184/0x1e0
> > sound/core/seq/seq_clientmgr.c:2225
> >  [<ffffffff84ffeae8>] snd_seq_kernel_client_ctl+0xa8/0x110
> > sound/core/seq/seq_clientmgr.c:2440
> >  [<ffffffff85027664>] snd_seq_oss_midi_open+0x3b4/0x610
> > sound/core/seq/oss/seq_oss_midi.c:375
> >  [<ffffffff85023d67>] snd_seq_oss_synth_setup_midi+0x107/0x4c0
> > sound/core/seq/oss/seq_oss_synth.c:281
> >  [<ffffffff8501b0a8>] snd_seq_oss_open+0x748/0x8d0
> > sound/core/seq/oss/seq_oss_init.c:274
> >  [<ffffffff85019d8a>] odev_open+0x6a/0x90 sound/core/seq/oss/seq_oss.c:138
> >  [<ffffffff84f7040f>] soundcore_open+0x30f/0x640 sound/sound_core.c:639
> >  [<ffffffff818069ea>] chrdev_open+0x22a/0x4c0 fs/char_dev.c:392
> >  [<ffffffff817f146f>] do_dentry_open+0x69f/0xca0 fs/open.c:736
> >  [<ffffffff817f4aa5>] vfs_open+0x105/0x220 fs/open.c:849
> >  [<     inline     >] do_last fs/namei.c:3374
> >  [<ffffffff8182c35d>] path_openat+0x1efd/0x2f60 fs/namei.c:3497
> >  [<ffffffff81830b6e>] do_filp_open+0x18e/0x250 fs/namei.c:3532
> >  [<ffffffff817f53c1>] do_sys_open+0x201/0x420 fs/open.c:1036
> >  [<     inline     >] SYSC_open fs/open.c:1054
> >  [<ffffffff817f560d>] SyS_open+0x2d/0x40 fs/open.c:1049
> >  [<ffffffff863fbb80>] entry_SYSCALL_64_fastpath+0x23/0xc1
> > arch/x86/entry/entry_64.S:207
> 
> 
> Ping. Still happens on HEAD.

Sorry, I've been on vacation in the last week.
I'll take a look once after digesting the whole backlogs...


thanks,

Takashi


* Re: sound: deadlock snd_rawmidi_kernel_open/check_and_subscribe_port
  2016-08-22  9:21     ` Takashi Iwai
@ 2016-08-30 13:49       ` Takashi Iwai
  -1 siblings, 0 replies; 8+ messages in thread
From: Takashi Iwai @ 2016-08-30 13:49 UTC (permalink / raw)
  To: Dmitry Vyukov
  Cc: alsa-devel, Jaroslav Kysela, LKML, Alexander Potapenko,
	Kostya Serebryany, syzkaller

On Mon, 22 Aug 2016 11:21:30 +0200,
Takashi Iwai wrote:
> 
> On Mon, 22 Aug 2016 02:15:48 +0200,
> Dmitry Vyukov wrote:
> > 
> > On Sat, Aug 13, 2016 at 2:43 PM, Dmitry Vyukov <dvyukov@google.com> wrote:
> > > Hello,
> > >
> > > While running syzkaller fuzzer on
> > > f31494bd05b06b0cdb4da6aebe92eaafab970df6 (Aug 12), I've got the
> > > following deadlock report:
(snip)
> > 
> > Ping. Still happens on HEAD.
> 
> Sorry, I've been on vacation in the last week.
> I'll take a look once after digesting the whole backlogs...

Could you try the patch below?


thanks,

Takashi

-- 8< --
From: Takashi Iwai <tiwai@suse.de>
Subject: [PATCH] ALSA: rawmidi: Fix possible deadlock with virmidi
 registration

When a seq-virmidi driver is initialized, it registers a rawmidi
instance with its callback to create an associated seq kernel client.
Currently it's done entirely in rawmidi's register_mutex context,
which may lead to a deadlock when another rawmidi device that is attached
to the sequencer is accessed, since it also opens with the
register_mutex.  This was actually triggered by syzkaller, as Dmitry
Vyukov reported:

======================================================
 [ INFO: possible circular locking dependency detected ]
 4.8.0-rc1+ #11 Not tainted
 -------------------------------------------------------
 syz-executor/7154 is trying to acquire lock:
  (register_mutex#5){+.+.+.}, at: [<ffffffff84fd6d4b>] snd_rawmidi_kernel_open+0x4b/0x260 sound/core/rawmidi.c:341

 but task is already holding lock:
  (&grp->list_mutex){++++.+}, at: [<ffffffff850138bb>] check_and_subscribe_port+0x5b/0x5c0 sound/core/seq/seq_ports.c:495

 which lock already depends on the new lock.

 the existing dependency chain (in reverse order) is:

 -> #1 (&grp->list_mutex){++++.+}:
    [<ffffffff8147a3a8>] lock_acquire+0x208/0x430 kernel/locking/lockdep.c:3746
    [<ffffffff863f6199>] down_read+0x49/0xc0 kernel/locking/rwsem.c:22
    [<     inline     >] deliver_to_subscribers sound/core/seq/seq_clientmgr.c:681
    [<ffffffff85005c5e>] snd_seq_deliver_event+0x35e/0x890 sound/core/seq/seq_clientmgr.c:822
    [<ffffffff85006e96>] > snd_seq_kernel_client_dispatch+0x126/0x170 sound/core/seq/seq_clientmgr.c:2418
    [<ffffffff85012c52>] snd_seq_system_broadcast+0xb2/0xf0 sound/core/seq/seq_system.c:101
    [<ffffffff84fff70a>] snd_seq_create_kernel_client+0x24a/0x330 sound/core/seq/seq_clientmgr.c:2297
    [<     inline     >] snd_virmidi_dev_attach_seq sound/core/seq/seq_virmidi.c:383
    [<ffffffff8502d29f>] snd_virmidi_dev_register+0x29f/0x750 sound/core/seq/seq_virmidi.c:450
    [<ffffffff84fd208c>] snd_rawmidi_dev_register+0x30c/0xd40 sound/core/rawmidi.c:1645
    [<ffffffff84f816d3>] __snd_device_register.part.0+0x63/0xc0 sound/core/device.c:164
    [<     inline     >] __snd_device_register sound/core/device.c:162
    [<ffffffff84f8235d>] snd_device_register_all+0xad/0x110 sound/core/device.c:212
    [<ffffffff84f7546f>] snd_card_register+0xef/0x6c0 sound/core/init.c:749
    [<ffffffff85040b7f>] snd_virmidi_probe+0x3ef/0x590 sound/drivers/virmidi.c:123
    [<ffffffff833ebf7b>] platform_drv_probe+0x8b/0x170 drivers/base/platform.c:564
    ......

 -> #0 (register_mutex#5){+.+.+.}:
    [<     inline     >] check_prev_add kernel/locking/lockdep.c:1829
    [<     inline     >] check_prevs_add kernel/locking/lockdep.c:1939
    [<     inline     >] validate_chain kernel/locking/lockdep.c:2266
    [<ffffffff814791f4>] __lock_acquire+0x4d44/0x4d80 kernel/locking/lockdep.c:3335
    [<ffffffff8147a3a8>] lock_acquire+0x208/0x430 kernel/locking/lockdep.c:3746
    [<     inline     >] __mutex_lock_common kernel/locking/mutex.c:521
    [<ffffffff863f0ef1>] mutex_lock_nested+0xb1/0xa20 kernel/locking/mutex.c:621
    [<ffffffff84fd6d4b>] snd_rawmidi_kernel_open+0x4b/0x260 sound/core/rawmidi.c:341
    [<ffffffff8502e7c7>] midisynth_subscribe+0xf7/0x350 sound/core/seq/seq_midi.c:188
    [<     inline     >] subscribe_port sound/core/seq/seq_ports.c:427
    [<ffffffff85013cc7>] check_and_subscribe_port+0x467/0x5c0 sound/core/seq/seq_ports.c:510
    [<ffffffff85015da9>] snd_seq_port_connect+0x2c9/0x500 sound/core/seq/seq_ports.c:579
    [<ffffffff850079b8>] snd_seq_ioctl_subscribe_port+0x1d8/0x2b0 sound/core/seq/seq_clientmgr.c:1480
    [<ffffffff84ffe9e4>] snd_seq_do_ioctl+0x184/0x1e0 sound/core/seq/seq_clientmgr.c:2225
    [<ffffffff84ffeae8>] snd_seq_kernel_client_ctl+0xa8/0x110 sound/core/seq/seq_clientmgr.c:2440
    [<ffffffff85027664>] snd_seq_oss_midi_open+0x3b4/0x610 sound/core/seq/oss/seq_oss_midi.c:375
    [<ffffffff85023d67>] snd_seq_oss_synth_setup_midi+0x107/0x4c0 sound/core/seq/oss/seq_oss_synth.c:281
    [<ffffffff8501b0a8>] snd_seq_oss_open+0x748/0x8d0 sound/core/seq/oss/seq_oss_init.c:274
    [<ffffffff85019d8a>] odev_open+0x6a/0x90 sound/core/seq/oss/seq_oss.c:138
    [<ffffffff84f7040f>] soundcore_open+0x30f/0x640 sound/sound_core.c:639
    ......

 other info that might help us debug this:

 Possible unsafe locking scenario:

        CPU0                    CPU1
        ----                    ----
   lock(&grp->list_mutex);
                                lock(register_mutex#5);
                                lock(&grp->list_mutex);
   lock(register_mutex#5);

 *** DEADLOCK ***
======================================================

The fix is to simply move the registration parts in
snd_rawmidi_dev_register() to the outside of the register_mutex lock.
The lock is needed only to manage the linked list, and it's not
necessarily to cover the whole initialization process.

Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
---
 sound/core/rawmidi.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/sound/core/rawmidi.c b/sound/core/rawmidi.c
index 795437b10082..b450a27588c8 100644
--- a/sound/core/rawmidi.c
+++ b/sound/core/rawmidi.c
@@ -1633,11 +1633,13 @@ static int snd_rawmidi_dev_register(struct snd_device *device)
 		return -EBUSY;
 	}
 	list_add_tail(&rmidi->list, &snd_rawmidi_devices);
+	mutex_unlock(&register_mutex);
 	err = snd_register_device(SNDRV_DEVICE_TYPE_RAWMIDI,
 				  rmidi->card, rmidi->device,
 				  &snd_rawmidi_f_ops, rmidi, &rmidi->dev);
 	if (err < 0) {
 		rmidi_err(rmidi, "unable to register\n");
+		mutex_lock(&register_mutex);
 		list_del(&rmidi->list);
 		mutex_unlock(&register_mutex);
 		return err;
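Review bot: Releasing `register_mutex` straight after `list_add_tail()` leaves `rmidi` on `snd_rawmidi_devices` while `snd_register_device()`, the `dev_register` callback (second hunk) and the CONFIG_SND_OSSEMUL block (up to the unlock removed in the third hunk) are still running. Any path that looks the device up under `register_mutex`, which the lockdep trace shows `snd_rawmidi_kernel_open()` taking, could presumably find an entry whose registration later fails and is unlinked by the `list_del()` in the error branches; the lookup code is not visible here, so that needs confirming. I would state the narrowed locking rule next to the new unlock, e.g. `/* register_mutex protects only snd_rawmidi_devices; the rest of registration runs unlocked */`. The function body starts and ends outside this hunk.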
@@ -1645,6 +1647,7 @@ static int snd_rawmidi_dev_register(struct snd_device *device)
 	if (rmidi->ops && rmidi->ops->dev_register &&
 	    (err = rmidi->ops->dev_register(rmidi)) < 0) {
 		snd_unregister_device(&rmidi->dev);
+		mutex_lock(&register_mutex);
 		list_del(&rmidi->list);
 		mutex_unlock(&register_mutex);
 		return err;
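Review bot: `rmidi->ops->dev_register()` is now invoked without `register_mutex`, and nothing at the call site records that this is deliberate. Per the commit message the callback may create a seq kernel client, which is the lock-order inversion being fixed, so a later cleanup that moves the call back under the mutex would reintroduce the deadlock. A comment above the call such as `/* called without register_mutex: the callback may take sequencer locks */` would guard against that. The enclosing function starts and ends outside the hunk.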
@@ -1677,7 +1680,6 @@ static int snd_rawmidi_dev_register(struct snd_device *device)
 		}
 	}
 #endif /* CONFIG_SND_OSSEMUL */
-	mutex_unlock(&register_mutex);
 	sprintf(name, "midi%d", rmidi->device);
 	entry = snd_info_create_card_entry(rmidi->card, name, rmidi->card->proc_root);
 	if (entry) {
-- 
2.9.3


* Re: sound: deadlock snd_rawmidi_kernel_open/check_and_subscribe_port
@ 2016-08-30 13:49       ` Takashi Iwai
  0 siblings, 0 replies; 8+ messages in thread
From: Takashi Iwai @ 2016-08-30 13:49 UTC (permalink / raw)
  To: Dmitry Vyukov
  Cc: alsa-devel, Jaroslav Kysela, LKML, Alexander Potapenko,
	Kostya Serebryany, syzkaller

On Mon, 22 Aug 2016 11:21:30 +0200,
Takashi Iwai wrote:
> 
> On Mon, 22 Aug 2016 02:15:48 +0200,
> Dmitry Vyukov wrote:
> > 
> > On Sat, Aug 13, 2016 at 2:43 PM, Dmitry Vyukov <dvyukov@google.com> wrote:
> > > Hello,
> > >
> > > While running syzkaller fuzzer on
> > > f31494bd05b06b0cdb4da6aebe92eaafab970df6 (Aug 12), I've got the
> > > following deadlock report:
(snip)
> > 
> > Ping. Still happens on HEAD.
> 
> Sorry, I've been on vacation in the last week.
> I'll take a look once after digesting the whole backlogs...

Could you try the patch below?


thanks,

Takashi

-- 8< --
From: Takashi Iwai <tiwai@suse.de>
Subject: [PATCH] ALSA: rawmidi: Fix possible deadlock with virmidi
 registration

When a seq-virmidi driver is initialized, it registers a rawmidi
instance with its callback to create an associated seq kernel client.
Currently this is done entirely within rawmidi's register_mutex context,
which may lead to a deadlock when another rawmidi device that is attached
to the sequencer is accessed, since it also opens with the
register_mutex.  This was actually triggered by syzkaller, as Dmitry
Vyukov reported:

======================================================
 [ INFO: possible circular locking dependency detected ]
 4.8.0-rc1+ #11 Not tainted
 -------------------------------------------------------
 syz-executor/7154 is trying to acquire lock:
  (register_mutex#5){+.+.+.}, at: [<ffffffff84fd6d4b>] snd_rawmidi_kernel_open+0x4b/0x260 sound/core/rawmidi.c:341

 but task is already holding lock:
  (&grp->list_mutex){++++.+}, at: [<ffffffff850138bb>] check_and_subscribe_port+0x5b/0x5c0 sound/core/seq/seq_ports.c:495

 which lock already depends on the new lock.

 the existing dependency chain (in reverse order) is:

 -> #1 (&grp->list_mutex){++++.+}:
    [<ffffffff8147a3a8>] lock_acquire+0x208/0x430 kernel/locking/lockdep.c:3746
    [<ffffffff863f6199>] down_read+0x49/0xc0 kernel/locking/rwsem.c:22
    [<     inline     >] deliver_to_subscribers sound/core/seq/seq_clientmgr.c:681
    [<ffffffff85005c5e>] snd_seq_deliver_event+0x35e/0x890 sound/core/seq/seq_clientmgr.c:822
    [<ffffffff85006e96>] > snd_seq_kernel_client_dispatch+0x126/0x170 sound/core/seq/seq_clientmgr.c:2418
    [<ffffffff85012c52>] snd_seq_system_broadcast+0xb2/0xf0 sound/core/seq/seq_system.c:101
    [<ffffffff84fff70a>] snd_seq_create_kernel_client+0x24a/0x330 sound/core/seq/seq_clientmgr.c:2297
    [<     inline     >] snd_virmidi_dev_attach_seq sound/core/seq/seq_virmidi.c:383
    [<ffffffff8502d29f>] snd_virmidi_dev_register+0x29f/0x750 sound/core/seq/seq_virmidi.c:450
    [<ffffffff84fd208c>] snd_rawmidi_dev_register+0x30c/0xd40 sound/core/rawmidi.c:1645
    [<ffffffff84f816d3>] __snd_device_register.part.0+0x63/0xc0 sound/core/device.c:164
    [<     inline     >] __snd_device_register sound/core/device.c:162
    [<ffffffff84f8235d>] snd_device_register_all+0xad/0x110 sound/core/device.c:212
    [<ffffffff84f7546f>] snd_card_register+0xef/0x6c0 sound/core/init.c:749
    [<ffffffff85040b7f>] snd_virmidi_probe+0x3ef/0x590 sound/drivers/virmidi.c:123
    [<ffffffff833ebf7b>] platform_drv_probe+0x8b/0x170 drivers/base/platform.c:564
    ......

 -> #0 (register_mutex#5){+.+.+.}:
    [<     inline     >] check_prev_add kernel/locking/lockdep.c:1829
    [<     inline     >] check_prevs_add kernel/locking/lockdep.c:1939
    [<     inline     >] validate_chain kernel/locking/lockdep.c:2266
    [<ffffffff814791f4>] __lock_acquire+0x4d44/0x4d80 kernel/locking/lockdep.c:3335
    [<ffffffff8147a3a8>] lock_acquire+0x208/0x430 kernel/locking/lockdep.c:3746
    [<     inline     >] __mutex_lock_common kernel/locking/mutex.c:521
    [<ffffffff863f0ef1>] mutex_lock_nested+0xb1/0xa20 kernel/locking/mutex.c:621
    [<ffffffff84fd6d4b>] snd_rawmidi_kernel_open+0x4b/0x260 sound/core/rawmidi.c:341
    [<ffffffff8502e7c7>] midisynth_subscribe+0xf7/0x350 sound/core/seq/seq_midi.c:188
    [<     inline     >] subscribe_port sound/core/seq/seq_ports.c:427
    [<ffffffff85013cc7>] check_and_subscribe_port+0x467/0x5c0 sound/core/seq/seq_ports.c:510
    [<ffffffff85015da9>] snd_seq_port_connect+0x2c9/0x500 sound/core/seq/seq_ports.c:579
    [<ffffffff850079b8>] snd_seq_ioctl_subscribe_port+0x1d8/0x2b0 sound/core/seq/seq_clientmgr.c:1480
    [<ffffffff84ffe9e4>] snd_seq_do_ioctl+0x184/0x1e0 sound/core/seq/seq_clientmgr.c:2225
    [<ffffffff84ffeae8>] snd_seq_kernel_client_ctl+0xa8/0x110 sound/core/seq/seq_clientmgr.c:2440
    [<ffffffff85027664>] snd_seq_oss_midi_open+0x3b4/0x610 sound/core/seq/oss/seq_oss_midi.c:375
    [<ffffffff85023d67>] snd_seq_oss_synth_setup_midi+0x107/0x4c0 sound/core/seq/oss/seq_oss_synth.c:281
    [<ffffffff8501b0a8>] snd_seq_oss_open+0x748/0x8d0 sound/core/seq/oss/seq_oss_init.c:274
    [<ffffffff85019d8a>] odev_open+0x6a/0x90 sound/core/seq/oss/seq_oss.c:138
    [<ffffffff84f7040f>] soundcore_open+0x30f/0x640 sound/sound_core.c:639
    ......

 other info that might help us debug this:

 Possible unsafe locking scenario:

        CPU0                    CPU1
        ----                    ----
   lock(&grp->list_mutex);
                                lock(register_mutex#5);
                                lock(&grp->list_mutex);
   lock(register_mutex#5);

 *** DEADLOCK ***
======================================================

The fix is to simply move the registration parts in
snd_rawmidi_dev_register() to the outside of the register_mutex lock.
The lock is needed only to manage the linked list, and it's not
necessarily to cover the whole initialization process.

Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
---
 sound/core/rawmidi.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/sound/core/rawmidi.c b/sound/core/rawmidi.c
index 795437b10082..b450a27588c8 100644
--- a/sound/core/rawmidi.c
+++ b/sound/core/rawmidi.c
@@ -1633,11 +1633,13 @@ static int snd_rawmidi_dev_register(struct snd_device *device)
 		return -EBUSY;
 	}
 	list_add_tail(&rmidi->list, &snd_rawmidi_devices);
+	mutex_unlock(&register_mutex);
 	err = snd_register_device(SNDRV_DEVICE_TYPE_RAWMIDI,
 				  rmidi->card, rmidi->device,
 				  &snd_rawmidi_f_ops, rmidi, &rmidi->dev);
 	if (err < 0) {
 		rmidi_err(rmidi, "unable to register\n");
+		mutex_lock(&register_mutex);
 		list_del(&rmidi->list);
 		mutex_unlock(&register_mutex);
 		return err;
@@ -1645,6 +1647,7 @@ static int snd_rawmidi_dev_register(struct snd_device *device)
 	if (rmidi->ops && rmidi->ops->dev_register &&
 	    (err = rmidi->ops->dev_register(rmidi)) < 0) {
 		snd_unregister_device(&rmidi->dev);
+		mutex_lock(&register_mutex);
 		list_del(&rmidi->list);
 		mutex_unlock(&register_mutex);
 		return err;
@@ -1677,7 +1680,6 @@ static int snd_rawmidi_dev_register(struct snd_device *device)
 		}
 	}
 #endif /* CONFIG_SND_OSSEMUL */
-	mutex_unlock(&register_mutex);
 	sprintf(name, "midi%d", rmidi->device);
 	entry = snd_info_create_card_entry(rmidi->card, name, rmidi->card->proc_root);
 	if (entry) {
-- 
2.9.3


* Re: sound: deadlock snd_rawmidi_kernel_open/check_and_subscribe_port
  2016-08-30 13:49       ` Takashi Iwai
  (?)
@ 2016-08-30 14:05       ` Dmitry Vyukov
  -1 siblings, 0 replies; 8+ messages in thread
From: Dmitry Vyukov @ 2016-08-30 14:05 UTC (permalink / raw)
  To: Takashi Iwai
  Cc: alsa-devel, Jaroslav Kysela, LKML, Alexander Potapenko,
	Kostya Serebryany, syzkaller

On Tue, Aug 30, 2016 at 3:49 PM, Takashi Iwai <tiwai@suse.de> wrote:
> On Mon, 22 Aug 2016 11:21:30 +0200,
> Takashi Iwai wrote:
>>
>> On Mon, 22 Aug 2016 02:15:48 +0200,
>> Dmitry Vyukov wrote:
>> >
>> > On Sat, Aug 13, 2016 at 2:43 PM, Dmitry Vyukov <dvyukov@google.com> wrote:
>> > > Hello,
>> > >
>> > > While running syzkaller fuzzer on
>> > > f31494bd05b06b0cdb4da6aebe92eaafab970df6 (Aug 12), I've got the
>> > > following deadlock report:
> (snip)
>> >
>> > Ping. Still happens on HEAD.
>>
>> Sorry, I've been on vacation in the last week.
>> I'll take a look once after digesting the whole backlogs...
>
> Could you try the patch below?


Incorporated into my tree. I will notify if I see this again.


> thanks,
>
> Takashi
>
> -- 8< --
> From: Takashi Iwai <tiwai@suse.de>
> Subject: [PATCH] ALSA: rawmidi: Fix possible deadlock with virmidi
>  registration
>
> When a seq-virmidi driver is initialized, it registers a rawmidi
> instance with its callback to create an associated seq kernel client.
> Currently it's done throughly in rawmidi's register_mutex context,
> this may lead to a deadlock another rawmidi device that is attached
> with the sequencer is accessed, since it also opens with the
> register_mutex.  This was actually triggered by syzkaller, as Dmitry
> Vyukov reported:
>
> ======================================================
>  [ INFO: possible circular locking dependency detected ]
>  4.8.0-rc1+ #11 Not tainted
>  -------------------------------------------------------
>  syz-executor/7154 is trying to acquire lock:
>   (register_mutex#5){+.+.+.}, at: [<ffffffff84fd6d4b>] snd_rawmidi_kernel_open+0x4b/0x260 sound/core/rawmidi.c:341
>
>  but task is already holding lock:
>   (&grp->list_mutex){++++.+}, at: [<ffffffff850138bb>] check_and_subscribe_port+0x5b/0x5c0 sound/core/seq/seq_ports.c:495
>
>  which lock already depends on the new lock.
>
>  the existing dependency chain (in reverse order) is:
>
>  -> #1 (&grp->list_mutex){++++.+}:
>     [<ffffffff8147a3a8>] lock_acquire+0x208/0x430 kernel/locking/lockdep.c:3746
>     [<ffffffff863f6199>] down_read+0x49/0xc0 kernel/locking/rwsem.c:22
>     [<     inline     >] deliver_to_subscribers sound/core/seq/seq_clientmgr.c:681
>     [<ffffffff85005c5e>] snd_seq_deliver_event+0x35e/0x890 sound/core/seq/seq_clientmgr.c:822
>     [<ffffffff85006e96>] > snd_seq_kernel_client_dispatch+0x126/0x170 sound/core/seq/seq_clientmgr.c:2418
>     [<ffffffff85012c52>] snd_seq_system_broadcast+0xb2/0xf0 sound/core/seq/seq_system.c:101
>     [<ffffffff84fff70a>] snd_seq_create_kernel_client+0x24a/0x330 sound/core/seq/seq_clientmgr.c:2297
>     [<     inline     >] snd_virmidi_dev_attach_seq sound/core/seq/seq_virmidi.c:383
>     [<ffffffff8502d29f>] snd_virmidi_dev_register+0x29f/0x750 sound/core/seq/seq_virmidi.c:450
>     [<ffffffff84fd208c>] snd_rawmidi_dev_register+0x30c/0xd40 sound/core/rawmidi.c:1645
>     [<ffffffff84f816d3>] __snd_device_register.part.0+0x63/0xc0 sound/core/device.c:164
>     [<     inline     >] __snd_device_register sound/core/device.c:162
>     [<ffffffff84f8235d>] snd_device_register_all+0xad/0x110 sound/core/device.c:212
>     [<ffffffff84f7546f>] snd_card_register+0xef/0x6c0 sound/core/init.c:749
>     [<ffffffff85040b7f>] snd_virmidi_probe+0x3ef/0x590 sound/drivers/virmidi.c:123
>     [<ffffffff833ebf7b>] platform_drv_probe+0x8b/0x170 drivers/base/platform.c:564
>     ......
>
>  -> #0 (register_mutex#5){+.+.+.}:
>     [<     inline     >] check_prev_add kernel/locking/lockdep.c:1829
>     [<     inline     >] check_prevs_add kernel/locking/lockdep.c:1939
>     [<     inline     >] validate_chain kernel/locking/lockdep.c:2266
>     [<ffffffff814791f4>] __lock_acquire+0x4d44/0x4d80 kernel/locking/lockdep.c:3335
>     [<ffffffff8147a3a8>] lock_acquire+0x208/0x430 kernel/locking/lockdep.c:3746
>     [<     inline     >] __mutex_lock_common kernel/locking/mutex.c:521
>     [<ffffffff863f0ef1>] mutex_lock_nested+0xb1/0xa20 kernel/locking/mutex.c:621
>     [<ffffffff84fd6d4b>] snd_rawmidi_kernel_open+0x4b/0x260 sound/core/rawmidi.c:341
>     [<ffffffff8502e7c7>] midisynth_subscribe+0xf7/0x350 sound/core/seq/seq_midi.c:188
>     [<     inline     >] subscribe_port sound/core/seq/seq_ports.c:427
>     [<ffffffff85013cc7>] check_and_subscribe_port+0x467/0x5c0 sound/core/seq/seq_ports.c:510
>     [<ffffffff85015da9>] snd_seq_port_connect+0x2c9/0x500 sound/core/seq/seq_ports.c:579
>     [<ffffffff850079b8>] snd_seq_ioctl_subscribe_port+0x1d8/0x2b0 sound/core/seq/seq_clientmgr.c:1480
>     [<ffffffff84ffe9e4>] snd_seq_do_ioctl+0x184/0x1e0 sound/core/seq/seq_clientmgr.c:2225
>     [<ffffffff84ffeae8>] snd_seq_kernel_client_ctl+0xa8/0x110 sound/core/seq/seq_clientmgr.c:2440
>     [<ffffffff85027664>] snd_seq_oss_midi_open+0x3b4/0x610 sound/core/seq/oss/seq_oss_midi.c:375
>     [<ffffffff85023d67>] snd_seq_oss_synth_setup_midi+0x107/0x4c0 sound/core/seq/oss/seq_oss_synth.c:281
>     [<ffffffff8501b0a8>] snd_seq_oss_open+0x748/0x8d0 sound/core/seq/oss/seq_oss_init.c:274
>     [<ffffffff85019d8a>] odev_open+0x6a/0x90 sound/core/seq/oss/seq_oss.c:138
>     [<ffffffff84f7040f>] soundcore_open+0x30f/0x640 sound/sound_core.c:639
>     ......
>
>  other info that might help us debug this:
>
>  Possible unsafe locking scenario:
>
>         CPU0                    CPU1
>         ----                    ----
>    lock(&grp->list_mutex);
>                                 lock(register_mutex#5);
>                                 lock(&grp->list_mutex);
>    lock(register_mutex#5);
>
>  *** DEADLOCK ***
> ======================================================
>
> The fix is to simply move the registration parts in
> snd_rawmidi_dev_register() to the outside of the register_mutex lock.
> The lock is needed only to manage the linked list, and it's not
> necessarily to cover the whole initialization process.
>
> Reported-by: Dmitry Vyukov <dvyukov@google.com>
> Signed-off-by: Takashi Iwai <tiwai@suse.de>
> ---
>  sound/core/rawmidi.c | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/sound/core/rawmidi.c b/sound/core/rawmidi.c
> index 795437b10082..b450a27588c8 100644
> --- a/sound/core/rawmidi.c
> +++ b/sound/core/rawmidi.c
> @@ -1633,11 +1633,13 @@ static int snd_rawmidi_dev_register(struct snd_device *device)
>                 return -EBUSY;
>         }
>         list_add_tail(&rmidi->list, &snd_rawmidi_devices);
> +       mutex_unlock(&register_mutex);
>         err = snd_register_device(SNDRV_DEVICE_TYPE_RAWMIDI,
>                                   rmidi->card, rmidi->device,
>                                   &snd_rawmidi_f_ops, rmidi, &rmidi->dev);
>         if (err < 0) {
>                 rmidi_err(rmidi, "unable to register\n");
> +               mutex_lock(&register_mutex);
>                 list_del(&rmidi->list);
>                 mutex_unlock(&register_mutex);
>                 return err;
> @@ -1645,6 +1647,7 @@ static int snd_rawmidi_dev_register(struct snd_device *device)
>         if (rmidi->ops && rmidi->ops->dev_register &&
>             (err = rmidi->ops->dev_register(rmidi)) < 0) {
>                 snd_unregister_device(&rmidi->dev);
> +               mutex_lock(&register_mutex);
>                 list_del(&rmidi->list);
>                 mutex_unlock(&register_mutex);
>                 return err;
> @@ -1677,7 +1680,6 @@ static int snd_rawmidi_dev_register(struct snd_device *device)
>                 }
>         }
>  #endif /* CONFIG_SND_OSSEMUL */
> -       mutex_unlock(&register_mutex);
>         sprintf(name, "midi%d", rmidi->device);
>         entry = snd_info_create_card_entry(rmidi->card, name, rmidi->card->proc_root);
>         if (entry) {
> --
> 2.9.3
>

