* sound: deadlock snd_rawmidi_kernel_open/check_and_subscribe_port @ 2016-08-13 21:43 ` Dmitry Vyukov 0 siblings, 0 replies; 8+ messages in thread From: Dmitry Vyukov @ 2016-08-13 21:43 UTC (permalink / raw) To: Jaroslav Kysela, Takashi Iwai, alsa-devel, LKML Cc: syzkaller, Kostya Serebryany, Alexander Potapenko Hello, While running syzkaller fuzzer on f31494bd05b06b0cdb4da6aebe92eaafab970df6 (Aug 12), I've got the following deadlock report: ====================================================== [ INFO: possible circular locking dependency detected ] 4.8.0-rc1+ #11 Not tainted ------------------------------------------------------- syz-executor/7154 is trying to acquire lock: (register_mutex#5){+.+.+.}, at: [<ffffffff84fd6d4b>] snd_rawmidi_kernel_open+0x4b/0x260 sound/core/rawmidi.c:341 but task is already holding lock: (&grp->list_mutex){++++.+}, at: [<ffffffff850138bb>] check_and_subscribe_port+0x5b/0x5c0 sound/core/seq/seq_ports.c:495 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #1 (&grp->list_mutex){++++.+}: [<ffffffff8147a3a8>] lock_acquire+0x208/0x430 kernel/locking/lockdep.c:3746 [<ffffffff863f6199>] down_read+0x49/0xc0 kernel/locking/rwsem.c:22 [< inline >] deliver_to_subscribers sound/core/seq/seq_clientmgr.c:681 [<ffffffff85005c5e>] snd_seq_deliver_event+0x35e/0x890 sound/core/seq/seq_clientmgr.c:822 [<ffffffff85006e96>] snd_seq_kernel_client_dispatch+0x126/0x170 sound/core/seq/seq_clientmgr.c:2418 [<ffffffff85012c52>] snd_seq_system_broadcast+0xb2/0xf0 sound/core/seq/seq_system.c:101 [<ffffffff84fff70a>] snd_seq_create_kernel_client+0x24a/0x330 sound/core/seq/seq_clientmgr.c:2297 [< inline >] snd_virmidi_dev_attach_seq sound/core/seq/seq_virmidi.c:383 [<ffffffff8502d29f>] snd_virmidi_dev_register+0x29f/0x750 sound/core/seq/seq_virmidi.c:450 [<ffffffff84fd208c>] snd_rawmidi_dev_register+0x30c/0xd40 sound/core/rawmidi.c:1645 [<ffffffff84f816d3>] __snd_device_register.part.0+0x63/0xc0 
sound/core/device.c:164 [< inline >] __snd_device_register sound/core/device.c:162 [<ffffffff84f8235d>] snd_device_register_all+0xad/0x110 sound/core/device.c:212 [<ffffffff84f7546f>] snd_card_register+0xef/0x6c0 sound/core/init.c:749 [<ffffffff85040b7f>] snd_virmidi_probe+0x3ef/0x590 sound/drivers/virmidi.c:123 [<ffffffff833ebf7b>] platform_drv_probe+0x8b/0x170 drivers/base/platform.c:564 [< inline >] really_probe drivers/base/dd.c:377 [<ffffffff833e5993>] driver_probe_device+0x563/0xcc0 drivers/base/dd.c:499 [<ffffffff833e653d>] __device_attach_driver+0x21d/0x2e0 drivers/base/dd.c:594 [<ffffffff833df38f>] bus_for_each_drv+0x13f/0x1d0 drivers/base/bus.c:463 [<ffffffff833e51ef>] __device_attach+0x1ef/0x300 drivers/base/dd.c:651 [<ffffffff833e669a>] device_initial_probe+0x1a/0x20 drivers/base/dd.c:698 [<ffffffff833e2999>] bus_probe_device+0x1e9/0x290 drivers/base/bus.c:557 [<ffffffff833dc459>] device_add+0xc49/0x14c0 drivers/base/core.c:1120 [<ffffffff833eb629>] platform_device_add+0x2f9/0x7b0 drivers/base/platform.c:403 [<ffffffff833ed3b2>] platform_device_register_full+0x392/0x4b0 drivers/base/platform.c:536 [< inline >] platform_device_register_resndata ./include/linux/platform_device.h:111 [< inline >] platform_device_register_simple ./include/linux/platform_device.h:140 [<ffffffff8870fabd>] alsa_card_virmidi_init+0x104/0x1da sound/drivers/virmidi.c:172 [<ffffffff81002330>] do_one_initcall+0xa0/0x2b0 init/main.c:778 [< inline >] do_initcall_level init/main.c:843 [< inline >] do_initcalls init/main.c:851 [< inline >] do_basic_setup init/main.c:869 [<ffffffff88604d11>] kernel_init_freeable+0x47b/0x534 init/main.c:1016 [<ffffffff863e2f53>] kernel_init+0x13/0x180 init/main.c:942 [<ffffffff863fbdcf>] ret_from_fork+0x1f/0x40 arch/x86/entry/entry_64.S:393 -> #0 (register_mutex#5){+.+.+.}: [< inline >] check_prev_add kernel/locking/lockdep.c:1829 [< inline >] check_prevs_add kernel/locking/lockdep.c:1939 [< inline >] validate_chain kernel/locking/lockdep.c:2266 
[<ffffffff814791f4>] __lock_acquire+0x4d44/0x4d80 kernel/locking/lockdep.c:3335 [<ffffffff8147a3a8>] lock_acquire+0x208/0x430 kernel/locking/lockdep.c:3746 [< inline >] __mutex_lock_common kernel/locking/mutex.c:521 [<ffffffff863f0ef1>] mutex_lock_nested+0xb1/0xa20 kernel/locking/mutex.c:621 [<ffffffff84fd6d4b>] snd_rawmidi_kernel_open+0x4b/0x260 sound/core/rawmidi.c:341 [<ffffffff8502e7c7>] midisynth_subscribe+0xf7/0x350 sound/core/seq/seq_midi.c:188 [< inline >] subscribe_port sound/core/seq/seq_ports.c:427 [<ffffffff85013cc7>] check_and_subscribe_port+0x467/0x5c0 sound/core/seq/seq_ports.c:510 [<ffffffff85015da9>] snd_seq_port_connect+0x2c9/0x500 sound/core/seq/seq_ports.c:579 [<ffffffff850079b8>] snd_seq_ioctl_subscribe_port+0x1d8/0x2b0 sound/core/seq/seq_clientmgr.c:1480 [<ffffffff84ffe9e4>] snd_seq_do_ioctl+0x184/0x1e0 sound/core/seq/seq_clientmgr.c:2225 [<ffffffff84ffeae8>] snd_seq_kernel_client_ctl+0xa8/0x110 sound/core/seq/seq_clientmgr.c:2440 [<ffffffff85027664>] snd_seq_oss_midi_open+0x3b4/0x610 sound/core/seq/oss/seq_oss_midi.c:375 [<ffffffff85023d67>] snd_seq_oss_synth_setup_midi+0x107/0x4c0 sound/core/seq/oss/seq_oss_synth.c:281 [<ffffffff8501b0a8>] snd_seq_oss_open+0x748/0x8d0 sound/core/seq/oss/seq_oss_init.c:274 [<ffffffff85019d8a>] odev_open+0x6a/0x90 sound/core/seq/oss/seq_oss.c:138 [<ffffffff84f7040f>] soundcore_open+0x30f/0x640 sound/sound_core.c:639 [<ffffffff818069ea>] chrdev_open+0x22a/0x4c0 fs/char_dev.c:392 [<ffffffff817f146f>] do_dentry_open+0x69f/0xca0 fs/open.c:736 [<ffffffff817f4aa5>] vfs_open+0x105/0x220 fs/open.c:849 [< inline >] do_last fs/namei.c:3374 [<ffffffff8182c35d>] path_openat+0x1efd/0x2f60 fs/namei.c:3497 [<ffffffff81830b6e>] do_filp_open+0x18e/0x250 fs/namei.c:3532 [<ffffffff817f53c1>] do_sys_open+0x201/0x420 fs/open.c:1036 [< inline >] SYSC_open fs/open.c:1054 [<ffffffff817f560d>] SyS_open+0x2d/0x40 fs/open.c:1049 [<ffffffff863fbb80>] entry_SYSCALL_64_fastpath+0x23/0xc1 arch/x86/entry/entry_64.S:207 other info that might 
help us debug this:

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&grp->list_mutex);
                               lock(register_mutex#5);
                               lock(&grp->list_mutex);
  lock(register_mutex#5);

 *** DEADLOCK ***

2 locks held by syz-executor/7154: #0: (register_mutex#4){+.+.+.}, at: [<ffffffff85019d7f>] odev_open+0x5f/0x90 sound/core/seq/oss/seq_oss.c:137 #1: (&grp->list_mutex){++++.+}, at: [<ffffffff850138bb>] check_and_subscribe_port+0x5b/0x5c0 sound/core/seq/seq_ports.c:495 stack backtrace: CPU: 0 PID: 7154 Comm: syz-executor Not tainted 4.8.0-rc1+ #11 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 ffffffff878b7680 ffff880038b670f0 ffffffff82a5f719 ffffffff00000000 fffffbfff0f16ed0 ffffffff8901a0d0 ffffffff8901a0d0 ffffffff890191a0 ffff88003da2cf08 ffff88003da2c6c0 ffff880038b67140 ffffffff814708a8 Call Trace: [< inline >] __dump_stack lib/dump_stack.c:15 [<ffffffff82a5f719>] dump_stack+0x12e/0x185 lib/dump_stack.c:51 [<ffffffff814708a8>] print_circular_bug+0x288/0x340 kernel/locking/lockdep.c:1202 [< inline >] check_prev_add kernel/locking/lockdep.c:1829 [< inline >] check_prevs_add kernel/locking/lockdep.c:1939 [< inline >] validate_chain kernel/locking/lockdep.c:2266 [<ffffffff814791f4>] __lock_acquire+0x4d44/0x4d80 kernel/locking/lockdep.c:3335 [<ffffffff8147a3a8>] lock_acquire+0x208/0x430 kernel/locking/lockdep.c:3746 [< inline >] __mutex_lock_common kernel/locking/mutex.c:521 [<ffffffff863f0ef1>] mutex_lock_nested+0xb1/0xa20 kernel/locking/mutex.c:621 [<ffffffff84fd6d4b>] snd_rawmidi_kernel_open+0x4b/0x260 sound/core/rawmidi.c:341 [<ffffffff8502e7c7>] midisynth_subscribe+0xf7/0x350 sound/core/seq/seq_midi.c:188 [< inline >] subscribe_port sound/core/seq/seq_ports.c:427 [<ffffffff85013cc7>] check_and_subscribe_port+0x467/0x5c0 sound/core/seq/seq_ports.c:510 [<ffffffff85015da9>] snd_seq_port_connect+0x2c9/0x500 sound/core/seq/seq_ports.c:579 [<ffffffff850079b8>] snd_seq_ioctl_subscribe_port+0x1d8/0x2b0 sound/core/seq/seq_clientmgr.c:1480 
[<ffffffff84ffe9e4>] snd_seq_do_ioctl+0x184/0x1e0 sound/core/seq/seq_clientmgr.c:2225 [<ffffffff84ffeae8>] snd_seq_kernel_client_ctl+0xa8/0x110 sound/core/seq/seq_clientmgr.c:2440 [<ffffffff85027664>] snd_seq_oss_midi_open+0x3b4/0x610 sound/core/seq/oss/seq_oss_midi.c:375 [<ffffffff85023d67>] snd_seq_oss_synth_setup_midi+0x107/0x4c0 sound/core/seq/oss/seq_oss_synth.c:281 [<ffffffff8501b0a8>] snd_seq_oss_open+0x748/0x8d0 sound/core/seq/oss/seq_oss_init.c:274 [<ffffffff85019d8a>] odev_open+0x6a/0x90 sound/core/seq/oss/seq_oss.c:138 [<ffffffff84f7040f>] soundcore_open+0x30f/0x640 sound/sound_core.c:639 [<ffffffff818069ea>] chrdev_open+0x22a/0x4c0 fs/char_dev.c:392 [<ffffffff817f146f>] do_dentry_open+0x69f/0xca0 fs/open.c:736 [<ffffffff817f4aa5>] vfs_open+0x105/0x220 fs/open.c:849 [< inline >] do_last fs/namei.c:3374 [<ffffffff8182c35d>] path_openat+0x1efd/0x2f60 fs/namei.c:3497 [<ffffffff81830b6e>] do_filp_open+0x18e/0x250 fs/namei.c:3532 [<ffffffff817f53c1>] do_sys_open+0x201/0x420 fs/open.c:1036 [< inline >] SYSC_open fs/open.c:1054 [<ffffffff817f560d>] SyS_open+0x2d/0x40 fs/open.c:1049 [<ffffffff863fbb80>] entry_SYSCALL_64_fastpath+0x23/0xc1 arch/x86/entry/entry_64.S:207
* sound: deadlock snd_rawmidi_kernel_open/check_and_subscribe_port @ 2016-08-13 21:43 ` Dmitry Vyukov 0 siblings, 0 replies; 8+ messages in thread From: Dmitry Vyukov @ 2016-08-13 21:43 UTC (permalink / raw) To: Jaroslav Kysela, Takashi Iwai, alsa-devel, LKML Cc: Kostya Serebryany, syzkaller, Alexander Potapenko Hello, While running syzkaller fuzzer on f31494bd05b06b0cdb4da6aebe92eaafab970df6 (Aug 12), I've got the following deadlock report: ====================================================== [ INFO: possible circular locking dependency detected ] 4.8.0-rc1+ #11 Not tainted ------------------------------------------------------- syz-executor/7154 is trying to acquire lock: (register_mutex#5){+.+.+.}, at: [<ffffffff84fd6d4b>] snd_rawmidi_kernel_open+0x4b/0x260 sound/core/rawmidi.c:341 but task is already holding lock: (&grp->list_mutex){++++.+}, at: [<ffffffff850138bb>] check_and_subscribe_port+0x5b/0x5c0 sound/core/seq/seq_ports.c:495 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #1 (&grp->list_mutex){++++.+}: [<ffffffff8147a3a8>] lock_acquire+0x208/0x430 kernel/locking/lockdep.c:3746 [<ffffffff863f6199>] down_read+0x49/0xc0 kernel/locking/rwsem.c:22 [< inline >] deliver_to_subscribers sound/core/seq/seq_clientmgr.c:681 [<ffffffff85005c5e>] snd_seq_deliver_event+0x35e/0x890 sound/core/seq/seq_clientmgr.c:822 [<ffffffff85006e96>] snd_seq_kernel_client_dispatch+0x126/0x170 sound/core/seq/seq_clientmgr.c:2418 [<ffffffff85012c52>] snd_seq_system_broadcast+0xb2/0xf0 sound/core/seq/seq_system.c:101 [<ffffffff84fff70a>] snd_seq_create_kernel_client+0x24a/0x330 sound/core/seq/seq_clientmgr.c:2297 [< inline >] snd_virmidi_dev_attach_seq sound/core/seq/seq_virmidi.c:383 [<ffffffff8502d29f>] snd_virmidi_dev_register+0x29f/0x750 sound/core/seq/seq_virmidi.c:450 [<ffffffff84fd208c>] snd_rawmidi_dev_register+0x30c/0xd40 sound/core/rawmidi.c:1645 [<ffffffff84f816d3>] __snd_device_register.part.0+0x63/0xc0 
sound/core/device.c:164 [< inline >] __snd_device_register sound/core/device.c:162 [<ffffffff84f8235d>] snd_device_register_all+0xad/0x110 sound/core/device.c:212 [<ffffffff84f7546f>] snd_card_register+0xef/0x6c0 sound/core/init.c:749 [<ffffffff85040b7f>] snd_virmidi_probe+0x3ef/0x590 sound/drivers/virmidi.c:123 [<ffffffff833ebf7b>] platform_drv_probe+0x8b/0x170 drivers/base/platform.c:564 [< inline >] really_probe drivers/base/dd.c:377 [<ffffffff833e5993>] driver_probe_device+0x563/0xcc0 drivers/base/dd.c:499 [<ffffffff833e653d>] __device_attach_driver+0x21d/0x2e0 drivers/base/dd.c:594 [<ffffffff833df38f>] bus_for_each_drv+0x13f/0x1d0 drivers/base/bus.c:463 [<ffffffff833e51ef>] __device_attach+0x1ef/0x300 drivers/base/dd.c:651 [<ffffffff833e669a>] device_initial_probe+0x1a/0x20 drivers/base/dd.c:698 [<ffffffff833e2999>] bus_probe_device+0x1e9/0x290 drivers/base/bus.c:557 [<ffffffff833dc459>] device_add+0xc49/0x14c0 drivers/base/core.c:1120 [<ffffffff833eb629>] platform_device_add+0x2f9/0x7b0 drivers/base/platform.c:403 [<ffffffff833ed3b2>] platform_device_register_full+0x392/0x4b0 drivers/base/platform.c:536 [< inline >] platform_device_register_resndata ./include/linux/platform_device.h:111 [< inline >] platform_device_register_simple ./include/linux/platform_device.h:140 [<ffffffff8870fabd>] alsa_card_virmidi_init+0x104/0x1da sound/drivers/virmidi.c:172 [<ffffffff81002330>] do_one_initcall+0xa0/0x2b0 init/main.c:778 [< inline >] do_initcall_level init/main.c:843 [< inline >] do_initcalls init/main.c:851 [< inline >] do_basic_setup init/main.c:869 [<ffffffff88604d11>] kernel_init_freeable+0x47b/0x534 init/main.c:1016 [<ffffffff863e2f53>] kernel_init+0x13/0x180 init/main.c:942 [<ffffffff863fbdcf>] ret_from_fork+0x1f/0x40 arch/x86/entry/entry_64.S:393 -> #0 (register_mutex#5){+.+.+.}: [< inline >] check_prev_add kernel/locking/lockdep.c:1829 [< inline >] check_prevs_add kernel/locking/lockdep.c:1939 [< inline >] validate_chain kernel/locking/lockdep.c:2266 
[<ffffffff814791f4>] __lock_acquire+0x4d44/0x4d80 kernel/locking/lockdep.c:3335 [<ffffffff8147a3a8>] lock_acquire+0x208/0x430 kernel/locking/lockdep.c:3746 [< inline >] __mutex_lock_common kernel/locking/mutex.c:521 [<ffffffff863f0ef1>] mutex_lock_nested+0xb1/0xa20 kernel/locking/mutex.c:621 [<ffffffff84fd6d4b>] snd_rawmidi_kernel_open+0x4b/0x260 sound/core/rawmidi.c:341 [<ffffffff8502e7c7>] midisynth_subscribe+0xf7/0x350 sound/core/seq/seq_midi.c:188 [< inline >] subscribe_port sound/core/seq/seq_ports.c:427 [<ffffffff85013cc7>] check_and_subscribe_port+0x467/0x5c0 sound/core/seq/seq_ports.c:510 [<ffffffff85015da9>] snd_seq_port_connect+0x2c9/0x500 sound/core/seq/seq_ports.c:579 [<ffffffff850079b8>] snd_seq_ioctl_subscribe_port+0x1d8/0x2b0 sound/core/seq/seq_clientmgr.c:1480 [<ffffffff84ffe9e4>] snd_seq_do_ioctl+0x184/0x1e0 sound/core/seq/seq_clientmgr.c:2225 [<ffffffff84ffeae8>] snd_seq_kernel_client_ctl+0xa8/0x110 sound/core/seq/seq_clientmgr.c:2440 [<ffffffff85027664>] snd_seq_oss_midi_open+0x3b4/0x610 sound/core/seq/oss/seq_oss_midi.c:375 [<ffffffff85023d67>] snd_seq_oss_synth_setup_midi+0x107/0x4c0 sound/core/seq/oss/seq_oss_synth.c:281 [<ffffffff8501b0a8>] snd_seq_oss_open+0x748/0x8d0 sound/core/seq/oss/seq_oss_init.c:274 [<ffffffff85019d8a>] odev_open+0x6a/0x90 sound/core/seq/oss/seq_oss.c:138 [<ffffffff84f7040f>] soundcore_open+0x30f/0x640 sound/sound_core.c:639 [<ffffffff818069ea>] chrdev_open+0x22a/0x4c0 fs/char_dev.c:392 [<ffffffff817f146f>] do_dentry_open+0x69f/0xca0 fs/open.c:736 [<ffffffff817f4aa5>] vfs_open+0x105/0x220 fs/open.c:849 [< inline >] do_last fs/namei.c:3374 [<ffffffff8182c35d>] path_openat+0x1efd/0x2f60 fs/namei.c:3497 [<ffffffff81830b6e>] do_filp_open+0x18e/0x250 fs/namei.c:3532 [<ffffffff817f53c1>] do_sys_open+0x201/0x420 fs/open.c:1036 [< inline >] SYSC_open fs/open.c:1054 [<ffffffff817f560d>] SyS_open+0x2d/0x40 fs/open.c:1049 [<ffffffff863fbb80>] entry_SYSCALL_64_fastpath+0x23/0xc1 arch/x86/entry/entry_64.S:207 other info that might 
help us debug this:

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&grp->list_mutex);
                               lock(register_mutex#5);
                               lock(&grp->list_mutex);
  lock(register_mutex#5);

 *** DEADLOCK ***

2 locks held by syz-executor/7154: #0: (register_mutex#4){+.+.+.}, at: [<ffffffff85019d7f>] odev_open+0x5f/0x90 sound/core/seq/oss/seq_oss.c:137 #1: (&grp->list_mutex){++++.+}, at: [<ffffffff850138bb>] check_and_subscribe_port+0x5b/0x5c0 sound/core/seq/seq_ports.c:495 stack backtrace: CPU: 0 PID: 7154 Comm: syz-executor Not tainted 4.8.0-rc1+ #11 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 ffffffff878b7680 ffff880038b670f0 ffffffff82a5f719 ffffffff00000000 fffffbfff0f16ed0 ffffffff8901a0d0 ffffffff8901a0d0 ffffffff890191a0 ffff88003da2cf08 ffff88003da2c6c0 ffff880038b67140 ffffffff814708a8 Call Trace: [< inline >] __dump_stack lib/dump_stack.c:15 [<ffffffff82a5f719>] dump_stack+0x12e/0x185 lib/dump_stack.c:51 [<ffffffff814708a8>] print_circular_bug+0x288/0x340 kernel/locking/lockdep.c:1202 [< inline >] check_prev_add kernel/locking/lockdep.c:1829 [< inline >] check_prevs_add kernel/locking/lockdep.c:1939 [< inline >] validate_chain kernel/locking/lockdep.c:2266 [<ffffffff814791f4>] __lock_acquire+0x4d44/0x4d80 kernel/locking/lockdep.c:3335 [<ffffffff8147a3a8>] lock_acquire+0x208/0x430 kernel/locking/lockdep.c:3746 [< inline >] __mutex_lock_common kernel/locking/mutex.c:521 [<ffffffff863f0ef1>] mutex_lock_nested+0xb1/0xa20 kernel/locking/mutex.c:621 [<ffffffff84fd6d4b>] snd_rawmidi_kernel_open+0x4b/0x260 sound/core/rawmidi.c:341 [<ffffffff8502e7c7>] midisynth_subscribe+0xf7/0x350 sound/core/seq/seq_midi.c:188 [< inline >] subscribe_port sound/core/seq/seq_ports.c:427 [<ffffffff85013cc7>] check_and_subscribe_port+0x467/0x5c0 sound/core/seq/seq_ports.c:510 [<ffffffff85015da9>] snd_seq_port_connect+0x2c9/0x500 sound/core/seq/seq_ports.c:579 [<ffffffff850079b8>] snd_seq_ioctl_subscribe_port+0x1d8/0x2b0 sound/core/seq/seq_clientmgr.c:1480 
[<ffffffff84ffe9e4>] snd_seq_do_ioctl+0x184/0x1e0 sound/core/seq/seq_clientmgr.c:2225 [<ffffffff84ffeae8>] snd_seq_kernel_client_ctl+0xa8/0x110 sound/core/seq/seq_clientmgr.c:2440 [<ffffffff85027664>] snd_seq_oss_midi_open+0x3b4/0x610 sound/core/seq/oss/seq_oss_midi.c:375 [<ffffffff85023d67>] snd_seq_oss_synth_setup_midi+0x107/0x4c0 sound/core/seq/oss/seq_oss_synth.c:281 [<ffffffff8501b0a8>] snd_seq_oss_open+0x748/0x8d0 sound/core/seq/oss/seq_oss_init.c:274 [<ffffffff85019d8a>] odev_open+0x6a/0x90 sound/core/seq/oss/seq_oss.c:138 [<ffffffff84f7040f>] soundcore_open+0x30f/0x640 sound/sound_core.c:639 [<ffffffff818069ea>] chrdev_open+0x22a/0x4c0 fs/char_dev.c:392 [<ffffffff817f146f>] do_dentry_open+0x69f/0xca0 fs/open.c:736 [<ffffffff817f4aa5>] vfs_open+0x105/0x220 fs/open.c:849 [< inline >] do_last fs/namei.c:3374 [<ffffffff8182c35d>] path_openat+0x1efd/0x2f60 fs/namei.c:3497 [<ffffffff81830b6e>] do_filp_open+0x18e/0x250 fs/namei.c:3532 [<ffffffff817f53c1>] do_sys_open+0x201/0x420 fs/open.c:1036 [< inline >] SYSC_open fs/open.c:1054 [<ffffffff817f560d>] SyS_open+0x2d/0x40 fs/open.c:1049 [<ffffffff863fbb80>] entry_SYSCALL_64_fastpath+0x23/0xc1 arch/x86/entry/entry_64.S:207
* Re: sound: deadlock snd_rawmidi_kernel_open/check_and_subscribe_port 2016-08-13 21:43 ` Dmitry Vyukov (?) @ 2016-08-22 0:15 ` Dmitry Vyukov 2016-08-22 9:21 ` Takashi Iwai -1 siblings, 1 reply; 8+ messages in thread From: Dmitry Vyukov @ 2016-08-22 0:15 UTC (permalink / raw) To: Jaroslav Kysela, Takashi Iwai, alsa-devel, LKML Cc: syzkaller, Kostya Serebryany, Alexander Potapenko On Sat, Aug 13, 2016 at 2:43 PM, Dmitry Vyukov <dvyukov@google.com> wrote: > Hello, > > While running syzkaller fuzzer on > f31494bd05b06b0cdb4da6aebe92eaafab970df6 (Aug 12), I've got the > following deadlock report: > > ====================================================== > [ INFO: possible circular locking dependency detected ] > 4.8.0-rc1+ #11 Not tainted > ------------------------------------------------------- > syz-executor/7154 is trying to acquire lock: > (register_mutex#5){+.+.+.}, at: [<ffffffff84fd6d4b>] > snd_rawmidi_kernel_open+0x4b/0x260 sound/core/rawmidi.c:341 > > but task is already holding lock: > (&grp->list_mutex){++++.+}, at: [<ffffffff850138bb>] > check_and_subscribe_port+0x5b/0x5c0 sound/core/seq/seq_ports.c:495 > > which lock already depends on the new lock. 
> > the existing dependency chain (in reverse order) is: > > -> #1 (&grp->list_mutex){++++.+}: > [<ffffffff8147a3a8>] lock_acquire+0x208/0x430 > kernel/locking/lockdep.c:3746 > [<ffffffff863f6199>] down_read+0x49/0xc0 kernel/locking/rwsem.c:22 > [< inline >] deliver_to_subscribers > sound/core/seq/seq_clientmgr.c:681 > [<ffffffff85005c5e>] snd_seq_deliver_event+0x35e/0x890 > sound/core/seq/seq_clientmgr.c:822 > [<ffffffff85006e96>] snd_seq_kernel_client_dispatch+0x126/0x170 > sound/core/seq/seq_clientmgr.c:2418 > [<ffffffff85012c52>] snd_seq_system_broadcast+0xb2/0xf0 > sound/core/seq/seq_system.c:101 > [<ffffffff84fff70a>] snd_seq_create_kernel_client+0x24a/0x330 > sound/core/seq/seq_clientmgr.c:2297 > [< inline >] snd_virmidi_dev_attach_seq > sound/core/seq/seq_virmidi.c:383 > [<ffffffff8502d29f>] snd_virmidi_dev_register+0x29f/0x750 > sound/core/seq/seq_virmidi.c:450 > [<ffffffff84fd208c>] snd_rawmidi_dev_register+0x30c/0xd40 > sound/core/rawmidi.c:1645 > [<ffffffff84f816d3>] __snd_device_register.part.0+0x63/0xc0 > sound/core/device.c:164 > [< inline >] __snd_device_register sound/core/device.c:162 > [<ffffffff84f8235d>] snd_device_register_all+0xad/0x110 > sound/core/device.c:212 > [<ffffffff84f7546f>] snd_card_register+0xef/0x6c0 sound/core/init.c:749 > [<ffffffff85040b7f>] snd_virmidi_probe+0x3ef/0x590 > sound/drivers/virmidi.c:123 > [<ffffffff833ebf7b>] platform_drv_probe+0x8b/0x170 > drivers/base/platform.c:564 > [< inline >] really_probe drivers/base/dd.c:377 > [<ffffffff833e5993>] driver_probe_device+0x563/0xcc0 > drivers/base/dd.c:499 > [<ffffffff833e653d>] __device_attach_driver+0x21d/0x2e0 > drivers/base/dd.c:594 > [<ffffffff833df38f>] bus_for_each_drv+0x13f/0x1d0 drivers/base/bus.c:463 > [<ffffffff833e51ef>] __device_attach+0x1ef/0x300 drivers/base/dd.c:651 > [<ffffffff833e669a>] device_initial_probe+0x1a/0x20 drivers/base/dd.c:698 > [<ffffffff833e2999>] bus_probe_device+0x1e9/0x290 drivers/base/bus.c:557 > [<ffffffff833dc459>] 
device_add+0xc49/0x14c0 drivers/base/core.c:1120 > [<ffffffff833eb629>] platform_device_add+0x2f9/0x7b0 > drivers/base/platform.c:403 > [<ffffffff833ed3b2>] platform_device_register_full+0x392/0x4b0 > drivers/base/platform.c:536 > [< inline >] platform_device_register_resndata > ./include/linux/platform_device.h:111 > [< inline >] platform_device_register_simple > ./include/linux/platform_device.h:140 > [<ffffffff8870fabd>] alsa_card_virmidi_init+0x104/0x1da > sound/drivers/virmidi.c:172 > [<ffffffff81002330>] do_one_initcall+0xa0/0x2b0 init/main.c:778 > [< inline >] do_initcall_level init/main.c:843 > [< inline >] do_initcalls init/main.c:851 > [< inline >] do_basic_setup init/main.c:869 > [<ffffffff88604d11>] kernel_init_freeable+0x47b/0x534 init/main.c:1016 > [<ffffffff863e2f53>] kernel_init+0x13/0x180 init/main.c:942 > [<ffffffff863fbdcf>] ret_from_fork+0x1f/0x40 > arch/x86/entry/entry_64.S:393 > > -> #0 (register_mutex#5){+.+.+.}: > [< inline >] check_prev_add kernel/locking/lockdep.c:1829 > [< inline >] check_prevs_add kernel/locking/lockdep.c:1939 > [< inline >] validate_chain kernel/locking/lockdep.c:2266 > [<ffffffff814791f4>] __lock_acquire+0x4d44/0x4d80 > kernel/locking/lockdep.c:3335 > [<ffffffff8147a3a8>] lock_acquire+0x208/0x430 > kernel/locking/lockdep.c:3746 > [< inline >] __mutex_lock_common kernel/locking/mutex.c:521 > [<ffffffff863f0ef1>] mutex_lock_nested+0xb1/0xa20 > kernel/locking/mutex.c:621 > [<ffffffff84fd6d4b>] snd_rawmidi_kernel_open+0x4b/0x260 > sound/core/rawmidi.c:341 > [<ffffffff8502e7c7>] midisynth_subscribe+0xf7/0x350 > sound/core/seq/seq_midi.c:188 > [< inline >] subscribe_port sound/core/seq/seq_ports.c:427 > [<ffffffff85013cc7>] check_and_subscribe_port+0x467/0x5c0 > sound/core/seq/seq_ports.c:510 > [<ffffffff85015da9>] snd_seq_port_connect+0x2c9/0x500 > sound/core/seq/seq_ports.c:579 > [<ffffffff850079b8>] snd_seq_ioctl_subscribe_port+0x1d8/0x2b0 > sound/core/seq/seq_clientmgr.c:1480 > [<ffffffff84ffe9e4>] 
snd_seq_do_ioctl+0x184/0x1e0 > sound/core/seq/seq_clientmgr.c:2225 > [<ffffffff84ffeae8>] snd_seq_kernel_client_ctl+0xa8/0x110 > sound/core/seq/seq_clientmgr.c:2440 > [<ffffffff85027664>] snd_seq_oss_midi_open+0x3b4/0x610 > sound/core/seq/oss/seq_oss_midi.c:375 > [<ffffffff85023d67>] snd_seq_oss_synth_setup_midi+0x107/0x4c0 > sound/core/seq/oss/seq_oss_synth.c:281 > [<ffffffff8501b0a8>] snd_seq_oss_open+0x748/0x8d0 > sound/core/seq/oss/seq_oss_init.c:274 > [<ffffffff85019d8a>] odev_open+0x6a/0x90 sound/core/seq/oss/seq_oss.c:138 > [<ffffffff84f7040f>] soundcore_open+0x30f/0x640 sound/sound_core.c:639 > [<ffffffff818069ea>] chrdev_open+0x22a/0x4c0 fs/char_dev.c:392 > [<ffffffff817f146f>] do_dentry_open+0x69f/0xca0 fs/open.c:736 > [<ffffffff817f4aa5>] vfs_open+0x105/0x220 fs/open.c:849 > [< inline >] do_last fs/namei.c:3374 > [<ffffffff8182c35d>] path_openat+0x1efd/0x2f60 fs/namei.c:3497 > [<ffffffff81830b6e>] do_filp_open+0x18e/0x250 fs/namei.c:3532 > [<ffffffff817f53c1>] do_sys_open+0x201/0x420 fs/open.c:1036 > [< inline >] SYSC_open fs/open.c:1054 > [<ffffffff817f560d>] SyS_open+0x2d/0x40 fs/open.c:1049 > [<ffffffff863fbb80>] entry_SYSCALL_64_fastpath+0x23/0xc1 > arch/x86/entry/entry_64.S:207 > > other info that might help us debug this:
>
> Possible unsafe locking scenario:
>
>        CPU0                    CPU1
>        ----                    ----
>   lock(&grp->list_mutex);
>                                lock(register_mutex#5);
>                                lock(&grp->list_mutex);
>   lock(register_mutex#5);
>
> *** DEADLOCK ***
>
> 2 locks held by syz-executor/7154: > #0: (register_mutex#4){+.+.+.}, at: [<ffffffff85019d7f>] > odev_open+0x5f/0x90 sound/core/seq/oss/seq_oss.c:137 > #1: (&grp->list_mutex){++++.+}, at: [<ffffffff850138bb>] > check_and_subscribe_port+0x5b/0x5c0 sound/core/seq/seq_ports.c:495 > > stack backtrace: > CPU: 0 PID: 7154 Comm: syz-executor Not tainted 4.8.0-rc1+ #11 > Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 > ffffffff878b7680 ffff880038b670f0 ffffffff82a5f719 ffffffff00000000 > fffffbfff0f16ed0 ffffffff8901a0d0 
ffffffff8901a0d0 ffffffff890191a0 > ffff88003da2cf08 ffff88003da2c6c0 ffff880038b67140 ffffffff814708a8 > Call Trace: > [< inline >] __dump_stack lib/dump_stack.c:15 > [<ffffffff82a5f719>] dump_stack+0x12e/0x185 lib/dump_stack.c:51 > [<ffffffff814708a8>] print_circular_bug+0x288/0x340 > kernel/locking/lockdep.c:1202 > [< inline >] check_prev_add kernel/locking/lockdep.c:1829 > [< inline >] check_prevs_add kernel/locking/lockdep.c:1939 > [< inline >] validate_chain kernel/locking/lockdep.c:2266 > [<ffffffff814791f4>] __lock_acquire+0x4d44/0x4d80 kernel/locking/lockdep.c:3335 > [<ffffffff8147a3a8>] lock_acquire+0x208/0x430 kernel/locking/lockdep.c:3746 > [< inline >] __mutex_lock_common kernel/locking/mutex.c:521 > [<ffffffff863f0ef1>] mutex_lock_nested+0xb1/0xa20 kernel/locking/mutex.c:621 > [<ffffffff84fd6d4b>] snd_rawmidi_kernel_open+0x4b/0x260 > sound/core/rawmidi.c:341 > [<ffffffff8502e7c7>] midisynth_subscribe+0xf7/0x350 > sound/core/seq/seq_midi.c:188 > [< inline >] subscribe_port sound/core/seq/seq_ports.c:427 > [<ffffffff85013cc7>] check_and_subscribe_port+0x467/0x5c0 > sound/core/seq/seq_ports.c:510 > [<ffffffff85015da9>] snd_seq_port_connect+0x2c9/0x500 > sound/core/seq/seq_ports.c:579 > [<ffffffff850079b8>] snd_seq_ioctl_subscribe_port+0x1d8/0x2b0 > sound/core/seq/seq_clientmgr.c:1480 > [<ffffffff84ffe9e4>] snd_seq_do_ioctl+0x184/0x1e0 > sound/core/seq/seq_clientmgr.c:2225 > [<ffffffff84ffeae8>] snd_seq_kernel_client_ctl+0xa8/0x110 > sound/core/seq/seq_clientmgr.c:2440 > [<ffffffff85027664>] snd_seq_oss_midi_open+0x3b4/0x610 > sound/core/seq/oss/seq_oss_midi.c:375 > [<ffffffff85023d67>] snd_seq_oss_synth_setup_midi+0x107/0x4c0 > sound/core/seq/oss/seq_oss_synth.c:281 > [<ffffffff8501b0a8>] snd_seq_oss_open+0x748/0x8d0 > sound/core/seq/oss/seq_oss_init.c:274 > [<ffffffff85019d8a>] odev_open+0x6a/0x90 sound/core/seq/oss/seq_oss.c:138 > [<ffffffff84f7040f>] soundcore_open+0x30f/0x640 sound/sound_core.c:639 > [<ffffffff818069ea>] chrdev_open+0x22a/0x4c0 
fs/char_dev.c:392 > [<ffffffff817f146f>] do_dentry_open+0x69f/0xca0 fs/open.c:736 > [<ffffffff817f4aa5>] vfs_open+0x105/0x220 fs/open.c:849 > [< inline >] do_last fs/namei.c:3374 > [<ffffffff8182c35d>] path_openat+0x1efd/0x2f60 fs/namei.c:3497 > [<ffffffff81830b6e>] do_filp_open+0x18e/0x250 fs/namei.c:3532 > [<ffffffff817f53c1>] do_sys_open+0x201/0x420 fs/open.c:1036 > [< inline >] SYSC_open fs/open.c:1054 > [<ffffffff817f560d>] SyS_open+0x2d/0x40 fs/open.c:1049 > [<ffffffff863fbb80>] entry_SYSCALL_64_fastpath+0x23/0xc1 > arch/x86/entry/entry_64.S:207 Ping. Still happens on HEAD.
* Re: sound: deadlock snd_rawmidi_kernel_open/check_and_subscribe_port 2016-08-22 0:15 ` Dmitry Vyukov @ 2016-08-22 9:21 ` Takashi Iwai 0 siblings, 0 replies; 8+ messages in thread From: Takashi Iwai @ 2016-08-22 9:21 UTC (permalink / raw) To: Dmitry Vyukov Cc: alsa-devel, Jaroslav Kysela, LKML, Alexander Potapenko, Kostya Serebryany, syzkaller On Mon, 22 Aug 2016 02:15:48 +0200, Dmitry Vyukov wrote: > > On Sat, Aug 13, 2016 at 2:43 PM, Dmitry Vyukov <dvyukov@google.com> wrote: > > Hello, > > > > While running syzkaller fuzzer on > > f31494bd05b06b0cdb4da6aebe92eaafab970df6 (Aug 12), I've got the > > following deadlock report: > > > > ====================================================== > > [ INFO: possible circular locking dependency detected ] > > 4.8.0-rc1+ #11 Not tainted > > ------------------------------------------------------- > > syz-executor/7154 is trying to acquire lock: > > (register_mutex#5){+.+.+.}, at: [<ffffffff84fd6d4b>] > > snd_rawmidi_kernel_open+0x4b/0x260 sound/core/rawmidi.c:341 > > > > but task is already holding lock: > > (&grp->list_mutex){++++.+}, at: [<ffffffff850138bb>] > > check_and_subscribe_port+0x5b/0x5c0 sound/core/seq/seq_ports.c:495 > > > > which lock already depends on the new lock. 
> > > > the existing dependency chain (in reverse order) is: > > > > -> #1 (&grp->list_mutex){++++.+}: > > [<ffffffff8147a3a8>] lock_acquire+0x208/0x430 > > kernel/locking/lockdep.c:3746 > > [<ffffffff863f6199>] down_read+0x49/0xc0 kernel/locking/rwsem.c:22 > > [< inline >] deliver_to_subscribers > > sound/core/seq/seq_clientmgr.c:681 > > [<ffffffff85005c5e>] snd_seq_deliver_event+0x35e/0x890 > > sound/core/seq/seq_clientmgr.c:822 > > [<ffffffff85006e96>] snd_seq_kernel_client_dispatch+0x126/0x170 > > sound/core/seq/seq_clientmgr.c:2418 > > [<ffffffff85012c52>] snd_seq_system_broadcast+0xb2/0xf0 > > sound/core/seq/seq_system.c:101 > > [<ffffffff84fff70a>] snd_seq_create_kernel_client+0x24a/0x330 > > sound/core/seq/seq_clientmgr.c:2297 > > [< inline >] snd_virmidi_dev_attach_seq > > sound/core/seq/seq_virmidi.c:383 > > [<ffffffff8502d29f>] snd_virmidi_dev_register+0x29f/0x750 > > sound/core/seq/seq_virmidi.c:450 > > [<ffffffff84fd208c>] snd_rawmidi_dev_register+0x30c/0xd40 > > sound/core/rawmidi.c:1645 > > [<ffffffff84f816d3>] __snd_device_register.part.0+0x63/0xc0 > > sound/core/device.c:164 > > [< inline >] __snd_device_register sound/core/device.c:162 > > [<ffffffff84f8235d>] snd_device_register_all+0xad/0x110 > > sound/core/device.c:212 > > [<ffffffff84f7546f>] snd_card_register+0xef/0x6c0 sound/core/init.c:749 > > [<ffffffff85040b7f>] snd_virmidi_probe+0x3ef/0x590 > > sound/drivers/virmidi.c:123 > > [<ffffffff833ebf7b>] platform_drv_probe+0x8b/0x170 > > drivers/base/platform.c:564 > > [< inline >] really_probe drivers/base/dd.c:377 > > [<ffffffff833e5993>] driver_probe_device+0x563/0xcc0 > > drivers/base/dd.c:499 > > [<ffffffff833e653d>] __device_attach_driver+0x21d/0x2e0 > > drivers/base/dd.c:594 > > [<ffffffff833df38f>] bus_for_each_drv+0x13f/0x1d0 drivers/base/bus.c:463 > > [<ffffffff833e51ef>] __device_attach+0x1ef/0x300 drivers/base/dd.c:651 > > [<ffffffff833e669a>] device_initial_probe+0x1a/0x20 drivers/base/dd.c:698 > > [<ffffffff833e2999>] 
bus_probe_device+0x1e9/0x290 drivers/base/bus.c:557 > > [<ffffffff833dc459>] device_add+0xc49/0x14c0 drivers/base/core.c:1120 > > [<ffffffff833eb629>] platform_device_add+0x2f9/0x7b0 > > drivers/base/platform.c:403 > > [<ffffffff833ed3b2>] platform_device_register_full+0x392/0x4b0 > > drivers/base/platform.c:536 > > [< inline >] platform_device_register_resndata > > ./include/linux/platform_device.h:111 > > [< inline >] platform_device_register_simple > > ./include/linux/platform_device.h:140 > > [<ffffffff8870fabd>] alsa_card_virmidi_init+0x104/0x1da > > sound/drivers/virmidi.c:172 > > [<ffffffff81002330>] do_one_initcall+0xa0/0x2b0 init/main.c:778 > > [< inline >] do_initcall_level init/main.c:843 > > [< inline >] do_initcalls init/main.c:851 > > [< inline >] do_basic_setup init/main.c:869 > > [<ffffffff88604d11>] kernel_init_freeable+0x47b/0x534 init/main.c:1016 > > [<ffffffff863e2f53>] kernel_init+0x13/0x180 init/main.c:942 > > [<ffffffff863fbdcf>] ret_from_fork+0x1f/0x40 > > arch/x86/entry/entry_64.S:393 > > > > -> #0 (register_mutex#5){+.+.+.}: > > [< inline >] check_prev_add kernel/locking/lockdep.c:1829 > > [< inline >] check_prevs_add kernel/locking/lockdep.c:1939 > > [< inline >] validate_chain kernel/locking/lockdep.c:2266 > > [<ffffffff814791f4>] __lock_acquire+0x4d44/0x4d80 > > kernel/locking/lockdep.c:3335 > > [<ffffffff8147a3a8>] lock_acquire+0x208/0x430 > > kernel/locking/lockdep.c:3746 > > [< inline >] __mutex_lock_common kernel/locking/mutex.c:521 > > [<ffffffff863f0ef1>] mutex_lock_nested+0xb1/0xa20 > > kernel/locking/mutex.c:621 > > [<ffffffff84fd6d4b>] snd_rawmidi_kernel_open+0x4b/0x260 > > sound/core/rawmidi.c:341 > > [<ffffffff8502e7c7>] midisynth_subscribe+0xf7/0x350 > > sound/core/seq/seq_midi.c:188 > > [< inline >] subscribe_port sound/core/seq/seq_ports.c:427 > > [<ffffffff85013cc7>] check_and_subscribe_port+0x467/0x5c0 > > sound/core/seq/seq_ports.c:510 > > [<ffffffff85015da9>] snd_seq_port_connect+0x2c9/0x500 > > 
sound/core/seq/seq_ports.c:579 > > [<ffffffff850079b8>] snd_seq_ioctl_subscribe_port+0x1d8/0x2b0 > > sound/core/seq/seq_clientmgr.c:1480 > > [<ffffffff84ffe9e4>] snd_seq_do_ioctl+0x184/0x1e0 > > sound/core/seq/seq_clientmgr.c:2225 > > [<ffffffff84ffeae8>] snd_seq_kernel_client_ctl+0xa8/0x110 > > sound/core/seq/seq_clientmgr.c:2440 > > [<ffffffff85027664>] snd_seq_oss_midi_open+0x3b4/0x610 > > sound/core/seq/oss/seq_oss_midi.c:375 > > [<ffffffff85023d67>] snd_seq_oss_synth_setup_midi+0x107/0x4c0 > > sound/core/seq/oss/seq_oss_synth.c:281 > > [<ffffffff8501b0a8>] snd_seq_oss_open+0x748/0x8d0 > > sound/core/seq/oss/seq_oss_init.c:274 > > [<ffffffff85019d8a>] odev_open+0x6a/0x90 sound/core/seq/oss/seq_oss.c:138 > > [<ffffffff84f7040f>] soundcore_open+0x30f/0x640 sound/sound_core.c:639 > > [<ffffffff818069ea>] chrdev_open+0x22a/0x4c0 fs/char_dev.c:392 > > [<ffffffff817f146f>] do_dentry_open+0x69f/0xca0 fs/open.c:736 > > [<ffffffff817f4aa5>] vfs_open+0x105/0x220 fs/open.c:849 > > [< inline >] do_last fs/namei.c:3374 > > [<ffffffff8182c35d>] path_openat+0x1efd/0x2f60 fs/namei.c:3497 > > [<ffffffff81830b6e>] do_filp_open+0x18e/0x250 fs/namei.c:3532 > > [<ffffffff817f53c1>] do_sys_open+0x201/0x420 fs/open.c:1036 > > [< inline >] SYSC_open fs/open.c:1054 > > [<ffffffff817f560d>] SyS_open+0x2d/0x40 fs/open.c:1049 > > [<ffffffff863fbb80>] entry_SYSCALL_64_fastpath+0x23/0xc1 > > arch/x86/entry/entry_64.S:207 > > > > other info that might help us debug this: > > > > Possible unsafe locking scenario: > > > > CPU0 CPU1 > > ---- ---- > > lock(&grp->list_mutex); > > lock(register_mutex#5); > > lock(&grp->list_mutex); > > lock(register_mutex#5); > > > > *** DEADLOCK *** > > > > 2 locks held by syz-executor/7154: > > #0: (register_mutex#4){+.+.+.}, at: [<ffffffff85019d7f>] > > odev_open+0x5f/0x90 sound/core/seq/oss/seq_oss.c:137 > > #1: (&grp->list_mutex){++++.+}, at: [<ffffffff850138bb>] > > check_and_subscribe_port+0x5b/0x5c0 sound/core/seq/seq_ports.c:495 > > > > stack backtrace: > 
> CPU: 0 PID: 7154 Comm: syz-executor Not tainted 4.8.0-rc1+ #11 > > Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 > > ffffffff878b7680 ffff880038b670f0 ffffffff82a5f719 ffffffff00000000 > > fffffbfff0f16ed0 ffffffff8901a0d0 ffffffff8901a0d0 ffffffff890191a0 > > ffff88003da2cf08 ffff88003da2c6c0 ffff880038b67140 ffffffff814708a8 > > Call Trace: > > [< inline >] __dump_stack lib/dump_stack.c:15 > > [<ffffffff82a5f719>] dump_stack+0x12e/0x185 lib/dump_stack.c:51 > > [<ffffffff814708a8>] print_circular_bug+0x288/0x340 > > kernel/locking/lockdep.c:1202 > > [< inline >] check_prev_add kernel/locking/lockdep.c:1829 > > [< inline >] check_prevs_add kernel/locking/lockdep.c:1939 > > [< inline >] validate_chain kernel/locking/lockdep.c:2266 > > [<ffffffff814791f4>] __lock_acquire+0x4d44/0x4d80 kernel/locking/lockdep.c:3335 > > [<ffffffff8147a3a8>] lock_acquire+0x208/0x430 kernel/locking/lockdep.c:3746 > > [< inline >] __mutex_lock_common kernel/locking/mutex.c:521 > > [<ffffffff863f0ef1>] mutex_lock_nested+0xb1/0xa20 kernel/locking/mutex.c:621 > > [<ffffffff84fd6d4b>] snd_rawmidi_kernel_open+0x4b/0x260 > > sound/core/rawmidi.c:341 > > [<ffffffff8502e7c7>] midisynth_subscribe+0xf7/0x350 > > sound/core/seq/seq_midi.c:188 > > [< inline >] subscribe_port sound/core/seq/seq_ports.c:427 > > [<ffffffff85013cc7>] check_and_subscribe_port+0x467/0x5c0 > > sound/core/seq/seq_ports.c:510 > > [<ffffffff85015da9>] snd_seq_port_connect+0x2c9/0x500 > > sound/core/seq/seq_ports.c:579 > > [<ffffffff850079b8>] snd_seq_ioctl_subscribe_port+0x1d8/0x2b0 > > sound/core/seq/seq_clientmgr.c:1480 > > [<ffffffff84ffe9e4>] snd_seq_do_ioctl+0x184/0x1e0 > > sound/core/seq/seq_clientmgr.c:2225 > > [<ffffffff84ffeae8>] snd_seq_kernel_client_ctl+0xa8/0x110 > > sound/core/seq/seq_clientmgr.c:2440 > > [<ffffffff85027664>] snd_seq_oss_midi_open+0x3b4/0x610 > > sound/core/seq/oss/seq_oss_midi.c:375 > > [<ffffffff85023d67>] snd_seq_oss_synth_setup_midi+0x107/0x4c0 > > 
sound/core/seq/oss/seq_oss_synth.c:281 > > [<ffffffff8501b0a8>] snd_seq_oss_open+0x748/0x8d0 > > sound/core/seq/oss/seq_oss_init.c:274 > > [<ffffffff85019d8a>] odev_open+0x6a/0x90 sound/core/seq/oss/seq_oss.c:138 > > [<ffffffff84f7040f>] soundcore_open+0x30f/0x640 sound/sound_core.c:639 > > [<ffffffff818069ea>] chrdev_open+0x22a/0x4c0 fs/char_dev.c:392 > > [<ffffffff817f146f>] do_dentry_open+0x69f/0xca0 fs/open.c:736 > > [<ffffffff817f4aa5>] vfs_open+0x105/0x220 fs/open.c:849 > > [< inline >] do_last fs/namei.c:3374 > > [<ffffffff8182c35d>] path_openat+0x1efd/0x2f60 fs/namei.c:3497 > > [<ffffffff81830b6e>] do_filp_open+0x18e/0x250 fs/namei.c:3532 > > [<ffffffff817f53c1>] do_sys_open+0x201/0x420 fs/open.c:1036 > > [< inline >] SYSC_open fs/open.c:1054 > > [<ffffffff817f560d>] SyS_open+0x2d/0x40 fs/open.c:1049 > > [<ffffffff863fbb80>] entry_SYSCALL_64_fastpath+0x23/0xc1 > > arch/x86/entry/entry_64.S:207 > > > Ping. Still happens on HEAD. Sorry, I've been on vacation in the last week. I'll take a look once after digesting the whole backlogs... thanks, Takashi ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: sound: deadlock snd_rawmidi_kernel_open/check_and_subscribe_port @ 2016-08-22 9:21 ` Takashi Iwai 0 siblings, 0 replies; 8+ messages in thread From: Takashi Iwai @ 2016-08-22 9:21 UTC (permalink / raw) To: Dmitry Vyukov Cc: alsa-devel, Jaroslav Kysela, LKML, Alexander Potapenko, Kostya Serebryany, syzkaller On Mon, 22 Aug 2016 02:15:48 +0200, Dmitry Vyukov wrote: > > On Sat, Aug 13, 2016 at 2:43 PM, Dmitry Vyukov <dvyukov@google.com> wrote: > > Hello, > > > > While running syzkaller fuzzer on > > f31494bd05b06b0cdb4da6aebe92eaafab970df6 (Aug 12), I've got the > > following deadlock report: > > > > ====================================================== > > [ INFO: possible circular locking dependency detected ] > > 4.8.0-rc1+ #11 Not tainted > > ------------------------------------------------------- > > syz-executor/7154 is trying to acquire lock: > > (register_mutex#5){+.+.+.}, at: [<ffffffff84fd6d4b>] > > snd_rawmidi_kernel_open+0x4b/0x260 sound/core/rawmidi.c:341 > > > > but task is already holding lock: > > (&grp->list_mutex){++++.+}, at: [<ffffffff850138bb>] > > check_and_subscribe_port+0x5b/0x5c0 sound/core/seq/seq_ports.c:495 > > > > which lock already depends on the new lock. 
> > > > the existing dependency chain (in reverse order) is: > > > > -> #1 (&grp->list_mutex){++++.+}: > > [<ffffffff8147a3a8>] lock_acquire+0x208/0x430 > > kernel/locking/lockdep.c:3746 > > [<ffffffff863f6199>] down_read+0x49/0xc0 kernel/locking/rwsem.c:22 > > [< inline >] deliver_to_subscribers > > sound/core/seq/seq_clientmgr.c:681 > > [<ffffffff85005c5e>] snd_seq_deliver_event+0x35e/0x890 > > sound/core/seq/seq_clientmgr.c:822 > > [<ffffffff85006e96>] snd_seq_kernel_client_dispatch+0x126/0x170 > > sound/core/seq/seq_clientmgr.c:2418 > > [<ffffffff85012c52>] snd_seq_system_broadcast+0xb2/0xf0 > > sound/core/seq/seq_system.c:101 > > [<ffffffff84fff70a>] snd_seq_create_kernel_client+0x24a/0x330 > > sound/core/seq/seq_clientmgr.c:2297 > > [< inline >] snd_virmidi_dev_attach_seq > > sound/core/seq/seq_virmidi.c:383 > > [<ffffffff8502d29f>] snd_virmidi_dev_register+0x29f/0x750 > > sound/core/seq/seq_virmidi.c:450 > > [<ffffffff84fd208c>] snd_rawmidi_dev_register+0x30c/0xd40 > > sound/core/rawmidi.c:1645 > > [<ffffffff84f816d3>] __snd_device_register.part.0+0x63/0xc0 > > sound/core/device.c:164 > > [< inline >] __snd_device_register sound/core/device.c:162 > > [<ffffffff84f8235d>] snd_device_register_all+0xad/0x110 > > sound/core/device.c:212 > > [<ffffffff84f7546f>] snd_card_register+0xef/0x6c0 sound/core/init.c:749 > > [<ffffffff85040b7f>] snd_virmidi_probe+0x3ef/0x590 > > sound/drivers/virmidi.c:123 > > [<ffffffff833ebf7b>] platform_drv_probe+0x8b/0x170 > > drivers/base/platform.c:564 > > [< inline >] really_probe drivers/base/dd.c:377 > > [<ffffffff833e5993>] driver_probe_device+0x563/0xcc0 > > drivers/base/dd.c:499 > > [<ffffffff833e653d>] __device_attach_driver+0x21d/0x2e0 > > drivers/base/dd.c:594 > > [<ffffffff833df38f>] bus_for_each_drv+0x13f/0x1d0 drivers/base/bus.c:463 > > [<ffffffff833e51ef>] __device_attach+0x1ef/0x300 drivers/base/dd.c:651 > > [<ffffffff833e669a>] device_initial_probe+0x1a/0x20 drivers/base/dd.c:698 > > [<ffffffff833e2999>] 
bus_probe_device+0x1e9/0x290 drivers/base/bus.c:557 > > [<ffffffff833dc459>] device_add+0xc49/0x14c0 drivers/base/core.c:1120 > > [<ffffffff833eb629>] platform_device_add+0x2f9/0x7b0 > > drivers/base/platform.c:403 > > [<ffffffff833ed3b2>] platform_device_register_full+0x392/0x4b0 > > drivers/base/platform.c:536 > > [< inline >] platform_device_register_resndata > > ./include/linux/platform_device.h:111 > > [< inline >] platform_device_register_simple > > ./include/linux/platform_device.h:140 > > [<ffffffff8870fabd>] alsa_card_virmidi_init+0x104/0x1da > > sound/drivers/virmidi.c:172 > > [<ffffffff81002330>] do_one_initcall+0xa0/0x2b0 init/main.c:778 > > [< inline >] do_initcall_level init/main.c:843 > > [< inline >] do_initcalls init/main.c:851 > > [< inline >] do_basic_setup init/main.c:869 > > [<ffffffff88604d11>] kernel_init_freeable+0x47b/0x534 init/main.c:1016 > > [<ffffffff863e2f53>] kernel_init+0x13/0x180 init/main.c:942 > > [<ffffffff863fbdcf>] ret_from_fork+0x1f/0x40 > > arch/x86/entry/entry_64.S:393 > > > > -> #0 (register_mutex#5){+.+.+.}: > > [< inline >] check_prev_add kernel/locking/lockdep.c:1829 > > [< inline >] check_prevs_add kernel/locking/lockdep.c:1939 > > [< inline >] validate_chain kernel/locking/lockdep.c:2266 > > [<ffffffff814791f4>] __lock_acquire+0x4d44/0x4d80 > > kernel/locking/lockdep.c:3335 > > [<ffffffff8147a3a8>] lock_acquire+0x208/0x430 > > kernel/locking/lockdep.c:3746 > > [< inline >] __mutex_lock_common kernel/locking/mutex.c:521 > > [<ffffffff863f0ef1>] mutex_lock_nested+0xb1/0xa20 > > kernel/locking/mutex.c:621 > > [<ffffffff84fd6d4b>] snd_rawmidi_kernel_open+0x4b/0x260 > > sound/core/rawmidi.c:341 > > [<ffffffff8502e7c7>] midisynth_subscribe+0xf7/0x350 > > sound/core/seq/seq_midi.c:188 > > [< inline >] subscribe_port sound/core/seq/seq_ports.c:427 > > [<ffffffff85013cc7>] check_and_subscribe_port+0x467/0x5c0 > > sound/core/seq/seq_ports.c:510 > > [<ffffffff85015da9>] snd_seq_port_connect+0x2c9/0x500 > > 
sound/core/seq/seq_ports.c:579 > > [<ffffffff850079b8>] snd_seq_ioctl_subscribe_port+0x1d8/0x2b0 > > sound/core/seq/seq_clientmgr.c:1480 > > [<ffffffff84ffe9e4>] snd_seq_do_ioctl+0x184/0x1e0 > > sound/core/seq/seq_clientmgr.c:2225 > > [<ffffffff84ffeae8>] snd_seq_kernel_client_ctl+0xa8/0x110 > > sound/core/seq/seq_clientmgr.c:2440 > > [<ffffffff85027664>] snd_seq_oss_midi_open+0x3b4/0x610 > > sound/core/seq/oss/seq_oss_midi.c:375 > > [<ffffffff85023d67>] snd_seq_oss_synth_setup_midi+0x107/0x4c0 > > sound/core/seq/oss/seq_oss_synth.c:281 > > [<ffffffff8501b0a8>] snd_seq_oss_open+0x748/0x8d0 > > sound/core/seq/oss/seq_oss_init.c:274 > > [<ffffffff85019d8a>] odev_open+0x6a/0x90 sound/core/seq/oss/seq_oss.c:138 > > [<ffffffff84f7040f>] soundcore_open+0x30f/0x640 sound/sound_core.c:639 > > [<ffffffff818069ea>] chrdev_open+0x22a/0x4c0 fs/char_dev.c:392 > > [<ffffffff817f146f>] do_dentry_open+0x69f/0xca0 fs/open.c:736 > > [<ffffffff817f4aa5>] vfs_open+0x105/0x220 fs/open.c:849 > > [< inline >] do_last fs/namei.c:3374 > > [<ffffffff8182c35d>] path_openat+0x1efd/0x2f60 fs/namei.c:3497 > > [<ffffffff81830b6e>] do_filp_open+0x18e/0x250 fs/namei.c:3532 > > [<ffffffff817f53c1>] do_sys_open+0x201/0x420 fs/open.c:1036 > > [< inline >] SYSC_open fs/open.c:1054 > > [<ffffffff817f560d>] SyS_open+0x2d/0x40 fs/open.c:1049 > > [<ffffffff863fbb80>] entry_SYSCALL_64_fastpath+0x23/0xc1 > > arch/x86/entry/entry_64.S:207 > > > > other info that might help us debug this: > > > > Possible unsafe locking scenario: > > > > CPU0 CPU1 > > ---- ---- > > lock(&grp->list_mutex); > > lock(register_mutex#5); > > lock(&grp->list_mutex); > > lock(register_mutex#5); > > > > *** DEADLOCK *** > > > > 2 locks held by syz-executor/7154: > > #0: (register_mutex#4){+.+.+.}, at: [<ffffffff85019d7f>] > > odev_open+0x5f/0x90 sound/core/seq/oss/seq_oss.c:137 > > #1: (&grp->list_mutex){++++.+}, at: [<ffffffff850138bb>] > > check_and_subscribe_port+0x5b/0x5c0 sound/core/seq/seq_ports.c:495 > > > > stack backtrace: > 
> CPU: 0 PID: 7154 Comm: syz-executor Not tainted 4.8.0-rc1+ #11 > > Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 > > ffffffff878b7680 ffff880038b670f0 ffffffff82a5f719 ffffffff00000000 > > fffffbfff0f16ed0 ffffffff8901a0d0 ffffffff8901a0d0 ffffffff890191a0 > > ffff88003da2cf08 ffff88003da2c6c0 ffff880038b67140 ffffffff814708a8 > > Call Trace: > > [< inline >] __dump_stack lib/dump_stack.c:15 > > [<ffffffff82a5f719>] dump_stack+0x12e/0x185 lib/dump_stack.c:51 > > [<ffffffff814708a8>] print_circular_bug+0x288/0x340 > > kernel/locking/lockdep.c:1202 > > [< inline >] check_prev_add kernel/locking/lockdep.c:1829 > > [< inline >] check_prevs_add kernel/locking/lockdep.c:1939 > > [< inline >] validate_chain kernel/locking/lockdep.c:2266 > > [<ffffffff814791f4>] __lock_acquire+0x4d44/0x4d80 kernel/locking/lockdep.c:3335 > > [<ffffffff8147a3a8>] lock_acquire+0x208/0x430 kernel/locking/lockdep.c:3746 > > [< inline >] __mutex_lock_common kernel/locking/mutex.c:521 > > [<ffffffff863f0ef1>] mutex_lock_nested+0xb1/0xa20 kernel/locking/mutex.c:621 > > [<ffffffff84fd6d4b>] snd_rawmidi_kernel_open+0x4b/0x260 > > sound/core/rawmidi.c:341 > > [<ffffffff8502e7c7>] midisynth_subscribe+0xf7/0x350 > > sound/core/seq/seq_midi.c:188 > > [< inline >] subscribe_port sound/core/seq/seq_ports.c:427 > > [<ffffffff85013cc7>] check_and_subscribe_port+0x467/0x5c0 > > sound/core/seq/seq_ports.c:510 > > [<ffffffff85015da9>] snd_seq_port_connect+0x2c9/0x500 > > sound/core/seq/seq_ports.c:579 > > [<ffffffff850079b8>] snd_seq_ioctl_subscribe_port+0x1d8/0x2b0 > > sound/core/seq/seq_clientmgr.c:1480 > > [<ffffffff84ffe9e4>] snd_seq_do_ioctl+0x184/0x1e0 > > sound/core/seq/seq_clientmgr.c:2225 > > [<ffffffff84ffeae8>] snd_seq_kernel_client_ctl+0xa8/0x110 > > sound/core/seq/seq_clientmgr.c:2440 > > [<ffffffff85027664>] snd_seq_oss_midi_open+0x3b4/0x610 > > sound/core/seq/oss/seq_oss_midi.c:375 > > [<ffffffff85023d67>] snd_seq_oss_synth_setup_midi+0x107/0x4c0 > > 
sound/core/seq/oss/seq_oss_synth.c:281 > > [<ffffffff8501b0a8>] snd_seq_oss_open+0x748/0x8d0 > > sound/core/seq/oss/seq_oss_init.c:274 > > [<ffffffff85019d8a>] odev_open+0x6a/0x90 sound/core/seq/oss/seq_oss.c:138 > > [<ffffffff84f7040f>] soundcore_open+0x30f/0x640 sound/sound_core.c:639 > > [<ffffffff818069ea>] chrdev_open+0x22a/0x4c0 fs/char_dev.c:392 > > [<ffffffff817f146f>] do_dentry_open+0x69f/0xca0 fs/open.c:736 > > [<ffffffff817f4aa5>] vfs_open+0x105/0x220 fs/open.c:849 > > [< inline >] do_last fs/namei.c:3374 > > [<ffffffff8182c35d>] path_openat+0x1efd/0x2f60 fs/namei.c:3497 > > [<ffffffff81830b6e>] do_filp_open+0x18e/0x250 fs/namei.c:3532 > > [<ffffffff817f53c1>] do_sys_open+0x201/0x420 fs/open.c:1036 > > [< inline >] SYSC_open fs/open.c:1054 > > [<ffffffff817f560d>] SyS_open+0x2d/0x40 fs/open.c:1049 > > [<ffffffff863fbb80>] entry_SYSCALL_64_fastpath+0x23/0xc1 > > arch/x86/entry/entry_64.S:207 > > > Ping. Still happens on HEAD. Sorry, I've been on vacation in the last week. I'll take a look once after digesting the whole backlogs... thanks, Takashi ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: sound: deadlock snd_rawmidi_kernel_open/check_and_subscribe_port 2016-08-22 9:21 ` Takashi Iwai @ 2016-08-30 13:49 ` Takashi Iwai -1 siblings, 0 replies; 8+ messages in thread From: Takashi Iwai @ 2016-08-30 13:49 UTC (permalink / raw) To: Dmitry Vyukov Cc: alsa-devel, Jaroslav Kysela, LKML, Alexander Potapenko, Kostya Serebryany, syzkaller On Mon, 22 Aug 2016 11:21:30 +0200, Takashi Iwai wrote: > > On Mon, 22 Aug 2016 02:15:48 +0200, > Dmitry Vyukov wrote: > > > > On Sat, Aug 13, 2016 at 2:43 PM, Dmitry Vyukov <dvyukov@google.com> wrote: > > > Hello, > > > > > > While running syzkaller fuzzer on > > > f31494bd05b06b0cdb4da6aebe92eaafab970df6 (Aug 12), I've got the > > > following deadlock report: (snip) > > > > Ping. Still happens on HEAD. > > Sorry, I've been on vacation in the last week. > I'll take a look once after digesting the whole backlogs... Could you try the patch below? thanks, Takashi -- 8< -- 
From: Takashi Iwai <tiwai@suse.de> Subject: [PATCH] ALSA: rawmidi: Fix possible deadlock with virmidi registration When a seq-virmidi driver is initialized, it registers a rawmidi instance with its callback to create an associated seq kernel client. Currently this is done entirely within rawmidi's register_mutex context; this may lead to a deadlock when another rawmidi device that is attached with the sequencer is accessed, since it also opens with the register_mutex. This was actually triggered by syzkaller, as Dmitry Vyukov reported: ====================================================== [ INFO: possible circular locking dependency detected ] 4.8.0-rc1+ #11 Not tainted ------------------------------------------------------- syz-executor/7154 is trying to acquire lock: (register_mutex#5){+.+.+.}, at: [<ffffffff84fd6d4b>] snd_rawmidi_kernel_open+0x4b/0x260 sound/core/rawmidi.c:341 but task is already holding lock: (&grp->list_mutex){++++.+}, at: [<ffffffff850138bb>] check_and_subscribe_port+0x5b/0x5c0 sound/core/seq/seq_ports.c:495 which lock already depends on the new lock. 
the existing dependency chain (in reverse order) is: -> #1 (&grp->list_mutex){++++.+}: [<ffffffff8147a3a8>] lock_acquire+0x208/0x430 kernel/locking/lockdep.c:3746 [<ffffffff863f6199>] down_read+0x49/0xc0 kernel/locking/rwsem.c:22 [< inline >] deliver_to_subscribers sound/core/seq/seq_clientmgr.c:681 [<ffffffff85005c5e>] snd_seq_deliver_event+0x35e/0x890 sound/core/seq/seq_clientmgr.c:822 [<ffffffff85006e96>] > snd_seq_kernel_client_dispatch+0x126/0x170 sound/core/seq/seq_clientmgr.c:2418 [<ffffffff85012c52>] snd_seq_system_broadcast+0xb2/0xf0 sound/core/seq/seq_system.c:101 [<ffffffff84fff70a>] snd_seq_create_kernel_client+0x24a/0x330 sound/core/seq/seq_clientmgr.c:2297 [< inline >] snd_virmidi_dev_attach_seq sound/core/seq/seq_virmidi.c:383 [<ffffffff8502d29f>] snd_virmidi_dev_register+0x29f/0x750 sound/core/seq/seq_virmidi.c:450 [<ffffffff84fd208c>] snd_rawmidi_dev_register+0x30c/0xd40 sound/core/rawmidi.c:1645 [<ffffffff84f816d3>] __snd_device_register.part.0+0x63/0xc0 sound/core/device.c:164 [< inline >] __snd_device_register sound/core/device.c:162 [<ffffffff84f8235d>] snd_device_register_all+0xad/0x110 sound/core/device.c:212 [<ffffffff84f7546f>] snd_card_register+0xef/0x6c0 sound/core/init.c:749 [<ffffffff85040b7f>] snd_virmidi_probe+0x3ef/0x590 sound/drivers/virmidi.c:123 [<ffffffff833ebf7b>] platform_drv_probe+0x8b/0x170 drivers/base/platform.c:564 ...... 
-> #0 (register_mutex#5){+.+.+.}: [< inline >] check_prev_add kernel/locking/lockdep.c:1829 [< inline >] check_prevs_add kernel/locking/lockdep.c:1939 [< inline >] validate_chain kernel/locking/lockdep.c:2266 [<ffffffff814791f4>] __lock_acquire+0x4d44/0x4d80 kernel/locking/lockdep.c:3335 [<ffffffff8147a3a8>] lock_acquire+0x208/0x430 kernel/locking/lockdep.c:3746 [< inline >] __mutex_lock_common kernel/locking/mutex.c:521 [<ffffffff863f0ef1>] mutex_lock_nested+0xb1/0xa20 kernel/locking/mutex.c:621 [<ffffffff84fd6d4b>] snd_rawmidi_kernel_open+0x4b/0x260 sound/core/rawmidi.c:341 [<ffffffff8502e7c7>] midisynth_subscribe+0xf7/0x350 sound/core/seq/seq_midi.c:188 [< inline >] subscribe_port sound/core/seq/seq_ports.c:427 [<ffffffff85013cc7>] check_and_subscribe_port+0x467/0x5c0 sound/core/seq/seq_ports.c:510 [<ffffffff85015da9>] snd_seq_port_connect+0x2c9/0x500 sound/core/seq/seq_ports.c:579 [<ffffffff850079b8>] snd_seq_ioctl_subscribe_port+0x1d8/0x2b0 sound/core/seq/seq_clientmgr.c:1480 [<ffffffff84ffe9e4>] snd_seq_do_ioctl+0x184/0x1e0 sound/core/seq/seq_clientmgr.c:2225 [<ffffffff84ffeae8>] snd_seq_kernel_client_ctl+0xa8/0x110 sound/core/seq/seq_clientmgr.c:2440 [<ffffffff85027664>] snd_seq_oss_midi_open+0x3b4/0x610 sound/core/seq/oss/seq_oss_midi.c:375 [<ffffffff85023d67>] snd_seq_oss_synth_setup_midi+0x107/0x4c0 sound/core/seq/oss/seq_oss_synth.c:281 [<ffffffff8501b0a8>] snd_seq_oss_open+0x748/0x8d0 sound/core/seq/oss/seq_oss_init.c:274 [<ffffffff85019d8a>] odev_open+0x6a/0x90 sound/core/seq/oss/seq_oss.c:138 [<ffffffff84f7040f>] soundcore_open+0x30f/0x640 sound/sound_core.c:639 ...... other info that might help us debug this: Possible unsafe locking scenario: CPU0 CPU1 ---- ---- lock(&grp->list_mutex); lock(register_mutex#5); lock(&grp->list_mutex); lock(register_mutex#5); *** DEADLOCK *** ====================================================== The fix is to simply move the registration parts in snd_rawmidi_dev_register() to the outside of the register_mutex lock. 
The lock is needed only to manage the linked list, and it's not necessarily to cover the whole initialization process.
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
---
 sound/core/rawmidi.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/sound/core/rawmidi.c b/sound/core/rawmidi.c
index 795437b10082..b450a27588c8 100644
--- a/sound/core/rawmidi.c
+++ b/sound/core/rawmidi.c
@@ -1633,11 +1633,13 @@ static int snd_rawmidi_dev_register(struct snd_device *device)
 return -EBUSY;
 }
 list_add_tail(&rmidi->list, &snd_rawmidi_devices);
+ mutex_unlock(®ister_mutex);
 err = snd_register_device(SNDRV_DEVICE_TYPE_RAWMIDI,
 rmidi->card, rmidi->device,
 &snd_rawmidi_f_ops, rmidi, &rmidi->dev);
 if (err < 0) {
 rmidi_err(rmidi, "unable to register\n");
+ mutex_lock(®ister_mutex);
 list_del(&rmidi->list);
 mutex_unlock(®ister_mutex);
 return err;
@@ -1645,6 +1647,7 @@ static int snd_rawmidi_dev_register(struct snd_device *device)
 if (rmidi->ops && rmidi->ops->dev_register &&
 (err = rmidi->ops->dev_register(rmidi)) < 0) {
 snd_unregister_device(&rmidi->dev);
+ mutex_lock(®ister_mutex);
 list_del(&rmidi->list);
 mutex_unlock(®ister_mutex);
 return err;
@@ -1677,7 +1680,6 @@ static int snd_rawmidi_dev_register(struct snd_device *device)
 }
 }
 #endif /* CONFIG_SND_OSSEMUL */
- mutex_unlock(®ister_mutex);
 sprintf(name, "midi%d", rmidi->device);
 entry = snd_info_create_card_entry(rmidi->card, name, rmidi->card->proc_root);
 if (entry) {
--
2.9.3
^ permalink raw reply related [flat|nested] 8+ messages in thread
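Review bot: Dropping `register_mutex` right after `list_add_tail()` in the first hunk leaves `rmidi` visible on `snd_rawmidi_devices` while `snd_register_device()` and `ops->dev_register()` are still running, and on both error paths (here and in the -1645 hunk) until the re-taken lock reaches `list_del()`. Any path that walks that list under `register_mutex` (the trace shows `snd_rawmidi_kernel_open()` taking it at rawmidi.c:341) could, it appears, pick up a device whose registration then fails, so it is worth confirming that the object cannot be released while such an opener still holds it. I would also record the new locking rule at the unlock, e.g. `/* register_mutex guards only snd_rawmidi_devices; dev_register() may take sequencer locks, so call it unlocked */`. The function starts and ends outside these hunks, so the lookup side is not visible here.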
* Re: sound: deadlock snd_rawmidi_kernel_open/check_and_subscribe_port @ 2016-08-30 13:49 ` Takashi Iwai 0 siblings, 0 replies; 8+ messages in thread From: Takashi Iwai @ 2016-08-30 13:49 UTC (permalink / raw) To: Dmitry Vyukov Cc: alsa-devel, Jaroslav Kysela, LKML, Alexander Potapenko, Kostya Serebryany, syzkaller On Mon, 22 Aug 2016 11:21:30 +0200, Takashi Iwai wrote: > > On Mon, 22 Aug 2016 02:15:48 +0200, > Dmitry Vyukov wrote: > > > > On Sat, Aug 13, 2016 at 2:43 PM, Dmitry Vyukov <dvyukov@google.com> wrote: > > > Hello, > > > > > > While running syzkaller fuzzer on > > > f31494bd05b06b0cdb4da6aebe92eaafab970df6 (Aug 12), I've got the > > > following deadlock report: (snip) > > > > Ping. Still happens on HEAD. > > Sorry, I've been on vacation in the last week. > I'll take a look once after digesting the whole backlogs... Could you try the patch below? thanks, Takashi -- 8< -- 
From: Takashi Iwai <tiwai@suse.de> Subject: [PATCH] ALSA: rawmidi: Fix possible deadlock with virmidi registration When a seq-virmidi driver is initialized, it registers a rawmidi instance with its callback to create an associated seq kernel client. Currently this is done entirely within rawmidi's register_mutex context; this may lead to a deadlock when another rawmidi device that is attached with the sequencer is accessed, since it also opens with the register_mutex. This was actually triggered by syzkaller, as Dmitry Vyukov reported: ====================================================== [ INFO: possible circular locking dependency detected ] 4.8.0-rc1+ #11 Not tainted ------------------------------------------------------- syz-executor/7154 is trying to acquire lock: (register_mutex#5){+.+.+.}, at: [<ffffffff84fd6d4b>] snd_rawmidi_kernel_open+0x4b/0x260 sound/core/rawmidi.c:341 but task is already holding lock: (&grp->list_mutex){++++.+}, at: [<ffffffff850138bb>] check_and_subscribe_port+0x5b/0x5c0 sound/core/seq/seq_ports.c:495 which lock already depends on the new lock. 
the existing dependency chain (in reverse order) is: -> #1 (&grp->list_mutex){++++.+}: [<ffffffff8147a3a8>] lock_acquire+0x208/0x430 kernel/locking/lockdep.c:3746 [<ffffffff863f6199>] down_read+0x49/0xc0 kernel/locking/rwsem.c:22 [< inline >] deliver_to_subscribers sound/core/seq/seq_clientmgr.c:681 [<ffffffff85005c5e>] snd_seq_deliver_event+0x35e/0x890 sound/core/seq/seq_clientmgr.c:822 [<ffffffff85006e96>] > snd_seq_kernel_client_dispatch+0x126/0x170 sound/core/seq/seq_clientmgr.c:2418 [<ffffffff85012c52>] snd_seq_system_broadcast+0xb2/0xf0 sound/core/seq/seq_system.c:101 [<ffffffff84fff70a>] snd_seq_create_kernel_client+0x24a/0x330 sound/core/seq/seq_clientmgr.c:2297 [< inline >] snd_virmidi_dev_attach_seq sound/core/seq/seq_virmidi.c:383 [<ffffffff8502d29f>] snd_virmidi_dev_register+0x29f/0x750 sound/core/seq/seq_virmidi.c:450 [<ffffffff84fd208c>] snd_rawmidi_dev_register+0x30c/0xd40 sound/core/rawmidi.c:1645 [<ffffffff84f816d3>] __snd_device_register.part.0+0x63/0xc0 sound/core/device.c:164 [< inline >] __snd_device_register sound/core/device.c:162 [<ffffffff84f8235d>] snd_device_register_all+0xad/0x110 sound/core/device.c:212 [<ffffffff84f7546f>] snd_card_register+0xef/0x6c0 sound/core/init.c:749 [<ffffffff85040b7f>] snd_virmidi_probe+0x3ef/0x590 sound/drivers/virmidi.c:123 [<ffffffff833ebf7b>] platform_drv_probe+0x8b/0x170 drivers/base/platform.c:564 ...... 
-> #0 (register_mutex#5){+.+.+.}: [< inline >] check_prev_add kernel/locking/lockdep.c:1829 [< inline >] check_prevs_add kernel/locking/lockdep.c:1939 [< inline >] validate_chain kernel/locking/lockdep.c:2266 [<ffffffff814791f4>] __lock_acquire+0x4d44/0x4d80 kernel/locking/lockdep.c:3335 [<ffffffff8147a3a8>] lock_acquire+0x208/0x430 kernel/locking/lockdep.c:3746 [< inline >] __mutex_lock_common kernel/locking/mutex.c:521 [<ffffffff863f0ef1>] mutex_lock_nested+0xb1/0xa20 kernel/locking/mutex.c:621 [<ffffffff84fd6d4b>] snd_rawmidi_kernel_open+0x4b/0x260 sound/core/rawmidi.c:341 [<ffffffff8502e7c7>] midisynth_subscribe+0xf7/0x350 sound/core/seq/seq_midi.c:188 [< inline >] subscribe_port sound/core/seq/seq_ports.c:427 [<ffffffff85013cc7>] check_and_subscribe_port+0x467/0x5c0 sound/core/seq/seq_ports.c:510 [<ffffffff85015da9>] snd_seq_port_connect+0x2c9/0x500 sound/core/seq/seq_ports.c:579 [<ffffffff850079b8>] snd_seq_ioctl_subscribe_port+0x1d8/0x2b0 sound/core/seq/seq_clientmgr.c:1480 [<ffffffff84ffe9e4>] snd_seq_do_ioctl+0x184/0x1e0 sound/core/seq/seq_clientmgr.c:2225 [<ffffffff84ffeae8>] snd_seq_kernel_client_ctl+0xa8/0x110 sound/core/seq/seq_clientmgr.c:2440 [<ffffffff85027664>] snd_seq_oss_midi_open+0x3b4/0x610 sound/core/seq/oss/seq_oss_midi.c:375 [<ffffffff85023d67>] snd_seq_oss_synth_setup_midi+0x107/0x4c0 sound/core/seq/oss/seq_oss_synth.c:281 [<ffffffff8501b0a8>] snd_seq_oss_open+0x748/0x8d0 sound/core/seq/oss/seq_oss_init.c:274 [<ffffffff85019d8a>] odev_open+0x6a/0x90 sound/core/seq/oss/seq_oss.c:138 [<ffffffff84f7040f>] soundcore_open+0x30f/0x640 sound/sound_core.c:639 ...... other info that might help us debug this: Possible unsafe locking scenario: CPU0 CPU1 ---- ---- lock(&grp->list_mutex); lock(register_mutex#5); lock(&grp->list_mutex); lock(register_mutex#5); *** DEADLOCK *** ====================================================== The fix is to simply move the registration parts in snd_rawmidi_dev_register() to the outside of the register_mutex lock. 
The lock is needed only to manage the linked list, and it's not necessarily to cover the whole initialization process.
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
---
 sound/core/rawmidi.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/sound/core/rawmidi.c b/sound/core/rawmidi.c
index 795437b10082..b450a27588c8 100644
--- a/sound/core/rawmidi.c
+++ b/sound/core/rawmidi.c
@@ -1633,11 +1633,13 @@ static int snd_rawmidi_dev_register(struct snd_device *device)
 return -EBUSY;
 }
 list_add_tail(&rmidi->list, &snd_rawmidi_devices);
+ mutex_unlock(®ister_mutex);
 err = snd_register_device(SNDRV_DEVICE_TYPE_RAWMIDI,
 rmidi->card, rmidi->device,
 &snd_rawmidi_f_ops, rmidi, &rmidi->dev);
 if (err < 0) {
 rmidi_err(rmidi, "unable to register\n");
+ mutex_lock(®ister_mutex);
 list_del(&rmidi->list);
 mutex_unlock(®ister_mutex);
 return err;
@@ -1645,6 +1647,7 @@ static int snd_rawmidi_dev_register(struct snd_device *device)
 if (rmidi->ops && rmidi->ops->dev_register &&
 (err = rmidi->ops->dev_register(rmidi)) < 0) {
 snd_unregister_device(&rmidi->dev);
+ mutex_lock(®ister_mutex);
 list_del(&rmidi->list);
 mutex_unlock(®ister_mutex);
 return err;
@@ -1677,7 +1680,6 @@ static int snd_rawmidi_dev_register(struct snd_device *device)
 }
 }
 #endif /* CONFIG_SND_OSSEMUL */
- mutex_unlock(®ister_mutex);
 sprintf(name, "midi%d", rmidi->device);
 entry = snd_info_create_card_entry(rmidi->card, name, rmidi->card->proc_root);
 if (entry) {
--
2.9.3
^ permalink raw reply related [flat|nested] 8+ messages in thread
* Re: sound: deadlock snd_rawmidi_kernel_open/check_and_subscribe_port 2016-08-30 13:49 ` Takashi Iwai (?) @ 2016-08-30 14:05 ` Dmitry Vyukov -1 siblings, 0 replies; 8+ messages in thread From: Dmitry Vyukov @ 2016-08-30 14:05 UTC (permalink / raw) To: Takashi Iwai Cc: alsa-devel, Jaroslav Kysela, LKML, Alexander Potapenko, Kostya Serebryany, syzkaller On Tue, Aug 30, 2016 at 3:49 PM, Takashi Iwai <tiwai@suse.de> wrote: > On Mon, 22 Aug 2016 11:21:30 +0200, > Takashi Iwai wrote: >> >> On Mon, 22 Aug 2016 02:15:48 +0200, >> Dmitry Vyukov wrote: >> > >> > On Sat, Aug 13, 2016 at 2:43 PM, Dmitry Vyukov <dvyukov@google.com> wrote: >> > > Hello, >> > > >> > > While running syzkaller fuzzer on >> > > f31494bd05b06b0cdb4da6aebe92eaafab970df6 (Aug 12), I've got the >> > > following deadlock report: > (snip) >> > >> > Ping. Still happens on HEAD. >> >> Sorry, I've been on vacation in the last week. >> I'll take a look once after digesting the whole backlogs... > > Could you try the patch below? Incorporated into my tree. I will notify if I see this again. > thanks, > > Takashi > > -- 8< -- 
> From: Takashi Iwai <tiwai@suse.de> > Subject: [PATCH] ALSA: rawmidi: Fix possible deadlock with virmidi > registration > > When a seq-virmidi driver is initialized, it registers a rawmidi > instance with its callback to create an associated seq kernel client. > Currently it's done throughly in rawmidi's register_mutex context, > this may lead to a deadlock another rawmidi device that is attached > with the sequencer is accessed, since it also opens with the > register_mutex. This was actually triggered by syzkaller, as Dmitry > Vyukov reported: > > ====================================================== > [ INFO: possible circular locking dependency detected ] > 4.8.0-rc1+ #11 Not tainted > ------------------------------------------------------- > syz-executor/7154 is trying to acquire lock: > (register_mutex#5){+.+.+.}, at: [<ffffffff84fd6d4b>] snd_rawmidi_kernel_open+0x4b/0x260 sound/core/rawmidi.c:341 > > but task is already holding lock: > (&grp->list_mutex){++++.+}, at: [<ffffffff850138bb>] check_and_subscribe_port+0x5b/0x5c0 sound/core/seq/seq_ports.c:495 > > which lock already depends on the new lock. 
> > the existing dependency chain (in reverse order) is: > > -> #1 (&grp->list_mutex){++++.+}: > [<ffffffff8147a3a8>] lock_acquire+0x208/0x430 kernel/locking/lockdep.c:3746 > [<ffffffff863f6199>] down_read+0x49/0xc0 kernel/locking/rwsem.c:22 > [< inline >] deliver_to_subscribers sound/core/seq/seq_clientmgr.c:681 > [<ffffffff85005c5e>] snd_seq_deliver_event+0x35e/0x890 sound/core/seq/seq_clientmgr.c:822 > [<ffffffff85006e96>] > snd_seq_kernel_client_dispatch+0x126/0x170 sound/core/seq/seq_clientmgr.c:2418 > [<ffffffff85012c52>] snd_seq_system_broadcast+0xb2/0xf0 sound/core/seq/seq_system.c:101 > [<ffffffff84fff70a>] snd_seq_create_kernel_client+0x24a/0x330 sound/core/seq/seq_clientmgr.c:2297 > [< inline >] snd_virmidi_dev_attach_seq sound/core/seq/seq_virmidi.c:383 > [<ffffffff8502d29f>] snd_virmidi_dev_register+0x29f/0x750 sound/core/seq/seq_virmidi.c:450 > [<ffffffff84fd208c>] snd_rawmidi_dev_register+0x30c/0xd40 sound/core/rawmidi.c:1645 > [<ffffffff84f816d3>] __snd_device_register.part.0+0x63/0xc0 sound/core/device.c:164 > [< inline >] __snd_device_register sound/core/device.c:162 > [<ffffffff84f8235d>] snd_device_register_all+0xad/0x110 sound/core/device.c:212 > [<ffffffff84f7546f>] snd_card_register+0xef/0x6c0 sound/core/init.c:749 > [<ffffffff85040b7f>] snd_virmidi_probe+0x3ef/0x590 sound/drivers/virmidi.c:123 > [<ffffffff833ebf7b>] platform_drv_probe+0x8b/0x170 drivers/base/platform.c:564 > ...... 
> > -> #0 (register_mutex#5){+.+.+.}: > [< inline >] check_prev_add kernel/locking/lockdep.c:1829 > [< inline >] check_prevs_add kernel/locking/lockdep.c:1939 > [< inline >] validate_chain kernel/locking/lockdep.c:2266 > [<ffffffff814791f4>] __lock_acquire+0x4d44/0x4d80 kernel/locking/lockdep.c:3335 > [<ffffffff8147a3a8>] lock_acquire+0x208/0x430 kernel/locking/lockdep.c:3746 > [< inline >] __mutex_lock_common kernel/locking/mutex.c:521 > [<ffffffff863f0ef1>] mutex_lock_nested+0xb1/0xa20 kernel/locking/mutex.c:621 > [<ffffffff84fd6d4b>] snd_rawmidi_kernel_open+0x4b/0x260 sound/core/rawmidi.c:341 > [<ffffffff8502e7c7>] midisynth_subscribe+0xf7/0x350 sound/core/seq/seq_midi.c:188 > [< inline >] subscribe_port sound/core/seq/seq_ports.c:427 > [<ffffffff85013cc7>] check_and_subscribe_port+0x467/0x5c0 sound/core/seq/seq_ports.c:510 > [<ffffffff85015da9>] snd_seq_port_connect+0x2c9/0x500 sound/core/seq/seq_ports.c:579 > [<ffffffff850079b8>] snd_seq_ioctl_subscribe_port+0x1d8/0x2b0 sound/core/seq/seq_clientmgr.c:1480 > [<ffffffff84ffe9e4>] snd_seq_do_ioctl+0x184/0x1e0 sound/core/seq/seq_clientmgr.c:2225 > [<ffffffff84ffeae8>] snd_seq_kernel_client_ctl+0xa8/0x110 sound/core/seq/seq_clientmgr.c:2440 > [<ffffffff85027664>] snd_seq_oss_midi_open+0x3b4/0x610 sound/core/seq/oss/seq_oss_midi.c:375 > [<ffffffff85023d67>] snd_seq_oss_synth_setup_midi+0x107/0x4c0 sound/core/seq/oss/seq_oss_synth.c:281 > [<ffffffff8501b0a8>] snd_seq_oss_open+0x748/0x8d0 sound/core/seq/oss/seq_oss_init.c:274 > [<ffffffff85019d8a>] odev_open+0x6a/0x90 sound/core/seq/oss/seq_oss.c:138 > [<ffffffff84f7040f>] soundcore_open+0x30f/0x640 sound/sound_core.c:639 > ...... 
> > other info that might help us debug this: > > Possible unsafe locking scenario: > > CPU0 CPU1 > ---- ---- > lock(&grp->list_mutex); > lock(register_mutex#5); > lock(&grp->list_mutex); > lock(register_mutex#5); > > *** DEADLOCK *** > ====================================================== > > The fix is to simply move the registration parts in > snd_rawmidi_dev_register() to the outside of the register_mutex lock. > The lock is needed only to manage the linked list, and it's not > necessarily to cover the whole initialization process. > > Reported-by: Dmitry Vyukov <dvyukov@google.com> > Signed-off-by: Takashi Iwai <tiwai@suse.de> > --- > sound/core/rawmidi.c | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) >
> diff --git a/sound/core/rawmidi.c b/sound/core/rawmidi.c
> index 795437b10082..b450a27588c8 100644
> --- a/sound/core/rawmidi.c
> +++ b/sound/core/rawmidi.c
> @@ -1633,11 +1633,13 @@ static int snd_rawmidi_dev_register(struct snd_device *device)
> return -EBUSY;
> }
> list_add_tail(&rmidi->list, &snd_rawmidi_devices);
> + mutex_unlock(®ister_mutex);
> err = snd_register_device(SNDRV_DEVICE_TYPE_RAWMIDI,
> rmidi->card, rmidi->device,
> &snd_rawmidi_f_ops, rmidi, &rmidi->dev);
> if (err < 0) {
> rmidi_err(rmidi, "unable to register\n");
> + mutex_lock(®ister_mutex);
> list_del(&rmidi->list);
> mutex_unlock(®ister_mutex);
> return err;
> @@ -1645,6 +1647,7 @@ static int snd_rawmidi_dev_register(struct snd_device *device)
> if (rmidi->ops && rmidi->ops->dev_register &&
> (err = rmidi->ops->dev_register(rmidi)) < 0) {
> snd_unregister_device(&rmidi->dev);
> + mutex_lock(®ister_mutex);
> list_del(&rmidi->list);
> mutex_unlock(®ister_mutex);
> return err;
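Review bot: After the added `mutex_unlock(&register_mutex);` in the first hunk, `rmidi` is already linked on `snd_rawmidi_devices` while `snd_register_device()` and `rmidi->ops->dev_register()` have not yet run, so a concurrent lookup that walks the list under register_mutex could presumably find a device that is only partly registered. The second hunk's error path has the mirror-image window, since `snd_unregister_device(&rmidi->dev)` runs before the entry is unlinked. Whether an opener can actually act on such an entry depends on code outside these hunks (the function starts and ends outside them), so this should be confirmed against the open path named in the lockdep report. At minimum the narrowed lock scope deserves a comment at the new unlock, e.g. `/* register_mutex guards only snd_rawmidi_devices; the registration callbacks may take sequencer locks and must run unlocked */`.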
> @@ -1677,7 +1680,6 @@ static int snd_rawmidi_dev_register(struct snd_device *device)
> }
> }
> #endif /* CONFIG_SND_OSSEMUL */
> - mutex_unlock(®ister_mutex);
> sprintf(name, "midi%d", rmidi->device);
> entry = snd_info_create_card_entry(rmidi->card, name, rmidi->card->proc_root);
> if (entry) {
> --
> 2.9.3
> ^ permalink raw reply [flat|nested] 8+ messages in thread