* sound: list corruption in delete_and_unsubscribe_port
@ 2016-02-16  9:41 Dmitry Vyukov
From: Dmitry Vyukov @ 2016-02-16  9:41 UTC (permalink / raw)
  To: Jaroslav Kysela, Takashi Iwai, alsa-devel, LKML
  Cc: Alexander Potapenko, Kostya Serebryany, Sasha Levin, syzkaller

Hello,

Here is a new one on 18558cae0272f8fd9647e69d3fec1565a7949865
(4.5-rc4). But I need to note that sound has become much more stable; I've
seen only 2 of these overnight.

The following program causes list corruption:

------------[ cut here ]------------
WARNING: CPU: 2 PID: 12546 at lib/list_debug.c:62 __list_del_entry+0x10b/0x1e0()
list_del corruption, ffff880063512388->next is LIST_POISON1 (dead000000000100)
Modules linked in:
CPU: 2 PID: 12546 Comm: a.out Not tainted 4.5.0-rc4+ #328
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
 ffffffff87b05080 ffff8800608b7a48 ffffffff82be46cf ffffffff81477fb8
 fffffbfff0f60a10 ffff8800608b7ab8 ffff8800637d97c0 ffffffff86ad3780
 0000000000000009 000000000000003e ffff8800608b7a88 ffffffff81355139
Call Trace:
 [<ffffffff81355249>] warn_slowpath_fmt+0xa9/0xd0 kernel/panic.c:494
 [<ffffffff82c4c36b>] __list_del_entry+0x10b/0x1e0 lib/list_debug.c:60
 [<ffffffff82c4c44d>] list_del+0xd/0x70 lib/list_debug.c:86
 [<ffffffff852c38e3>] delete_and_unsubscribe_port+0x1e3/0x2f0
sound/core/seq/seq_ports.c:545
 [<ffffffff852c43fa>] clear_subscriber_list+0x15a/0x260
sound/core/seq/seq_ports.c:250
 [<ffffffff852c456a>] port_delete+0x6a/0x1c0 sound/core/seq/seq_ports.c:266
 [<ffffffff852c5242>] snd_seq_delete_all_ports+0x242/0x350
sound/core/seq/seq_ports.c:330
 [<ffffffff852ae1cf>] seq_free_client1+0x2f/0x290
sound/core/seq/seq_clientmgr.c:272
 [<ffffffff852ae495>] seq_free_client+0x65/0x160
sound/core/seq/seq_clientmgr.c:299
 [<ffffffff852b118d>] snd_seq_release+0x4d/0xb0
sound/core/seq/seq_clientmgr.c:380
 [<ffffffff817c3256>] __fput+0x236/0x780 fs/file_table.c:208
 [<ffffffff817c3825>] ____fput+0x15/0x20 fs/file_table.c:244
 [<ffffffff813b3100>] task_work_run+0x170/0x210 kernel/task_work.c:115
 [<     inline     >] tracehook_notify_resume include/linux/tracehook.h:191
 [<ffffffff810066b1>] exit_to_usermode_loop+0x1d1/0x210
arch/x86/entry/common.c:251
 [<     inline     >] prepare_exit_to_usermode arch/x86/entry/common.c:282
 [<ffffffff810084ea>] syscall_return_slowpath+0x2ba/0x340
arch/x86/entry/common.c:344
 [<ffffffff866626e2>] int_ret_from_sys_call+0x25/0x9f
arch/x86/entry/entry_64.S:281
---[ end trace 4cad985f706f8ace ]---
------------[ cut here ]------------


// autogenerated by syzkaller (http://github.com/google/syzkaller)
#include <pthread.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/*
 * Result slots of the generated program, shared by all threads.
 * main() pre-fills every slot with -1 (all bytes 0xff); thr() stores the
 * open() result for /dev/snd/seq in r[2] and the ioctl/read/close results
 * in r[138..140]. The remaining slots are not used by this reproducer.
 */
long r[143];

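/*
 * Thread body of the syzkaller reproducer. `arg` is the thread index
 * (0..5) chosen by main(); each index performs one step of the generated
 * program, and the steps communicate only through the global r[] table
 * (r[2] holds the open() result for /dev/snd/seq once step 1 has run).
 * Nothing is synchronised on purpose: which steps find a usable fd in
 * r[2] depends on scheduling, and that race is what the reproducer
 * relies on. Every syscall result is deliberately left unchecked.
 * Always returns NULL; main() never collects it.
 */
void* thr(void* arg)
{
  /*
   * Step 2 payload, bytes 0x2000df50..0x2000df91 in address order.
   * The generated source spelled many of these as wider literals cast
   * to uint8_t, e.g. (uint8_t)0x9c33; only the low byte ever reaches
   * memory, so the table keeps the truncated values that are stored.
   */
  static const uint8_t step2_head[66] = {
    0x80, 0x01, 0xff, 0xb0, 0x01, 0x07, 0x07, 0x00, /* 0x2000df50 */
    0x01, 0x01, 0x01, 0x05, 0x06, 0x00, 0xff, 0x03, /* 0x2000df58 */
    0x00, 0xc0, 0x06, 0xff, 0x4c, 0x53, 0x00, 0xfc, /* 0x2000df60 */
    0x3f, 0x02, 0x04, 0x01, 0x00, 0x05, 0x01, 0x09, /* 0x2000df68 */
    0x40, 0xff, 0x06, 0x2b, 0x1f, 0x02, 0x04, 0x68, /* 0x2000df70 */
    0x33, 0x80, 0x03, 0x00, 0xb1, 0x03, 0x00, 0x08, /* 0x2000df78 */
    0x03, 0x08, 0x08, 0x5d, 0x01, 0x09, 0x01, 0x41, /* 0x2000df80 */
    0x03, 0x06, 0x3f, 0x03, 0x09, 0x01, 0x00, 0x06, /* 0x2000df88 */
    0x9c, 0x00,                                     /* 0x2000df90 */
  };

  switch ((long)arg) {
  case 0:
    /*
     * Fixed, writable, anonymous mapping of 0x40000 bytes at 0x20000000;
     * every raw address used by the other steps lies inside it. On
     * x86-64 Linux 0x3 is PROT_READ|PROT_WRITE and 0x32 is
     * MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS; the fd argument is -1.
     */
    syscall(SYS_mmap, 0x20000000ul, 0x40000ul, 0x3ul, 0x32ul,
                   0xfffffffffffffffful, 0x0ul);
    break;
  case 1:
    /* Open the sequencer device; the result (fd or -1) is shared via r[2]. */
    r[2] = syscall(SYS_open, "/dev/snd/seq", 0x400ul, 0, 0, 0);
    break;
  case 2:
    /* Build the ioctl argument in the mapping created by step 0. */
    memcpy((void*)0x2000df50, step2_head, sizeof step2_head);
    /* 0x2000df92..0x2000df93 are not written by the generated program. */
    *(uint32_t*)0x2000df94 = 0x7b;
    *(uint32_t*)0x2000df98 = 0x1002;
    *(uint32_t*)0x2000df9c = 0x9;
    *(uint32_t*)0x2000dfa0 = 0x1000;
    *(uint32_t*)0x2000dfa4 = 0x80;
    *(uint32_t*)0x2000dfa8 = 0x10000;
    *(uint32_t*)0x2000dfac = 0x8;
    *(uint64_t*)0x2000dfb0 = 0x0;
    *(uint32_t*)0x2000dfb8 = 0x3;
    *(uint32_t*)0x2000dfbc = 0x39;
    /* Tail 0x2000dfc0..0x2000dffa: 59 zero bytes. */
    memset((void*)0x2000dfc0, 0, 59);
    /*
     * NOTE(review): under the usual Linux _IOC layout, 0xc0a85320 is a
     * read/write ioctl of type 'S', nr 0x20, with a 0xa8-byte argument;
     * the region filled above spans 0xab bytes, three more than that -
     * presumably slack in the generator's model; confirm.
     */
    r[138] =
        syscall(SYS_ioctl, r[2], 0xc0a85320ul, 0x2000df50ul, 0, 0, 0);
    break;
  case 3:
    /* Read up to 0x75 bytes from the fd in r[2] into the mapping. */
    r[139] = syscall(SYS_read, r[2], 0x20025000ul, 0x75ul, 0, 0, 0);
    break;
  case 4:
    /* Close the fd in r[2]; r[2] itself is left as is. */
    r[140] = syscall(SYS_close, r[2], 0, 0, 0, 0, 0);
    break;
  case 5:
    /*
     * Copies "/dev/sequencer" (14 bytes, no terminator) into the mapping;
     * nothing in this program reads the copy back, the open() below
     * passes its own literal.
     */
    memcpy((void*)0x20022000,
           "\x2f\x64\x65\x76\x2f\x73\x65\x71\x75\x65\x6e\x63\x65\x72",
           14);
    syscall(SYS_open, "/dev/sequencer", 0x4000ul, 0, 0, 0);
    break;
  default:
    /* main() only passes 0..5; any other index is a no-op. */
    break;
  }
  return NULL;
}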

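/*
 * Entry point of the reproducer: runs the six steps of thr() twice each
 * in their own threads, then exits after 100 ms without joining them
 * (returning from main() ends the whole process). pthread_create()
 * failures are deliberately ignored, as in the generated program; a
 * missing step only changes which race the run exercises.
 * Returns 0.
 */
int main(void)
{
  /* One handle per thread; the first pass uses 0..5, the second 6..11. */
  pthread_t th[12];

  srand(getpid());
  /* Every result slot reads as -1 until a step stores into it. */
  memset(r, -1, sizeof r);
  /*
   * First pass: steps 0..5 in index order, 10 ms apart - presumably so
   * the mmap and open normally complete before the steps that use them.
   */
  for (long i = 0; i < 6; i++) {
    (void)pthread_create(&th[i], 0, thr, (void*)i);
    usleep(10000);
  }
  /*
   * Second pass: the same steps again with random short delays, which
   * races them against each other and against the first pass.
   */
  for (long i = 0; i < 6; i++) {
    (void)pthread_create(&th[6 + i], 0, thr, (void*)i);
    if (rand() % 2 == 0)
      usleep(rand() % 10000);
  }
  usleep(100000);
  return 0;
}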


* Re: sound: list corruption in delete_and_unsubscribe_port
@ 2016-02-16 10:00 ` Takashi Iwai
From: Takashi Iwai @ 2016-02-16 10:00 UTC (permalink / raw)
  To: Dmitry Vyukov
  Cc: alsa-devel, Jaroslav Kysela, LKML, Alexander Potapenko,
	Kostya Serebryany, syzkaller, Sasha Levin

On Tue, 16 Feb 2016 10:41:54 +0100,
Dmitry Vyukov wrote:
> 
> Hello,
> 
> Here is a new one on 18558cae0272f8fd9647e69d3fec1565a7949865
> (4.5-rc4). But need to note that sound become much more stable, I've
> seen only 2 of these over night.
> 
> The following program causes list corruption:
> 
> ------------[ cut here ]------------
> WARNING: CPU: 2 PID: 12546 at lib/list_debug.c:62 __list_del_entry+0x10b/0x1e0()
> list_del corruption, ffff880063512388->next is LIST_POISON1 (dead000000000100)
> Modules linked in:
> CPU: 2 PID: 12546 Comm: a.out Not tainted 4.5.0-rc4+ #328
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
>  ffffffff87b05080 ffff8800608b7a48 ffffffff82be46cf ffffffff81477fb8
>  fffffbfff0f60a10 ffff8800608b7ab8 ffff8800637d97c0 ffffffff86ad3780
>  0000000000000009 000000000000003e ffff8800608b7a88 ffffffff81355139
> Call Trace:
>  [<ffffffff81355249>] warn_slowpath_fmt+0xa9/0xd0 kernel/panic.c:494
>  [<ffffffff82c4c36b>] __list_del_entry+0x10b/0x1e0 lib/list_debug.c:60
>  [<ffffffff82c4c44d>] list_del+0xd/0x70 lib/list_debug.c:86
>  [<ffffffff852c38e3>] delete_and_unsubscribe_port+0x1e3/0x2f0
> sound/core/seq/seq_ports.c:545
>  [<ffffffff852c43fa>] clear_subscriber_list+0x15a/0x260
> sound/core/seq/seq_ports.c:250
>  [<ffffffff852c456a>] port_delete+0x6a/0x1c0 sound/core/seq/seq_ports.c:266
>  [<ffffffff852c5242>] snd_seq_delete_all_ports+0x242/0x350
> sound/core/seq/seq_ports.c:330
>  [<ffffffff852ae1cf>] seq_free_client1+0x2f/0x290
> sound/core/seq/seq_clientmgr.c:272
>  [<ffffffff852ae495>] seq_free_client+0x65/0x160
> sound/core/seq/seq_clientmgr.c:299
>  [<ffffffff852b118d>] snd_seq_release+0x4d/0xb0
> sound/core/seq/seq_clientmgr.c:380
>  [<ffffffff817c3256>] __fput+0x236/0x780 fs/file_table.c:208
>  [<ffffffff817c3825>] ____fput+0x15/0x20 fs/file_table.c:244
>  [<ffffffff813b3100>] task_work_run+0x170/0x210 kernel/task_work.c:115
>  [<     inline     >] tracehook_notify_resume include/linux/tracehook.h:191
>  [<ffffffff810066b1>] exit_to_usermode_loop+0x1d1/0x210
> arch/x86/entry/common.c:251
>  [<     inline     >] prepare_exit_to_usermode arch/x86/entry/common.c:282
>  [<ffffffff810084ea>] syscall_return_slowpath+0x2ba/0x340
> arch/x86/entry/common.c:344
>  [<ffffffff866626e2>] int_ret_from_sys_call+0x25/0x9f
> arch/x86/entry/entry_64.S:281
> ---[ end trace 4cad985f706f8ace ]---

Hm, this might be the remaining open race at deleting ports.
Please try the patch below.


thanks,

Takashi

---
diff --git a/sound/core/seq/seq_ports.c b/sound/core/seq/seq_ports.c
index 921fb2bd8fad..fe686ee41c6d 100644
--- a/sound/core/seq/seq_ports.c
+++ b/sound/core/seq/seq_ports.c
@@ -535,19 +535,22 @@ static void delete_and_unsubscribe_port(struct snd_seq_client *client,
 					bool is_src, bool ack)
 {
 	struct snd_seq_port_subs_info *grp;
+	struct list_head *list;
+	bool empty;
 
 	grp = is_src ? &port->c_src : &port->c_dest;
+	list = is_src ? &subs->src_list : &subs->dest_list;
 	down_write(&grp->list_mutex);
 	write_lock_irq(&grp->list_lock);
-	if (is_src)
-		list_del(&subs->src_list);
-	else
-		list_del(&subs->dest_list);
+	empty = list_empty(list);
+	if (!empty)
+		list_del_init(list);
 	grp->exclusive = 0;
 	write_unlock_irq(&grp->list_lock);
 	up_write(&grp->list_mutex);
 
-	unsubscribe_port(client, port, grp, &subs->info, ack);
+	if (!empty)
+		unsubscribe_port(client, port, grp, &subs->info, ack);
 }
 
 /* connect two ports */
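Review bot: The guard `empty = list_empty(list);` only recognises a node that was removed with `list_del_init()`, because a plain `list_del()` leaves `->next` at `LIST_POISON1` (what the warning in the report shows) and `list_empty()` on such a node returns false, so the double deletion would still go ahead; the hunk converts only this call site, so any other removal of `subs->src_list`/`subs->dest_list` elsewhere in the file must also use `list_del_init()`, and both nodes must be `INIT_LIST_HEAD()`-initialised before first use — neither is visible from the hunk, please confirm. The reason for the skip deserves a comment above `if (!empty)`, e.g. `/* already unlinked by a concurrent deletion of the counterpart list; skip the double delete and the second unsubscribe_port() */`. The opening line of delete_and_unsubscribe_port sits before the hunk. The same hunk is repeated verbatim in the quoted reply and in the final patch further down this page; this note applies to those copies too.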


* Re: sound: list corruption in delete_and_unsubscribe_port
@ 2016-02-16 11:19   ` Dmitry Vyukov
From: Dmitry Vyukov @ 2016-02-16 11:19 UTC (permalink / raw)
  To: Takashi Iwai
  Cc: alsa-devel, Jaroslav Kysela, LKML, Alexander Potapenko,
	Kostya Serebryany, syzkaller, Sasha Levin

On Tue, Feb 16, 2016 at 11:00 AM, Takashi Iwai <tiwai@suse.de> wrote:
> On Tue, 16 Feb 2016 10:41:54 +0100,
> Dmitry Vyukov wrote:
>>
>> Hello,
>>
>> Here is a new one on 18558cae0272f8fd9647e69d3fec1565a7949865
>> (4.5-rc4). But need to note that sound become much more stable, I've
>> seen only 2 of these over night.
>>
>> The following program causes list corruption:
>>
>> ------------[ cut here ]------------
>> WARNING: CPU: 2 PID: 12546 at lib/list_debug.c:62 __list_del_entry+0x10b/0x1e0()
>> list_del corruption, ffff880063512388->next is LIST_POISON1 (dead000000000100)
>> Modules linked in:
>> CPU: 2 PID: 12546 Comm: a.out Not tainted 4.5.0-rc4+ #328
>> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
>>  ffffffff87b05080 ffff8800608b7a48 ffffffff82be46cf ffffffff81477fb8
>>  fffffbfff0f60a10 ffff8800608b7ab8 ffff8800637d97c0 ffffffff86ad3780
>>  0000000000000009 000000000000003e ffff8800608b7a88 ffffffff81355139
>> Call Trace:
>>  [<ffffffff81355249>] warn_slowpath_fmt+0xa9/0xd0 kernel/panic.c:494
>>  [<ffffffff82c4c36b>] __list_del_entry+0x10b/0x1e0 lib/list_debug.c:60
>>  [<ffffffff82c4c44d>] list_del+0xd/0x70 lib/list_debug.c:86
>>  [<ffffffff852c38e3>] delete_and_unsubscribe_port+0x1e3/0x2f0
>> sound/core/seq/seq_ports.c:545
>>  [<ffffffff852c43fa>] clear_subscriber_list+0x15a/0x260
>> sound/core/seq/seq_ports.c:250
>>  [<ffffffff852c456a>] port_delete+0x6a/0x1c0 sound/core/seq/seq_ports.c:266
>>  [<ffffffff852c5242>] snd_seq_delete_all_ports+0x242/0x350
>> sound/core/seq/seq_ports.c:330
>>  [<ffffffff852ae1cf>] seq_free_client1+0x2f/0x290
>> sound/core/seq/seq_clientmgr.c:272
>>  [<ffffffff852ae495>] seq_free_client+0x65/0x160
>> sound/core/seq/seq_clientmgr.c:299
>>  [<ffffffff852b118d>] snd_seq_release+0x4d/0xb0
>> sound/core/seq/seq_clientmgr.c:380
>>  [<ffffffff817c3256>] __fput+0x236/0x780 fs/file_table.c:208
>>  [<ffffffff817c3825>] ____fput+0x15/0x20 fs/file_table.c:244
>>  [<ffffffff813b3100>] task_work_run+0x170/0x210 kernel/task_work.c:115
>>  [<     inline     >] tracehook_notify_resume include/linux/tracehook.h:191
>>  [<ffffffff810066b1>] exit_to_usermode_loop+0x1d1/0x210
>> arch/x86/entry/common.c:251
>>  [<     inline     >] prepare_exit_to_usermode arch/x86/entry/common.c:282
>>  [<ffffffff810084ea>] syscall_return_slowpath+0x2ba/0x340
>> arch/x86/entry/common.c:344
>>  [<ffffffff866626e2>] int_ret_from_sys_call+0x25/0x9f
>> arch/x86/entry/entry_64.S:281
>> ---[ end trace 4cad985f706f8ace ]---
>
> Hm, this might be the remaining open race at deleting ports.
> Please try the patch below.

Yes, it fixes the crash for me.

Tested-by: Dmitry Vyukov <dvyukov@google.com>

Thanks!

> thanks,
>
> Takashi
>
> ---
> diff --git a/sound/core/seq/seq_ports.c b/sound/core/seq/seq_ports.c
> index 921fb2bd8fad..fe686ee41c6d 100644
> --- a/sound/core/seq/seq_ports.c
> +++ b/sound/core/seq/seq_ports.c
> @@ -535,19 +535,22 @@ static void delete_and_unsubscribe_port(struct snd_seq_client *client,
>                                         bool is_src, bool ack)
>  {
>         struct snd_seq_port_subs_info *grp;
> +       struct list_head *list;
> +       bool empty;
>
>         grp = is_src ? &port->c_src : &port->c_dest;
> +       list = is_src ? &subs->src_list : &subs->dest_list;
>         down_write(&grp->list_mutex);
>         write_lock_irq(&grp->list_lock);
> -       if (is_src)
> -               list_del(&subs->src_list);
> -       else
> -               list_del(&subs->dest_list);
> +       empty = list_empty(list);
> +       if (!empty)
> +               list_del_init(list);
>         grp->exclusive = 0;
>         write_unlock_irq(&grp->list_lock);
>         up_write(&grp->list_mutex);
>
> -       unsubscribe_port(client, port, grp, &subs->info, ack);
> +       if (!empty)
> +               unsubscribe_port(client, port, grp, &subs->info, ack);
>  }
>
>  /* connect two ports */


* Re: sound: list corruption in delete_and_unsubscribe_port
@ 2016-02-16 13:39     ` Takashi Iwai
From: Takashi Iwai @ 2016-02-16 13:39 UTC (permalink / raw)
  To: Dmitry Vyukov
  Cc: alsa-devel, Jaroslav Kysela, LKML, Alexander Potapenko,
	Kostya Serebryany, syzkaller, Sasha Levin

On Tue, 16 Feb 2016 12:19:31 +0100,
Dmitry Vyukov wrote:
> 
> On Tue, Feb 16, 2016 at 11:00 AM, Takashi Iwai <tiwai@suse.de> wrote:
> > On Tue, 16 Feb 2016 10:41:54 +0100,
> > Dmitry Vyukov wrote:
> >>
> >> Hello,
> >>
> >> Here is a new one on 18558cae0272f8fd9647e69d3fec1565a7949865
> >> (4.5-rc4). But need to note that sound become much more stable, I've
> >> seen only 2 of these over night.
> >>
> >> The following program causes list corruption:
> >>
> >> ------------[ cut here ]------------
> >> WARNING: CPU: 2 PID: 12546 at lib/list_debug.c:62 __list_del_entry+0x10b/0x1e0()
> >> list_del corruption, ffff880063512388->next is LIST_POISON1 (dead000000000100)
> >> Modules linked in:
> >> CPU: 2 PID: 12546 Comm: a.out Not tainted 4.5.0-rc4+ #328
> >> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
> >>  ffffffff87b05080 ffff8800608b7a48 ffffffff82be46cf ffffffff81477fb8
> >>  fffffbfff0f60a10 ffff8800608b7ab8 ffff8800637d97c0 ffffffff86ad3780
> >>  0000000000000009 000000000000003e ffff8800608b7a88 ffffffff81355139
> >> Call Trace:
> >>  [<ffffffff81355249>] warn_slowpath_fmt+0xa9/0xd0 kernel/panic.c:494
> >>  [<ffffffff82c4c36b>] __list_del_entry+0x10b/0x1e0 lib/list_debug.c:60
> >>  [<ffffffff82c4c44d>] list_del+0xd/0x70 lib/list_debug.c:86
> >>  [<ffffffff852c38e3>] delete_and_unsubscribe_port+0x1e3/0x2f0
> >> sound/core/seq/seq_ports.c:545
> >>  [<ffffffff852c43fa>] clear_subscriber_list+0x15a/0x260
> >> sound/core/seq/seq_ports.c:250
> >>  [<ffffffff852c456a>] port_delete+0x6a/0x1c0 sound/core/seq/seq_ports.c:266
> >>  [<ffffffff852c5242>] snd_seq_delete_all_ports+0x242/0x350
> >> sound/core/seq/seq_ports.c:330
> >>  [<ffffffff852ae1cf>] seq_free_client1+0x2f/0x290
> >> sound/core/seq/seq_clientmgr.c:272
> >>  [<ffffffff852ae495>] seq_free_client+0x65/0x160
> >> sound/core/seq/seq_clientmgr.c:299
> >>  [<ffffffff852b118d>] snd_seq_release+0x4d/0xb0
> >> sound/core/seq/seq_clientmgr.c:380
> >>  [<ffffffff817c3256>] __fput+0x236/0x780 fs/file_table.c:208
> >>  [<ffffffff817c3825>] ____fput+0x15/0x20 fs/file_table.c:244
> >>  [<ffffffff813b3100>] task_work_run+0x170/0x210 kernel/task_work.c:115
> >>  [<     inline     >] tracehook_notify_resume include/linux/tracehook.h:191
> >>  [<ffffffff810066b1>] exit_to_usermode_loop+0x1d1/0x210
> >> arch/x86/entry/common.c:251
> >>  [<     inline     >] prepare_exit_to_usermode arch/x86/entry/common.c:282
> >>  [<ffffffff810084ea>] syscall_return_slowpath+0x2ba/0x340
> >> arch/x86/entry/common.c:344
> >>  [<ffffffff866626e2>] int_ret_from_sys_call+0x25/0x9f
> >> arch/x86/entry/entry_64.S:281
> >> ---[ end trace 4cad985f706f8ace ]---
> >
> > Hm, this might be the remaining open race at deleting ports.
> > Please try the patch below.
> 
> Yes, it fixes the crash for me.
> 
> Tested-by: Dmitry Vyukov <dvyukov@google.com>
> 
> Thanks!

Good to hear.  FWIW, below is the final patch I'm going to queue.
Thanks for quick testing!


Takashi

-- 8< --
From: Takashi Iwai <tiwai@suse.de>
Subject: [PATCH] ALSA: seq: Fix double port list deletion

The commit [7f0973e973cd: ALSA: seq: Fix lockdep warnings due to
double mutex locks] split the management of two linked lists (source
and destination) into two individual calls for avoiding the AB/BA
deadlock.  However, this may leave the possible double deletion of one
of two lists when the counterpart is being deleted concurrently.
It ends up with a list corruption, as revealed by syzkaller fuzzer.

This patch fixes it by checking the list emptiness and skipping the
deletion and the following process.

BugLink: http://lkml.kernel.org/r/CACT4Y+bay9qsrz6dQu31EcGaH9XwfW7o3oBzSQUG9fMszoh=Sg@mail.gmail.com
Fixes: 7f0973e973cd ('ALSA: seq: Fix lockdep warnings due to double mutex locks')
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Tested-by: Dmitry Vyukov <dvyukov@google.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
---
 sound/core/seq/seq_ports.c | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/sound/core/seq/seq_ports.c b/sound/core/seq/seq_ports.c
index 921fb2bd8fad..fe686ee41c6d 100644
--- a/sound/core/seq/seq_ports.c
+++ b/sound/core/seq/seq_ports.c
@@ -535,19 +535,22 @@ static void delete_and_unsubscribe_port(struct snd_seq_client *client,
 					bool is_src, bool ack)
 {
 	struct snd_seq_port_subs_info *grp;
+	struct list_head *list;
+	bool empty;
 
 	grp = is_src ? &port->c_src : &port->c_dest;
+	list = is_src ? &subs->src_list : &subs->dest_list;
 	down_write(&grp->list_mutex);
 	write_lock_irq(&grp->list_lock);
-	if (is_src)
-		list_del(&subs->src_list);
-	else
-		list_del(&subs->dest_list);
+	empty = list_empty(list);
+	if (!empty)
+		list_del_init(list);
 	grp->exclusive = 0;
 	write_unlock_irq(&grp->list_lock);
 	up_write(&grp->list_mutex);
 
-	unsubscribe_port(client, port, grp, &subs->info, ack);
+	if (!empty)
+		unsubscribe_port(client, port, grp, &subs->info, ack);
 }
 
 /* connect two ports */
-- 
2.7.1

