From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1756622AbcAYKrL (ORCPT ); Mon, 25 Jan 2016 05:47:11 -0500
Received: from mx2.suse.de ([195.135.220.15]:57248 "EHLO mx2.suse.de"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1756300AbcAYKrH (ORCPT ); Mon, 25 Jan 2016 05:47:07 -0500
Date: Mon, 25 Jan 2016 11:47:05 +0100
Message-ID:
From: Takashi Iwai
To: "Dmitry Vyukov"
Cc: , "Jie Yang" , "Mark Brown" , "Jaroslav Kysela" , "LKML" , "Alexander Potapenko" , "Kostya Serebryany" , "syzkaller" , "Sasha Levin"
Subject: Re: sound: deadlock between snd_rawmidi_kernel_open/snd_seq_port_connect
In-Reply-To:
References:
User-Agent: Wanderlust/2.15.9 (Almost Unreal) SEMI/1.14.6 (Maruoka) FLIM/1.14.9 (=?UTF-8?B?R29qxY0=?=) APEL/10.8 Emacs/24.5 (x86_64-suse-linux-gnu) MULE/6.0 (HANACHIRUSATO)
MIME-Version: 1.0 (generated by SEMI 1.14.6 - "Maruoka")
Content-Type: text/plain; charset=US-ASCII
Sender: linux-kernel-owner@vger.kernel.org
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

On Sun, 24 Jan 2016 10:44:34 +0100, Dmitry Vyukov wrote:
>
> Hello,
>
> While running syzkaller fuzzer I've got the following lockdep report:
>
> ======================================================
> [ INFO: possible circular locking dependency detected ]
> 4.4.0+ #276 Not tainted
> -------------------------------------------------------
> syz-executor/21025 is trying to acquire lock:
> (register_mutex#5){+.+.+.}, at: []
> snd_rawmidi_kernel_open+0x4b/0x260 sound/core/rawmidi.c:341
>
> but task is already holding lock:
> (&grp->list_mutex/1){+.+...}, at: []
> snd_seq_port_connect+0x1ba/0x840 sound/core/seq/seq_ports.c:506
>
> which lock already depends on the new lock.
>
>
> the existing dependency chain (in reverse order) is:
>
> -> #2 (&grp->list_mutex/1){+.+...}:
> [] lock_acquire+0x1dc/0x430
> kernel/locking/lockdep.c:3585
> [] down_write_nested+0x4a/0xa0
> kernel/locking/rwsem.c:149
> [] snd_seq_port_connect+0x1ba/0x840
> sound/core/seq/seq_ports.c:506
> [] snd_seq_ioctl_subscribe_port+0x1c4/0x290
> sound/core/seq/seq_clientmgr.c:1464
> [] snd_seq_do_ioctl+0x19d/0x1c0
> sound/core/seq/seq_clientmgr.c:2209
> [] snd_seq_kernel_client_ctl+0xdb/0x170
> sound/core/seq/seq_clientmgr.c:2423
> [] snd_seq_oss_create_client+0x253/0x2d5
> sound/core/seq/oss/seq_oss_init.c:119
> [] alsa_seq_oss_init+0x1af/0x23e
> sound/core/seq/oss/seq_oss.c:89
> [] do_one_initcall+0x159/0x380 init/main.c:794
> [< inline >] do_initcall_level init/main.c:859
> [< inline >] do_initcalls init/main.c:867
> [< inline >] do_basic_setup init/main.c:885
> [] kernel_init_freeable+0x474/0x52d init/main.c:1010
> [] kernel_init+0x13/0x150 init/main.c:936
> [] ret_from_fork+0x3f/0x70
> arch/x86/entry/entry_64.S:468
>
> -> #1 (&grp->list_mutex){++++.+}:
> [] lock_acquire+0x1dc/0x430
> kernel/locking/lockdep.c:3585
> [] down_read+0x47/0x60 kernel/locking/rwsem.c:22
> [< inline >] deliver_to_subscribers
> sound/core/seq/seq_clientmgr.c:679
> [] snd_seq_deliver_event+0x5a9/0x800
> sound/core/seq/seq_clientmgr.c:817
> [] snd_seq_kernel_client_dispatch+0x126/0x170
> sound/core/seq/seq_clientmgr.c:2401
> [] snd_seq_system_broadcast+0xb2/0xf0
> sound/core/seq/seq_system.c:101
> [] snd_seq_create_kernel_client+0x21e/0x300
> sound/core/seq/seq_clientmgr.c:2280
> [< inline >] snd_virmidi_dev_attach_seq
> sound/core/seq/seq_virmidi.c:372
> [] snd_virmidi_dev_register+0x29f/0x750
> sound/core/seq/seq_virmidi.c:439
> [] snd_rawmidi_dev_register+0x30c/0xd40
> sound/core/rawmidi.c:1589
> [] __snd_device_register.part.0+0x63/0xc0
> sound/core/device.c:164
> [< inline >] __snd_device_register sound/core/device.c:162
> [] snd_device_register_all+0xad/0x110
> sound/core/device.c:212
> [] snd_card_register+0xef/0x6a0 sound/core/init.c:749
> [] snd_virmidi_probe+0x3ef/0x590
> sound/drivers/virmidi.c:123
> [] platform_drv_probe+0x8c/0x160
> drivers/base/platform.c:562
> [< inline >] really_probe drivers/base/dd.c:377
> [] driver_probe_device+0x37e/0xc90
> drivers/base/dd.c:499
> [] __device_attach_driver+0x19e/0x250
> drivers/base/dd.c:584
> [] bus_for_each_drv+0x13f/0x1d0 drivers/base/bus.c:464
> [] __device_attach+0x1ef/0x2e0 drivers/base/dd.c:641
> [] device_initial_probe+0x1a/0x20 drivers/base/dd.c:688
> [] bus_probe_device+0x1e9/0x290 drivers/base/bus.c:558
> [] device_add+0x84b/0x1490 drivers/base/core.c:1120
> [] platform_device_add+0x389/0x790
> drivers/base/platform.c:403
> [] platform_device_register_full+0x396/0x4c0
> drivers/base/platform.c:535
> [< inline >] platform_device_register_resndata
> include/linux/platform_device.h:111
> [< inline >] platform_device_register_simple
> include/linux/platform_device.h:140
> [] alsa_card_virmidi_init+0x104/0x1da
> sound/drivers/virmidi.c:172
> [] do_one_initcall+0x159/0x380 init/main.c:794
> [< inline >] do_initcall_level init/main.c:859
> [< inline >] do_initcalls init/main.c:867
> [< inline >] do_basic_setup init/main.c:885
> [] kernel_init_freeable+0x474/0x52d init/main.c:1010
> [] kernel_init+0x13/0x150 init/main.c:936
> [] ret_from_fork+0x3f/0x70
> arch/x86/entry/entry_64.S:468
>
> -> #0 (register_mutex#5){+.+.+.}:
> [< inline >] check_prev_add kernel/locking/lockdep.c:1853
> [< inline >] check_prevs_add kernel/locking/lockdep.c:1958
> [< inline >] validate_chain kernel/locking/lockdep.c:2144
> [] __lock_acquire+0x31eb/0x4700
> kernel/locking/lockdep.c:3206
> [] lock_acquire+0x1dc/0x430
> kernel/locking/lockdep.c:3585
> [< inline >] __mutex_lock_common kernel/locking/mutex.c:518
> [] mutex_lock_nested+0xb1/0xa50
> kernel/locking/mutex.c:618
> [] snd_rawmidi_kernel_open+0x4b/0x260
> sound/core/rawmidi.c:341
> [] midisynth_subscribe+0xf7/0x340
> sound/core/seq/seq_midi.c:188
> [] subscribe_port.isra.2+0x14e/0x2b0
> sound/core/seq/seq_ports.c:426
> [] snd_seq_port_connect+0x490/0x840
> sound/core/seq/seq_ports.c:527
> [] snd_seq_ioctl_subscribe_port+0x1c4/0x290
> sound/core/seq/seq_clientmgr.c:1464
> [] snd_seq_do_ioctl+0x19d/0x1c0
> sound/core/seq/seq_clientmgr.c:2209
> [] snd_seq_kernel_client_ctl+0xdb/0x170
> sound/core/seq/seq_clientmgr.c:2423
> [] snd_seq_oss_midi_open+0x3b4/0x610
> sound/core/seq/oss/seq_oss_midi.c:375
> [] snd_seq_oss_midi_open_all+0x8b/0xd0
> sound/core/seq/oss/seq_oss_midi.c:306
> [] snd_seq_oss_open+0x5c5/0x8d0
> sound/core/seq/oss/seq_oss_init.c:276
> [] odev_open+0x6a/0x90 sound/core/seq/oss/seq_oss.c:138
> [] soundcore_open+0x30f/0x640 sound/sound_core.c:639
> [] chrdev_open+0x22a/0x4c0 fs/char_dev.c:388
> [] do_dentry_open+0x6a2/0xcb0 fs/open.c:736
> [] vfs_open+0x17b/0x1f0 fs/open.c:853
> [< inline >] do_last fs/namei.c:3254
> [] path_openat+0xde9/0x5e30 fs/namei.c:3386
> [] do_filp_open+0x18e/0x250 fs/namei.c:3421
> [] do_sys_open+0x1fc/0x420 fs/open.c:1022
> [< inline >] SYSC_open fs/open.c:1040
> [] SyS_open+0x2d/0x40 fs/open.c:1035
> [] entry_SYSCALL_64_fastpath+0x16/0x7a
> arch/x86/entry/entry_64.S:185
>
> other info that might help us debug this:
>
> Chain exists of:
> register_mutex#5 --> &grp->list_mutex --> &grp->list_mutex/1
>
> Possible unsafe locking scenario:
>
>        CPU0                    CPU1
>        ----                    ----
>   lock(&grp->list_mutex/1);
>                                lock(&grp->list_mutex);
>                                lock(&grp->list_mutex/1);
>   lock(register_mutex#5);
>
> *** DEADLOCK ***
>
> 3 locks held by syz-executor/21025:
> #0: (register_mutex#4){+.+.+.}, at: []
> odev_open+0x5f/0x90 sound/core/seq/oss/seq_oss.c:137
> #1: (&grp->list_mutex){++++.+}, at: []
> snd_seq_port_connect+0x1a2/0x840 sound/core/seq/seq_ports.c:505
> #2: (&grp->list_mutex/1){+.+...}, at: []
> snd_seq_port_connect+0x1ba/0x840 sound/core/seq/seq_ports.c:506

This looks like a false-positive report to me. Of course, we should
annotate the mutex there for nested locks, though.


thanks,

Takashi

>
> stack backtrace:
> CPU: 2 PID: 21025 Comm: syz-executor Not tainted 4.4.0+ #276
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
> 00000000ffffffff ffff88006d0af0c0 ffffffff82999e2d ffffffff88fa1eb0
> ffffffff88fa2f90 ffffffff88fa2060 ffff88006d0af110 ffffffff81450658
> ffff880065c8df00 ffff880065c8e79a 0000000000000000 ffff880065c8e778
> Call Trace:
> [< inline >] __dump_stack lib/dump_stack.c:15
> [] dump_stack+0x6f/0xa2 lib/dump_stack.c:50
> [] print_circular_bug+0x288/0x340
> kernel/locking/lockdep.c:1226
> [< inline >] check_prev_add kernel/locking/lockdep.c:1853
> [< inline >] check_prevs_add kernel/locking/lockdep.c:1958
> [< inline >] validate_chain kernel/locking/lockdep.c:2144
> [] __lock_acquire+0x31eb/0x4700 kernel/locking/lockdep.c:3206
> [] lock_acquire+0x1dc/0x430 kernel/locking/lockdep.c:3585
> [< inline >] __mutex_lock_common kernel/locking/mutex.c:518
> [] mutex_lock_nested+0xb1/0xa50 kernel/locking/mutex.c:618
> [] snd_rawmidi_kernel_open+0x4b/0x260
> sound/core/rawmidi.c:341
> [] midisynth_subscribe+0xf7/0x340
> sound/core/seq/seq_midi.c:188
> [] subscribe_port.isra.2+0x14e/0x2b0
> sound/core/seq/seq_ports.c:426
> [] snd_seq_port_connect+0x490/0x840
> sound/core/seq/seq_ports.c:527
> [] snd_seq_ioctl_subscribe_port+0x1c4/0x290
> sound/core/seq/seq_clientmgr.c:1464
> [] snd_seq_do_ioctl+0x19d/0x1c0
> sound/core/seq/seq_clientmgr.c:2209
> [] snd_seq_kernel_client_ctl+0xdb/0x170
> sound/core/seq/seq_clientmgr.c:2423
> [] snd_seq_oss_midi_open+0x3b4/0x610
> sound/core/seq/oss/seq_oss_midi.c:375
> [] snd_seq_oss_midi_open_all+0x8b/0xd0
> sound/core/seq/oss/seq_oss_midi.c:306
> [] snd_seq_oss_open+0x5c5/0x8d0
> sound/core/seq/oss/seq_oss_init.c:276
> [] odev_open+0x6a/0x90 sound/core/seq/oss/seq_oss.c:138
> [] soundcore_open+0x30f/0x640 sound/sound_core.c:639
> [] chrdev_open+0x22a/0x4c0 fs/char_dev.c:388
> [] do_dentry_open+0x6a2/0xcb0 fs/open.c:736
> [] vfs_open+0x17b/0x1f0 fs/open.c:853
> [< inline >] do_last fs/namei.c:3254
> [] path_openat+0xde9/0x5e30 fs/namei.c:3386
> [] do_filp_open+0x18e/0x250 fs/namei.c:3421
> [] do_sys_open+0x1fc/0x420 fs/open.c:1022
> [< inline >] SYSC_open fs/open.c:1040
> [] SyS_open+0x2d/0x40 fs/open.c:1035
> [] entry_SYSCALL_64_fastpath+0x16/0x7a
> arch/x86/entry/entry_64.S:185
>
> On commit 30f05309bde49295e02e45c7e615f73aa4e0ccc2.
>
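
Added example, not part of the original thread and not kernel code: a user-space model of the ordering graph behind the "Chain exists of" line in the quoted report. Nodes are lock classes, as in lockdep, not individual lock instances; the enum, function and array names are made up for this illustration.

```c
#include <stdio.h>
#include <string.h>

/* The three lock classes named in the quoted report (a /1 subclass is its own class). */
enum { REGISTER_MUTEX_5, LIST_MUTEX, LIST_MUTEX_1, NCLASS };

static const char *name[NCLASS] = {
    "register_mutex#5", "&grp->list_mutex", "&grp->list_mutex/1"
};
static int edge[NCLASS][NCLASS];   /* edge[a][b]: b was acquired while a was held */

/* Depth-first search: is `to` reachable from `from` along recorded edges? */
static int reachable(int from, int to, int *seen)
{
    if (from == to)
        return 1;
    seen[from] = 1;
    for (int n = 0; n < NCLASS; n++)
        if (edge[from][n] && !seen[n] && reachable(n, to, seen))
            return 1;
    return 0;
}

/* Record "next acquired while held". Returns 1 when an existing path
 * next -> ... -> held means the new edge held -> next closes a cycle. */
static int acquire(int held, int next)
{
    int seen[NCLASS] = {0};
    int cycle = reachable(next, held, seen);
    edge[held][next] = 1;
    return cycle;
}

/* Replays the report's three dependency chains; returns how many closed a cycle. */
static int replay_report(void)
{
    int reports = 0;
    memset(edge, 0, sizeof(edge));
    reports += acquire(LIST_MUTEX, LIST_MUTEX_1);        /* #2: seq_ports.c:505 then :506 */
    reports += acquire(REGISTER_MUTEX_5, LIST_MUTEX);    /* #1: trace via snd_rawmidi_dev_register */
    reports += acquire(LIST_MUTEX_1, REGISTER_MUTEX_5);  /* #0: snd_rawmidi_kernel_open */
    return reports;
}

int main(void)
{
    printf("cycle reports: %d\n", replay_report());
    printf("closing edge: %s -> %s\n", name[LIST_MUTEX_1], name[REGISTER_MUTEX_5]);
    return 0;
}
```

Only the third acquisition is flagged, matching the `-> #0` entry of the report.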