On Tue, 16 Feb 2016 12:19:31 +0100,
Dmitry Vyukov wrote:
>
> On Tue, Feb 16, 2016 at 11:00 AM, Takashi Iwai <tiwai@xxxxxxx> wrote:
> > On Tue, 16 Feb 2016 10:41:54 +0100,
> > Dmitry Vyukov wrote:
> >>
> >> Hello,
> >>
> >> Here is a new one on 18558cae0272f8fd9647e69d3fec1565a7949865
> >> (4.5-rc4). But need to note that sound has become much more stable, I've
> >> seen only 2 of these over night.
> >>
> >> The following program causes list corruption:
> >>
> >> ------------[ cut here ]------------
> >> WARNING: CPU: 2 PID: 12546 at lib/list_debug.c:62 __list_del_entry+0x10b/0x1e0()
> >> list_del corruption, ffff880063512388->next is LIST_POISON1 (dead000000000100)
> >> Modules linked in:
> >> CPU: 2 PID: 12546 Comm: a.out Not tainted 4.5.0-rc4+ #328
> >> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
> >> ffffffff87b05080 ffff8800608b7a48 ffffffff82be46cf ffffffff81477fb8
> >> fffffbfff0f60a10 ffff8800608b7ab8 ffff8800637d97c0 ffffffff86ad3780
> >> 0000000000000009 000000000000003e ffff8800608b7a88 ffffffff81355139
> >> Call Trace:
> >> [<ffffffff81355249>] warn_slowpath_fmt+0xa9/0xd0 kernel/panic.c:494
> >> [<ffffffff82c4c36b>] __list_del_entry+0x10b/0x1e0 lib/list_debug.c:60
> >> [<ffffffff82c4c44d>] list_del+0xd/0x70 lib/list_debug.c:86
> >> [<ffffffff852c38e3>] delete_and_unsubscribe_port+0x1e3/0x2f0
> >> sound/core/seq/seq_ports.c:545
> >> [<ffffffff852c43fa>] clear_subscriber_list+0x15a/0x260
> >> sound/core/seq/seq_ports.c:250
> >> [<ffffffff852c456a>] port_delete+0x6a/0x1c0 sound/core/seq/seq_ports.c:266
> >> [<ffffffff852c5242>] snd_seq_delete_all_ports+0x242/0x350
> >> sound/core/seq/seq_ports.c:330
> >> [<ffffffff852ae1cf>] seq_free_client1+0x2f/0x290
> >> sound/core/seq/seq_clientmgr.c:272
> >> [<ffffffff852ae495>] seq_free_client+0x65/0x160
> >> sound/core/seq/seq_clientmgr.c:299
> >> [<ffffffff852b118d>] snd_seq_release+0x4d/0xb0
> >> sound/core/seq/seq_clientmgr.c:380
> >> [<ffffffff817c3256>] __fput+0x236/0x780 fs/file_table.c:208
> >> [<ffffffff817c3825>] ____fput+0x15/0x20 fs/file_table.c:244
> >> [<ffffffff813b3100>] task_work_run+0x170/0x210 kernel/task_work.c:115
> >> [< inline >] tracehook_notify_resume include/linux/tracehook.h:191
> >> [<ffffffff810066b1>] exit_to_usermode_loop+0x1d1/0x210
> >> arch/x86/entry/common.c:251
> >> [< inline >] prepare_exit_to_usermode arch/x86/entry/common.c:282
> >> [<ffffffff810084ea>] syscall_return_slowpath+0x2ba/0x340
> >> arch/x86/entry/common.c:344
> >> [<ffffffff866626e2>] int_ret_from_sys_call+0x25/0x9f
> >> arch/x86/entry/entry_64.S:281
> >> ---[ end trace 4cad985f706f8ace ]---
> >
> > Hm, this might be the remaining open race at deleting ports.
> > Please try the patch below.
>
> Yes, it fixes the crash for me.
>
> Tested-by: Dmitry Vyukov <dvyukov@xxxxxxxxxx>
>
> Thanks!

Good to hear. FWIW, below is the final patch I'm going to queue.

Thanks for quick testing!

Takashi

-- 8< --
From: Takashi Iwai <tiwai@xxxxxxx>
Subject: [PATCH] ALSA: seq: Fix double port list deletion

The commit [7f0973e973cd: ALSA: seq: Fix lockdep warnings due to
double mutex locks] split the management of two linked lists (source
and destination) into two individual calls for avoiding the AB/BA
deadlock. However, this may leave the possible double deletion of one
of two lists when the counterpart is being deleted concurrently.
It ends up with a list corruption, as revealed by syzkaller fuzzer.

This patch fixes it by checking the list emptiness and skipping the
deletion and the following process.

BugLink: http://lkml.kernel.org/r/CACT4Y+bay9qsrz6dQu31EcGaH9XwfW7o3oBzSQUG9fMszoh=Sg@xxxxxxxxxxxxxx
Fixes: 7f0973e973cd ('ALSA: seq: Fix lockdep warnings due to double mutex locks')
Reported-by: Dmitry Vyukov <dvyukov@xxxxxxxxxx>
Tested-by: Dmitry Vyukov <dvyukov@xxxxxxxxxx>
Cc: <stable@xxxxxxxxxxxxxxx>
Signed-off-by: Takashi Iwai <tiwai@xxxxxxx>
---
 sound/core/seq/seq_ports.c | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/sound/core/seq/seq_ports.c b/sound/core/seq/seq_ports.c index 921fb2bd8fad..fe686ee41c6d 100644 --- a/sound/core/seq/seq_ports.c +++ b/sound/core/seq/seq_ports.c @@ -535,19 +535,22 @@ static void delete_and_unsubscribe_port(struct snd_seq_client *client, bool is_src, bool ack) { struct snd_seq_port_subs_info *grp; + struct list_head *list; + bool empty; grp = is_src ? &port->c_src : &port->c_dest; + list = is_src ? &subs->src_list : &subs->dest_list; down_write(&grp->list_mutex); write_lock_irq(&grp->list_lock); - if (is_src) - list_del(&subs->src_list); - else - list_del(&subs->dest_list); + empty = list_empty(list); + if (!empty) + list_del_init(list); grp->exclusive = 0; write_unlock_irq(&grp->list_lock); up_write(&grp->list_mutex); - unsubscribe_port(client, port, grp, &subs->info, ack); + if (!empty) + unsubscribe_port(client, port, grp, &subs->info, ack); } /* connect two ports */ -- 2.7.1
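
Review bot: grp->exclusive = 0 in delete_and_unsubscribe_port() still runs unconditionally under list_lock, including on the path where list_empty(list) is true and the entry is being treated as already unlinked by a concurrent deleter. If that path is meant to be a no-op, as it now is for list_del_init() and unsubscribe_port(), move the assignment inside the "if (!empty)" branch; otherwise add a comment saying why clearing the flag a second time is harmless. The emptiness test also only works as an "already deleted" marker if every other path that unlinks src_list or dest_list uses list_del_init() and the heads are initialised before first use, so a one-line comment above "empty = list_empty(list);" stating that invariant would help: a plain list_del() elsewhere would leave the poisoned next pointer (LIST_POISON1) that the reported warning shows, and list_empty() would not catch it.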