On Sat, Apr 7, 2018 at 11:56 AM, Takashi Iwai <tiwai@xxxxxxx> wrote:
> On Fri, 06 Apr 2018 23:14:01 +0200,
> syzbot wrote:
>>
>> syzbot has found reproducer for the following crash on upstream commit
>> 38c23685b273cfb4ccf31a199feccce3bdcb5d83 (Fri Apr 6 04:29:35 2018 +0000)
>> Merge tag 'armsoc-drivers' of
>> git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc
>> syzbot dashboard link:
>> https://syzkaller.appspot.com/bug?extid=150189c103427d31a053
>>
>> So far this crash happened 15 times on upstream.
>> C reproducer: https://syzkaller.appspot.com/x/repro.c?id=5405588854931456
>> syzkaller reproducer:
>> https://syzkaller.appspot.com/x/repro.syz?id=5561439796330496
>> Raw console output:
>> https://syzkaller.appspot.com/x/log.txt?id=5697900571000832
>> Kernel config:
>> https://syzkaller.appspot.com/x/.config?id=-5813481738265533882
>> compiler: gcc (GCC) 8.0.1 20180301 (experimental)
>
> Thanks to the reproducer, I could spot out now.
> Below is the patch (which was submitted as well).

Great! There are 3 more recent stalls in sound, does this fix them as well?

https://groups.google.com/forum/#!msg/syzkaller-bugs/MGfk8WH3O6k/ja2xKpdcCAAJ
https://groups.google.com/forum/#!msg/syzkaller-bugs/74HglwU94go/T89ohzlYCAAJ
https://groups.google.com/forum/#!msg/syzkaller-bugs/D2xWV7WTRDk/5y2kZyBICAAJ

> thanks,
>
> Takashi
>
> -- 8< --
> From: Takashi Iwai <tiwai@xxxxxxx>
> Subject: [PATCH] ALSA: pcm: Fix endless loop for XRUN recovery in OSS
> emulation
>
> The commit 02a5d6925cd3 ("ALSA: pcm: Avoid potential races between OSS
> ioctls and read/write") split the PCM preparation code to a locked
> version, and it added a sanity check of runtime->oss.prepare flag
> along with the change. This led to an endless loop when the stream
> gets XRUN: namely, snd_pcm_oss_write3() and co call
> snd_pcm_oss_prepare() without setting runtime->oss.prepare flag and
> the loop continues until the PCM state reaches another one.
>
> As the function is supposed to execute the preparation
> unconditionally, drop the invalid state check there.
>
> The bug was triggered by syzkaller.
>
> Fixes: 02a5d6925cd3 ("ALSA: pcm: Avoid potential races between OSS ioctls and read/write")
> Reported-by: syzbot+7e3f31a52646f939c052@xxxxxxxxxxxxxxxxxxxxxxxxx
> Reported-by: syzbot+4f2016cf5185da7759dc@xxxxxxxxxxxxxxxxxxxxxxxxx
> Cc: <stable@xxxxxxxxxxxxxxx>
> Signed-off-by: Takashi Iwai <tiwai@xxxxxxx>
> ---
> sound/core/oss/pcm_oss.c | 3 +--
> 1 file changed, 1 insertion(+), 2 deletions(-)
>
> diff --git a/sound/core/oss/pcm_oss.c b/sound/core/oss/pcm_oss.c
> index 481ab0e94ffa..727647755aab 100644
> --- a/sound/core/oss/pcm_oss.c
> +++ b/sound/core/oss/pcm_oss.c
> @@ -1128,13 +1128,12 @@ static int snd_pcm_oss_get_active_substream(struct snd_pcm_oss_file *pcm_oss_fil > } > > /* call with params_lock held */ > +/* NOTE: this doesn't care whether runtime->oss.prepare is set or not */ > static int snd_pcm_oss_prepare(struct snd_pcm_substream *substream) > { > int err; > struct snd_pcm_runtime *runtime = substream->runtime; > > - if (!runtime->oss.prepare) > - return 0; > err = snd_pcm_kernel_ioctl(substream, SNDRV_PCM_IOCTL_PREPARE, NULL); > if (err < 0) { > pcm_dbg(substream->pcm, > -- > 2.16.3 > _______________________________________________ Alsa-devel mailing list Alsa-devel@xxxxxxxxxxxxxxxx http://mailman.alsa-project.org/mailman/listinfo/alsa-devel
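Review bot: dropping the `if (!runtime->oss.prepare) return 0;` early return makes snd_pcm_oss_prepare() unconditional, so the decision of whether a PREPARE is actually needed now rests entirely with the callers, none of which are visible in this hunk. It is worth confirming that the callers that did set runtime->oss.prepare before calling (as opposed to snd_pcm_oss_write3() and co, which the commit message says never set it) test the flag themselves, otherwise they will issue a redundant SNDRV_PCM_IOCTL_PREPARE on a stream that was already prepared. The added NOTE comment states the new contract clearly; keeping the existing "call with params_lock held" line directly above it is right, since the ioctl still has to run under that lock.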
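As an added illustration, not kernel code and not part of the patch or its author's mail, here is a toy model of the retry loop the commit message describes. The names `model_prepare()`, `model_write_recover()`, `oss_prepare` and `guarded` are hypothetical stand-ins for snd_pcm_oss_prepare(), the write path's XRUN recovery loop, runtime->oss.prepare and the removed early return; the model shows why the guarded prepare never leaves XRUN while the unconditional one recovers on the first pass.

```c
/* Toy model (constructed for illustration, not ALSA code) of the OSS
 * write path's XRUN recovery loop and the prepare helper it calls. */
#include <stdbool.h>
#include <stdio.h>

enum pcm_state { PCM_RUNNING, PCM_XRUN, PCM_PREPARED };

struct model_runtime {
    enum pcm_state state;
    bool oss_prepare;   /* stand-in for runtime->oss.prepare */
    bool guarded;       /* true: pre-patch early return is present */
};

/* Stand-in for snd_pcm_oss_prepare(). With the guard, a caller that did not
 * set oss_prepare gets a silent no-op: the state is left untouched. */
static int model_prepare(struct model_runtime *rt)
{
    if (rt->guarded && !rt->oss_prepare)
        return 0;               /* pre-patch: nothing happens */
    rt->state = PCM_PREPARED;   /* effect of SNDRV_PCM_IOCTL_PREPARE */
    rt->oss_prepare = false;
    return 0;
}

/* Stand-in for the write path: retry until the stream leaves XRUN.
 * Returns the number of prepare calls needed, or -1 if max_iters is
 * exhausted, which is the endless loop the patch fixes. */
static int model_write_recover(struct model_runtime *rt, int max_iters)
{
    for (int i = 0; i < max_iters; i++) {
        if (rt->state != PCM_XRUN)
            return i;
        int err = model_prepare(rt);   /* oss_prepare is never set here */
        if (err < 0)
            return err;
    }
    return -1;   /* still in XRUN after max_iters: the caller would spin */
}

/* Run the model from XRUN with oss_prepare clear, as the write path does. */
int model_run(bool guarded, int max_iters)
{
    struct model_runtime rt = { PCM_XRUN, false, guarded };
    return model_write_recover(&rt, max_iters);
}

int main(void)
{
    printf("guarded prepare:       %d\n", model_run(true, 1000));   /* -1 */
    printf("unconditional prepare: %d\n", model_run(false, 1000));  /* 1 */
    return 0;
}
```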