linux-sg2042/sound/core
Takashi Iwai 816f318b23 ALSA: rawmidi: Fix possible deadlock with virmidi registration
When a seq-virmidi driver is initialized, it registers a rawmidi
instance with its callback to create an associated seq kernel client.
Currently it's done throughly in rawmidi's register_mutex context.
Recently it was found that this may lead to a deadlock another rawmidi
device that is being attached with the sequencer is accessed, as both
open with the same register_mutex.  This was actually triggered by
syzkaller, as Dmitry Vyukov reported:

======================================================
 [ INFO: possible circular locking dependency detected ]
 4.8.0-rc1+ #11 Not tainted
 -------------------------------------------------------
 syz-executor/7154 is trying to acquire lock:
  (register_mutex#5){+.+.+.}, at: [<ffffffff84fd6d4b>] snd_rawmidi_kernel_open+0x4b/0x260 sound/core/rawmidi.c:341

 but task is already holding lock:
  (&grp->list_mutex){++++.+}, at: [<ffffffff850138bb>] check_and_subscribe_port+0x5b/0x5c0 sound/core/seq/seq_ports.c:495

 which lock already depends on the new lock.

 the existing dependency chain (in reverse order) is:

 -> #1 (&grp->list_mutex){++++.+}:
    [<ffffffff8147a3a8>] lock_acquire+0x208/0x430 kernel/locking/lockdep.c:3746
    [<ffffffff863f6199>] down_read+0x49/0xc0 kernel/locking/rwsem.c:22
    [<     inline     >] deliver_to_subscribers sound/core/seq/seq_clientmgr.c:681
    [<ffffffff85005c5e>] snd_seq_deliver_event+0x35e/0x890 sound/core/seq/seq_clientmgr.c:822
    [<ffffffff85006e96>] > snd_seq_kernel_client_dispatch+0x126/0x170 sound/core/seq/seq_clientmgr.c:2418
    [<ffffffff85012c52>] snd_seq_system_broadcast+0xb2/0xf0 sound/core/seq/seq_system.c:101
    [<ffffffff84fff70a>] snd_seq_create_kernel_client+0x24a/0x330 sound/core/seq/seq_clientmgr.c:2297
    [<     inline     >] snd_virmidi_dev_attach_seq sound/core/seq/seq_virmidi.c:383
    [<ffffffff8502d29f>] snd_virmidi_dev_register+0x29f/0x750 sound/core/seq/seq_virmidi.c:450
    [<ffffffff84fd208c>] snd_rawmidi_dev_register+0x30c/0xd40 sound/core/rawmidi.c:1645
    [<ffffffff84f816d3>] __snd_device_register.part.0+0x63/0xc0 sound/core/device.c:164
    [<     inline     >] __snd_device_register sound/core/device.c:162
    [<ffffffff84f8235d>] snd_device_register_all+0xad/0x110 sound/core/device.c:212
    [<ffffffff84f7546f>] snd_card_register+0xef/0x6c0 sound/core/init.c:749
    [<ffffffff85040b7f>] snd_virmidi_probe+0x3ef/0x590 sound/drivers/virmidi.c:123
    [<ffffffff833ebf7b>] platform_drv_probe+0x8b/0x170 drivers/base/platform.c:564
    ......

 -> #0 (register_mutex#5){+.+.+.}:
    [<     inline     >] check_prev_add kernel/locking/lockdep.c:1829
    [<     inline     >] check_prevs_add kernel/locking/lockdep.c:1939
    [<     inline     >] validate_chain kernel/locking/lockdep.c:2266
    [<ffffffff814791f4>] __lock_acquire+0x4d44/0x4d80 kernel/locking/lockdep.c:3335
    [<ffffffff8147a3a8>] lock_acquire+0x208/0x430 kernel/locking/lockdep.c:3746
    [<     inline     >] __mutex_lock_common kernel/locking/mutex.c:521
    [<ffffffff863f0ef1>] mutex_lock_nested+0xb1/0xa20 kernel/locking/mutex.c:621
    [<ffffffff84fd6d4b>] snd_rawmidi_kernel_open+0x4b/0x260 sound/core/rawmidi.c:341
    [<ffffffff8502e7c7>] midisynth_subscribe+0xf7/0x350 sound/core/seq/seq_midi.c:188
    [<     inline     >] subscribe_port sound/core/seq/seq_ports.c:427
    [<ffffffff85013cc7>] check_and_subscribe_port+0x467/0x5c0 sound/core/seq/seq_ports.c:510
    [<ffffffff85015da9>] snd_seq_port_connect+0x2c9/0x500 sound/core/seq/seq_ports.c:579
    [<ffffffff850079b8>] snd_seq_ioctl_subscribe_port+0x1d8/0x2b0 sound/core/seq/seq_clientmgr.c:1480
    [<ffffffff84ffe9e4>] snd_seq_do_ioctl+0x184/0x1e0 sound/core/seq/seq_clientmgr.c:2225
    [<ffffffff84ffeae8>] snd_seq_kernel_client_ctl+0xa8/0x110 sound/core/seq/seq_clientmgr.c:2440
    [<ffffffff85027664>] snd_seq_oss_midi_open+0x3b4/0x610 sound/core/seq/oss/seq_oss_midi.c:375
    [<ffffffff85023d67>] snd_seq_oss_synth_setup_midi+0x107/0x4c0 sound/core/seq/oss/seq_oss_synth.c:281
    [<ffffffff8501b0a8>] snd_seq_oss_open+0x748/0x8d0 sound/core/seq/oss/seq_oss_init.c:274
    [<ffffffff85019d8a>] odev_open+0x6a/0x90 sound/core/seq/oss/seq_oss.c:138
    [<ffffffff84f7040f>] soundcore_open+0x30f/0x640 sound/sound_core.c:639
    ......

 other info that might help us debug this:

 Possible unsafe locking scenario:

        CPU0                    CPU1
        ----                    ----
   lock(&grp->list_mutex);
                                lock(register_mutex#5);
                                lock(&grp->list_mutex);
   lock(register_mutex#5);

 *** DEADLOCK ***
======================================================

The fix is to simply move the registration parts in
snd_rawmidi_dev_register() to the outside of the register_mutex lock.
The lock is needed only to manage the linked list, and it's not
necessarily to cover the whole initialization process.

Reported-by: Dmitry Vyukov <dvyukov@google.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2016-09-08 10:45:20 +02:00
..
oss ALSA: pcm: Fix potential deadlock in OSS emulation 2016-02-01 12:23:29 +01:00
seq ALSA: seq_timer: use monotonic times internally 2016-06-17 22:56:13 +02:00
Kconfig ALSA: timer: remove legacy rtctimer 2016-04-25 10:41:46 +02:00
Makefile ALSA: timer: remove legacy rtctimer 2016-04-25 10:41:46 +02:00
compress_offload.c ALSA: compress: Add function to indicate the stream has gone bad 2016-06-13 16:45:37 +01:00
control.c Merge branch 'for-next' into for-linus 2016-07-25 17:01:14 +02:00
control_compat.c ALSA: ctl: change return value in compatibility layer so that it's the same value in core implementation 2016-03-17 14:11:36 +01:00
ctljack.c ALSA: jack: Fix endless loop at unique index detection 2015-06-26 06:59:57 +02:00
device.c Merge branch 'topic/hda-unbind' into for-next 2015-03-16 14:48:20 +01:00
hrtimer.c ALSA: hrtimer: Handle start/stop more properly 2016-04-26 09:34:40 +02:00
hwdep.c ALSA: replace CONFIG_PROC_FS with CONFIG_SND_PROC_FS 2015-05-27 21:25:19 +02:00
hwdep_compat.c [PATCH] hwdep_compat missed __user annotations 2006-10-10 15:37:21 -07:00
info.c ALSA: info: Drop kerneldoc comment from snd_info_create_entry() 2015-05-18 09:45:11 +02:00
info_oss.c ALSA: core: Clean up OSS proc file management 2015-04-24 17:31:08 +02:00
init.c ALSA: hda_intel: add card number to irq description 2016-01-12 21:05:16 +01:00
isadma.c ALSA: core: Use standard printk helpers 2014-02-14 08:14:15 +01:00
jack.c ALSA: jack: Allow building the jack layer without input device 2016-02-23 09:03:07 +01:00
memalloc.c genalloc: rename of_get_named_gen_pool() to of_gen_pool_get() 2015-06-30 19:45:01 -07:00
memory.c ALSA: Include linux/uaccess.h and linux/bitopts.h instead of asm/* 2015-01-28 17:25:07 +01:00
misc.c ALSA: Allow pass NULL dev for snd_pci_quirk_lookup() 2014-10-08 12:08:38 +02:00
pcm.c ALSA: pcm: Free chmap at PCM free callback, too 2016-07-08 09:15:44 +02:00
pcm_compat.c ALSA: pcm: Fix ioctls for X32 ABI 2016-02-28 17:44:35 +01:00
pcm_dmaengine.c ASoC: dmaengine_pcm: Add support for packed transfers 2016-04-27 17:34:11 +01:00
pcm_drm_eld.c ALSA: pcm: add DRM ELD helper 2015-05-22 16:01:44 +02:00
pcm_iec958.c ALSA: pcm: Allow 32 bit sample format in IEC958 channel status helper 2016-04-06 14:33:38 -07:00
pcm_lib.c ALSA: pcm: Bail out when chmap is already present 2016-05-10 17:05:16 +02:00
pcm_memory.c ALSA: Include linux/io.h instead of asm/io.h 2015-01-28 16:49:33 +01:00
pcm_misc.c ALSA: pcm: Add snd_pcm_rate_range_to_bits() 2016-02-05 18:49:00 +00:00
pcm_native.c ALSA: pcm: Fix poll error return codes 2016-05-09 17:34:49 +02:00
pcm_timer.c ALSA: pcm: Use standard printk helpers 2014-02-14 08:14:15 +01:00
pcm_trace.h ALSA: pcm: Replace PCM hwptr tracking with tracepoints 2014-11-04 14:09:14 +01:00
rawmidi.c ALSA: rawmidi: Fix possible deadlock with virmidi registration 2016-09-08 10:45:20 +02:00
rawmidi_compat.c ALSA: rawmidi: Fix ioctls X32 ABI 2016-02-28 17:44:51 +01:00
sgbuf.c ALSA: core: Deletion of unnecessary checks before two function calls 2014-11-21 20:06:57 +01:00
sound.c ALSA: replace CONFIG_PROC_FS with CONFIG_SND_PROC_FS 2015-05-27 21:25:19 +02:00
sound_oss.c ALSA: replace CONFIG_PROC_FS with CONFIG_SND_PROC_FS 2015-05-27 21:25:19 +02:00
timer.c ALSA: timer: Fix zero-division by continue of uninitialized instance 2016-09-08 10:45:05 +02:00
timer_compat.c ALSA: timer: fix gparams ioctl compatibility for different architectures 2016-03-23 08:06:16 +01:00
vmaster.c ALSA: core: Use standard printk helpers 2014-02-14 08:14:15 +01:00