* [syzbot] [sound?] possible deadlock in _snd_pcm_stream_lock_irqsave (4)
@ 2024-03-18 19:59 syzbot
2024-03-19 6:40 ` Takashi Iwai
` (3 more replies)
0 siblings, 4 replies; 9+ messages in thread
From: syzbot @ 2024-03-18 19:59 UTC (permalink / raw)
To: linux-kernel, linux-sound, perex, syzkaller-bugs, tiwai
Hello,
syzbot found the following issue on:
HEAD commit: fe46a7dd189e Merge tag 'sound-6.9-rc1' of git://git.kernel..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1169a081180000
kernel config: https://syzkaller.appspot.com/x/.config?x=aef2a55903e5791c
dashboard link: https://syzkaller.appspot.com/bug?extid=18840ef96e57b83b7fea
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=113e5fae180000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=11271311180000
Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/7bc7510fe41f/non_bootable_disk-fe46a7dd.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/13635dbe3b05/vmlinux-fe46a7dd.xz
kernel image: https://storage.googleapis.com/syzbot-assets/bf54eeb6380c/bzImage-fe46a7dd.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+18840ef96e57b83b7fea@syzkaller.appspotmail.com
========================================================
WARNING: possible irq lock inversion dependency detected
6.8.0-syzkaller-08951-gfe46a7dd189e #0 Not tainted
--------------------------------------------------------
swapper/2/0 just changed the state of lock:
ffff88802a304110 (&group->lock#2){..-.}-{2:2}, at: _snd_pcm_stream_lock_irqsave+0xa0/0xd0 sound/core/pcm_native.c:170
but this lock took another, SOFTIRQ-unsafe lock in the past:
(&timer->lock){+.+.}-{2:2}
and interrupts could create inverse lock ordering between them.
other info that might help us debug this:
Possible interrupt unsafe locking scenario:
       CPU0                    CPU1
       ----                    ----
  lock(&timer->lock);
                               local_irq_disable();
                               lock(&group->lock#2);
                               lock(&timer->lock);
  <Interrupt>
    lock(&group->lock#2);
*** DEADLOCK ***
no locks held by swapper/2/0.
the shortest dependencies between 2nd lock and 1st lock:
-> (&timer->lock){+.+.}-{2:2} {
HARDIRQ-ON-W at:
lock_acquire kernel/locking/lockdep.c:5754 [inline]
lock_acquire+0x1b1/0x540 kernel/locking/lockdep.c:5719
__raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]
_raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154
spin_lock include/linux/spinlock.h:351 [inline]
class_spinlock_constructor include/linux/spinlock.h:561 [inline]
snd_timer_close_locked+0x65/0xbd0 sound/core/timer.c:412
snd_timer_close+0x8b/0xf0 sound/core/timer.c:464
snd_seq_timer_close+0xa4/0x100 sound/core/seq/seq_timer.c:302
queue_delete+0x49/0xa0 sound/core/seq/seq_queue.c:126
snd_seq_queue_delete+0x45/0x60 sound/core/seq/seq_queue.c:188
snd_seq_kernel_client_ctl+0x107/0x1c0 sound/core/seq/seq_clientmgr.c:2526
delete_seq_queue.isra.0+0xc8/0x150 sound/core/seq/oss/seq_oss_init.c:371
odev_release+0x52/0x80 sound/core/seq/oss/seq_oss.c:144
__fput+0x270/0xb80 fs/file_table.c:422
task_work_run+0x14e/0x250 kernel/task_work.c:180
exit_task_work include/linux/task_work.h:38 [inline]
do_exit+0xa7d/0x2be0 kernel/exit.c:878
do_group_exit+0xd3/0x2a0 kernel/exit.c:1027
__do_sys_exit_group kernel/exit.c:1038 [inline]
__se_sys_exit_group kernel/exit.c:1036 [inline]
__x64_sys_exit_group+0x3e/0x50 kernel/exit.c:1036
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xd2/0x260 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x6d/0x75
SOFTIRQ-ON-W at:
lock_acquire kernel/locking/lockdep.c:5754 [inline]
lock_acquire+0x1b1/0x540 kernel/locking/lockdep.c:5719
__raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]
_raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154
spin_lock include/linux/spinlock.h:351 [inline]
class_spinlock_constructor include/linux/spinlock.h:561 [inline]
snd_timer_close_locked+0x65/0xbd0 sound/core/timer.c:412
snd_timer_close+0x8b/0xf0 sound/core/timer.c:464
snd_seq_timer_close+0xa4/0x100 sound/core/seq/seq_timer.c:302
queue_delete+0x49/0xa0 sound/core/seq/seq_queue.c:126
snd_seq_queue_delete+0x45/0x60 sound/core/seq/seq_queue.c:188
snd_seq_kernel_client_ctl+0x107/0x1c0 sound/core/seq/seq_clientmgr.c:2526
delete_seq_queue.isra.0+0xc8/0x150 sound/core/seq/oss/seq_oss_init.c:371
odev_release+0x52/0x80 sound/core/seq/oss/seq_oss.c:144
__fput+0x270/0xb80 fs/file_table.c:422
task_work_run+0x14e/0x250 kernel/task_work.c:180
exit_task_work include/linux/task_work.h:38 [inline]
do_exit+0xa7d/0x2be0 kernel/exit.c:878
do_group_exit+0xd3/0x2a0 kernel/exit.c:1027
__do_sys_exit_group kernel/exit.c:1038 [inline]
__se_sys_exit_group kernel/exit.c:1036 [inline]
__x64_sys_exit_group+0x3e/0x50 kernel/exit.c:1036
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xd2/0x260 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x6d/0x75
INITIAL USE at:
lock_acquire kernel/locking/lockdep.c:5754 [inline]
lock_acquire+0x1b1/0x540 kernel/locking/lockdep.c:5719
__raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]
_raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154
spin_lock include/linux/spinlock.h:351 [inline]
class_spinlock_constructor include/linux/spinlock.h:561 [inline]
snd_timer_close_locked+0x65/0xbd0 sound/core/timer.c:412
snd_timer_close+0x8b/0xf0 sound/core/timer.c:464
snd_seq_timer_close+0xa4/0x100 sound/core/seq/seq_timer.c:302
queue_delete+0x49/0xa0 sound/core/seq/seq_queue.c:126
snd_seq_queue_delete+0x45/0x60 sound/core/seq/seq_queue.c:188
snd_seq_kernel_client_ctl+0x107/0x1c0 sound/core/seq/seq_clientmgr.c:2526
delete_seq_queue.isra.0+0xc8/0x150 sound/core/seq/oss/seq_oss_init.c:371
odev_release+0x52/0x80 sound/core/seq/oss/seq_oss.c:144
__fput+0x270/0xb80 fs/file_table.c:422
task_work_run+0x14e/0x250 kernel/task_work.c:180
exit_task_work include/linux/task_work.h:38 [inline]
do_exit+0xa7d/0x2be0 kernel/exit.c:878
do_group_exit+0xd3/0x2a0 kernel/exit.c:1027
__do_sys_exit_group kernel/exit.c:1038 [inline]
__se_sys_exit_group kernel/exit.c:1036 [inline]
__x64_sys_exit_group+0x3e/0x50 kernel/exit.c:1036
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xd2/0x260 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x6d/0x75
}
... key at: [<ffffffff949babc0>] __key.6+0x0/0x40
... acquired at:
__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
_raw_spin_lock_irqsave+0x3a/0x60 kernel/locking/spinlock.c:162
class_spinlock_irqsave_constructor include/linux/spinlock.h:574 [inline]
snd_timer_notify+0x111/0x3e0 sound/core/timer.c:1040
snd_pcm_timer_notify sound/core/pcm_native.c:622 [inline]
snd_pcm_post_start+0x272/0x350 sound/core/pcm_native.c:1459
snd_pcm_action_single+0x10a/0x150 sound/core/pcm_native.c:1289
snd_pcm_action+0x70/0x90 sound/core/pcm_native.c:1370
__snd_pcm_lib_xfer+0x13f5/0x1ea0 sound/core/pcm_lib.c:2371
snd_pcm_oss_write3+0xd5/0x1e0 sound/core/oss/pcm_oss.c:1242
io_playback_transfer+0x273/0x300 sound/core/oss/io.c:47
snd_pcm_plug_write_transfer+0x2cd/0x410 sound/core/oss/pcm_plugin.c:630
snd_pcm_oss_write2+0x24f/0x3f0 sound/core/oss/pcm_oss.c:1374
snd_pcm_oss_sync1+0x1bf/0x510 sound/core/oss/pcm_oss.c:1616
snd_pcm_oss_sync+0x617/0x7f0 sound/core/oss/pcm_oss.c:1692
snd_pcm_oss_release+0x291/0x320 sound/core/oss/pcm_oss.c:2575
__fput+0x270/0xb80 fs/file_table.c:422
task_work_run+0x14e/0x250 kernel/task_work.c:180
exit_task_work include/linux/task_work.h:38 [inline]
do_exit+0xa7d/0x2be0 kernel/exit.c:878
do_group_exit+0xd3/0x2a0 kernel/exit.c:1027
__do_sys_exit_group kernel/exit.c:1038 [inline]
__se_sys_exit_group kernel/exit.c:1036 [inline]
__x64_sys_exit_group+0x3e/0x50 kernel/exit.c:1036
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xd2/0x260 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x6d/0x75
-> (&group->lock#2){..-.}-{2:2} {
IN-SOFTIRQ-W at:
lock_acquire kernel/locking/lockdep.c:5754 [inline]
lock_acquire+0x1b1/0x540 kernel/locking/lockdep.c:5719
__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
_raw_spin_lock_irqsave+0x3a/0x60 kernel/locking/spinlock.c:162
_snd_pcm_stream_lock_irqsave+0xa0/0xd0 sound/core/pcm_native.c:170
class_pcm_stream_lock_irqsave_constructor include/sound/pcm.h:669 [inline]
snd_pcm_period_elapsed+0x20/0x50 sound/core/pcm_lib.c:1904
dummy_hrtimer_callback+0x9d/0x1c0 sound/drivers/dummy.c:385
__run_hrtimer kernel/time/hrtimer.c:1692 [inline]
__hrtimer_run_queues+0x20c/0xc20 kernel/time/hrtimer.c:1756
hrtimer_run_softirq+0x17d/0x350 kernel/time/hrtimer.c:1773
__do_softirq+0x218/0x8de kernel/softirq.c:554
invoke_softirq kernel/softirq.c:428 [inline]
__irq_exit_rcu kernel/softirq.c:633 [inline]
irq_exit_rcu+0xb9/0x120 kernel/softirq.c:645
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1043 [inline]
sysvec_apic_timer_interrupt+0x95/0xb0 arch/x86/kernel/apic/apic.c:1043
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
native_safe_halt arch/x86/include/asm/irqflags.h:48 [inline]
arch_safe_halt arch/x86/include/asm/irqflags.h:86 [inline]
default_idle+0xf/0x20 arch/x86/kernel/process.c:742
default_idle_call+0x6d/0xb0 kernel/sched/idle.c:117
cpuidle_idle_call kernel/sched/idle.c:191 [inline]
do_idle+0x32c/0x3f0 kernel/sched/idle.c:332
cpu_startup_entry+0x4f/0x60 kernel/sched/idle.c:430
start_secondary+0x220/0x2b0 arch/x86/kernel/smpboot.c:313
common_startup_64+0x13e/0x148
INITIAL USE at:
lock_acquire kernel/locking/lockdep.c:5754 [inline]
lock_acquire+0x1b1/0x540 kernel/locking/lockdep.c:5719
__raw_spin_lock_irq include/linux/spinlock_api_smp.h:119 [inline]
_raw_spin_lock_irq+0x36/0x50 kernel/locking/spinlock.c:170
spin_lock_irq include/linux/spinlock.h:376 [inline]
snd_pcm_group_lock_irq sound/core/pcm_native.c:97 [inline]
snd_pcm_stream_lock_irq sound/core/pcm_native.c:136 [inline]
class_pcm_stream_lock_irq_constructor include/sound/pcm.h:666 [inline]
snd_pcm_hw_params+0x151/0x1a30 sound/core/pcm_native.c:740
snd_pcm_kernel_ioctl+0x147/0x2d0 sound/core/pcm_native.c:3434
snd_pcm_oss_change_params_locked+0x146c/0x3aa0 sound/core/oss/pcm_oss.c:965
snd_pcm_oss_make_ready_locked+0xb7/0x130 sound/core/oss/pcm_oss.c:1187
snd_pcm_oss_write1 sound/core/oss/pcm_oss.c:1405 [inline]
snd_pcm_oss_write+0x4af/0xa10 sound/core/oss/pcm_oss.c:2796
vfs_write+0x298/0x1100 fs/read_write.c:588
ksys_write+0x12f/0x260 fs/read_write.c:643
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xd2/0x260 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x6d/0x75
}
... key at: [<ffffffff949baf40>] __key.5+0x0/0x40
... acquired at:
mark_usage kernel/locking/lockdep.c:4567 [inline]
__lock_acquire+0x13d4/0x3b30 kernel/locking/lockdep.c:5091
lock_acquire kernel/locking/lockdep.c:5754 [inline]
lock_acquire+0x1b1/0x540 kernel/locking/lockdep.c:5719
__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
_raw_spin_lock_irqsave+0x3a/0x60 kernel/locking/spinlock.c:162
_snd_pcm_stream_lock_irqsave+0xa0/0xd0 sound/core/pcm_native.c:170
class_pcm_stream_lock_irqsave_constructor include/sound/pcm.h:669 [inline]
snd_pcm_period_elapsed+0x20/0x50 sound/core/pcm_lib.c:1904
dummy_hrtimer_callback+0x9d/0x1c0 sound/drivers/dummy.c:385
__run_hrtimer kernel/time/hrtimer.c:1692 [inline]
__hrtimer_run_queues+0x20c/0xc20 kernel/time/hrtimer.c:1756
hrtimer_run_softirq+0x17d/0x350 kernel/time/hrtimer.c:1773
__do_softirq+0x218/0x8de kernel/softirq.c:554
invoke_softirq kernel/softirq.c:428 [inline]
__irq_exit_rcu kernel/softirq.c:633 [inline]
irq_exit_rcu+0xb9/0x120 kernel/softirq.c:645
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1043 [inline]
sysvec_apic_timer_interrupt+0x95/0xb0 arch/x86/kernel/apic/apic.c:1043
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
native_safe_halt arch/x86/include/asm/irqflags.h:48 [inline]
arch_safe_halt arch/x86/include/asm/irqflags.h:86 [inline]
default_idle+0xf/0x20 arch/x86/kernel/process.c:742
default_idle_call+0x6d/0xb0 kernel/sched/idle.c:117
cpuidle_idle_call kernel/sched/idle.c:191 [inline]
do_idle+0x32c/0x3f0 kernel/sched/idle.c:332
cpu_startup_entry+0x4f/0x60 kernel/sched/idle.c:430
start_secondary+0x220/0x2b0 arch/x86/kernel/smpboot.c:313
common_startup_64+0x13e/0x148
stack backtrace:
CPU: 2 PID: 0 Comm: swapper/2 Not tainted 6.8.0-syzkaller-08951-gfe46a7dd189e #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:114
print_irq_inversion_bug.part.0+0x3e9/0x5a0 kernel/locking/lockdep.c:4080
print_irq_inversion_bug kernel/locking/lockdep.c:4033 [inline]
check_usage_forwards kernel/locking/lockdep.c:4111 [inline]
mark_lock_irq kernel/locking/lockdep.c:4243 [inline]
mark_lock+0x574/0xc60 kernel/locking/lockdep.c:4678
mark_usage kernel/locking/lockdep.c:4567 [inline]
__lock_acquire+0x13d4/0x3b30 kernel/locking/lockdep.c:5091
lock_acquire kernel/locking/lockdep.c:5754 [inline]
lock_acquire+0x1b1/0x540 kernel/locking/lockdep.c:5719
__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
_raw_spin_lock_irqsave+0x3a/0x60 kernel/locking/spinlock.c:162
_snd_pcm_stream_lock_irqsave+0xa0/0xd0 sound/core/pcm_native.c:170
class_pcm_stream_lock_irqsave_constructor include/sound/pcm.h:669 [inline]
snd_pcm_period_elapsed+0x20/0x50 sound/core/pcm_lib.c:1904
dummy_hrtimer_callback+0x9d/0x1c0 sound/drivers/dummy.c:385
__run_hrtimer kernel/time/hrtimer.c:1692 [inline]
__hrtimer_run_queues+0x20c/0xc20 kernel/time/hrtimer.c:1756
hrtimer_run_softirq+0x17d/0x350 kernel/time/hrtimer.c:1773
__do_softirq+0x218/0x8de kernel/softirq.c:554
invoke_softirq kernel/softirq.c:428 [inline]
__irq_exit_rcu kernel/softirq.c:633 [inline]
irq_exit_rcu+0xb9/0x120 kernel/softirq.c:645
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1043 [inline]
sysvec_apic_timer_interrupt+0x95/0xb0 arch/x86/kernel/apic/apic.c:1043
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0010:native_irq_disable arch/x86/include/asm/irqflags.h:37 [inline]
RIP: 0010:arch_local_irq_disable arch/x86/include/asm/irqflags.h:72 [inline]
RIP: 0010:default_idle+0xf/0x20 arch/x86/kernel/process.c:743
Code: 4c 01 c7 4c 29 c2 e9 72 ff ff ff 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 66 90 0f 00 2d e3 41 34 00 fb f4 <fa> c3 cc cc cc cc 66 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90
RSP: 0018:ffffc90000187e08 EFLAGS: 00000242
RAX: 0000000000025cab RBX: 0000000000000002 RCX: ffffffff8ad255f9
RDX: 0000000000000000 RSI: ffffffff8b0cb740 RDI: ffffffff8b6e88a0
RBP: ffffed1002f52910 R08: 0000000000000001 R09: ffffed100d686fdd
R10: ffff88806b437eeb R11: 0000000000000000 R12: 0000000000000002
R13: ffff888017a94880 R14: ffffffff8f9e6f90 R15: 0000000000000000
default_idle_call+0x6d/0xb0 kernel/sched/idle.c:117
cpuidle_idle_call kernel/sched/idle.c:191 [inline]
do_idle+0x32c/0x3f0 kernel/sched/idle.c:332
cpu_startup_entry+0x4f/0x60 kernel/sched/idle.c:430
start_secondary+0x220/0x2b0 arch/x86/kernel/smpboot.c:313
common_startup_64+0x13e/0x148
</TASK>
----------------
Code disassembly (best guess):
0: 4c 01 c7 add %r8,%rdi
3: 4c 29 c2 sub %r8,%rdx
6: e9 72 ff ff ff jmp 0xffffff7d
b: 90 nop
c: 90 nop
d: 90 nop
e: 90 nop
f: 90 nop
10: 90 nop
11: 90 nop
12: 90 nop
13: 90 nop
14: 90 nop
15: 90 nop
16: 90 nop
17: 90 nop
18: 90 nop
19: 90 nop
1a: 90 nop
1b: f3 0f 1e fa endbr64
1f: 66 90 xchg %ax,%ax
21: 0f 00 2d e3 41 34 00 verw 0x3441e3(%rip) # 0x34420b
28: fb sti
29: f4 hlt
* 2a: fa cli <-- trapping instruction
2b: c3 ret
2c: cc int3
2d: cc int3
2e: cc int3
2f: cc int3
30: 66 66 2e 0f 1f 84 00 data16 cs nopw 0x0(%rax,%rax,1)
37: 00 00 00 00
3b: 90 nop
3c: 90 nop
3d: 90 nop
3e: 90 nop
3f: 90 nop
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
^ permalink raw reply [flat|nested] 9+ messages in thread
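The two-CPU scenario lockdep prints in the report above is one instance of a general rule: a lock that is taken from (soft)interrupt context must never depend, directly or through other locks, on a lock that is taken with interrupts enabled, because the interrupt can land while a task holds the unsafe lock. The C program below is an added illustration, not kernel code and not from the thread: a toy re-implementation of that lockdep check that replays the three acquisitions the report lists (timer->lock in snd_timer_close_locked, group->lock then timer->lock on the PCM start path, group->lock from the hrtimer softirq), once with the plain guard(spinlock) that the report flags and once with the irqsave variant. The lock names and the sequence come from the report; the checker API (lock_register, lock_acquire, lock_release, replay_report) and the simplified three-way context model are invented for the example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Toy model of lockdep's IRQ-safety bookkeeping (added illustration, not
 * kernel code). Per lock class it records whether the lock was ever taken
 * with IRQs enabled (lockdep's SOFTIRQ-ON-W), whether it was ever taken from
 * softirq context (IN-SOFTIRQ-W), and which locks were taken while it was
 * held (the dependency edges). */
#define MAX_LOCKS 8

enum ctx { CTX_TASK_IRQ_ON, CTX_TASK_IRQ_OFF, CTX_SOFTIRQ };
enum verdict { VERDICT_OK = 0, VERDICT_IRQ_INVERSION = 1,
               VERDICT_INCONSISTENT_STATE = 2 };

struct lock_class {
    const char *name;
    bool irq_on_w;        /* taken with IRQs enabled */
    bool in_softirq_w;    /* taken from softirq */
    bool dep[MAX_LOCKS];  /* dep[b]: b was taken while this lock was held */
};

struct checker {
    struct lock_class cls[MAX_LOCKS];
    int n;
    int held[MAX_LOCKS];
    int nheld;
};

static int lock_register(struct checker *c, const char *name)
{
    memset(&c->cls[c->n], 0, sizeof c->cls[c->n]);
    c->cls[c->n].name = name;
    return c->n++;
}

/* Depth-first walk: is a lock that was taken with IRQs enabled reachable
 * from `from` through dependency edges? */
static bool reaches_irq_on_lock(const struct checker *c, int from, bool *seen)
{
    if (seen[from])
        return false;
    seen[from] = true;
    if (c->cls[from].irq_on_w)
        return true;
    for (int b = 0; b < c->n; b++)
        if (c->cls[from].dep[b] && reaches_irq_on_lock(c, b, seen))
            return true;
    return false;
}

static enum verdict lock_acquire(struct checker *c, int id, enum ctx ctx)
{
    struct lock_class *l = &c->cls[id];
    bool seen[MAX_LOCKS];

    if (ctx == CTX_SOFTIRQ)
        l->in_softirq_w = true;
    else if (ctx == CTX_TASK_IRQ_ON)
        l->irq_on_w = true;

    /* Same lock taken both with IRQs on and from softirq: the softirq can
     * land while a task holds it (lockdep's "inconsistent lock state"). */
    if (l->in_softirq_w && l->irq_on_w)
        return VERDICT_INCONSISTENT_STATE;

    for (int i = 0; i < c->nheld; i++)      /* record held -> id edges */
        c->cls[c->held[i]].dep[id] = true;
    c->held[c->nheld++] = id;

    /* Forward check: no softirq-safe lock may depend on an IRQ-on lock. */
    for (int a = 0; a < c->n; a++) {
        if (!c->cls[a].in_softirq_w)
            continue;
        memset(seen, 0, sizeof seen);
        seen[a] = true;                     /* a's own state checked above */
        for (int b = 0; b < c->n; b++)
            if (c->cls[a].dep[b] && reaches_irq_on_lock(c, b, seen))
                return VERDICT_IRQ_INVERSION;
    }
    return VERDICT_OK;
}

static void lock_release(struct checker *c, int id)
{
    for (int i = 0; i < c->nheld; i++)
        if (c->held[i] == id) {
            c->held[i] = c->held[--c->nheld];
            return;
        }
}

/* Replays the three acquisitions the lockdep report lists:
 * 1. snd_timer_close_locked takes timer->lock (IRQs on before the fix);
 * 2. the PCM start path takes group->lock with IRQs off, then timer->lock
 *    inside snd_timer_notify;
 * 3. snd_pcm_period_elapsed takes group->lock from the hrtimer softirq. */
static enum verdict replay_report(bool close_uses_irqsave)
{
    struct checker c = { .n = 0, .nheld = 0 };
    int timer = lock_register(&c, "&timer->lock");
    int group = lock_register(&c, "&group->lock#2");
    enum verdict v;

    v = lock_acquire(&c, timer, close_uses_irqsave ? CTX_TASK_IRQ_OFF
                                                   : CTX_TASK_IRQ_ON);
    lock_release(&c, timer);
    if (v != VERDICT_OK)
        return v;

    v = lock_acquire(&c, group, CTX_TASK_IRQ_OFF);
    if (v == VERDICT_OK)
        v = lock_acquire(&c, timer, CTX_TASK_IRQ_OFF);
    lock_release(&c, timer);
    lock_release(&c, group);
    if (v != VERDICT_OK)
        return v;

    v = lock_acquire(&c, group, CTX_SOFTIRQ);
    lock_release(&c, group);
    return v;
}

int main(void)
{
    printf("plain spin_lock in close:  verdict %d\n", replay_report(false));
    printf("spin_lock_irqsave in close: verdict %d\n", replay_report(true));
    return 0;
}
```

The inversion is reported at step 3, the softirq acquisition of group->lock, which is exactly where the real report fires ("swapper/2/0 just changed the state of lock" in snd_pcm_period_elapsed): nothing is wrong with any single acquisition, only with the combination of the earlier IRQs-on acquisition of timer->lock and the group->lock to timer->lock edge. The forward walk corresponds to check_usage_forwards in the stack backtrace; the model ignores hardirq-versus-softirq distinctions and read locks, which the real lockdep tracks separately.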
* Re: [syzbot] [sound?] possible deadlock in _snd_pcm_stream_lock_irqsave (4)
2024-03-18 19:59 [syzbot] [sound?] possible deadlock in _snd_pcm_stream_lock_irqsave (4) syzbot
@ 2024-03-19 6:40 ` Takashi Iwai
2024-03-21 0:40 ` Edward Adam Davis
` (2 subsequent siblings)
3 siblings, 0 replies; 9+ messages in thread
From: Takashi Iwai @ 2024-03-19 6:40 UTC (permalink / raw)
To: syzbot; +Cc: linux-kernel, linux-sound, perex, syzkaller-bugs, tiwai
#syz fix: ALSA: timer: Fix missing irq-disable at closing
* Re: [syzbot] [sound?] possible deadlock in _snd_pcm_stream_lock_irqsave (4)
2024-03-18 19:59 [syzbot] [sound?] possible deadlock in _snd_pcm_stream_lock_irqsave (4) syzbot
2024-03-19 6:40 ` Takashi Iwai
@ 2024-03-21 0:40 ` Edward Adam Davis
2024-03-21 0:42 ` syzbot
2024-03-21 1:30 ` Edward Adam Davis
2024-03-21 2:22 ` [PATCH] ALSA: timer: fix deadlock in _snd_pcm_stream_lock_irqsave Edward Adam Davis
3 siblings, 1 reply; 9+ messages in thread
From: Edward Adam Davis @ 2024-03-21 0:40 UTC (permalink / raw)
To: syzbot+18840ef96e57b83b7fea; +Cc: linux-kernel, syzkaller-bugs
please test dl in _snd_pcm_stream_lock_irqsave
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
diff --git a/sound/core/timer.c b/sound/core/timer.c
index 15b07d09c4b7..c501faa30040 100644
--- a/sound/core/timer.c
+++ b/sound/core/timer.c
@@ -409,7 +409,7 @@ static void snd_timer_close_locked(struct snd_timer_instance *timeri,
struct snd_timer *timer = timeri->timer;
if (timer) {
- guard(spinlock)(&timer->lock);
+ guard(spinlock_irqsave)(&timer->lock);
timeri->flags |= SNDRV_TIMER_IFLG_DEAD;
}
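Review bot: the test request targets the `master` branch instead of the commit the report was generated on (fe46a7dd189e, listed as HEAD commit in the report), and the hunk's context line `guard(spinlock)(&timer->lock);` no longer matched there: syzbot's reply below records "Hunk #1 FAILED at 409" on commit 23956900, which is consistent with Takashi Iwai's earlier `#syz fix: ALSA: timer: Fix missing irq-disable at closing` already being in the tree. Test against the reported HEAD commit, as the resend does, or rebase the hunk on current master before requesting a test.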
* Re: [syzbot] [sound?] possible deadlock in _snd_pcm_stream_lock_irqsave (4)
2024-03-21 0:40 ` Edward Adam Davis
@ 2024-03-21 0:42 ` syzbot
0 siblings, 0 replies; 9+ messages in thread
From: syzbot @ 2024-03-21 0:42 UTC (permalink / raw)
To: eadavis, linux-kernel, syzkaller-bugs
Hello,
syzbot tried to test the proposed patch but the build/boot failed:
failed to apply patch:
checking file sound/core/timer.c
Hunk #1 FAILED at 409.
1 out of 1 hunk FAILED
Tested on:
commit: 23956900 Merge tag 'v6.9-rc-smb3-server-fixes' of git:..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
kernel config: https://syzkaller.appspot.com/x/.config?x=aef2a55903e5791c
dashboard link: https://syzkaller.appspot.com/bug?extid=18840ef96e57b83b7fea
compiler:
patch: https://syzkaller.appspot.com/x/patch.diff?x=16d8023a180000
* Re: [syzbot] [sound?] possible deadlock in _snd_pcm_stream_lock_irqsave (4)
2024-03-18 19:59 [syzbot] [sound?] possible deadlock in _snd_pcm_stream_lock_irqsave (4) syzbot
2024-03-19 6:40 ` Takashi Iwai
2024-03-21 0:40 ` Edward Adam Davis
@ 2024-03-21 1:30 ` Edward Adam Davis
2024-03-21 1:54 ` syzbot
2024-03-21 2:22 ` [PATCH] ALSA: timer: fix deadlock in _snd_pcm_stream_lock_irqsave Edward Adam Davis
3 siblings, 1 reply; 9+ messages in thread
From: Edward Adam Davis @ 2024-03-21 1:30 UTC (permalink / raw)
To: syzbot+18840ef96e57b83b7fea; +Cc: linux-kernel, syzkaller-bugs
please test dl in _snd_pcm_stream_lock_irqsave
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git fe46a7dd189e
diff --git a/sound/core/timer.c b/sound/core/timer.c
index 15b07d09c4b7..c501faa30040 100644
--- a/sound/core/timer.c
+++ b/sound/core/timer.c
@@ -409,7 +409,7 @@ static void snd_timer_close_locked(struct snd_timer_instance *timeri,
struct snd_timer *timer = timeri->timer;
if (timer) {
- guard(spinlock)(&timer->lock);
+ guard(spinlock_irqsave)(&timer->lock);
timeri->flags |= SNDRV_TIMER_IFLG_DEAD;
}
* Re: [syzbot] [sound?] possible deadlock in _snd_pcm_stream_lock_irqsave (4)
2024-03-18 20:09 [syzbot] [sound?] inconsistent lock state in snd_timer_interrupt syzbot
@ 2024-03-21 1:37 ` Edward Adam Davis
0 siblings, 0 replies; 9+ messages in thread
From: Edward Adam Davis @ 2024-03-21 1:37 UTC (permalink / raw)
To: syzbot+d832e7bb0f8bf47217f1; +Cc: linux-kernel, syzkaller-bugs
please test dl in _snd_pcm_stream_lock_irqsave
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git fe46a7dd189e
diff --git a/sound/core/timer.c b/sound/core/timer.c
index 15b07d09c4b7..c501faa30040 100644
--- a/sound/core/timer.c
+++ b/sound/core/timer.c
@@ -409,7 +409,7 @@ static void snd_timer_close_locked(struct snd_timer_instance *timeri,
struct snd_timer *timer = timeri->timer;
if (timer) {
- guard(spinlock)(&timer->lock);
+ guard(spinlock_irqsave)(&timer->lock);
timeri->flags |= SNDRV_TIMER_IFLG_DEAD;
}
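Review bot: this is the same hunk as the two requests above, now sent to the sibling report "inconsistent lock state in snd_timer_interrupt" (syzbot+d832e7bb0f8bf47217f1); that is reasonable, since both reports name `&timer->lock` and both are explained by the close path taking it without disabling interrupts, but no syzbot test result for this request appears in the thread, so the resolution of the sibling report cannot be confirmed from here.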
* Re: [syzbot] [sound?] possible deadlock in _snd_pcm_stream_lock_irqsave (4)
2024-03-21 1:30 ` Edward Adam Davis
@ 2024-03-21 1:54 ` syzbot
0 siblings, 0 replies; 9+ messages in thread
From: syzbot @ 2024-03-21 1:54 UTC (permalink / raw)
To: eadavis, linux-kernel, syzkaller-bugs
Hello,
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-and-tested-by: syzbot+18840ef96e57b83b7fea@syzkaller.appspotmail.com
Tested on:
commit: fe46a7dd Merge tag 'sound-6.9-rc1' of git://git.kernel..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=1268783a180000
kernel config: https://syzkaller.appspot.com/x/.config?x=aef2a55903e5791c
dashboard link: https://syzkaller.appspot.com/bug?extid=18840ef96e57b83b7fea
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=10928f15180000
Note: testing is done by a robot and is best-effort only.
* [PATCH] ALSA: timer: fix deadlock in _snd_pcm_stream_lock_irqsave
2024-03-18 19:59 [syzbot] [sound?] possible deadlock in _snd_pcm_stream_lock_irqsave (4) syzbot
` (2 preceding siblings ...)
2024-03-21 1:30 ` Edward Adam Davis
@ 2024-03-21 2:22 ` Edward Adam Davis
2024-03-21 6:33 ` Takashi Iwai
3 siblings, 1 reply; 9+ messages in thread
From: Edward Adam Davis @ 2024-03-21 2:22 UTC (permalink / raw)
To: syzbot+18840ef96e57b83b7fea
Cc: linux-kernel, linux-sound, perex, syzkaller-bugs, tiwai
[Syzbot reported]
swapper/2/0 just changed the state of lock:
ffff88802a304110 (&group->lock#2){..-.}-{2:2}, at: _snd_pcm_stream_lock_irqsave+0xa0/0xd0 sound/core/pcm_native.c:170
but this lock took another, SOFTIRQ-unsafe lock in the past:
(&timer->lock){+.+.}-{2:2}
and interrupts could create inverse lock ordering between them.
other info that might help us debug this:
Possible interrupt unsafe locking scenario:
       CPU0                    CPU1
       ----                    ----
  lock(&timer->lock);
                               local_irq_disable();
                               lock(&group->lock#2);
                               lock(&timer->lock);
  <Interrupt>
    lock(&group->lock#2);
*** DEADLOCK ***
[Fix]
Ensure that the context interrupt state is the same before and after using the
timer->lock.
Fixes: beb45974dd49 ("ALSA: timer: Use guard() for locking")
Reported-and-tested-by: syzbot+18840ef96e57b83b7fea@syzkaller.appspotmail.com
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
---
sound/core/timer.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sound/core/timer.c b/sound/core/timer.c
index 15b07d09c4b7..c501faa30040 100644
--- a/sound/core/timer.c
+++ b/sound/core/timer.c
@@ -409,7 +409,7 @@ static void snd_timer_close_locked(struct snd_timer_instance *timeri,
struct snd_timer *timer = timeri->timer;
if (timer) {
- guard(spinlock)(&timer->lock);
+ guard(spinlock_irqsave)(&timer->lock);
timeri->flags |= SNDRV_TIMER_IFLG_DEAD;
}
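Review bot: this patch duplicates a fix that is already in Linus's tree (Takashi Iwai's reply below points to 587d67fd929ad89801bcc429675bda90d53f6592, the "ALSA: timer: Fix missing irq-disable at closing" named in the earlier `#syz fix` reply), so it should be dropped rather than applied. The hunk itself is the right shape: the report shows `&timer->lock` being acquired with `_raw_spin_lock_irqsave` in `snd_timer_notify` and flags the plain `guard(spinlock)(&timer->lock);` in `snd_timer_close_locked` as the HARDIRQ-ON-W/SOFTIRQ-ON-W usage, so `guard(spinlock_irqsave)` restores the interrupt-disabled acquisition that the `Fixes:` commit lost. Two points on the description: the subject names `_snd_pcm_stream_lock_irqsave`, which is only where lockdep happened to fire, while the defect and the change are in `snd_timer_close_locked` in sound/core/timer.c, so the subject should say that; and "[Fix] Ensure that the context interrupt state is the same before and after using the timer->lock" does not state the actual reason, which is that the lock is also taken from interrupt context, so every task-context acquisition must disable interrupts.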
--
2.43.0
* Re: [PATCH] ALSA: timer: fix deadlock in _snd_pcm_stream_lock_irqsave
2024-03-21 2:22 ` [PATCH] ALSA: timer: fix deadlock in _snd_pcm_stream_lock_irqsave Edward Adam Davis
@ 2024-03-21 6:33 ` Takashi Iwai
0 siblings, 0 replies; 9+ messages in thread
From: Takashi Iwai @ 2024-03-21 6:33 UTC (permalink / raw)
To: Edward Adam Davis
Cc: syzbot+18840ef96e57b83b7fea, linux-kernel, linux-sound, perex,
syzkaller-bugs, tiwai
On Thu, 21 Mar 2024 03:22:24 +0100,
Edward Adam Davis wrote:
>
> [Syzbot reported]
> swapper/2/0 just changed the state of lock:
> ffff88802a304110 (&group->lock#2){..-.}-{2:2}, at: _snd_pcm_stream_lock_irqsave+0xa0/0xd0 sound/core/pcm_native.c:170
> but this lock took another, SOFTIRQ-unsafe lock in the past:
> (&timer->lock){+.+.}-{2:2}
>
>
> and interrupts could create inverse lock ordering between them.
>
>
> other info that might help us debug this:
> Possible interrupt unsafe locking scenario:
>
>        CPU0                    CPU1
>        ----                    ----
>   lock(&timer->lock);
>                                local_irq_disable();
>                                lock(&group->lock#2);
>                                lock(&timer->lock);
>   <Interrupt>
>     lock(&group->lock#2);
>
> *** DEADLOCK ***
> [Fix]
> Ensure that the context interrupt state is the same before and after using the
> timer->lock.
>
> Fixes: beb45974dd49 ("ALSA: timer: Use guard() for locking")
> Reported-and-tested-by: syzbot+18840ef96e57b83b7fea@syzkaller.appspotmail.com
> Signed-off-by: Edward Adam Davis <eadavis@qq.com>
This was already fixed in Linus tree commit
587d67fd929ad89801bcc429675bda90d53f6592.
thanks,
Takashi