Re: sound: deadlock between snd_rawmidi_kernel_open/snd_seq_port_connect

2016-02-03 Thread Takashi Iwai
On Wed, 03 Feb 2016 14:22:18 +0100,
Dmitry Vyukov wrote:
> 
> On Wed, Feb 3, 2016 at 8:47 AM, Takashi Iwai  wrote:
> >> > This looks like a false-positive report to me.  Of course, we should
> >> > annotate the mutex there for nested locks, though.
> >>
> >>
> >> Takashi, can you please annotate it for lockdep? I hit it on every run.
> >
> > The lock had an annotation but alas it didn't seem enough.
> > Anyway, it's not good to have double locks if it's avoidable.  So I
> > worked on it now, and below is the current result of the hack.
> >
> > The change became a bit more intrusive than wished, but it should be
> > still simple enough.  I put this on top of topic/core-fixes branch.
> 
> 
> I don't see the deadlock reports now. Thanks!

Good to hear, now queued for the next pull request.
Thanks for quick tests!


Takashi


Re: sound: deadlock between snd_rawmidi_kernel_open/snd_seq_port_connect

2016-02-03 Thread Dmitry Vyukov
On Wed, Feb 3, 2016 at 8:47 AM, Takashi Iwai  wrote:
>> > This looks like a false-positive report to me.  Of course, we should
>> > annotate the mutex there for nested locks, though.
>>
>>
>> Takashi, can you please annotate it for lockdep? I hit it on every run.
>
> The lock had an annotation but alas it didn't seem enough.
> Anyway, it's not good to have double locks if it's avoidable.  So I
> worked on it now, and below is the current result of the hack.
>
> The change became a bit more intrusive than wished, but it should be
> still simple enough.  I put this on top of topic/core-fixes branch.


I don't see the deadlock reports now. Thanks!


> thanks,
>
> Takashi
>
> -- 8< --
> From: Takashi Iwai 
> Subject: [PATCH] ALSA: seq: Fix lockdep warnings due to double mutex locks
>
> The port subscription code uses double mutex locks for source and
> destination ports, and this may become racy once when wrongly set up.
> It leads to lockdep warning splat, typically triggered by fuzzer like
> syzkaller, although the actual deadlock hasn't been seen, so far.
>
> This patch simplifies the handling by reducing to two single locks, so
> that no lockdep warning will be triggered any longer.
>
> By splitting to two actions, a still-in-progress element shall be
> added in one list while handling another.  For ignoring this element,
> a new check is added in deliver_to_subscribers().
>
> Along with it, the code to add/remove the subscribers list element was
> cleaned up and refactored.
>
> Cc: 
> Signed-off-by: Takashi Iwai 
> ---
>  sound/core/seq/seq_clientmgr.c |   3 +
>  sound/core/seq/seq_ports.c | 233 
> +++--
>  2 files changed, 133 insertions(+), 103 deletions(-)
>
> diff --git a/sound/core/seq/seq_clientmgr.c b/sound/core/seq/seq_clientmgr.c
> index 13cfa815732d..58e79e02f217 100644
> --- a/sound/core/seq/seq_clientmgr.c
> +++ b/sound/core/seq/seq_clientmgr.c
> @@ -678,6 +678,9 @@ static int deliver_to_subscribers(struct snd_seq_client 
> *client,
> else
> down_read(>list_mutex);
> list_for_each_entry(subs, >list_head, src_list) {
> +   /* both ports ready? */
> +   if (atomic_read(>ref_count) != 2)
> +   continue;
> event->dest = subs->info.dest;
> if (subs->info.flags & SNDRV_SEQ_PORT_SUBS_TIMESTAMP)
> /* convert time according to flag with subscription */
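
Review bot: the `!= 2` comparison in the new "both ports ready?" check hard-codes what ref_count means, and the three-word comment does not say why 2 is the ready value. Suggest giving the condition a name (a small helper or a constant) and extending the comment to state that an element linked on only one list is still in progress and is skipped on purpose, as the commit message explains.
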
> diff --git a/sound/core/seq/seq_ports.c b/sound/core/seq/seq_ports.c
> index 55170a20ae72..921fb2bd8fad 100644
> --- a/sound/core/seq/seq_ports.c
> +++ b/sound/core/seq/seq_ports.c
> @@ -173,10 +173,6 @@ struct snd_seq_client_port *snd_seq_create_port(struct 
> snd_seq_client *client,
>  }
>
>  /* */
> -enum group_type {
> -   SRC_LIST, DEST_LIST
> -};
> -
>  static int subscribe_port(struct snd_seq_client *client,
>   struct snd_seq_client_port *port,
>   struct snd_seq_port_subs_info *grp,
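
Review bot: with enum group_type removed, the empty `/* */` comment left directly above subscribe_port() no longer separates anything. Drop it in the same change, or replace it with a one-line comment describing subscribe_port().
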
> @@ -203,6 +199,20 @@ static struct snd_seq_client_port 
> *get_client_port(struct snd_seq_addr *addr,
> return NULL;
>  }
>
> +static void delete_and_unsubscribe_port(struct snd_seq_client *client,
> +   struct snd_seq_client_port *port,
> +   struct snd_seq_subscribers *subs,
> +   bool is_src, bool ack);
> +
> +static inline struct snd_seq_subscribers *
> +get_subscriber(struct list_head *p, bool is_src)
> +{
> +   if (is_src)
> +   return list_entry(p, struct snd_seq_subscribers, src_list);
> +   else
> +   return list_entry(p, struct snd_seq_subscribers, dest_list);
> +}
> +
>  /*
>   * remove all subscribers on the list
>   * this is called from port_delete, for each src and dest list.
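
Review bot: the forward declaration of delete_and_unsubscribe_port() ends in two adjacent bool parameters, `bool is_src, bool ack`, so a call site reads as (..., true, false) and the two can be transposed without any compiler warning. Add a comment on the declaration saying what each flag selects, or pass a single flags or enum argument instead. In get_subscriber() the `else` after the first `return` is redundant and can be dropped.
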
> @@ -210,7 +220,7 @@ static struct snd_seq_client_port *get_client_port(struct 
> snd_seq_addr *addr,
>  static void clear_subscriber_list(struct snd_seq_client *client,
>   struct snd_seq_client_port *port,
>   struct snd_seq_port_subs_info *grp,
> - int grptype)
> + int is_src)
>  {
> struct list_head *p, *n;
>
> @@ -219,15 +229,13 @@ static void clear_subscriber_list(struct snd_seq_client 
> *client,
> struct snd_seq_client *c;
> struct snd_seq_client_port *aport;
>
> -   if (grptype == SRC_LIST) {
> -   subs = list_entry(p, struct snd_seq_subscribers, 
> src_list);
> +   subs = get_subscriber(p, is_src);
> +   if (is_src)
> aport = get_client_port(>info.dest, );
> -   } else {
> -   subs = list_entry(p, struct snd_seq_subscribers, 
> dest_list);
> +   else
> aport = get_client_port(>info.sender, 
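
A user-space model of the scheme the commit message above describes, added here as an illustration (it is not code from the patch or from the ALSA tree): each list is updated under its own lock only, so a subscription is briefly visible on the source list with ref_count 1, and delivery skips it until both sides are linked. The struct and function names, the pthread mutexes standing in for list_mutex, and the reading of ref_count as "number of lists the element is linked on" are assumptions.

```c
#include <pthread.h>
#include <stdatomic.h>
#include <stddef.h>
#include <stdio.h>

#define MAX_SUBS 4

/* Hypothetical stand-in for the shared element; ref_count is assumed to be
 * the number of port lists it is currently linked on. */
struct subscription { atomic_int ref_count; };

/* Hypothetical stand-in for one port's subscriber list and its lock. */
struct port {
    pthread_mutex_t list_lock;            /* models that port's list_mutex */
    struct subscription *subs[MAX_SUBS];
    size_t nsubs;
};

static void port_init(struct port *p)
{
    pthread_mutex_init(&p->list_lock, NULL);
    p->nsubs = 0;
}

/* Link s on one port's list while holding only that port's lock. */
static int link_side(struct port *p, struct subscription *s)
{
    int ret = -1;
    pthread_mutex_lock(&p->list_lock);
    if (p->nsubs < MAX_SUBS) {
        p->subs[p->nsubs++] = s;
        atomic_fetch_add(&s->ref_count, 1);
        ret = 0;
    }
    pthread_mutex_unlock(&p->list_lock);
    return ret;
}

/* Undo link_side(); rolls back a connect whose second step failed. */
static void unlink_side(struct port *p, struct subscription *s)
{
    pthread_mutex_lock(&p->list_lock);
    for (size_t i = 0; i < p->nsubs; i++) {
        if (p->subs[i] != s)
            continue;
        p->subs[i] = p->subs[--p->nsubs];
        atomic_fetch_sub(&s->ref_count, 1);
        break;
    }
    pthread_mutex_unlock(&p->list_lock);
}

/* Connect in two single-lock steps; the two locks are never held together.
 * The caller must have initialised s->ref_count. */
static int connect_ports(struct port *src, struct port *dest,
                         struct subscription *s)
{
    atomic_store(&s->ref_count, 0);
    if (link_side(src, s) < 0)
        return -1;
    /* Window: s is already on src's list, but ref_count is only 1. */
    if (link_side(dest, s) < 0) {
        unlink_side(src, s);
        return -1;
    }
    return 0;
}

/* Walk the source list and skip entries that are not linked on both sides. */
static int deliver(struct port *src)
{
    int delivered = 0;
    pthread_mutex_lock(&src->list_lock);
    for (size_t i = 0; i < src->nsubs; i++)
        if (atomic_load(&src->subs[i]->ref_count) == 2)
            delivered++;
    pthread_mutex_unlock(&src->list_lock);
    return delivered;
}

/* Constructed scenario: full != 0 runs the whole connect, 0 stops mid-way. */
static int delivered_in(int full)
{
    struct port src, dest;
    struct subscription s;
    port_init(&src);
    port_init(&dest);
    atomic_init(&s.ref_count, 0);
    if (full)
        connect_ports(&src, &dest, &s);
    else
        link_side(&src, &s);
    return deliver(&src);
}

int main(void)
{
    printf("half-linked: %d, connected: %d\n", delivered_in(0), delivered_in(1));
    return 0;
}
```
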

Re: sound: deadlock between snd_rawmidi_kernel_open/snd_seq_port_connect

2016-02-02 Thread Takashi Iwai
On Tue, 02 Feb 2016 22:23:55 +0100,
Dmitry Vyukov wrote:
> 
> On Mon, Jan 25, 2016 at 11:47 AM, Takashi Iwai  wrote:
> > On Sun, 24 Jan 2016 10:44:34 +0100,
> > Dmitry Vyukov wrote:
> >>
> >> Hello,
> >>
> >> While running syzkaller fuzzer I've got the following lockdep report:
> >>
> >> ==
> >> [ INFO: possible circular locking dependency detected ]
> >> 4.4.0+ #276 Not tainted
> >> ---
> >> syz-executor/21025 is trying to acquire lock:
> >>  (register_mutex#5){+.+.+.}, at: []
> >> snd_rawmidi_kernel_open+0x4b/0x260 sound/core/rawmidi.c:341
> >>
> >> but task is already holding lock:
> >>  (>list_mutex/1){+.+...}, at: []
> >> snd_seq_port_connect+0x1ba/0x840 sound/core/seq/seq_ports.c:506
> >>
> >> which lock already depends on the new lock.
> >>
> >>
> >> the existing dependency chain (in reverse order) is:
> >>
> >> -> #2 (>list_mutex/1){+.+...}:
> >>[] lock_acquire+0x1dc/0x430
> >> kernel/locking/lockdep.c:3585
> >>[] down_write_nested+0x4a/0xa0
> >> kernel/locking/rwsem.c:149
> >>[] snd_seq_port_connect+0x1ba/0x840
> >> sound/core/seq/seq_ports.c:506
> >>[] snd_seq_ioctl_subscribe_port+0x1c4/0x290
> >> sound/core/seq/seq_clientmgr.c:1464
> >>[] snd_seq_do_ioctl+0x19d/0x1c0
> >> sound/core/seq/seq_clientmgr.c:2209
> >>[] snd_seq_kernel_client_ctl+0xdb/0x170
> >> sound/core/seq/seq_clientmgr.c:2423
> >>[] snd_seq_oss_create_client+0x253/0x2d5
> >> sound/core/seq/oss/seq_oss_init.c:119
> >>[] alsa_seq_oss_init+0x1af/0x23e
> >> sound/core/seq/oss/seq_oss.c:89
> >>[] do_one_initcall+0x159/0x380 init/main.c:794
> >>[< inline >] do_initcall_level init/main.c:859
> >>[< inline >] do_initcalls init/main.c:867
> >>[< inline >] do_basic_setup init/main.c:885
> >>[] kernel_init_freeable+0x474/0x52d 
> >> init/main.c:1010
> >>[] kernel_init+0x13/0x150 init/main.c:936
> >>[] ret_from_fork+0x3f/0x70
> >> arch/x86/entry/entry_64.S:468
> >>
> >> -> #1 (>list_mutex){.+}:
> >>[] lock_acquire+0x1dc/0x430
> >> kernel/locking/lockdep.c:3585
> >>[] down_read+0x47/0x60 kernel/locking/rwsem.c:22
> >>[< inline >] deliver_to_subscribers
> >> sound/core/seq/seq_clientmgr.c:679
> >>[] snd_seq_deliver_event+0x5a9/0x800
> >> sound/core/seq/seq_clientmgr.c:817
> >>[] snd_seq_kernel_client_dispatch+0x126/0x170
> >> sound/core/seq/seq_clientmgr.c:2401
> >>[] snd_seq_system_broadcast+0xb2/0xf0
> >> sound/core/seq/seq_system.c:101
> >>[] snd_seq_create_kernel_client+0x21e/0x300
> >> sound/core/seq/seq_clientmgr.c:2280
> >>[< inline >] snd_virmidi_dev_attach_seq
> >> sound/core/seq/seq_virmidi.c:372
> >>[] snd_virmidi_dev_register+0x29f/0x750
> >> sound/core/seq/seq_virmidi.c:439
> >>[] snd_rawmidi_dev_register+0x30c/0xd40
> >> sound/core/rawmidi.c:1589
> >>[] __snd_device_register.part.0+0x63/0xc0
> >> sound/core/device.c:164
> >>[< inline >] __snd_device_register sound/core/device.c:162
> >>[] snd_device_register_all+0xad/0x110
> >> sound/core/device.c:212
> >>[] snd_card_register+0xef/0x6a0 
> >> sound/core/init.c:749
> >>[] snd_virmidi_probe+0x3ef/0x590
> >> sound/drivers/virmidi.c:123
> >>[] platform_drv_probe+0x8c/0x160
> >> drivers/base/platform.c:562
> >>[< inline >] really_probe drivers/base/dd.c:377
> >>[] driver_probe_device+0x37e/0xc90
> >> drivers/base/dd.c:499
> >>[] __device_attach_driver+0x19e/0x250
> >> drivers/base/dd.c:584
> >>[] bus_for_each_drv+0x13f/0x1d0 
> >> drivers/base/bus.c:464
> >>[] __device_attach+0x1ef/0x2e0 
> >> drivers/base/dd.c:641
> >>[] device_initial_probe+0x1a/0x20 
> >> drivers/base/dd.c:688
> >>[] bus_probe_device+0x1e9/0x290 
> >> drivers/base/bus.c:558
> >>[] device_add+0x84b/0x1490 
> >> drivers/base/core.c:1120
> >>[] platform_device_add+0x389/0x790
> >> drivers/base/platform.c:403
> >>[] platform_device_register_full+0x396/0x4c0
> >> drivers/base/platform.c:535
> >>[< inline >] platform_device_register_resndata
> >> include/linux/platform_device.h:111
> >>[< inline >] platform_device_register_simple
> >> include/linux/platform_device.h:140
> >>[] alsa_card_virmidi_init+0x104/0x1da
> >> sound/drivers/virmidi.c:172
> >>[] do_one_initcall+0x159/0x380 init/main.c:794
> >>[< inline >] do_initcall_level init/main.c:859
> >>[< inline >] do_initcalls init/main.c:867
> >>[< inline >] do_basic_setup init/main.c:885
> >>[] kernel_init_freeable+0x474/0x52d 
> >> init/main.c:1010
> >>[] kernel_init+0x13/0x150 init/main.c:936
> >>[] ret_from_fork+0x3f/0x70
> >> arch/x86/entry/entry_64.S:468
> >>
> >> -> 

Re: sound: deadlock between snd_rawmidi_kernel_open/snd_seq_port_connect

2016-02-02 Thread Dmitry Vyukov
On Mon, Jan 25, 2016 at 11:47 AM, Takashi Iwai  wrote:
> On Sun, 24 Jan 2016 10:44:34 +0100,
> Dmitry Vyukov wrote:
>>
>> Hello,
>>
>> While running syzkaller fuzzer I've got the following lockdep report:
>>
>> ==
>> [ INFO: possible circular locking dependency detected ]
>> 4.4.0+ #276 Not tainted
>> ---
>> syz-executor/21025 is trying to acquire lock:
>>  (register_mutex#5){+.+.+.}, at: []
>> snd_rawmidi_kernel_open+0x4b/0x260 sound/core/rawmidi.c:341
>>
>> but task is already holding lock:
>>  (>list_mutex/1){+.+...}, at: []
>> snd_seq_port_connect+0x1ba/0x840 sound/core/seq/seq_ports.c:506
>>
>> which lock already depends on the new lock.
>>
>>
>> the existing dependency chain (in reverse order) is:
>>
>> -> #2 (>list_mutex/1){+.+...}:
>>[] lock_acquire+0x1dc/0x430
>> kernel/locking/lockdep.c:3585
>>[] down_write_nested+0x4a/0xa0
>> kernel/locking/rwsem.c:149
>>[] snd_seq_port_connect+0x1ba/0x840
>> sound/core/seq/seq_ports.c:506
>>[] snd_seq_ioctl_subscribe_port+0x1c4/0x290
>> sound/core/seq/seq_clientmgr.c:1464
>>[] snd_seq_do_ioctl+0x19d/0x1c0
>> sound/core/seq/seq_clientmgr.c:2209
>>[] snd_seq_kernel_client_ctl+0xdb/0x170
>> sound/core/seq/seq_clientmgr.c:2423
>>[] snd_seq_oss_create_client+0x253/0x2d5
>> sound/core/seq/oss/seq_oss_init.c:119
>>[] alsa_seq_oss_init+0x1af/0x23e
>> sound/core/seq/oss/seq_oss.c:89
>>[] do_one_initcall+0x159/0x380 init/main.c:794
>>[< inline >] do_initcall_level init/main.c:859
>>[< inline >] do_initcalls init/main.c:867
>>[< inline >] do_basic_setup init/main.c:885
>>[] kernel_init_freeable+0x474/0x52d init/main.c:1010
>>[] kernel_init+0x13/0x150 init/main.c:936
>>[] ret_from_fork+0x3f/0x70
>> arch/x86/entry/entry_64.S:468
>>
>> -> #1 (>list_mutex){.+}:
>>[] lock_acquire+0x1dc/0x430
>> kernel/locking/lockdep.c:3585
>>[] down_read+0x47/0x60 kernel/locking/rwsem.c:22
>>[< inline >] deliver_to_subscribers
>> sound/core/seq/seq_clientmgr.c:679
>>[] snd_seq_deliver_event+0x5a9/0x800
>> sound/core/seq/seq_clientmgr.c:817
>>[] snd_seq_kernel_client_dispatch+0x126/0x170
>> sound/core/seq/seq_clientmgr.c:2401
>>[] snd_seq_system_broadcast+0xb2/0xf0
>> sound/core/seq/seq_system.c:101
>>[] snd_seq_create_kernel_client+0x21e/0x300
>> sound/core/seq/seq_clientmgr.c:2280
>>[< inline >] snd_virmidi_dev_attach_seq
>> sound/core/seq/seq_virmidi.c:372
>>[] snd_virmidi_dev_register+0x29f/0x750
>> sound/core/seq/seq_virmidi.c:439
>>[] snd_rawmidi_dev_register+0x30c/0xd40
>> sound/core/rawmidi.c:1589
>>[] __snd_device_register.part.0+0x63/0xc0
>> sound/core/device.c:164
>>[< inline >] __snd_device_register sound/core/device.c:162
>>[] snd_device_register_all+0xad/0x110
>> sound/core/device.c:212
>>[] snd_card_register+0xef/0x6a0 
>> sound/core/init.c:749
>>[] snd_virmidi_probe+0x3ef/0x590
>> sound/drivers/virmidi.c:123
>>[] platform_drv_probe+0x8c/0x160
>> drivers/base/platform.c:562
>>[< inline >] really_probe drivers/base/dd.c:377
>>[] driver_probe_device+0x37e/0xc90
>> drivers/base/dd.c:499
>>[] __device_attach_driver+0x19e/0x250
>> drivers/base/dd.c:584
>>[] bus_for_each_drv+0x13f/0x1d0 
>> drivers/base/bus.c:464
>>[] __device_attach+0x1ef/0x2e0 drivers/base/dd.c:641
>>[] device_initial_probe+0x1a/0x20 
>> drivers/base/dd.c:688
>>[] bus_probe_device+0x1e9/0x290 
>> drivers/base/bus.c:558
>>[] device_add+0x84b/0x1490 drivers/base/core.c:1120
>>[] platform_device_add+0x389/0x790
>> drivers/base/platform.c:403
>>[] platform_device_register_full+0x396/0x4c0
>> drivers/base/platform.c:535
>>[< inline >] platform_device_register_resndata
>> include/linux/platform_device.h:111
>>[< inline >] platform_device_register_simple
>> include/linux/platform_device.h:140
>>[] alsa_card_virmidi_init+0x104/0x1da
>> sound/drivers/virmidi.c:172
>>[] do_one_initcall+0x159/0x380 init/main.c:794
>>[< inline >] do_initcall_level init/main.c:859
>>[< inline >] do_initcalls init/main.c:867
>>[< inline >] do_basic_setup init/main.c:885
>>[] kernel_init_freeable+0x474/0x52d init/main.c:1010
>>[] kernel_init+0x13/0x150 init/main.c:936
>>[] ret_from_fork+0x3f/0x70
>> arch/x86/entry/entry_64.S:468
>>
>> -> #0 (register_mutex#5){+.+.+.}:
>>[< inline >] check_prev_add kernel/locking/lockdep.c:1853
>>[< inline >] check_prevs_add kernel/locking/lockdep.c:1958
>>[< inline >] validate_chain kernel/locking/lockdep.c:2144
>>[] __lock_acquire+0x31eb/0x4700
>> 

Re: sound: deadlock between snd_rawmidi_kernel_open/snd_seq_port_connect

2016-01-25 Thread Takashi Iwai
On Sun, 24 Jan 2016 10:44:34 +0100,
Dmitry Vyukov wrote:
> 
> Hello,
> 
> While running syzkaller fuzzer I've got the following lockdep report:
> 
> ==
> [ INFO: possible circular locking dependency detected ]
> 4.4.0+ #276 Not tainted
> ---
> syz-executor/21025 is trying to acquire lock:
>  (register_mutex#5){+.+.+.}, at: []
> snd_rawmidi_kernel_open+0x4b/0x260 sound/core/rawmidi.c:341
> 
> but task is already holding lock:
>  (>list_mutex/1){+.+...}, at: []
> snd_seq_port_connect+0x1ba/0x840 sound/core/seq/seq_ports.c:506
> 
> which lock already depends on the new lock.
> 
> 
> the existing dependency chain (in reverse order) is:
> 
> -> #2 (>list_mutex/1){+.+...}:
>[] lock_acquire+0x1dc/0x430
> kernel/locking/lockdep.c:3585
>[] down_write_nested+0x4a/0xa0
> kernel/locking/rwsem.c:149
>[] snd_seq_port_connect+0x1ba/0x840
> sound/core/seq/seq_ports.c:506
>[] snd_seq_ioctl_subscribe_port+0x1c4/0x290
> sound/core/seq/seq_clientmgr.c:1464
>[] snd_seq_do_ioctl+0x19d/0x1c0
> sound/core/seq/seq_clientmgr.c:2209
>[] snd_seq_kernel_client_ctl+0xdb/0x170
> sound/core/seq/seq_clientmgr.c:2423
>[] snd_seq_oss_create_client+0x253/0x2d5
> sound/core/seq/oss/seq_oss_init.c:119
>[] alsa_seq_oss_init+0x1af/0x23e
> sound/core/seq/oss/seq_oss.c:89
>[] do_one_initcall+0x159/0x380 init/main.c:794
>[< inline >] do_initcall_level init/main.c:859
>[< inline >] do_initcalls init/main.c:867
>[< inline >] do_basic_setup init/main.c:885
>[] kernel_init_freeable+0x474/0x52d init/main.c:1010
>[] kernel_init+0x13/0x150 init/main.c:936
>[] ret_from_fork+0x3f/0x70
> arch/x86/entry/entry_64.S:468
> 
> -> #1 (>list_mutex){.+}:
>[] lock_acquire+0x1dc/0x430
> kernel/locking/lockdep.c:3585
>[] down_read+0x47/0x60 kernel/locking/rwsem.c:22
>[< inline >] deliver_to_subscribers
> sound/core/seq/seq_clientmgr.c:679
>[] snd_seq_deliver_event+0x5a9/0x800
> sound/core/seq/seq_clientmgr.c:817
>[] snd_seq_kernel_client_dispatch+0x126/0x170
> sound/core/seq/seq_clientmgr.c:2401
>[] snd_seq_system_broadcast+0xb2/0xf0
> sound/core/seq/seq_system.c:101
>[] snd_seq_create_kernel_client+0x21e/0x300
> sound/core/seq/seq_clientmgr.c:2280
>[< inline >] snd_virmidi_dev_attach_seq
> sound/core/seq/seq_virmidi.c:372
>[] snd_virmidi_dev_register+0x29f/0x750
> sound/core/seq/seq_virmidi.c:439
>[] snd_rawmidi_dev_register+0x30c/0xd40
> sound/core/rawmidi.c:1589
>[] __snd_device_register.part.0+0x63/0xc0
> sound/core/device.c:164
>[< inline >] __snd_device_register sound/core/device.c:162
>[] snd_device_register_all+0xad/0x110
> sound/core/device.c:212
>[] snd_card_register+0xef/0x6a0 sound/core/init.c:749
>[] snd_virmidi_probe+0x3ef/0x590
> sound/drivers/virmidi.c:123
>[] platform_drv_probe+0x8c/0x160
> drivers/base/platform.c:562
>[< inline >] really_probe drivers/base/dd.c:377
>[] driver_probe_device+0x37e/0xc90
> drivers/base/dd.c:499
>[] __device_attach_driver+0x19e/0x250
> drivers/base/dd.c:584
>[] bus_for_each_drv+0x13f/0x1d0 
> drivers/base/bus.c:464
>[] __device_attach+0x1ef/0x2e0 drivers/base/dd.c:641
>[] device_initial_probe+0x1a/0x20 
> drivers/base/dd.c:688
>[] bus_probe_device+0x1e9/0x290 
> drivers/base/bus.c:558
>[] device_add+0x84b/0x1490 drivers/base/core.c:1120
>[] platform_device_add+0x389/0x790
> drivers/base/platform.c:403
>[] platform_device_register_full+0x396/0x4c0
> drivers/base/platform.c:535
>[< inline >] platform_device_register_resndata
> include/linux/platform_device.h:111
>[< inline >] platform_device_register_simple
> include/linux/platform_device.h:140
>[] alsa_card_virmidi_init+0x104/0x1da
> sound/drivers/virmidi.c:172
>[] do_one_initcall+0x159/0x380 init/main.c:794
>[< inline >] do_initcall_level init/main.c:859
>[< inline >] do_initcalls init/main.c:867
>[< inline >] do_basic_setup init/main.c:885
>[] kernel_init_freeable+0x474/0x52d init/main.c:1010
>[] kernel_init+0x13/0x150 init/main.c:936
>[] ret_from_fork+0x3f/0x70
> arch/x86/entry/entry_64.S:468
> 
> -> #0 (register_mutex#5){+.+.+.}:
>[< inline >] check_prev_add kernel/locking/lockdep.c:1853
>[< inline >] check_prevs_add kernel/locking/lockdep.c:1958
>[< inline >] validate_chain kernel/locking/lockdep.c:2144
>[] __lock_acquire+0x31eb/0x4700
> kernel/locking/lockdep.c:3206
>[] lock_acquire+0x1dc/0x430
> kernel/locking/lockdep.c:3585
>[< inline >] __mutex_lock_common kernel/locking/mutex.c:518
>  

Re: sound: deadlock between snd_rawmidi_kernel_open/snd_seq_port_connect

2016-01-25 Thread Takashi Iwai
On Sun, 24 Jan 2016 10:44:34 +0100,
Dmitry Vyukov wrote:
> 
> Hello,
> 
> While running syzkaller fuzzer I've got the following lockdep report:
> 
> ==
> [ INFO: possible circular locking dependency detected ]
> 4.4.0+ #276 Not tainted
> ---
> syz-executor/21025 is trying to acquire lock:
>  (register_mutex#5){+.+.+.}, at: []
> snd_rawmidi_kernel_open+0x4b/0x260 sound/core/rawmidi.c:341
> 
> but task is already holding lock:
>  (>list_mutex/1){+.+...}, at: []
> snd_seq_port_connect+0x1ba/0x840 sound/core/seq/seq_ports.c:506
> 
> which lock already depends on the new lock.
> 
> 
> the existing dependency chain (in reverse order) is:
> 
> -> #2 (>list_mutex/1){+.+...}:
>[] lock_acquire+0x1dc/0x430
> kernel/locking/lockdep.c:3585
>[] down_write_nested+0x4a/0xa0
> kernel/locking/rwsem.c:149
>[] snd_seq_port_connect+0x1ba/0x840
> sound/core/seq/seq_ports.c:506
>[] snd_seq_ioctl_subscribe_port+0x1c4/0x290
> sound/core/seq/seq_clientmgr.c:1464
>[] snd_seq_do_ioctl+0x19d/0x1c0
> sound/core/seq/seq_clientmgr.c:2209
>[] snd_seq_kernel_client_ctl+0xdb/0x170
> sound/core/seq/seq_clientmgr.c:2423
>[] snd_seq_oss_create_client+0x253/0x2d5
> sound/core/seq/oss/seq_oss_init.c:119
>[] alsa_seq_oss_init+0x1af/0x23e
> sound/core/seq/oss/seq_oss.c:89
>[] do_one_initcall+0x159/0x380 init/main.c:794
>[< inline >] do_initcall_level init/main.c:859
>[< inline >] do_initcalls init/main.c:867
>[< inline >] do_basic_setup init/main.c:885
>[] kernel_init_freeable+0x474/0x52d init/main.c:1010
>[] kernel_init+0x13/0x150 init/main.c:936
>[] ret_from_fork+0x3f/0x70
> arch/x86/entry/entry_64.S:468
> 
> -> #1 (>list_mutex){.+}:
>[] lock_acquire+0x1dc/0x430
> kernel/locking/lockdep.c:3585
>[] down_read+0x47/0x60 kernel/locking/rwsem.c:22
>[< inline >] deliver_to_subscribers
> sound/core/seq/seq_clientmgr.c:679
>[] snd_seq_deliver_event+0x5a9/0x800
> sound/core/seq/seq_clientmgr.c:817
>[] snd_seq_kernel_client_dispatch+0x126/0x170
> sound/core/seq/seq_clientmgr.c:2401
>[] snd_seq_system_broadcast+0xb2/0xf0
> sound/core/seq/seq_system.c:101
>[] snd_seq_create_kernel_client+0x21e/0x300
> sound/core/seq/seq_clientmgr.c:2280
>[< inline >] snd_virmidi_dev_attach_seq
> sound/core/seq/seq_virmidi.c:372
>[] snd_virmidi_dev_register+0x29f/0x750
> sound/core/seq/seq_virmidi.c:439
>[] snd_rawmidi_dev_register+0x30c/0xd40
> sound/core/rawmidi.c:1589
>[] __snd_device_register.part.0+0x63/0xc0
> sound/core/device.c:164
>[< inline >] __snd_device_register sound/core/device.c:162
>[] snd_device_register_all+0xad/0x110
> sound/core/device.c:212
>[] snd_card_register+0xef/0x6a0 sound/core/init.c:749
>[] snd_virmidi_probe+0x3ef/0x590
> sound/drivers/virmidi.c:123
>[] platform_drv_probe+0x8c/0x160
> drivers/base/platform.c:562
>[< inline >] really_probe drivers/base/dd.c:377
>[] driver_probe_device+0x37e/0xc90
> drivers/base/dd.c:499
>[] __device_attach_driver+0x19e/0x250
> drivers/base/dd.c:584
>[] bus_for_each_drv+0x13f/0x1d0 
> drivers/base/bus.c:464
>[] __device_attach+0x1ef/0x2e0 drivers/base/dd.c:641
>[] device_initial_probe+0x1a/0x20 
> drivers/base/dd.c:688
>[] bus_probe_device+0x1e9/0x290 
> drivers/base/bus.c:558
>[] device_add+0x84b/0x1490 drivers/base/core.c:1120
>[] platform_device_add+0x389/0x790
> drivers/base/platform.c:403
>[] platform_device_register_full+0x396/0x4c0
> drivers/base/platform.c:535
>[< inline >] platform_device_register_resndata
> include/linux/platform_device.h:111
>[< inline >] platform_device_register_simple
> include/linux/platform_device.h:140
>[] alsa_card_virmidi_init+0x104/0x1da
> sound/drivers/virmidi.c:172
>[] do_one_initcall+0x159/0x380 init/main.c:794
>[< inline >] do_initcall_level init/main.c:859
>[< inline >] do_initcalls init/main.c:867
>[< inline >] do_basic_setup init/main.c:885
>[] kernel_init_freeable+0x474/0x52d init/main.c:1010
>[] kernel_init+0x13/0x150 init/main.c:936
>[] ret_from_fork+0x3f/0x70
> arch/x86/entry/entry_64.S:468
> 
> -> #0 (register_mutex#5){+.+.+.}:
>[< inline >] check_prev_add kernel/locking/lockdep.c:1853
>[< inline >] check_prevs_add kernel/locking/lockdep.c:1958
>[< inline >] validate_chain kernel/locking/lockdep.c:2144
>[] __lock_acquire+0x31eb/0x4700
> kernel/locking/lockdep.c:3206
>[] lock_acquire+0x1dc/0x430
> kernel/locking/lockdep.c:3585
>[< inline >] __mutex_lock_common kernel/locking/mutex.c:518
>  

sound: deadlock between snd_rawmidi_kernel_open/snd_seq_port_connect

2016-01-24 Thread Dmitry Vyukov
Hello,

While running syzkaller fuzzer I've got the following lockdep report:

==
[ INFO: possible circular locking dependency detected ]
4.4.0+ #276 Not tainted
---
syz-executor/21025 is trying to acquire lock:
 (register_mutex#5){+.+.+.}, at: []
snd_rawmidi_kernel_open+0x4b/0x260 sound/core/rawmidi.c:341

but task is already holding lock:
 (>list_mutex/1){+.+...}, at: []
snd_seq_port_connect+0x1ba/0x840 sound/core/seq/seq_ports.c:506

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #2 (>list_mutex/1){+.+...}:
   [] lock_acquire+0x1dc/0x430
kernel/locking/lockdep.c:3585
   [] down_write_nested+0x4a/0xa0
kernel/locking/rwsem.c:149
   [] snd_seq_port_connect+0x1ba/0x840
sound/core/seq/seq_ports.c:506
   [] snd_seq_ioctl_subscribe_port+0x1c4/0x290
sound/core/seq/seq_clientmgr.c:1464
   [] snd_seq_do_ioctl+0x19d/0x1c0
sound/core/seq/seq_clientmgr.c:2209
   [] snd_seq_kernel_client_ctl+0xdb/0x170
sound/core/seq/seq_clientmgr.c:2423
   [] snd_seq_oss_create_client+0x253/0x2d5
sound/core/seq/oss/seq_oss_init.c:119
   [] alsa_seq_oss_init+0x1af/0x23e
sound/core/seq/oss/seq_oss.c:89
   [] do_one_initcall+0x159/0x380 init/main.c:794
   [< inline >] do_initcall_level init/main.c:859
   [< inline >] do_initcalls init/main.c:867
   [< inline >] do_basic_setup init/main.c:885
   [] kernel_init_freeable+0x474/0x52d init/main.c:1010
   [] kernel_init+0x13/0x150 init/main.c:936
   [] ret_from_fork+0x3f/0x70
arch/x86/entry/entry_64.S:468

-> #1 (>list_mutex){.+}:
   [] lock_acquire+0x1dc/0x430
kernel/locking/lockdep.c:3585
   [] down_read+0x47/0x60 kernel/locking/rwsem.c:22
   [< inline >] deliver_to_subscribers
sound/core/seq/seq_clientmgr.c:679
   [] snd_seq_deliver_event+0x5a9/0x800
sound/core/seq/seq_clientmgr.c:817
   [] snd_seq_kernel_client_dispatch+0x126/0x170
sound/core/seq/seq_clientmgr.c:2401
   [] snd_seq_system_broadcast+0xb2/0xf0
sound/core/seq/seq_system.c:101
   [] snd_seq_create_kernel_client+0x21e/0x300
sound/core/seq/seq_clientmgr.c:2280
   [< inline >] snd_virmidi_dev_attach_seq
sound/core/seq/seq_virmidi.c:372
   [] snd_virmidi_dev_register+0x29f/0x750
sound/core/seq/seq_virmidi.c:439
   [] snd_rawmidi_dev_register+0x30c/0xd40
sound/core/rawmidi.c:1589
   [] __snd_device_register.part.0+0x63/0xc0
sound/core/device.c:164
   [< inline >] __snd_device_register sound/core/device.c:162
   [] snd_device_register_all+0xad/0x110
sound/core/device.c:212
   [] snd_card_register+0xef/0x6a0 sound/core/init.c:749
   [] snd_virmidi_probe+0x3ef/0x590
sound/drivers/virmidi.c:123
   [] platform_drv_probe+0x8c/0x160
drivers/base/platform.c:562
   [< inline >] really_probe drivers/base/dd.c:377
   [] driver_probe_device+0x37e/0xc90
drivers/base/dd.c:499
   [] __device_attach_driver+0x19e/0x250
drivers/base/dd.c:584
   [] bus_for_each_drv+0x13f/0x1d0 drivers/base/bus.c:464
   [] __device_attach+0x1ef/0x2e0 drivers/base/dd.c:641
   [] device_initial_probe+0x1a/0x20 drivers/base/dd.c:688
   [] bus_probe_device+0x1e9/0x290 drivers/base/bus.c:558
   [] device_add+0x84b/0x1490 drivers/base/core.c:1120
   [] platform_device_add+0x389/0x790
drivers/base/platform.c:403
   [] platform_device_register_full+0x396/0x4c0
drivers/base/platform.c:535
   [< inline >] platform_device_register_resndata
include/linux/platform_device.h:111
   [< inline >] platform_device_register_simple
include/linux/platform_device.h:140
   [] alsa_card_virmidi_init+0x104/0x1da
sound/drivers/virmidi.c:172
   [] do_one_initcall+0x159/0x380 init/main.c:794
   [< inline >] do_initcall_level init/main.c:859
   [< inline >] do_initcalls init/main.c:867
   [< inline >] do_basic_setup init/main.c:885
   [] kernel_init_freeable+0x474/0x52d init/main.c:1010
   [] kernel_init+0x13/0x150 init/main.c:936
   [] ret_from_fork+0x3f/0x70
arch/x86/entry/entry_64.S:468

-> #0 (register_mutex#5){+.+.+.}:
   [< inline >] check_prev_add kernel/locking/lockdep.c:1853
   [< inline >] check_prevs_add kernel/locking/lockdep.c:1958
   [< inline >] validate_chain kernel/locking/lockdep.c:2144
   [] __lock_acquire+0x31eb/0x4700
kernel/locking/lockdep.c:3206
   [] lock_acquire+0x1dc/0x430
kernel/locking/lockdep.c:3585
   [< inline >] __mutex_lock_common kernel/locking/mutex.c:518
   [] mutex_lock_nested+0xb1/0xa50
kernel/locking/mutex.c:618
   [] snd_rawmidi_kernel_open+0x4b/0x260
sound/core/rawmidi.c:341
   [] midisynth_subscribe+0xf7/0x340
sound/core/seq/seq_midi.c:188
   [] subscribe_port.isra.2+0x14e/0x2b0
sound/core/seq/seq_ports.c:426
   [] 
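Reading the report above as lock-order edges, as an added example that is not part of the original post: lockdep lists the lock being acquired as `#0` and the already-held lock as the last entry, so the recorded edges run `#0 -> #1 -> #2` and the new acquisition adds the closing edge. The `REPORT` string holds only the header lines of the report (stack frames omitted, lock names exactly as they appear on this page); `parse_report` and `lock_order_cycle` are hypothetical helper names.

```python
import re

# Header lines taken from the report above; stack frames are omitted and the
# lock names are left exactly as the archive shows them.
REPORT = """\
syz-executor/21025 is trying to acquire lock:
 (register_mutex#5){+.+.+.}, at: []
snd_rawmidi_kernel_open+0x4b/0x260 sound/core/rawmidi.c:341

but task is already holding lock:
 (>list_mutex/1){+.+...}, at: []
snd_seq_port_connect+0x1ba/0x840 sound/core/seq/seq_ports.c:506

the existing dependency chain (in reverse order) is:

-> #2 (>list_mutex/1){+.+...}:
-> #1 (>list_mutex){.+}:
-> #0 (register_mutex#5){+.+.+.}:
"""

LOCK = re.compile(r"^\s*\((?P<name>.+)\)\{[^}]*\}, at:")
CHAIN = re.compile(r"^-> #(?P<depth>\d+) \((?P<name>.+)\)\{[^}]*\}:")

def parse_report(text):
    """Return (wanted, held, chain) with chain ordered #0, #1, ... #N."""
    wanted = held = section = None
    chain = {}
    for line in text.splitlines():
        if "is trying to acquire lock" in line:
            section = "wanted"
        elif "already holding lock" in line:
            section = "held"
        elif (m := LOCK.match(line)) and section:
            if section == "wanted":
                wanted = m["name"]
            else:
                held = m["name"]
            section = None
        elif m := CHAIN.match(line):
            chain[int(m["depth"])] = m["name"]
    return wanted, held, [chain[d] for d in sorted(chain)]

def lock_order_cycle(text):
    """Recorded edges (#0 -> #1 -> ... -> #N) plus the new held -> wanted edge."""
    wanted, held, chain = parse_report(text)
    if not chain or chain[0] != wanted or chain[-1] != held:
        raise ValueError("report does not describe a closed cycle")
    return list(zip(chain, chain[1:])) + [(held, wanted)]
```

Each pair is (lock held first, lock taken second); the last pair is the acquisition lockdep refused to record because it would close the loop.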
