06ab30034e
A kernel WARNING in snd_rawmidi_transmit_ack() is triggered by syzkaller fuzzer: WARNING: CPU: 1 PID: 20739 at sound/core/rawmidi.c:1136 Call Trace: [< inline >] __dump_stack lib/dump_stack.c:15 [<ffffffff82999e2d>] dump_stack+0x6f/0xa2 lib/dump_stack.c:50 [<ffffffff81352089>] warn_slowpath_common+0xd9/0x140 kernel/panic.c:482 [<ffffffff813522b9>] warn_slowpath_null+0x29/0x30 kernel/panic.c:515 [<ffffffff84f80bd5>] snd_rawmidi_transmit_ack+0x275/0x400 sound/core/rawmidi.c:1136 [<ffffffff84fdb3c1>] snd_virmidi_output_trigger+0x4b1/0x5a0 sound/core/seq/seq_virmidi.c:163 [< inline >] snd_rawmidi_output_trigger sound/core/rawmidi.c:150 [<ffffffff84f87ed9>] snd_rawmidi_kernel_write1+0x549/0x780 sound/core/rawmidi.c:1223 [<ffffffff84f89fd3>] snd_rawmidi_write+0x543/0xb30 sound/core/rawmidi.c:1273 [<ffffffff817b0323>] __vfs_write+0x113/0x480 fs/read_write.c:528 [<ffffffff817b1db7>] vfs_write+0x167/0x4a0 fs/read_write.c:577 [< inline >] SYSC_write fs/read_write.c:624 [<ffffffff817b50a1>] SyS_write+0x111/0x220 fs/read_write.c:616 [<ffffffff86336c36>] entry_SYSCALL_64_fastpath+0x16/0x7a arch/x86/entry/entry_64.S:185 Also a similar warning is found but in another path: Call Trace: [< inline >] __dump_stack lib/dump_stack.c:15 [<ffffffff82be2c0d>] dump_stack+0x6f/0xa2 lib/dump_stack.c:50 [<ffffffff81355139>] warn_slowpath_common+0xd9/0x140 kernel/panic.c:482 [<ffffffff81355369>] warn_slowpath_null+0x29/0x30 kernel/panic.c:515 [<ffffffff8527e69a>] rawmidi_transmit_ack+0x24a/0x3b0 sound/core/rawmidi.c:1133 [<ffffffff8527e851>] snd_rawmidi_transmit_ack+0x51/0x80 sound/core/rawmidi.c:1163 [<ffffffff852d9046>] snd_virmidi_output_trigger+0x2b6/0x570 sound/core/seq/seq_virmidi.c:185 [< inline >] snd_rawmidi_output_trigger sound/core/rawmidi.c:150 [<ffffffff85285a0b>] snd_rawmidi_kernel_write1+0x4bb/0x760 sound/core/rawmidi.c:1252 [<ffffffff85287b73>] snd_rawmidi_write+0x543/0xb30 sound/core/rawmidi.c:1302 [<ffffffff817ba5f3>] __vfs_write+0x113/0x480 fs/read_write.c:528 [<ffffffff817bc087>] vfs_write+0x167/0x4a0 fs/read_write.c:577 [< inline >] SYSC_write fs/read_write.c:624 [<ffffffff817bf371>] SyS_write+0x111/0x220 fs/read_write.c:616 [<ffffffff86660276>] entry_SYSCALL_64_fastpath+0x16/0x7a arch/x86/entry/entry_64.S:185 In the former case, the reason is that virmidi has an open code calling snd_rawmidi_transmit_ack() with the value calculated outside the spinlock. We may use snd_rawmidi_transmit() in a loop just for consuming the input data, but even there, there is a race between snd_rawmidi_transmit_peek() and snd_rawmidi_tranmit_ack(). Similarly in the latter case, it calls snd_rawmidi_transmit_peek() and snd_rawmidi_tranmit_ack() separately without protection, so they are racy as well. The patch tries to address these issues by the following ways: - Introduce the unlocked versions of snd_rawmidi_transmit_peek() and snd_rawmidi_transmit_ack() to be called inside the explicit lock. - Rewrite snd_rawmidi_transmit() to be race-free (the former case). - Make the split calls (the latter case) protected in the rawmidi spin lock. BugLink: http://lkml.kernel.org/r/CACT4Y+YPq1+cYLkadwjWa5XjzF1_Vki1eHnVn-Lm0hzhSpu5PA@mail.gmail.com BugLink: http://lkml.kernel.org/r/CACT4Y+acG4iyphdOZx47Nyq_VHGbpJQK-6xNpiqUjaZYqsXOGw@mail.gmail.com Reported-by: Dmitry Vyukov <dvyukov@google.com> Tested-by: Dmitry Vyukov <dvyukov@google.com> Cc: <stable@vger.kernel.org> Signed-off-by: Takashi Iwai <tiwai@suse.de> |
||
---|---|---|
.. | ||
ac97_codec.h | ||
aci.h | ||
ad1816a.h | ||
ad1843.h | ||
adau1373.h | ||
aess.h | ||
ak4xxx-adda.h | ||
ak4113.h | ||
ak4114.h | ||
ak4117.h | ||
ak4531_codec.h | ||
ak4641.h | ||
alc5623.h | ||
asequencer.h | ||
asound.h | ||
asoundef.h | ||
atmel-abdac.h | ||
atmel-ac97c.h | ||
compress_driver.h | ||
control.h | ||
core.h | ||
cs42l52.h | ||
cs42l56.h | ||
cs42l73.h | ||
cs4231-regs.h | ||
cs4271.h | ||
cs8403.h | ||
cs8427.h | ||
da7213.h | ||
da7218.h | ||
da7219-aad.h | ||
da7219.h | ||
da9055.h | ||
designware_i2s.h | ||
dmaengine_pcm.h | ||
emu10k1_synth.h | ||
emu10k1.h | ||
emu8000_reg.h | ||
emu8000.h | ||
emux_legacy.h | ||
emux_synth.h | ||
es1688.h | ||
gus.h | ||
hda_hwdep.h | ||
hda_i915.h | ||
hda_register.h | ||
hda_regmap.h | ||
hda_verbs.h | ||
hdaudio_ext.h | ||
hdaudio.h | ||
hwdep.h | ||
i2c.h | ||
info.h | ||
initval.h | ||
jack.h | ||
l3.h | ||
max9768.h | ||
max98088.h | ||
max98090.h | ||
max98095.h | ||
memalloc.h | ||
minors.h | ||
mixer_oss.h | ||
mpu401.h | ||
omap-hdmi-audio.h | ||
omap-pcm.h | ||
opl3.h | ||
opl4.h | ||
pcm_drm_eld.h | ||
pcm_iec958.h | ||
pcm_oss.h | ||
pcm_params.h | ||
pcm-indirect.h | ||
pcm.h | ||
pt2258.h | ||
pxa2xx-lib.h | ||
rawmidi.h | ||
rt286.h | ||
rt298.h | ||
rt5640.h | ||
rt5645.h | ||
rt5651.h | ||
rt5659.h | ||
rt5670.h | ||
rt5677.h | ||
s3c24xx_uda134x.h | ||
sb16_csp.h | ||
sb.h | ||
seq_device.h | ||
seq_kernel.h | ||
seq_midi_emul.h | ||
seq_midi_event.h | ||
seq_oss_legacy.h | ||
seq_oss.h | ||
seq_virmidi.h | ||
sh_dac_audio.h | ||
sh_fsi.h | ||
simple_card.h | ||
snd_wavefront.h | ||
soc-dai.h | ||
soc-dapm.h | ||
soc-dpcm.h | ||
soc-topology.h | ||
soc.h | ||
soundfont.h | ||
spear_dma.h | ||
spear_spdif.h | ||
sta32x.h | ||
sta350.h | ||
tas2552-plat.h | ||
tas5086.h | ||
tea6330t.h | ||
timer.h | ||
tlv320aic3x.h | ||
tlv320aic32x4.h | ||
tlv320dac33-plat.h | ||
tlv.h | ||
tpa6130a2-plat.h | ||
uda134x.h | ||
uda1380.h | ||
util_mem.h | ||
vx_core.h | ||
wavefront.h | ||
wm0010.h | ||
wm1250-ev1.h | ||
wm2000.h | ||
wm2200.h | ||
wm5100.h | ||
wm8903.h | ||
wm8904.h | ||
wm8955.h | ||
wm8960.h | ||
wm8962.h | ||
wm8993.h | ||
wm8996.h | ||
wm9081.h | ||
wm9090.h | ||
wss.h |