Message-ID: <s5hsi0s7p0d.wl-tiwai@suse.de>
Date:	Tue, 16 Feb 2016 14:39:46 +0100
From:	Takashi Iwai <tiwai@...e.de>
To:	Dmitry Vyukov <dvyukov@...gle.com>
Cc:	alsa-devel@...a-project.org, Jaroslav Kysela <perex@...ex.cz>,
	LKML <linux-kernel@...r.kernel.org>,
	Alexander Potapenko <glider@...gle.com>,
	Kostya Serebryany <kcc@...gle.com>,
	syzkaller <syzkaller@...glegroups.com>,
	Sasha Levin <sasha.levin@...cle.com>
Subject: Re: sound: list corruption in delete_and_unsubscribe_port

On Tue, 16 Feb 2016 12:19:31 +0100,
Dmitry Vyukov wrote:
> 
> On Tue, Feb 16, 2016 at 11:00 AM, Takashi Iwai <tiwai@...e.de> wrote:
> > On Tue, 16 Feb 2016 10:41:54 +0100,
> > Dmitry Vyukov wrote:
> >>
> >> Hello,
> >>
> >> Here is a new one on 18558cae0272f8fd9647e69d3fec1565a7949865
> >> (4.5-rc4). But I need to note that sound has become much more stable; I've
> >> seen only 2 of these overnight.
> >>
> >> The following program causes list corruption:
> >>
> >> ------------[ cut here ]------------
> >> WARNING: CPU: 2 PID: 12546 at lib/list_debug.c:62 __list_del_entry+0x10b/0x1e0()
> >> list_del corruption, ffff880063512388->next is LIST_POISON1 (dead000000000100)
> >> Modules linked in:
> >> CPU: 2 PID: 12546 Comm: a.out Not tainted 4.5.0-rc4+ #328
> >> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
> >>  ffffffff87b05080 ffff8800608b7a48 ffffffff82be46cf ffffffff81477fb8
> >>  fffffbfff0f60a10 ffff8800608b7ab8 ffff8800637d97c0 ffffffff86ad3780
> >>  0000000000000009 000000000000003e ffff8800608b7a88 ffffffff81355139
> >> Call Trace:
> >>  [<ffffffff81355249>] warn_slowpath_fmt+0xa9/0xd0 kernel/panic.c:494
> >>  [<ffffffff82c4c36b>] __list_del_entry+0x10b/0x1e0 lib/list_debug.c:60
> >>  [<ffffffff82c4c44d>] list_del+0xd/0x70 lib/list_debug.c:86
> >>  [<ffffffff852c38e3>] delete_and_unsubscribe_port+0x1e3/0x2f0
> >> sound/core/seq/seq_ports.c:545
> >>  [<ffffffff852c43fa>] clear_subscriber_list+0x15a/0x260
> >> sound/core/seq/seq_ports.c:250
> >>  [<ffffffff852c456a>] port_delete+0x6a/0x1c0 sound/core/seq/seq_ports.c:266
> >>  [<ffffffff852c5242>] snd_seq_delete_all_ports+0x242/0x350
> >> sound/core/seq/seq_ports.c:330
> >>  [<ffffffff852ae1cf>] seq_free_client1+0x2f/0x290
> >> sound/core/seq/seq_clientmgr.c:272
> >>  [<ffffffff852ae495>] seq_free_client+0x65/0x160
> >> sound/core/seq/seq_clientmgr.c:299
> >>  [<ffffffff852b118d>] snd_seq_release+0x4d/0xb0
> >> sound/core/seq/seq_clientmgr.c:380
> >>  [<ffffffff817c3256>] __fput+0x236/0x780 fs/file_table.c:208
> >>  [<ffffffff817c3825>] ____fput+0x15/0x20 fs/file_table.c:244
> >>  [<ffffffff813b3100>] task_work_run+0x170/0x210 kernel/task_work.c:115
> >>  [<     inline     >] tracehook_notify_resume include/linux/tracehook.h:191
> >>  [<ffffffff810066b1>] exit_to_usermode_loop+0x1d1/0x210
> >> arch/x86/entry/common.c:251
> >>  [<     inline     >] prepare_exit_to_usermode arch/x86/entry/common.c:282
> >>  [<ffffffff810084ea>] syscall_return_slowpath+0x2ba/0x340
> >> arch/x86/entry/common.c:344
> >>  [<ffffffff866626e2>] int_ret_from_sys_call+0x25/0x9f
> >> arch/x86/entry/entry_64.S:281
> >> ---[ end trace 4cad985f706f8ace ]---
> >
> > Hm, this might be the remaining open race at deleting ports.
> > Please try the patch below.
> 
> Yes, it fixes the crash for me.
> 
> Tested-by: Dmitry Vyukov <dvyukov@...gle.com>
> 
> Thanks!

Good to hear.  FWIW, below is the final patch I'm going to queue.
Thanks for quick testing!


Takashi

-- 8< --
From: Takashi Iwai <tiwai@...e.de>
Subject: [PATCH] ALSA: seq: Fix double port list deletion

The commit [7f0973e973cd: ALSA: seq: Fix lockdep warnings due to
double mutex locks] split the management of two linked lists (source
and destination) into two individual calls for avoiding the AB/BA
deadlock.  However, this may leave the possible double deletion of one
of two lists when the counterpart is being deleted concurrently.
It ends up with a list corruption, as revealed by syzkaller fuzzer.

This patch fixes it by checking the list emptiness and skipping the
deletion and the following process.

BugLink: http://lkml.kernel.org/r/CACT4Y+bay9qsrz6dQu31EcGaH9XwfW7o3oBzSQUG9fMszoh=Sg@mail.gmail.com
Fixes: 7f0973e973cd ('ALSA: seq: Fix lockdep warnings due to double mutex locks')
Reported-by: Dmitry Vyukov <dvyukov@...gle.com>
Tested-by: Dmitry Vyukov <dvyukov@...gle.com>
Cc: <stable@...r.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@...e.de>
---
 sound/core/seq/seq_ports.c | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/sound/core/seq/seq_ports.c b/sound/core/seq/seq_ports.c
index 921fb2bd8fad..fe686ee41c6d 100644
--- a/sound/core/seq/seq_ports.c
+++ b/sound/core/seq/seq_ports.c
@@ -535,19 +535,22 @@ static void delete_and_unsubscribe_port(struct snd_seq_client *client,
 					bool is_src, bool ack)
 {
 	struct snd_seq_port_subs_info *grp;
+	struct list_head *list;
+	bool empty;
 
 	grp = is_src ? &port->c_src : &port->c_dest;
+	list = is_src ? &subs->src_list : &subs->dest_list;
 	down_write(&grp->list_mutex);
 	write_lock_irq(&grp->list_lock);
-	if (is_src)
-		list_del(&subs->src_list);
-	else
-		list_del(&subs->dest_list);
+	empty = list_empty(list);
+	if (!empty)
+		list_del_init(list);
 	grp->exclusive = 0;
 	write_unlock_irq(&grp->list_lock);
 	up_write(&grp->list_mutex);
 
-	unsubscribe_port(client, port, grp, &subs->info, ack);
+	if (!empty)
+		unsubscribe_port(client, port, grp, &subs->info, ack);
 }
 
 /* connect two ports */
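
Review bot: grp->exclusive = 0 is still executed unconditionally, outside the new if (!empty) guard. When the list entry is already empty, the counterpart path has removed this subscription from the group, so this call no longer owns any state in grp; is it safe to clear the flag in that case, or could it reset an exclusive subscription established in between? Consider moving the assignment under the !empty branch, or add a comment saying why the unconditional clear is harmless. A short comment above empty = list_empty(list) would also help, noting that the check only works because the entry is removed with list_del_init() rather than list_del().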
-- 
2.7.1
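
The double deletion described in the commit message, as an added single-threaded userspace model (not part of the original message and not kernel code): plain `list_del()` leaves poison in the entry, while `list_del_init()` plus a `list_empty()` check makes the second teardown path a no-op. The `struct list_head` stand-in, the poison value `0x100`, and the helpers `delete_once`, `plain_del_leaves_poison` and `removals_with_guard` are assumptions for illustration; locking is omitted.

```c
#include <stdbool.h>

/* Userspace stand-in for the kernel's struct list_head (constructed for this example). */
struct list_head { struct list_head *next, *prev; };
#define LIST_POISON1 ((struct list_head *)0x100) /* constructed poison value */

static void init_list_head(struct list_head *h) { h->next = h->prev = h; }
static bool list_empty(const struct list_head *h) { return h->next == h; }
static void list_add(struct list_head *n, struct list_head *head)
{
	n->next = head->next; n->prev = head;
	head->next->prev = n; head->next = n;
}
static void unlink_entry(struct list_head *e) { e->next->prev = e->prev; e->prev->next = e->next; }

/* list_del(): leaves poison behind (one value is enough here), so a second delete follows it. */
static void list_del(struct list_head *e) { unlink_entry(e); e->next = e->prev = LIST_POISON1; }
/* list_del_init(): the entry points at itself, so list_empty(entry) becomes true. */
static void list_del_init(struct list_head *e) { unlink_entry(e); init_list_head(e); }

/* Hypothetical model of the patched path: true only for the caller that really unlinked the entry. */
static bool delete_once(struct list_head *entry)
{
	bool empty = list_empty(entry);
	if (!empty)
		list_del_init(entry);
	return !empty;
}

/* Pre-patch behaviour: after list_del() the entry's next pointer is poison. */
static bool plain_del_leaves_poison(void)
{
	struct list_head head, e;
	init_list_head(&head);
	list_add(&e, &head);
	list_del(&e);
	return e.next == LIST_POISON1 && list_empty(&head);
}

/* Two teardown paths hit the same entry; counts how many would go on to unsubscribe. */
static int removals_with_guard(void)
{
	struct list_head head, e;
	init_list_head(&head);
	list_add(&e, &head);
	int first = delete_once(&e);
	return first + delete_once(&e);
}
int main(void) { return !(plain_del_leaves_poison() && removals_with_guard() == 1); }
```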
