lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20190523094141.GA24259@buildpc-HP-Z230>
Date:   Thu, 23 May 2019 15:11:41 +0530
From:   Sanyog Kale <sanyog.r.kale@...el.com>
To:     Srinivas Kandagatla <srinivas.kandagatla@...aro.org>
Cc:     Pierre-Louis Bossart <pierre-louis.bossart@...ux.intel.com>,
        vkoul@...nel.org, alsa-devel@...a-project.org,
        linux-kernel@...r.kernel.org
Subject: Re: [PATCH] soundwire: stream: fix bad unlock balance

On Thu, May 23, 2019 at 10:30:20AM +0100, Srinivas Kandagatla wrote:
> 
> 
> On 23/05/2019 10:20, Sanyog Kale wrote:
> > On Thu, May 23, 2019 at 09:43:14AM +0100, Srinivas Kandagatla wrote:
> > > 
> > > 
> > > On 22/05/2019 17:41, Pierre-Louis Bossart wrote:
> > > > 
> > > > 
> > > > On 5/22/19 11:25 AM, Srinivas Kandagatla wrote:
> > > > > This patch fixes below warning due to unlocking without locking.
> > > > > 
> > > > > ?? =====================================
> > > > > ?? WARNING: bad unlock balance detected!
> > > > > ?? 5.1.0-16506-gc1c383a6f0a2-dirty #1523 Tainted: G?????????????? W
> > > > > ?? -------------------------------------
> > > > > ?? aplay/2954 is trying to release lock (&bus->msg_lock) at:
> > > > > ?? do_bank_switch+0x21c/0x480
> > > > > ?? but there are no more locks to release!
> > > > > 
> > > > > Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@...aro.org>
> > > > > ---
> > > > > ?? drivers/soundwire/stream.c | 3 ++-
> > > > > ?? 1 file changed, 2 insertions(+), 1 deletion(-)
> > > > > 
> > > > > diff --git a/drivers/soundwire/stream.c b/drivers/soundwire/stream.c
> > > > > index 544925ff0b40..d16268f30e4f 100644
> > > > > --- a/drivers/soundwire/stream.c
> > > > > +++ b/drivers/soundwire/stream.c
> > > > > @@ -814,7 +814,8 @@ static int do_bank_switch(struct
> > > > > sdw_stream_runtime *stream)
> > > > > ?????????????????????????? goto error;
> > > > > ?????????????????? }
> > > > > -?????????????? mutex_unlock(&bus->msg_lock);
> > > > > +?????????????? if (mutex_is_locked(&bus->msg_lock))
> > > > > +?????????????????????? utex_unlock(&bus->msg_lock);
> > > > 
> > > > Does this even compile? should be mutex_unlock, no?
> > > > 
> > > > We also may want to identify the issue in more details without pushing
> > > > it under the rug. The locking mechanism is far from simple and it's
> > > > likely there are a number of problems with it.
> > > > 
> > > msg_lock is taken conditionally during multi link bank switch cases, however
> > > the unlock is done unconditionally leading to this warning.
> > > 
> > > Having a closer look show that there could be a dead lock in this path while
> > > executing sdw_transfer(). And infact there is no need to take msg_lock in
> > > multi link switch cases as sdw_transfer should take care of this.
> > > 
> > > Vinod/Sanyog any reason why msg_lock is really required in this path?
> > > 
> > 
> > In case of multi link we use sdw_transfer_defer instead of sdw_transfer
> > where lock is not acquired, hence lock is acquired in do_bank_switch for
> > multi link. we should add same check of multi link to release lock in
> > do_bank_switch.
> 
> probably we should just add the lock around the sdw_transfer_defer call in
> sdw_bank_switch()?
> This should cleanup the code a bit too.
> 
> something like:
> 
> ------------------------------------>cut<-----------------------------
> diff --git a/drivers/soundwire/stream.c b/drivers/soundwire/stream.c
> index d01060dbee96..f455af5b8151 100644
> --- a/drivers/soundwire/stream.c
> +++ b/drivers/soundwire/stream.c
> @@ -676,10 +676,13 @@ static int sdw_bank_switch(struct sdw_bus *bus, int
> m_rt_count)
>          */
>         multi_link = bus->multi_link && (m_rt_count > 1);
> 
> -       if (multi_link)
> +       if (multi_link) {
> +               mutex_lock(&bus->msg_lock);
>                 ret = sdw_transfer_defer(bus, wr_msg, &bus->defer_msg);
> -       else
> +               mutex_unlock(&bus->msg_lock);

you cant release bus_lock here since message is not yet transferred.
we can only release bus_lock after sdw_ml_sync_bank_switch function where
we confirm that message transfer is completed.

> +       } else {
>                 ret = sdw_transfer(bus, wr_msg);
> +       }
> 
>         if (ret < 0) {
>                 dev_err(bus->dev, "Slave frame_ctrl reg write failed\n");
> @@ -742,25 +745,19 @@ static int do_bank_switch(struct sdw_stream_runtime
> *stream)
>         struct sdw_master_runtime *m_rt = NULL;
>         const struct sdw_master_ops *ops;
>         struct sdw_bus *bus = NULL;
> -       bool multi_link = false;
>         int ret = 0;
> 
>         list_for_each_entry(m_rt, &stream->master_list, stream_node) {
>                 bus = m_rt->bus;
>                 ops = bus->ops;
> 
> -               if (bus->multi_link) {
> -                       multi_link = true;
> -                       mutex_lock(&bus->msg_lock);
> -               }
> -
>                 /* Pre-bank switch */
>                 if (ops->pre_bank_switch) {
>                         ret = ops->pre_bank_switch(bus);
>                         if (ret < 0) {
>                                 dev_err(bus->dev,
>                                         "Pre bank switch op failed: %d\n",
> ret);
> -                               goto msg_unlock;
> +                               return ret;
>                         }
>                 }
> 
> @@ -814,7 +811,6 @@ static int do_bank_switch(struct sdw_stream_runtime
> *stream)
>                         goto error;
>                 }
> 
> -               mutex_unlock(&bus->msg_lock);
>         }
> 
>         return ret;
> @@ -827,16 +823,6 @@ static int do_bank_switch(struct sdw_stream_runtime
> *stream)
>                 kfree(bus->defer_msg.msg);
>         }
> 
> -msg_unlock:
> -
> -       if (multi_link) {
> -               list_for_each_entry(m_rt, &stream->master_list, stream_node)
> {
> -                       bus = m_rt->bus;
> -                       if (mutex_is_locked(&bus->msg_lock))
> -                               mutex_unlock(&bus->msg_lock);
> -               }
> -       }
> -
>         return ret;
>  }
> 
> ------------------------------------>cut<-----------------------------
> > 
> > > --srini
> > > 
> > > > > ?????????? }
> > > > > ?????????? return ret;
> > > > > 
> > 

-- 

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ