Message-Id: <20241103012845.3066-1-hdanton@sina.com>
Date: Sun,  3 Nov 2024 09:28:45 +0800
From: Hillf Danton <hdanton@...a.com>
To: syzbot <syzbot+73582d08864d8268b6fd@...kaller.appspotmail.com>
Cc: linux-kernel@...r.kernel.org,
	syzkaller-bugs@...glegroups.com
Subject: Re: [syzbot] [sound?] INFO: task hung in snd_card_free

On Sat, 02 Nov 2024 17:09:25 -0700
> syzbot found the following issue on:
> 
> HEAD commit:    e42b1a9a2557 Merge tag 'spi-fix-v6.12-rc5' of git://git.ke..
> git tree:       upstream
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1274ca30580000

#syz test

--- x/sound/core/init.c
+++ y/sound/core/init.c
@@ -577,9 +577,13 @@ void snd_card_disconnect_sync(struct snd
 }
 EXPORT_SYMBOL_GPL(snd_card_disconnect_sync);
 
+static DEFINE_SPINLOCK(release_sl);
+
 static int snd_card_do_free(struct snd_card *card)
 {
+	spin_lock(&release_sl);
 	card->releasing = true;
+	spin_unlock(&release_sl);
 #if IS_ENABLED(CONFIG_SND_MIXER_OSS)
 	if (snd_mixer_oss_notify_callback)
 		snd_mixer_oss_notify_callback(card, SND_MIXER_OSS_NOTIFY_FREE);
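
Review bot: release_sl is declared at file scope with no comment saying what it protects, and in snd_card_do_free() it wraps only the single store card->releasing = true. Because one static lock is shared by every card, releases of unrelated cards will contend on it; consider a per-card lock in struct snd_card, and add a comment that the lock pairs the releasing flag with release_completion so that the check in snd_card_free() and the complete() call cannot interleave.
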
@@ -591,8 +595,10 @@ static int snd_card_do_free(struct snd_c
 		dev_warn(card->dev, "unable to free card info\n");
 		/* Not fatal error */
 	}
+	spin_lock(&release_sl);
 	if (card->release_completion)
 		complete(card->release_completion);
+	spin_unlock(&release_sl);
 	if (!card->managed)
 		kfree(card);
 	return 0;
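
Review bot: the critical section around complete(card->release_completion) ends right before kfree(card), so the lock orders the completion but does not cover the card's lifetime. If another caller of snd_card_free() can be spinning on release_sl at this point, it will read card->releasing after an unmanaged card has been freed; say in the changelog why that cannot happen, or keep the card alive until no such caller can remain.
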
@@ -637,16 +643,20 @@ void snd_card_free(struct snd_card *card
 {
 	DECLARE_COMPLETION_ONSTACK(released);
 
+	spin_lock(&release_sl);
 	/* The call of snd_card_free() is allowed from various code paths;
 	 * a manual call from the driver and the call via devres_free, and
 	 * we need to avoid double-free. Moreover, the release via devres
 	 * may call snd_card_free() twice due to its nature, we need to have
 	 * the check here at the beginning.
 	 */
-	if (card->releasing)
+	if (card->releasing) {
+		spin_unlock(&release_sl);
 		return;
+	}
 
 	card->release_completion = &released;
+	spin_unlock(&release_sl);
 	snd_card_free_when_closed(card);
 
 	/* wait, until all devices are ready for the free operation */
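
Review bot: spin_lock(&release_sl) is taken above the existing comment block rather than next to the card->releasing check it guards, which makes the critical section harder to see; move it directly above the if. The message also carries no description of the race being closed: state that the releasing check and the card->release_completion = &released store must be atomic with respect to snd_card_do_free() setting releasing and calling complete(), since otherwise the on-stack completion can be stored after the release path has already tested release_completion.
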
--
