| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <tencent_EE9DA7FFC6DD52DFC65889ABEEEC6EC64C06@qq.com>
Date: Tue, 5 Nov 2024 14:57:09 +0800
From: Edward Adam Davis <eadavis@...com>
To: syzbot+73582d08864d8268b6fd@...kaller.appspotmail.com
Cc: linux-kernel@...r.kernel.org,
syzkaller-bugs@...glegroups.com
Subject: Re: [syzbot] [sound?] INFO: task hung in snd_card_free
The sound card of usx2y's probe and disconnect need to be protected under mutex.
dubug: why card_dev not release ?
#syz test
diff --git a/sound/core/init.c b/sound/core/init.c
index 114fb87de990..35717e1d0049 100644
--- a/sound/core/init.c
+++ b/sound/core/init.c
@@ -387,8 +387,10 @@ struct snd_card *snd_card_ref(int idx)
guard(mutex)(&snd_card_mutex);
card = snd_cards[idx];
- if (card)
+ if (card) {
+ printk("card: %p, dev: %p, %s\n", card, &card->card_dev, __func__);
get_device(&card->card_dev);
+ }
return card;
}
EXPORT_SYMBOL_GPL(snd_card_ref);
@@ -495,6 +497,7 @@ void snd_card_disconnect(struct snd_card *card)
if (!card)
return;
+ printk("card: %p, %s\n", card, __func__);
scoped_guard(spinlock, &card->files_lock) {
if (card->shutdown)
return;
@@ -544,6 +547,8 @@ void snd_card_disconnect(struct snd_card *card)
if (card->registered) {
device_del(&card->card_dev);
+ printk("card: %p, kref: %d, %s\n", card, kref_read(&card->card_dev.kobj.kref), __func__);
+ put_device(&card->card_dev);
card->registered = false;
}
@@ -580,6 +585,7 @@ EXPORT_SYMBOL_GPL(snd_card_disconnect_sync);
static int snd_card_do_free(struct snd_card *card)
{
card->releasing = true;
+ printk("card: %p, %s\n", card, __func__);
#if IS_ENABLED(CONFIG_SND_MIXER_OSS)
if (snd_mixer_oss_notify_callback)
snd_mixer_oss_notify_callback(card, SND_MIXER_OSS_NOTIFY_FREE);
@@ -615,6 +621,7 @@ void snd_card_free_when_closed(struct snd_card *card)
return;
snd_card_disconnect(card);
+ printk("card: %p, kref: %d, %s\n", card, kref_read(&card->card_dev.kobj.kref), __func__);
put_device(&card->card_dev);
return;
}
@@ -643,6 +650,7 @@ void snd_card_free(struct snd_card *card)
* may call snd_card_free() twice due to its nature, we need to have
* the check here at the beginning.
*/
+ printk("card: %p, rl: %d, %s\n", card, card->releasing, __func__);
if (card->releasing)
return;
@@ -1074,6 +1082,7 @@ int snd_card_file_add(struct snd_card *card, struct file *file)
return -ENODEV;
}
list_add(&mfile->list, &card->files_list);
+ printk("card: %p, dev: %p, %s\n", card, &card->card_dev, __func__);
get_device(&card->card_dev);
return 0;
}
diff --git a/sound/usb/usx2y/usbusx2y.c b/sound/usb/usx2y/usbusx2y.c
index 2f9cede242b3..129210a81545 100644
--- a/sound/usb/usx2y/usbusx2y.c
+++ b/sound/usb/usx2y/usbusx2y.c
@@ -150,6 +150,7 @@ static int snd_usx2y_card_used[SNDRV_CARDS];
static void snd_usx2y_card_private_free(struct snd_card *card);
static void usx2y_unlinkseq(struct snd_usx2y_async_seq *s);
+static DEFINE_MUTEX(devices_mutex);
/*
* pipe 4 is used for switching the lamps, setting samplerate, volumes ....
@@ -392,6 +393,7 @@ static void snd_usx2y_card_private_free(struct snd_card *card)
{
struct usx2ydev *usx2y = usx2y(card);
+ printk("card: %p, %s\n", card, __func__);
kfree(usx2y->in04_buf);
usb_free_urb(usx2y->in04_urb);
if (usx2y->us428ctls_sharedmem)
@@ -407,9 +409,12 @@ static void snd_usx2y_disconnect(struct usb_interface *intf)
struct usx2ydev *usx2y;
struct list_head *p;
+ mutex_lock(&devices_mutex);
card = usb_get_intfdata(intf);
- if (!card)
+ if (!card) {
+ mutex_unlock(&devices_mutex);
return;
+ }
usx2y = usx2y(card);
usx2y->chip_status = USX2Y_STAT_CHIP_HUP;
usx2y_unlinkseq(&usx2y->as04);
@@ -423,6 +428,7 @@ static void snd_usx2y_disconnect(struct usb_interface *intf)
if (usx2y->us428ctls_sharedmem)
wake_up(&usx2y->us428ctls_wait_queue_head);
snd_card_free(card);
+ mutex_unlock(&devices_mutex);
}
static int snd_usx2y_probe(struct usb_interface *intf,
@@ -432,15 +438,18 @@ static int snd_usx2y_probe(struct usb_interface *intf,
struct snd_card *card;
int err;
+ mutex_lock(&devices_mutex);
if (le16_to_cpu(device->descriptor.idVendor) != 0x1604 ||
(le16_to_cpu(device->descriptor.idProduct) != USB_ID_US122 &&
le16_to_cpu(device->descriptor.idProduct) != USB_ID_US224 &&
- le16_to_cpu(device->descriptor.idProduct) != USB_ID_US428))
- return -EINVAL;
+ le16_to_cpu(device->descriptor.idProduct) != USB_ID_US428)) {
+ err = -EINVAL;
+ goto out;
+ }
err = usx2y_create_card(device, intf, &card);
if (err < 0)
- return err;
+ goto out;
err = usx2y_hwdep_new(card, device);
if (err < 0)
goto error;
@@ -449,10 +458,13 @@ static int snd_usx2y_probe(struct usb_interface *intf,
goto error;
dev_set_drvdata(&intf->dev, card);
+ mutex_unlock(&devices_mutex);
return 0;
- error:
+error:
snd_card_free(card);
+out:
+ mutex_unlock(&devices_mutex);
return err;
}
diff --git a/net/batman-adv/hard-interface.c b/net/batman-adv/hard-interface.c
index 96a412beab2d..efd775aaa684 100644
--- a/net/batman-adv/hard-interface.c
+++ b/net/batman-adv/hard-interface.c
@@ -509,6 +509,7 @@ batadv_hardif_is_iface_up(const struct batadv_hard_iface *hard_iface)
static void batadv_check_known_mac_addr(const struct net_device *net_dev)
{
const struct batadv_hard_iface *hard_iface;
+ static DEFINE_RATELIMIT_STATE(rs, DEFAULT_RATELIMIT_INTERVAL * 5, 1);
rcu_read_lock();
list_for_each_entry_rcu(hard_iface, &batadv_hardif_list, list) {
@@ -523,9 +524,11 @@ static void batadv_check_known_mac_addr(const struct net_device *net_dev)
net_dev->dev_addr))
continue;
+ if (__ratelimit(&rs)) {
pr_warn("The newly added mac address (%pM) already exists on: %s\n",
net_dev->dev_addr, hard_iface->net_dev->name);
pr_warn("It is strongly recommended to keep mac addresses unique to avoid problems!\n");
+ }
}
rcu_read_unlock();
}
Powered by blists - more mailing lists