• T
    ALSA: rawmidi: Fix possible deadlock with virmidi registration · 816f318b
    Takashi Iwai 提交于
    When a seq-virmidi driver is initialized, it registers a rawmidi
    instance with its callback to create an associated seq kernel client.
    Currently it's done throughly in rawmidi's register_mutex context.
    Recently it was found that this may lead to a deadlock another rawmidi
    device that is being attached with the sequencer is accessed, as both
    open with the same register_mutex.  This was actually triggered by
    syzkaller, as Dmitry Vyukov reported:
    
    ======================================================
     [ INFO: possible circular locking dependency detected ]
     4.8.0-rc1+ #11 Not tainted
     -------------------------------------------------------
     syz-executor/7154 is trying to acquire lock:
      (register_mutex#5){+.+.+.}, at: [<ffffffff84fd6d4b>] snd_rawmidi_kernel_open+0x4b/0x260 sound/core/rawmidi.c:341
    
     but task is already holding lock:
      (&grp->list_mutex){++++.+}, at: [<ffffffff850138bb>] check_and_subscribe_port+0x5b/0x5c0 sound/core/seq/seq_ports.c:495
    
     which lock already depends on the new lock.
    
     the existing dependency chain (in reverse order) is:
    
     -> #1 (&grp->list_mutex){++++.+}:
        [<ffffffff8147a3a8>] lock_acquire+0x208/0x430 kernel/locking/lockdep.c:3746
        [<ffffffff863f6199>] down_read+0x49/0xc0 kernel/locking/rwsem.c:22
        [<     inline     >] deliver_to_subscribers sound/core/seq/seq_clientmgr.c:681
        [<ffffffff85005c5e>] snd_seq_deliver_event+0x35e/0x890 sound/core/seq/seq_clientmgr.c:822
        [<ffffffff85006e96>] > snd_seq_kernel_client_dispatch+0x126/0x170 sound/core/seq/seq_clientmgr.c:2418
        [<ffffffff85012c52>] snd_seq_system_broadcast+0xb2/0xf0 sound/core/seq/seq_system.c:101
        [<ffffffff84fff70a>] snd_seq_create_kernel_client+0x24a/0x330 sound/core/seq/seq_clientmgr.c:2297
        [<     inline     >] snd_virmidi_dev_attach_seq sound/core/seq/seq_virmidi.c:383
        [<ffffffff8502d29f>] snd_virmidi_dev_register+0x29f/0x750 sound/core/seq/seq_virmidi.c:450
        [<ffffffff84fd208c>] snd_rawmidi_dev_register+0x30c/0xd40 sound/core/rawmidi.c:1645
        [<ffffffff84f816d3>] __snd_device_register.part.0+0x63/0xc0 sound/core/device.c:164
        [<     inline     >] __snd_device_register sound/core/device.c:162
        [<ffffffff84f8235d>] snd_device_register_all+0xad/0x110 sound/core/device.c:212
        [<ffffffff84f7546f>] snd_card_register+0xef/0x6c0 sound/core/init.c:749
        [<ffffffff85040b7f>] snd_virmidi_probe+0x3ef/0x590 sound/drivers/virmidi.c:123
        [<ffffffff833ebf7b>] platform_drv_probe+0x8b/0x170 drivers/base/platform.c:564
        ......
    
     -> #0 (register_mutex#5){+.+.+.}:
        [<     inline     >] check_prev_add kernel/locking/lockdep.c:1829
        [<     inline     >] check_prevs_add kernel/locking/lockdep.c:1939
        [<     inline     >] validate_chain kernel/locking/lockdep.c:2266
        [<ffffffff814791f4>] __lock_acquire+0x4d44/0x4d80 kernel/locking/lockdep.c:3335
        [<ffffffff8147a3a8>] lock_acquire+0x208/0x430 kernel/locking/lockdep.c:3746
        [<     inline     >] __mutex_lock_common kernel/locking/mutex.c:521
        [<ffffffff863f0ef1>] mutex_lock_nested+0xb1/0xa20 kernel/locking/mutex.c:621
        [<ffffffff84fd6d4b>] snd_rawmidi_kernel_open+0x4b/0x260 sound/core/rawmidi.c:341
        [<ffffffff8502e7c7>] midisynth_subscribe+0xf7/0x350 sound/core/seq/seq_midi.c:188
        [<     inline     >] subscribe_port sound/core/seq/seq_ports.c:427
        [<ffffffff85013cc7>] check_and_subscribe_port+0x467/0x5c0 sound/core/seq/seq_ports.c:510
        [<ffffffff85015da9>] snd_seq_port_connect+0x2c9/0x500 sound/core/seq/seq_ports.c:579
        [<ffffffff850079b8>] snd_seq_ioctl_subscribe_port+0x1d8/0x2b0 sound/core/seq/seq_clientmgr.c:1480
        [<ffffffff84ffe9e4>] snd_seq_do_ioctl+0x184/0x1e0 sound/core/seq/seq_clientmgr.c:2225
        [<ffffffff84ffeae8>] snd_seq_kernel_client_ctl+0xa8/0x110 sound/core/seq/seq_clientmgr.c:2440
        [<ffffffff85027664>] snd_seq_oss_midi_open+0x3b4/0x610 sound/core/seq/oss/seq_oss_midi.c:375
        [<ffffffff85023d67>] snd_seq_oss_synth_setup_midi+0x107/0x4c0 sound/core/seq/oss/seq_oss_synth.c:281
        [<ffffffff8501b0a8>] snd_seq_oss_open+0x748/0x8d0 sound/core/seq/oss/seq_oss_init.c:274
        [<ffffffff85019d8a>] odev_open+0x6a/0x90 sound/core/seq/oss/seq_oss.c:138
        [<ffffffff84f7040f>] soundcore_open+0x30f/0x640 sound/sound_core.c:639
        ......
    
     other info that might help us debug this:
    
     Possible unsafe locking scenario:
    
            CPU0                    CPU1
            ----                    ----
       lock(&grp->list_mutex);
                                    lock(register_mutex#5);
                                    lock(&grp->list_mutex);
       lock(register_mutex#5);
    
     *** DEADLOCK ***
    ======================================================
    
    The fix is to simply move the registration parts in
    snd_rawmidi_dev_register() to the outside of the register_mutex lock.
    The lock is needed only to manage the linked list, and it's not
    necessarily to cover the whole initialization process.
    Reported-by: NDmitry Vyukov <dvyukov@google.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: NTakashi Iwai <tiwai@suse.de>
    816f318b
rawmidi.c 49.3 KB