Re: sound: list corruption in delete_and_unsubscribe_port

From: Dmitry Vyukov
Date: Tue Feb 16 2016 - 06:20:07 EST


On Tue, Feb 16, 2016 at 11:00 AM, Takashi Iwai <tiwai@xxxxxxx> wrote:
> On Tue, 16 Feb 2016 10:41:54 +0100,
> Dmitry Vyukov wrote:
>>
>> Hello,
>>
>> Here is a new one on 18558cae0272f8fd9647e69d3fec1565a7949865
>> (4.5-rc4). But I need to note that sound has become much more stable; I've
>> seen only 2 of these overnight.
>>
>> The following program causes list corruption:
>>
>> ------------[ cut here ]------------
>> WARNING: CPU: 2 PID: 12546 at lib/list_debug.c:62 __list_del_entry+0x10b/0x1e0()
>> list_del corruption, ffff880063512388->next is LIST_POISON1 (dead000000000100)
>> Modules linked in:
>> CPU: 2 PID: 12546 Comm: a.out Not tainted 4.5.0-rc4+ #328
>> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
>> ffffffff87b05080 ffff8800608b7a48 ffffffff82be46cf ffffffff81477fb8
>> fffffbfff0f60a10 ffff8800608b7ab8 ffff8800637d97c0 ffffffff86ad3780
>> 0000000000000009 000000000000003e ffff8800608b7a88 ffffffff81355139
>> Call Trace:
>> [<ffffffff81355249>] warn_slowpath_fmt+0xa9/0xd0 kernel/panic.c:494
>> [<ffffffff82c4c36b>] __list_del_entry+0x10b/0x1e0 lib/list_debug.c:60
>> [<ffffffff82c4c44d>] list_del+0xd/0x70 lib/list_debug.c:86
>> [<ffffffff852c38e3>] delete_and_unsubscribe_port+0x1e3/0x2f0
>> sound/core/seq/seq_ports.c:545
>> [<ffffffff852c43fa>] clear_subscriber_list+0x15a/0x260
>> sound/core/seq/seq_ports.c:250
>> [<ffffffff852c456a>] port_delete+0x6a/0x1c0 sound/core/seq/seq_ports.c:266
>> [<ffffffff852c5242>] snd_seq_delete_all_ports+0x242/0x350
>> sound/core/seq/seq_ports.c:330
>> [<ffffffff852ae1cf>] seq_free_client1+0x2f/0x290
>> sound/core/seq/seq_clientmgr.c:272
>> [<ffffffff852ae495>] seq_free_client+0x65/0x160
>> sound/core/seq/seq_clientmgr.c:299
>> [<ffffffff852b118d>] snd_seq_release+0x4d/0xb0
>> sound/core/seq/seq_clientmgr.c:380
>> [<ffffffff817c3256>] __fput+0x236/0x780 fs/file_table.c:208
>> [<ffffffff817c3825>] ____fput+0x15/0x20 fs/file_table.c:244
>> [<ffffffff813b3100>] task_work_run+0x170/0x210 kernel/task_work.c:115
>> [< inline >] tracehook_notify_resume include/linux/tracehook.h:191
>> [<ffffffff810066b1>] exit_to_usermode_loop+0x1d1/0x210
>> arch/x86/entry/common.c:251
>> [< inline >] prepare_exit_to_usermode arch/x86/entry/common.c:282
>> [<ffffffff810084ea>] syscall_return_slowpath+0x2ba/0x340
>> arch/x86/entry/common.c:344
>> [<ffffffff866626e2>] int_ret_from_sys_call+0x25/0x9f
>> arch/x86/entry/entry_64.S:281
>> ---[ end trace 4cad985f706f8ace ]---
>
> Hm, this might be the remaining open race at deleting ports.
> Please try the patch below.

Yes, it fixes the crash for me.

Tested-by: Dmitry Vyukov <dvyukov@xxxxxxxxxx>

Thanks!

> thanks,
>
> Takashi
>
> ---
> diff --git a/sound/core/seq/seq_ports.c b/sound/core/seq/seq_ports.c
> index 921fb2bd8fad..fe686ee41c6d 100644
> --- a/sound/core/seq/seq_ports.c
> +++ b/sound/core/seq/seq_ports.c
> @@ -535,19 +535,22 @@ static void delete_and_unsubscribe_port(struct snd_seq_client *client,
> bool is_src, bool ack)
> {
> struct snd_seq_port_subs_info *grp;
> + struct list_head *list;
> + bool empty;
>
> grp = is_src ? &port->c_src : &port->c_dest;
> + list = is_src ? &subs->src_list : &subs->dest_list;
> down_write(&grp->list_mutex);
> write_lock_irq(&grp->list_lock);
> - if (is_src)
> - list_del(&subs->src_list);
> - else
> - list_del(&subs->dest_list);
> + empty = list_empty(list);
> + if (!empty)
> + list_del_init(list);
> grp->exclusive = 0;
> write_unlock_irq(&grp->list_lock);
> up_write(&grp->list_mutex);
>
> - unsubscribe_port(client, port, grp, &subs->info, ack);
> + if (!empty)
> + unsubscribe_port(client, port, grp, &subs->info, ack);
> }
>
> /* connect two ports */
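
Review bot: grp->exclusive = 0 is still executed unconditionally inside the locked region, so a call that finds the entry already unlinked (empty == true) skips unsubscribe_port() but still clears the exclusive flag on the group. If the point of the change is that the second caller must be a no-op, that assignment should move under the same if (!empty) as list_del_init(list), or the commit message should say why clearing it twice is harmless. Separately, using list_empty(list) as the "already deleted" marker only holds if subs->src_list and subs->dest_list are initialized when the subscriber is allocated and every other path that unlinks them also uses list_del_init() rather than list_del(); neither is visible in this hunk, so a one-line comment above empty = list_empty(list) stating that invariant would help the next reader.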