syzbot


possible deadlock in snd_seq_deliver_event

Status: public: reported C repro on 2019/04/14 08:51
Reported-by: syzbot+237185122f2f8603e8ba@syzkaller.appspotmail.com
First crash: 2386d, last: 2386d
Similar bugs (1)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream possible deadlock in snd_seq_deliver_event C 6 2386d 2396d 4/26 fixed on 2018/01/23 12:04

Sample crash report:
=============================================
[ INFO: possible recursive locking detected ]
4.9.60-gdfe0a9b #81 Not tainted
---------------------------------------------
syzkaller633487/3245 is trying to acquire lock:
 (&grp->list_mutex){++++.+}, at: [<ffffffff82e0af5f>] deliver_to_subscribers sound/core/seq/seq_clientmgr.c:666 [inline]
 (&grp->list_mutex){++++.+}, at: [<ffffffff82e0af5f>] snd_seq_deliver_event+0x4cf/0x740 sound/core/seq/seq_clientmgr.c:807
but task is already holding lock:
 (&grp->list_mutex){++++.+}, at: [<ffffffff82e0af5f>] deliver_to_subscribers sound/core/seq/seq_clientmgr.c:666 [inline]
 (&grp->list_mutex){++++.+}, at: [<ffffffff82e0af5f>] snd_seq_deliver_event+0x4cf/0x740 sound/core/seq/seq_clientmgr.c:807
other info that might help us debug this:
 Possible unsafe locking scenario:

       CPU0
       ----
  lock(&grp->list_mutex);
  lock(&grp->list_mutex);

 *** DEADLOCK ***

 May be due to missing lock nesting notation

2 locks held by syzkaller633487/3245:
 #0:  (register_mutex#4){+.+.+.}, at: [<ffffffff82e1e77a>] odev_release+0x4a/0x70 sound/core/seq/oss/seq_oss.c:152
 #1:  (&grp->list_mutex){++++.+}, at: [<ffffffff82e0af5f>] deliver_to_subscribers sound/core/seq/seq_clientmgr.c:666 [inline]
 #1:  (&grp->list_mutex){++++.+}, at: [<ffffffff82e0af5f>] snd_seq_deliver_event+0x4cf/0x740 sound/core/seq/seq_clientmgr.c:807

stack backtrace:
CPU: 0 PID: 3245 Comm: syzkaller633487 Not tainted 4.9.60-gdfe0a9b #81
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801c772f100 ffffffff81d91389 ffffffff8537b4d0 ffffffff8537b4d0
 dffffc0000000000 f75f28fb6e9d5274 0000000000000000 ffff8801c772f2c8
 ffffffff8123c925 ffff8801c7720000 ffff8801c7720928 00000000000003c7
Call Trace:
 [<ffffffff81d91389>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d91389>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff8123c925>] print_deadlock_bug kernel/locking/lockdep.c:1727 [inline]
 [<ffffffff8123c925>] check_deadlock kernel/locking/lockdep.c:1771 [inline]
 [<ffffffff8123c925>] validate_chain kernel/locking/lockdep.c:2249 [inline]
 [<ffffffff8123c925>] __lock_acquire+0xe35/0x3640 kernel/locking/lockdep.c:3345
 [<ffffffff8123fb6e>] lock_acquire+0x12e/0x410 kernel/locking/lockdep.c:3756
 [<ffffffff838a3354>] down_read+0x44/0xb0 kernel/locking/rwsem.c:22
 [<ffffffff82e0af5f>] deliver_to_subscribers sound/core/seq/seq_clientmgr.c:666 [inline]
 [<ffffffff82e0af5f>] snd_seq_deliver_event+0x4cf/0x740 sound/core/seq/seq_clientmgr.c:807
 [<ffffffff82e0bf2e>] snd_seq_kernel_client_dispatch+0x11e/0x150 sound/core/seq/seq_clientmgr.c:2318
 [<ffffffff82e306c5>] dummy_input+0x235/0x320 sound/core/seq/seq_dummy.c:104
 [<ffffffff82e0a5e0>] snd_seq_deliver_single_event.constprop.11+0x310/0x7c0 sound/core/seq/seq_clientmgr.c:621
 [<ffffffff82e0ada6>] deliver_to_subscribers sound/core/seq/seq_clientmgr.c:676 [inline]
 [<ffffffff82e0ada6>] snd_seq_deliver_event+0x316/0x740 sound/core/seq/seq_clientmgr.c:807
 [<ffffffff82e0bf2e>] snd_seq_kernel_client_dispatch+0x11e/0x150 sound/core/seq/seq_clientmgr.c:2318
 [<ffffffff82e306c5>] dummy_input+0x235/0x320 sound/core/seq/seq_dummy.c:104
 [<ffffffff82e0a5e0>] snd_seq_deliver_single_event.constprop.11+0x310/0x7c0 sound/core/seq/seq_clientmgr.c:621
 [<ffffffff82e0abbd>] snd_seq_deliver_event+0x12d/0x740 sound/core/seq/seq_clientmgr.c:818
 [<ffffffff82e0bf2e>] snd_seq_kernel_client_dispatch+0x11e/0x150 sound/core/seq/seq_clientmgr.c:2318
 [<ffffffff82e2cef0>] snd_seq_oss_dispatch sound/core/seq/oss/seq_oss_device.h:150 [inline]
 [<ffffffff82e2cef0>] snd_seq_oss_midi_reset+0x390/0x570 sound/core/seq/oss/seq_oss_midi.c:481
 [<ffffffff82e29320>] snd_seq_oss_synth_reset+0x3c0/0x8b0 sound/core/seq/oss/seq_oss_synth.c:416
 [<ffffffff82e1fd7c>] snd_seq_oss_reset+0x6c/0x260 sound/core/seq/oss/seq_oss_init.c:448
 [<ffffffff82e1ffe1>] snd_seq_oss_release+0x71/0x130 sound/core/seq/oss/seq_oss_init.c:425
 [<ffffffff82e1e782>] odev_release+0x52/0x70 sound/core/seq/oss/seq_oss.c:153
 [<ffffffff815734dc>] __fput+0x28c/0x6e0 fs/file_table.c:208
 [<ffffffff815739b5>] ____fput+0x15/0x20 fs/file_table.c:244
 [<ffffffff81196005>] task_work_run+0x115/0x190 kernel/task_work.c:116
 [<ffffffff8113d2e7>] exit_task_work include/linux/task_work.h:21 [inline]
 [<ffffffff8113d2e7>] do_exit+0x7e7/0x2a40 kernel/exit.c:833
 [<ffffffff810e0256>] ? _

Crashes (1):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2017/11/06 15:40 https://android.googlesource.com/kernel/common android-4.9 dfe0a9bcfc3a d49979f7 .config console log report syz C ci-android-49-kasan-gce
* Struck through repros no longer work on HEAD.