syzbot


KCSAN: data-race in snd_seq_check_queue / snd_seq_control_queue (3)

Status: fixed on 2021/03/10 01:48
Subsystems: sound
Reported-by: syzbot+63cbe31877bb80ef58f5@syzkaller.appspotmail.com
Fix commit: 4ebd47037027 ALSA: seq: Use bool for snd_seq_queue internal flags
First crash: 1497d, last: 1318d
Discussions (7)
Title Replies (including bot) Last reply
[PATCH 5.4 00/47] 5.4.87-rc1 review 58 (58) 2021/02/26 14:21
[PATCH 4.14 00/29] 4.14.214-rc1 review 32 (32) 2021/01/08 17:38
[PATCH 4.4 00/19] 4.4.250-rc1 review 21 (21) 2021/01/08 01:13
[PATCH 4.9 00/32] 4.9.250-rc1 review 33 (33) 2021/01/07 14:16
[PATCH 5.10 00/63] 5.10.5-rc1 review 75 (75) 2021/01/07 08:13
[PATCH 4.19 00/35] 4.19.165-rc1 review 44 (44) 2021/01/06 13:46
[PATCH 4.19 00/29] 4.19.165-rc2 review 36 (36) 2021/01/06 13:46
Similar bugs (2)
Kernel: upstream | Title: KCSAN: data-race in snd_seq_check_queue / snd_seq_control_queue (2) [sound] | Count: 42 | Last: 1498d | Reported: 1561d | Patched: 0/27 | Status: closed as invalid on 2020/06/18 14:24
Kernel: upstream | Title: KCSAN: data-race in snd_seq_check_queue / snd_seq_control_queue [sound] | Count: 97 | Last: 1562d | Reported: 1660d | Patched: 15/27 | Status: fixed on 2020/04/15 17:19
(Neither similar bug has a repro, cause bisect or fix bisect recorded.)

Sample crash report:
==================================================================
BUG: KCSAN: data-race in snd_seq_check_queue / snd_seq_control_queue

write to 0xffff88810cd47124 of 1 bytes by interrupt on cpu 0:
 snd_seq_check_queue+0x261/0x2a0 sound/core/seq/seq_queue.c:283
 snd_seq_timer_interrupt+0x20e/0x220 sound/core/seq/seq_timer.c:158
 snd_timer_process_callbacks sound/core/timer.c:796 [inline]
 snd_timer_interrupt+0xa1c/0xae0 sound/core/timer.c:919
 snd_hrtimer_callback+0x139/0x200 sound/core/hrtimer.c:50
 __run_hrtimer+0x133/0x420 kernel/time/hrtimer.c:1519
 __hrtimer_run_queues kernel/time/hrtimer.c:1583 [inline]
 hrtimer_interrupt+0x36e/0xa10 kernel/time/hrtimer.c:1645
 local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1080 [inline]
 __sysvec_apic_timer_interrupt+0x6f/0x200 arch/x86/kernel/apic/apic.c:1097
 asm_call_irq_on_stack+0xf/0x20
 __run_sysvec_on_irqstack arch/x86/include/asm/irq_stack.h:37 [inline]
 run_sysvec_on_irqstack_cond arch/x86/include/asm/irq_stack.h:89 [inline]
 sysvec_apic_timer_interrupt+0x52/0x90 arch/x86/kernel/apic/apic.c:1091
 asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:631
 native_restore_fl arch/x86/include/asm/irqflags.h:41 [inline]
 arch_local_irq_restore arch/x86/include/asm/irqflags.h:84 [inline]
 kcsan_setup_watchpoint+0x1ec/0x4d0 kernel/kcsan/core.c:591
 tomoyo_check_acl+0x9a/0x200 security/tomoyo/domain.c:173
 tomoyo_path_permission security/tomoyo/file.c:586 [inline]
 tomoyo_path_perm+0x22f/0x330 security/tomoyo/file.c:838
 tomoyo_path_unlink+0x43/0x60 security/tomoyo/tomoyo.c:150
 security_path_unlink+0x82/0xd0 security/security.c:1101
 do_unlinkat+0x231/0x4d0 fs/namei.c:3894
 __do_sys_unlink fs/namei.c:3943 [inline]
 __se_sys_unlink fs/namei.c:3941 [inline]
 __x64_sys_unlink+0x2c/0x30 fs/namei.c:3941
 do_syscall_64+0x39/0x80 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

read to 0xffff88810cd47124 of 1 bytes by task 12143 on cpu 1:
 queue_access_lock sound/core/seq/seq_queue.c:345 [inline]
 snd_seq_control_queue+0xf4/0x580 sound/core/seq/seq_queue.c:727
 event_input_timer+0x1e/0x30 sound/core/seq/seq_system.c:103
 snd_seq_deliver_single_event+0x2f5/0x4b0 sound/core/seq/seq_clientmgr.c:638
 snd_seq_deliver_event+0x195/0x490 sound/core/seq/seq_clientmgr.c:839
 snd_seq_dispatch_event+0x12e/0x230 sound/core/seq/seq_clientmgr.c:913
 snd_seq_check_queue+0x10e/0x2a0 sound/core/seq/seq_queue.c:264
 snd_seq_enqueue_event+0x24c/0x290 sound/core/seq/seq_queue.c:333
 snd_seq_client_enqueue_event+0x206/0x2a0 sound/core/seq/seq_clientmgr.c:974
 snd_seq_write+0x425/0x530 sound/core/seq/seq_clientmgr.c:1093
 vfs_write+0x21a/0x7c0 fs/read_write.c:603
 ksys_write+0xce/0x180 fs/read_write.c:658
 __do_sys_write fs/read_write.c:670 [inline]
 __se_sys_write fs/read_write.c:667 [inline]
 __x64_sys_write+0x3e/0x50 fs/read_write.c:667
 do_syscall_64+0x39/0x80 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

Reported by Kernel Concurrency Sanitizer on:
CPU: 1 PID: 12143 Comm: syz-executor.0 Not tainted 5.10.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
==================================================================
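What the report above shows is two contexts touching the same byte under two different spinlocks: the timer interrupt on CPU 0 clears a queue flag at the end of snd_seq_check_queue (seq_queue.c:283), while the write() path on CPU 1 reads the ownership flags in queue_access_lock (seq_queue.c:345) before setting one. In v5.10 these flags (locked, klocked, check_again, check_blocked) were one-bit fields packed into a single unsigned int, with the first two guarded by owner_lock and the last two by check_lock; a store to a bit field is a load/merge/store of the storage unit holding its neighbours, so the two locks do not serialize each other and an update can be lost. That is why the fix commit named above replaces the bit fields with bool. The program below is an added example, not kernel code or syzbot output: the field names, the pre-fix layout and the lock assignment are a reconstruction of struct snd_seq_queue from sound/core/seq/seq_queue.h at the time and are an assumption here, and the interleaving is simulated deterministically with struct copies rather than real threads.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Added example, not kernel code. Assumed pre-fix layout: four one-bit
 * flags packed into one unsigned int. locked/klocked were guarded by
 * owner_lock, check_again/check_blocked by check_lock: two locks, one
 * storage unit.
 */
struct packed_flags {
    unsigned int locked:1;
    unsigned int klocked:1;
    unsigned int check_again:1;
    unsigned int check_blocked:1;
};

/* Shape of the fix ("Use bool for snd_seq_queue internal flags"): every
 * flag gets its own byte, so a store to one cannot rewrite another. */
struct bool_flags {
    bool locked;
    bool klocked;
    bool check_again;
    bool check_blocked;
};

/* Checks that in the packed layout both racing flags live in the same byte,
 * consistent with the report's "1 bytes" accesses to a single address.
 * Assumes LSB-first bit-field allocation on a little-endian target (x86). */
bool packed_flags_share_a_byte(void)
{
    union { struct packed_flags f; unsigned int raw; } a = { .raw = 0 };
    union { struct packed_flags f; unsigned int raw; } b = { .raw = 0 };
    a.f.klocked = 1;
    b.f.check_blocked = 1;
    return a.raw != 0 && b.raw != 0 && (a.raw | b.raw) < 0x100;
}

/*
 * A store to a bit field compiles to load / merge bit / store of the whole
 * unit. Modelled here as struct copies: the interrupt loads a snapshot, the
 * task commits klocked=1 under its own lock, then the interrupt stores its
 * stale snapshot back. Returns true when the task's update is lost.
 */
bool packed_layout_loses_klocked(void)
{
    struct packed_flags live = { .check_blocked = 1 };  /* check in progress */

    /* CPU 0, timer IRQ, holds check_lock: q->check_blocked = 0 */
    struct packed_flags irq_snapshot = live;            /* load */
    irq_snapshot.check_blocked = 0;                     /* merge */

    /* CPU 1, write() syscall, holds owner_lock: queue_access_lock sets
     * q->klocked = 1 with its own load / merge / store */
    struct packed_flags task_snapshot = live;
    task_snapshot.klocked = 1;
    live = task_snapshot;

    live = irq_snapshot;                                /* IRQ stores stale unit */

    return live.klocked == 0;                           /* true: klocked lost */
}

/* Same two stores on the bool layout: each is a plain byte store to its own
 * field, so the interrupt cannot overwrite klocked no matter where it lands.
 * Returns true when klocked survives and the two flags sit in distinct bytes. */
bool bool_layout_keeps_klocked(void)
{
    struct bool_flags live = { .check_blocked = true };

    live.klocked = true;          /* CPU 1 under owner_lock */
    live.check_blocked = false;   /* CPU 0 under check_lock, interleaved anywhere */

    return live.klocked && !live.check_blocked &&
           offsetof(struct bool_flags, klocked) !=
           offsetof(struct bool_flags, check_blocked);
}

int main(void)
{
    printf("packed flags share a byte:        %s\n",
           packed_flags_share_a_byte() ? "yes" : "no");
    printf("packed layout loses klocked=1:    %s\n",
           packed_layout_loses_klocked() ? "yes" : "no");
    printf("bool layout keeps klocked=1:      %s\n",
           bool_layout_keeps_klocked() ? "yes" : "no");
    return 0;
}
```

The point for review is that KCSAN flags the pair because each side holds a lock that the other does not take; the fix does not add locking but changes the layout so the two locked regions no longer share a storage unit. When auditing similar reports, check whether the two access sites are protected by the same lock and, if not, whether the accessed fields are bit fields or otherwise sub-word packed with fields that belong to the other lock.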

Crashes (111):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2020/12/15 03:00 upstream fab0fca1da5c 97183ed7 .config console log report info ci2-upstream-kcsan-gce
2020/12/14 13:14 upstream 2c85ebc57b3e b22a7ec3 .config console log report info ci2-upstream-kcsan-gce
2020/12/09 13:42 upstream a68a0262abda 99917735 .config console log report info ci2-upstream-kcsan-gce
2020/11/30 07:32 upstream b65054597872 a0092f9d .config console log report info ci2-upstream-kcsan-gce
2020/11/28 16:41 upstream c84e1efae022 3c7136c0 .config console log report info ci2-upstream-kcsan-gce
2020/11/19 16:54 upstream c2e7554e1b85 0767f13f .config console log report info ci2-upstream-kcsan-gce
2020/11/16 18:50 upstream 09162bc32c88 1bf9a662 .config console log report info ci2-upstream-kcsan-gce
2020/11/16 04:09 upstream 0062442ecfef 1bf9a662 .config console log report info ci2-upstream-kcsan-gce
2020/11/13 20:34 upstream 585e5b17b92d 4a7fa9b4 .config console log report info ci2-upstream-kcsan-gce
2020/11/12 15:54 upstream 3d5e28bff7ad 77a55c8e .config console log report info ci2-upstream-kcsan-gce
2020/11/11 01:26 upstream eccc87672492 cca87986 .config console log report info ci2-upstream-kcsan-gce
2020/11/02 21:10 upstream 495023e4e49e 7f344fa6 .config console log report info ci2-upstream-kcsan-gce
2020/11/02 05:38 upstream 31f020064f9d 8bc4594f .config console log report info ci2-upstream-kcsan-gce
2020/10/30 17:50 upstream 07e088730245 a6e3ac3b .config console log report info ci2-upstream-kcsan-gce
2020/10/27 14:18 upstream 4525c8781ec0 94942294 .config console log report info ci2-upstream-kcsan-gce
2020/10/26 01:43 upstream 986b9eacb259 a1839e81 .config console log report info ci2-upstream-kcsan-gce
2020/10/23 06:55 upstream 96485e446260 4e740c00 .config console log report info ci2-upstream-kcsan-gce
2020/10/18 07:00 upstream 9d9af1007bc0 fea47c01 .config console log report info ci2-upstream-kcsan-gce
2020/10/16 06:02 upstream 726eb70e0d34 6e262c73 .config console log report info ci2-upstream-kcsan-gce
2020/09/30 06:15 upstream 02de58b24d2e 5abc3f1a .config console log report info ci2-upstream-kcsan-gce
2020/09/30 03:24 upstream fb0155a09b02 5abc3f1a .config console log report info ci2-upstream-kcsan-gce
2020/09/28 18:05 upstream a1b8638ba132 6bfdbe89 .config console log report info ci2-upstream-kcsan-gce
2020/09/27 20:21 upstream a1bffa48745a 5dd8aee8 .config console log report info ci2-upstream-kcsan-gce
2020/09/27 08:21 upstream eeddbe6841cd 5dd8aee8 .config console log report info ci2-upstream-kcsan-gce
2020/09/25 19:20 upstream 171d4ff79f96 4a006f63 .config console log report info ci2-upstream-kcsan-gce
2020/09/12 06:00 upstream e8878ab82545 79fb24e2 .config console log report ci2-upstream-kcsan-gce
2020/09/11 18:16 upstream 581cb3a26baf adfb8b4e .config console log report ci2-upstream-kcsan-gce
2020/09/11 08:18 upstream 581cb3a26baf ac7ca78e .config console log report ci2-upstream-kcsan-gce
2020/09/10 15:29 upstream 7fe10096c150 ac7ca78e .config console log report ci2-upstream-kcsan-gce
2020/09/09 03:49 upstream 6f6a73c8b715 abf9ba4f .config console log report ci2-upstream-kcsan-gce
2020/09/06 07:34 upstream 9322c47b21b9 abf9ba4f .config console log report ci2-upstream-kcsan-gce
2020/09/01 12:50 upstream b51594df17d0 d5a3ae1f .config console log report ci2-upstream-kcsan-gce
2020/08/31 01:25 upstream dcc5c6f013d8 d5a3ae1f .config console log report ci2-upstream-kcsan-gce
2020/08/28 06:32 upstream 15bc20c6af4c 816e0689 .config console log report ci2-upstream-kcsan-gce
2020/08/19 11:43 upstream 18445bf405cb e1c29030 .config console log report ci2-upstream-kcsan-gce
2020/08/15 14:40 upstream c9c9735c46f5 5ce13532 .config console log report ci2-upstream-kcsan-gce
2020/08/12 21:03 upstream fb893de323e2 0d7bd2e0 .config console log report ci2-upstream-kcsan-gce
2020/08/12 01:09 upstream bb5baaa9238e bb3e5fe6 .config console log report ci2-upstream-kcsan-gce
2020/08/10 01:17 upstream 9420f1ce0186 70301872 .config console log report ci2-upstream-kcsan-gce
2020/08/04 04:15 upstream e4cbce4d1317 96dd3623 .config console log report ci2-upstream-kcsan-gce
2020/08/02 10:10 upstream ac3a0c847296 96dd3623 .config console log report ci2-upstream-kcsan-gce
2020/07/22 12:52 upstream 4fa640dc5230 21f1765e .config console log report ci2-upstream-kcsan-gce
2020/07/21 09:10 upstream 4fa640dc5230 d88894e6 .config console log report ci2-upstream-kcsan-gce
2020/06/18 21:24 upstream 1b5044021070 3ea11d3f .config console log report ci2-upstream-kcsan-gce