BUG: looking up invalid subclass: 8


syzbot

Nov 6, 2017, 1:36:15 PM
to alsa-...@alsa-project.org, danie...@google.com, linux-...@vger.kernel.org, pe...@perex.cz, syzkall...@googlegroups.com, ti...@suse.com
Hello,

syzkaller hit the following crash on
5a3517e009e979f21977d362212b7729c5165d92
git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/master
compiler: gcc (GCC) 7.1.1 20170620
.config is attached
Raw console output is attached.
C reproducer is attached
syzkaller reproducer is attached. See https://goo.gl/kgGztJ
for information about syzkaller reproducers


turning off the locking correctness validator.
CPU: 0 PID: 2988 Comm: syzkaller395259 Not tainted
4.14.0-rc7-next-20171103+ #10
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x194/0x257 lib/dump_stack.c:53
look_up_lock_class kernel/locking/lockdep.c:686 [inline]
register_lock_class+0x5f2/0x2c70 kernel/locking/lockdep.c:769
__lock_acquire+0x203/0x4770 kernel/locking/lockdep.c:3387
lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:4004
down_read_nested+0x9a/0x150 kernel/locking/rwsem.c:157
deliver_to_subscribers sound/core/seq/seq_clientmgr.c:666 [inline]
snd_seq_deliver_event+0x559/0x820 sound/core/seq/seq_clientmgr.c:811
snd_seq_kernel_client_dispatch+0x11e/0x150
sound/core/seq/seq_clientmgr.c:2317
dummy_input+0x2c4/0x400 sound/core/seq/seq_dummy.c:104
snd_seq_deliver_single_event.constprop.11+0x2fb/0x940
sound/core/seq/seq_clientmgr.c:621
deliver_to_subscribers sound/core/seq/seq_clientmgr.c:676 [inline]
snd_seq_deliver_event+0x362/0x820 sound/core/seq/seq_clientmgr.c:811
snd_seq_kernel_client_dispatch+0x11e/0x150
sound/core/seq/seq_clientmgr.c:2317
dummy_input+0x2c4/0x400 sound/core/seq/seq_dummy.c:104
snd_seq_deliver_single_event.constprop.11+0x2fb/0x940
sound/core/seq/seq_clientmgr.c:621
deliver_to_subscribers sound/core/seq/seq_clientmgr.c:676 [inline]
snd_seq_deliver_event+0x362/0x820 sound/core/seq/seq_clientmgr.c:811
snd_seq_kernel_client_dispatch+0x11e/0x150
sound/core/seq/seq_clientmgr.c:2317
dummy_input+0x2c4/0x400 sound/core/seq/seq_dummy.c:104
snd_seq_deliver_single_event.constprop.11+0x2fb/0x940
sound/core/seq/seq_clientmgr.c:621
deliver_to_subscribers sound/core/seq/seq_clientmgr.c:676 [inline]
snd_seq_deliver_event+0x362/0x820 sound/core/seq/seq_clientmgr.c:811
snd_seq_kernel_client_dispatch+0x11e/0x150
sound/core/seq/seq_clientmgr.c:2317
dummy_input+0x2c4/0x400 sound/core/seq/seq_dummy.c:104
snd_seq_deliver_single_event.constprop.11+0x2fb/0x940
sound/core/seq/seq_clientmgr.c:621
deliver_to_subscribers sound/core/seq/seq_clientmgr.c:676 [inline]
snd_seq_deliver_event+0x362/0x820 sound/core/seq/seq_clientmgr.c:811
snd_seq_kernel_client_dispatch+0x11e/0x150
sound/core/seq/seq_clientmgr.c:2317
dummy_input+0x2c4/0x400 sound/core/seq/seq_dummy.c:104
snd_seq_deliver_single_event.constprop.11+0x2fb/0x940
sound/core/seq/seq_clientmgr.c:621
deliver_to_subscribers sound/core/seq/seq_clientmgr.c:676 [inline]
snd_seq_deliver_event+0x362/0x820 sound/core/seq/seq_clientmgr.c:811
snd_seq_kernel_client_dispatch+0x11e/0x150
sound/core/seq/seq_clientmgr.c:2317
dummy_input+0x2c4/0x400 sound/core/seq/seq_dummy.c:104
snd_seq_deliver_single_event.constprop.11+0x2fb/0x940
sound/core/seq/seq_clientmgr.c:621
deliver_to_subscribers sound/core/seq/seq_clientmgr.c:676 [inline]
snd_seq_deliver_event+0x362/0x820 sound/core/seq/seq_clientmgr.c:811
snd_seq_kernel_client_dispatch+0x11e/0x150
sound/core/seq/seq_clientmgr.c:2317
dummy_input+0x2c4/0x400 sound/core/seq/seq_dummy.c:104
snd_seq_deliver_single_event.constprop.11+0x2fb/0x940
sound/core/seq/seq_clientmgr.c:621
snd_seq_deliver_event+0x176/0x820 sound/core/seq/seq_clientmgr.c:822
snd_seq_kernel_client_dispatch+0x11e/0x150
sound/core/seq/seq_clientmgr.c:2317
snd_seq_oss_dispatch sound/core/seq/oss/seq_oss_device.h:150 [inline]
snd_seq_oss_midi_reset+0x44b/0x700 sound/core/seq/oss/seq_oss_midi.c:481
snd_seq_oss_synth_reset+0x398/0x980 sound/core/seq/oss/seq_oss_synth.c:416
snd_seq_oss_reset+0x6c/0x260 sound/core/seq/oss/seq_oss_init.c:448
snd_seq_oss_release+0x71/0x120 sound/core/seq/oss/seq_oss_init.c:425
odev_release+0x52/0x70 sound/core/seq/oss/seq_oss.c:153
__fput+0x333/0x7f0 fs/file_table.c:210
____fput+0x15/0x20 fs/file_table.c:244
task_work_run+0x199/0x270 kernel/task_work.c:113
exit_task_work include/linux/task_work.h:22 [inline]
do_exit+0x9b5/0x1ad0 kernel/exit.c:869
do_group_exit+0x149/0x400 kernel/exit.c:972
SYSC_exit_group kernel/exit.c:983 [inline]
SyS_exit_group+0x1d/0x20 kernel/exit.c:981
entry_SYSCALL_64_fastpath+0x1f/0xbe
RIP: 0033:0x437dd9
RSP: 002b:00007ffe20d04a08 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000437dd9
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 0000000000000086 R08: 000000000000003c R09: 00000000000000e7
R10: ffffffffffffffc0 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000401e90 R14: 0000000000401f20 R15: 0000000000000000


---
This bug is generated by a dumb bot. It may contain errors.
See https://goo.gl/tpsmEJ for details.
Direct all questions to syzk...@googlegroups.com.
Please credit me with: Reported-by: syzbot <syzk...@googlegroups.com>

syzbot will keep track of this bug report.
Once a fix for this bug is committed, please reply to this email with:
#syz fix: exact-commit-title
To mark this as a duplicate of another syzbot report, please reply with:
#syz dup: exact-subject-of-another-report
If it's a one-off invalid bug report, please reply with:
#syz invalid
Note: if the crash happens again, it will cause creation of a new bug
report.
Note: all commands must start from beginning of the line.
config.txt
raw.log
repro.txt
repro.c

Takashi Iwai

Nov 6, 2017, 2:29:21 PM
to syzbot, alsa-...@alsa-project.org, danie...@google.com, syzkall...@googlegroups.com, pe...@perex.cz, linux-...@vger.kernel.org
On Mon, 06 Nov 2017 19:36:14 +0100,
syzbot wrote:
>
> Hello,
>
> syzkaller hit the following crash on
> 5a3517e009e979f21977d362212b7729c5165d92
> git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/master
> compiler: gcc (GCC) 7.1.1 20170620
> .config is attached
> Raw console output is attached.
> C reproducer is attached
> syzkaller reproducer is attached. See https://goo.gl/kgGztJ
> for information about syzkaller reproducers
>
>
> turning off the locking correctness validator.
> CPU: 0 PID: 2988 Comm: syzkaller395259 Not tainted
> 4.14.0-rc7-next-20171103+ #10
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
> Call Trace:
> __dump_stack lib/dump_stack.c:17 [inline]
> dump_stack+0x194/0x257 lib/dump_stack.c:53
> look_up_lock_class kernel/locking/lockdep.c:686 [inline]
> register_lock_class+0x5f2/0x2c70 kernel/locking/lockdep.c:769

Ah interesting, this is a result of the recent down_read_nested()
usage because we allow more depth than the lock subclasses.

Below is the quick fix to paper over it.


thanks,

Takashi

-- 8< --
From: Takashi Iwai <ti...@suse.de>
Subject: [PATCH] ALSA: seq: Avoid invalid lockdep class warning

The recent fix for adding rwsem nesting annotation was using the given
"hop" argument as the lock subclass key. Although the idea itself
works, it may trigger a kernel warning like:
BUG: looking up invalid subclass: 8
....
since the lockdep has a smaller number of subclasses (8) than we
currently allow for the hops there (10).

The current definition is merely a sanity check for avoiding the too
deep delivery paths, and the 8 hops are already enough. So, as a
quick fix, just follow the max hops as same as the max lockdep
subclasses.

Fixes: 1f20f9ff57ca ("ALSA: seq: Fix nested rwsem annotation for lockdep splat")
Reported-by: syzbot <syzk...@googlegroups.com>
Cc: <sta...@vger.kernel.org>
Signed-off-by: Takashi Iwai <ti...@suse.de>
---
include/sound/seq_kernel.h | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/include/sound/seq_kernel.h b/include/sound/seq_kernel.h
index feb58d455560..4b9ee3009aa0 100644
--- a/include/sound/seq_kernel.h
+++ b/include/sound/seq_kernel.h
@@ -49,7 +49,8 @@ typedef union snd_seq_timestamp snd_seq_timestamp_t;
#define SNDRV_SEQ_DEFAULT_CLIENT_EVENTS 200

/* max delivery path length */
-#define SNDRV_SEQ_MAX_HOPS 10
+/* NOTE: this shouldn't be greater than MAX_LOCKDEP_SUBCLASSES */
+#define SNDRV_SEQ_MAX_HOPS 8

/* max size of event size */
#define SNDRV_SEQ_MAX_EVENT_LEN 0x3fffffff
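
Review bot: the new NOTE above `#define SNDRV_SEQ_MAX_HOPS 8` states the limit against MAX_LOCKDEP_SUBCLASSES only as a comment, so nothing stops a later change from raising the value and bringing the warning back. Suggest a compile-time check such as `BUILD_BUG_ON(SNDRV_SEQ_MAX_HOPS > MAX_LOCKDEP_SUBCLASSES)` at the site that passes the hop count to down_read_nested(). Since the reported warning is for subclass 8 and this define is now 8, it is also worth confirming that the hop bound check (not part of this hunk) rejects a hop equal to SNDRV_SEQ_MAX_HOPS before it is used as the subclass.
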
--
2.14.3

Eric Biggers

Jan 31, 2018, 4:13:06 PM
to syzbot, syzkall...@googlegroups.com
On Mon, 06 Nov 2017 19:36:14 +0100, syzbot wrote:
#syz fix: ALSA: seq: Avoid invalid lockdep class warning