sound: another WARNING in rawmidi_transmit_ack


Dmitry Vyukov

Feb 1, 2016, 6:31:40 AM2/1/16
to Jaroslav Kysela, Takashi Iwai, alsa-...@alsa-project.org, LKML, syzkaller, Kostya Serebryany, Alexander Potapenko, Sasha Levin
Hello,

The following program triggers a splash of WARNINGs in rawmidi_transmit_ack.
Takashi, I am on commit 36f90b0a2ddd60823fe193a85e60ff1906c2a9b3 + a
bunch of your recent fixes:
https://gist.githubusercontent.com/dvyukov/40640128a433ad16a56a/raw/ab3a08637ce3654b969b778c5700fe4a80f14456/gistfile1.txt


------------[ cut here ]------------
WARNING: CPU: 2 PID: 6954 at sound/core/rawmidi.c:1133
rawmidi_transmit_ack+0x24a/0x3b0()
Modules linked in:
CPU: 2 PID: 6954 Comm: syz-executor Not tainted 4.5.0-rc2+ #306
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
00000000ffffffff ffff8800309d78b8 ffffffff82be2c0d 0000000000000000
ffff880031238000 ffffffff8719a820 ffff8800309d78f8 ffffffff81355139
ffffffff8527e69a ffffffff8719a820 000000000000046d 0000000000000005
Call Trace:
[< inline >] __dump_stack lib/dump_stack.c:15
[<ffffffff82be2c0d>] dump_stack+0x6f/0xa2 lib/dump_stack.c:50
[<ffffffff81355139>] warn_slowpath_common+0xd9/0x140 kernel/panic.c:482
[<ffffffff81355369>] warn_slowpath_null+0x29/0x30 kernel/panic.c:515
[<ffffffff8527e69a>] rawmidi_transmit_ack+0x24a/0x3b0 sound/core/rawmidi.c:1133
[<ffffffff8527e851>] snd_rawmidi_transmit_ack+0x51/0x80
sound/core/rawmidi.c:1163
[<ffffffff852d9046>] snd_virmidi_output_trigger+0x2b6/0x570
sound/core/seq/seq_virmidi.c:185
[< inline >] snd_rawmidi_output_trigger sound/core/rawmidi.c:150
[<ffffffff85285a0b>] snd_rawmidi_kernel_write1+0x4bb/0x760
sound/core/rawmidi.c:1252
[<ffffffff85287b73>] snd_rawmidi_write+0x543/0xb30 sound/core/rawmidi.c:1302
[<ffffffff817ba5f3>] __vfs_write+0x113/0x480 fs/read_write.c:528
[<ffffffff817bc087>] vfs_write+0x167/0x4a0 fs/read_write.c:577
[< inline >] SYSC_write fs/read_write.c:624
[<ffffffff817bf371>] SyS_write+0x111/0x220 fs/read_write.c:616
[<ffffffff86660276>] entry_SYSCALL_64_fastpath+0x16/0x7a
arch/x86/entry/entry_64.S:185
---[ end trace 6f686d9dad133d99 ]---


// autogenerated by syzkaller (http://github.com/google/syzkaller)
#include <pthread.h>
#include <stdint.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Syscall results, one slot per case of thr(). main() presets every entry to
 * -1 before starting any thread; the threads then write their own slots
 * concurrently with no synchronization, and later cases read r[2] and r[4]
 * (the two fds) whether or not the opening thread has run yet. */
long r[28];

/*
 * Thread body of the reproducer: each thread runs exactly one of the cases
 * below, selected by the integer that main() smuggles through `arg`.
 * Every syscall result is stored in the global r[] table. The threads write
 * r[] and the fixed-address scratch memory concurrently with no
 * synchronization, so the interleaving is shaped only by the usleep() spacing
 * in main(). Later cases consume fds produced by earlier ones (r[2], r[4])
 * and dereference addresses inside the regions mapped by cases 0, 3/4/10 and
 * 6/8; if those have not run yet the fd is still -1 and the raw stores would
 * fault, which is accepted here because this is a race reproducer, not a
 * robust program.
 */
void* thr(void* arg)
{
    switch ((long)arg) {
    case 0:
        /* 0xd90000-byte anonymous RW mapping at 0x20000000, the scratch area
         * most addresses below fall into (on x86-64 Linux 0x3 is
         * PROT_READ|PROT_WRITE and 0x32 is MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS). */
        r[0] = syscall(SYS_mmap, 0x20000000ul, 0xd90000ul, 0x3ul, 0x32ul,
                       0xfffffffffffffffful, 0x0ul);
        break;
    case 1:
        /* The path bytes ("/dev/sequencer2") are copied into the scratch
         * area, but open() below is handed the string literal, so the copy
         * is unused. The resulting fd (r[2]) is the target of the ioctls in
         * cases 7 and 9. */
        memcpy(
            (void*)0x20d8f000,
            "\x2f\x64\x65\x76\x2f\x73\x65\x71\x75\x65\x6e\x63\x65\x72\x32",
            15);
        r[2] = syscall(SYS_open, "/dev/sequencer2", 0x181800ul, 0,
                       0, 0);
        break;
    case 2:
        /* Same pattern: the copied bytes decode to "/dev/snd/midiC#D#" and are
         * never read; open() uses the literal "/dev/snd/midiC2D0". The rawmidi
         * fd (r[4]) is what cases 11 and 12 write to. */
        memcpy((void*)0x20d8df5b, "\x2f\x64\x65\x76\x2f\x73\x6e\x64\x2f\x6d"
                                  "\x69\x64\x69\x43\x23\x44\x23",
               17);
        r[4] = syscall(SYS_open, "/dev/snd/midiC2D0", 0x802ul, 0, 0,
                       0);
        break;
    case 3:
        /* 4 KiB RW page at 0x20d90000; cases 4 and 10 map the same page
         * again (MAP_FIXED just replaces it). */
        r[5] = syscall(SYS_mmap, 0x20d90000ul, 0x1000ul, 0x3ul, 0x32ul,
                       0xfffffffffffffffful, 0x0ul);
        break;
    case 4:
        /* Duplicate of case 3. */
        r[6] = syscall(SYS_mmap, 0x20d90000ul, 0x1000ul, 0x3ul, 0x32ul,
                       0xfffffffffffffffful, 0x0ul);
        break;
    case 5:
        /* Zero-length mmap; expected to fail (a zero length is rejected by
         * the kernel). r[7] is not used afterwards. */
        r[7] = syscall(SYS_mmap, 0x20000000ul, 0x0ul, 0x3ul, 0x32ul,
                       0xfffffffffffffffful, 0x0ul);
        break;
    case 6:
        /* 4 KiB RW page at 0x20d91000, directly after the case-3 page;
         * case 8 maps it again. */
        r[8] = syscall(SYS_mmap, 0x20d91000ul, 0x1000ul, 0x3ul, 0x32ul,
                       0xfffffffffffffffful, 0x0ul);
        break;
    case 7:
        /* Store a 32-bit value at the start of the second page and pass that
         * address as the argument of ioctl cmd 0x40045201 on the sequencer
         * fd r[2]. */
        *(uint32_t*)0x20d91000 = (uint32_t)0xf834;
        r[10] =
            syscall(SYS_ioctl, r[2], 0x40045201ul, 0x20d91000ul, 0, 0, 0);
        break;
    case 8:
        /* Duplicate of case 6. */
        r[11] = syscall(SYS_mmap, 0x20d91000ul, 0x1000ul, 0x3ul, 0x32ul,
                        0xfffffffffffffffful, 0x0ul);
        break;
    case 9:
        /* Second ioctl (cmd 0x80404509) on the sequencer fd, with the second
         * page as its argument buffer. */
        r[12] =
            syscall(SYS_ioctl, r[2], 0x80404509ul, 0x20d91000ul, 0, 0, 0);
        break;
    case 10:
        /* Duplicate of case 3. */
        r[13] = syscall(SYS_mmap, 0x20d90000ul, 0x1000ul, 0x3ul, 0x32ul,
                        0xfffffffffffffffful, 0x0ul);
        break;
    case 11:
        /* Build a four-entry iovec array at 0x20d90ffd: deliberately
         * unaligned, and the first 8-byte store straddles the
         * 0x20d90000/0x20d91000 page boundary. Entries are (base, len):
         * (0x20a962b0, 211), (0x20d902e4, 246), (0x20d907cd, 103) and a
         * trailing zero-length entry at 0x20000000. The first payload lies in
         * the case-0 mapping, the other two in the case-3 page. */
        *(uint64_t*)0x20d90ffd = (uint64_t)0x20a962b0;
        *(uint64_t*)0x20d91005 = (uint64_t)0xd3;
        *(uint64_t*)0x20d9100d = (uint64_t)0x20d902e4;
        *(uint64_t*)0x20d91015 = (uint64_t)0xf6;
        *(uint64_t*)0x20d9101d = (uint64_t)0x20d907cd;
        *(uint64_t*)0x20d91025 = (uint64_t)0x67;
        *(uint64_t*)0x20d9102d = (uint64_t)0x20000000;
        *(uint64_t*)0x20d91035 = (uint64_t)0x0;
        /* Payload 1: 211 bytes. */
        memcpy((void*)0x20a962b0,
               "\xea\x7e\xf1\x21\xe0\xc7\xaa\xa3\x6d\x6c\xb3\x94\x27\x70"
               "\xed\x74\xab\xee\x27\x7c\x1b\x9e\x66\x76\x79\xa6\x4f\x69"
               "\xf6\x63\x0a\x5c\x31\xe3\xef\x43\x43\x93\x6a\x40\x53\x03"
               "\x0d\x61\xd9\xb5\xac\xc0\xe9\x10\x1c\x5d\x50\x6e\x7f\xe1"
               "\x0a\x65\x7e\x09\xa5\x57\x89\x33\x52\x49\x01\xaf\x5f\xdd"
               "\x55\xb2\x59\xca\xf6\x0d\x39\x26\xa6\xad\x9f\x93\x7e\xda"
               "\x06\x6f\xae\x4e\xce\x3d\xd9\xbd\x4f\x6a\xec\x7b\xb7\xc8"
               "\xe0\xd8\x25\x85\xca\xda\x7f\x04\x7a\x0e\x23\x66\x63\xc0"
               "\xfb\x9a\xe7\x87\xb2\x85\x83\x6e\x07\xd5\x8c\x8e\xb1\x8a"
               "\x9a\x43\xb8\x5c\x2d\xe4\xe9\x9b\x8d\xfb\x23\x52\xfd\xf9"
               "\x7e\xa4\xc1\x8b\x90\xf9\x14\x98\xba\x75\xa5\xf2\x88\xbf"
               "\x8f\x28\x8f\xee\xf3\xc7\x20\xfc\xa3\x53\xd2\x1c\x1b\x02"
               "\xc5\x2b\x1b\x9a\x17\xb6\xef\xd5\x6b\x46\x4c\x66\x75\x45"
               "\xcc\xb4\x1d\x41\x13\xb1\x1f\xc7\x76\x7f\x28\x8b\x3d\x85"
               "\x16\x38\x2f\x27\xdb\x17\x71\x05\xd6\x0e\x5e\x53\x3b\x19"
               "\xbb",
               211);
        /* Payload 2: 246 bytes. */
        memcpy((void*)0x20d902e4,
               "\xe8\x61\x5b\xd6\x03\xc7\x69\x3a\xa4\x17\x85\xce\xf4\x49"
               "\x07\x42\xee\x24\x4a\x9e\xe5\xff\x3e\xa1\xbc\x97\xc7\x66"
               "\x01\x9f\x34\x57\x1b\xf6\x99\x2b\xd0\x45\xa0\xc9\x2b\x2d"
               "\x45\x45\x7a\xb0\xf9\x9d\xc8\x3b\x53\x78\x3a\x93\x42\xcc"
               "\x88\xa9\xf4\x79\xab\x1c\xfe\x48\x8d\x61\x6a\x84\x26\x2d"
               "\x74\xb6\x2d\xa7\xbb\x8c\x33\x6e\xca\x38\x57\xf8\x39\x91"
               "\xc7\x57\x6f\x28\xbc\x2e\x9e\xca\xc8\xcb\x08\x0c\x1e\xe6"
               "\x49\x5d\x32\xe6\x33\xd0\x92\x20\xb5\x7f\x96\x2a\x47\x3f"
               "\xa5\x9d\x9b\xeb\x67\xd9\x36\x48\xeb\x0d\x16\xd4\xc9\x48"
               "\x7d\xa4\xfd\x42\xde\x2d\xf6\xae\x48\xe6\x50\x1c\x24\x86"
               "\xe5\x0d\x23\x04\xa6\xcc\xfb\x98\xbe\x61\xb2\xed\x59\x28"
               "\x82\xd1\x80\x06\xf1\x90\xae\xd4\x99\x28\x92\x92\x30\xdc"
               "\x12\x29\x5e\x47\x69\x74\x7b\x1b\x82\x14\xce\xaa\x35\x06"
               "\xa3\x24\x00\x34\xf8\xeb\x3f\x24\xf7\xdf\x30\x59\xb5\x54"
               "\x1a\x60\xfa\x23\x1b\x67\xf8\x3c\x59\x56\x0b\xef\xaf\x09"
               "\x7d\xaa\xe5\x4b\xce\x0b\x6a\x3b\xde\x94\xa1\x80\x37\xae"
               "\x5c\x8c\xac\x0f\x1a\xfd\x36\x9a\xa8\x8a\xd2\x2d\xe5\xf1"
               "\xb2\x8e\x29\x30\xe1\x39\x72\xef",
               246);
        /* Payload 3: 103 bytes. */
        memcpy((void*)0x20d907cd,
               "\x3e\x14\x32\x60\x81\x87\xfb\x49\xb5\x66\xa3\x99\xe5\x9b"
               "\xfd\xae\xec\xa8\x66\x6b\x6b\x52\xa4\x13\xbd\x8a\x2a\xe7"
               "\x26\x6a\x48\x8d\x09\x1f\x6e\x60\x25\x75\xd0\x62\xfa\x32"
               "\xc0\x40\x16\x21\xc0\x41\xa9\xd3\x30\x77\x64\x5d\xf4\x50"
               "\xfd\x63\x06\xbf\xc2\xad\xfa\xf6\xa5\x2a\x51\x60\x5b\x47"
               "\x60\x4d\xbe\x25\x16\x2e\xd7\xdc\x43\xe3\xc9\x57\x4a\x00"
               "\x9f\x4f\x23\x40\xb0\x9b\xc7\x25\x5f\xef\xb1\x97\x9e\xb3"
               "\x09\xc8\x99\x34\xf2",
               103);
        /* writev() of the four entries to the rawmidi fd. */
        r[25] = syscall(SYS_writev, r[4], 0x20d90ffdul, 0x4ul, 0, 0, 0);
        break;
    case 12:
        /* 4100-byte payload inside the case-0 mapping, pushed to the rawmidi
         * fd with a single write() of 0x1004 == 4100 bytes. */
        memcpy(
            (void*)0x20d8a029,
            "\x41\x30\x85\x16\x79\x50\x97\xdd\x70\xc7\x66\xcd\x0b\xa5\x9e"
            "\x92\xe8\xba\x6c\x3f\x30\x00\x24\x10\x48\xa9\x47\xe4\x96\x91"
            "\x7d\x4b\x68\x92\xe9\x81\x54\xd5\xe8\x72\xdf\x42\x12\xa3\xfd"
            "\xe7\x30\xa0\xd7\x9f\xd0\x88\xeb\x6b\x42\x43\x78\x80\xfb\x51"
            "\x39\xcd\xab\x77\x9a\xb4\x9a\x79\xa4\x0b\xa0\x3a\x9e\x09\x0d"
            "\x1d\xda\x32\x68\x64\xf9\x03\x3f\xed\x07\xd2\xd3\xea\x82\xb8"
            "\x8e\x47\xf9\x7a\x78\x73\x6f\x46\x9a\x6e\xb3\xa8\xb7\x9f\xac"
            "\x1c\x47\x66\x0a\x67\x59\xb4\x6b\x52\xab\x3b\xe6\x6d\x74\xe2"
            "\xf0\x84\xfe\x1b\x3a\xe8\x82\x2b\x2a\xad\x3e\x61\x69\xdb\xe0"
            "\xff\x65\xa9\xab\xf9\xa1\x69\x30\xcd\xc2\xbb\x2e\xac\x11\xf6"
            "\x3c\x31\x25\x2e\x77\x12\x86\xdf\x24\x37\xf8\xdc\x9a\xc3\x11"
            "\xd4\x25\xce\x12\xbe\x2f\xb0\x4a\x50\x64\x8a\xf1\xb3\xf0\x75"
            "\xae\x5a\x0b\x5d\xf3\x8d\xe8\x75\x07\xaa\x0a\x93\x6c\x85\x2c"
            "\x48\x3e\xae\xbc\xe1\x49\xab\xa9\x7b\xe3\x57\x7e\xa8\x90\x1a"
            "\x04\x5f\x10\x9a\x96\x5b\xf4\xd0\xa1\xec\xed\x0f\xd8\x0a\x40"
            "\xd8\x75\x05\x0d\x14\xc6\x28\xbb\x7a\xc5\x42\x69\xb0\xea\x26"
            "\x0d\x2f\xb6\xba\xcc\x23\x28\x28\x61\x6b\x55\xf8\x10\xb8\xb8"
            "\x2d\xba\x9f\xfd\x2e\x1d\xa7\xf1\x3f\x8e\x54\x64\xf5\x6f\xfe"
            "\x33\x93\x1d\xcb\x82\x60\x8f\x90\x85\xf7\x58\xc2\x3b\x9d\x9a"
            "\x7f\xe0\x55\x2e\xa2\x1a\xd5\x39\xe6\xfd\xcf\x2c\x2c\x5b\x7e"
            "\xfb\xfd\x81\x17\x92\x95\x97\x40\x74\x9d\xfb\x81\xc2\x02\x85"
            "\x0c\x55\xed\xbf\x1f\xce\xad\x58\x88\xd2\x10\xf0\x4e\x18\x28"
            "\x86\xe0\x1c\xa7\xce\x7c\xdb\xdd\x15\x3c\xd2\xd8\x1d\x9e\x43"
            "\x18\x0e\x1d\xc2\xb8\x8e\xf0\x0f\xd6\x6b\x89\x40\x00\x28\x1d"
            "\x5a\xa2\x5a\xeb\x2f\x60\x7b\x02\xc9\x86\x88\xfb\x94\x89\x81"
            "\xec\x4c\x9f\xe8\xaf\xcb\x7b\x68\x21\xe1\xa3\x60\x32\x7d\x23"
            "\xcf\x71\x20\x22\x1b\x8e\xec\x51\x17\x05\x70\x2c\x92\x70\x59"
            "\x35\x6a\x25\x71\x39\x2c\x66\x42\x3f\x46\x78\x88\x7f\xdb\x71"
            "\xb8\xd6\x7c\xce\x8b\x4a\xb1\x8d\xa2\xc5\xb9\xac\xe7\x89\x4b"
            "\x7a\x6c\x91\x11\x6d\xe9\x2b\x27\x80\x49\x32\x66\x16\xed\xf1"
            "\x74\x51\xcd\x44\x4a\x94\x5c\xfc\xe5\x11\x54\xf5\x61\xbe\xed"
            "\xbc\x00\xbd\xde\x02\xd4\x40\xa5\x13\x4f\x48\x6e\x43\x1a\xc2"
            "\x56\xe8\x95\x16\xcc\x5f\x4d\xf8\x80\x40\x2c\x59\x07\x32\x49"
            "\x84\xff\x31\x53\xd9\x26\x08\xc1\x06\xf2\x69\x4b\x35\xa4\x41"
            "\xe5\x00\xdd\x64\x23\x1a\xb7\x29\xde\xef\x90\x03\xe3\xe1\x7d"
            "\x61\x74\xfd\xe5\xd1\xa6\xa8\x9b\xc5\x07\x90\xfb\x75\x5e\x64"
            "\xa3\x22\xcc\xd2\xc9\x29\xdb\x71\x84\x5c\x67\x51\x75\xc6\xdc"
            "\x22\x78\xb8\x6d\x2e\x8f\xf5\x51\x87\x53\xd5\xc5\x10\x53\xc3"
            "\x0c\x96\xf0\x6c\xca\x61\x37\xfc\x63\xff\xe0\xd4\x77\x3d\xea"
            "\x64\xe0\x43\xfb\xca\xf6\xd0\x2d\xd2\xc4\x67\x35\x58\x70\xa5"
            "\x6f\x0c\x19\x93\x45\xdd\xf4\x0f\xad\x60\xf4\x8e\x8d\x6a\xb6"
            "\x8d\x66\xaa\xe6\x19\xc3\x60\x4a\x77\xaa\x7b\x15\x9b\x89\x65"
            "\x11\x70\xc6\xa1\x86\xf1\x7c\xac\xac\xe4\x94\xb3\x08\xdd\xd0"
            "\x7c\xfb\x60\x2f\x5f\x42\xe6\x97\xfc\x1c\x40\xc1\xb1\x2c\x4b"
            "\x9d\xc0\x66\x48\xf1\x1b\x74\x54\x5b\x97\xc8\xb1\xba\x0b\xa5"
            "\x36\x7b\xf9\x70\x09\x2e\x7e\x57\x07\x98\xaa\xa4\x40\x7b\xc7"
            "\x6c\xe3\x43\x8b\xc0\xff\x87\x1a\x91\xaa\x07\x1a\x39\x29\xf2"
            "\x81\xf8\xfe\x22\x77\x31\xbe\x89\x30\x91\x31\xe8\xa2\xe6\xd1"
            "\x68\x99\x2d\x5a\xbf\x42\x26\x3b\x19\x5a\x18\x20\xf9\xd6\x21"
            "\x8b\x6c\x2b\x1d\x6a\x99\xbe\x02\x39\xe9\x50\x0c\xf1\xb2\x9f"
            "\x10\xdd\x7d\x85\x95\xa7\x0d\x08\x90\x73\x26\xf8\x52\xb3\x39"
            "\x2c\x6a\x42\x60\x99\xf5\x65\xae\x4b\xd6\xd3\xc5\x21\x19\x96"
            "\x85\x08\xcb\xd6\xb3\xce\xda\xd1\x75\xc3\x86\xd2\x7c\x79\x78"
            "\xea\x8b\x88\xf4\xe1\x82\x12\x1a\xe4\x57\x57\xa6\x51\x3c\xa4"
            "\xf0\x42\xbb\x21\xca\x5d\xec\xcd\x89\xec\x0c\x1b\xb8\x5b\x21"
            "\x17\xb3\xca\x32\x50\xc3\xad\x06\x05\xfa\x5e\x9c\x19\xfe\x81"
            "\x8a\x18\x06\x76\x46\xda\x93\xd7\x90\xee\xb7\x30\x23\x09\xfd"
            "\xd9\xa8\x40\x5c\xf0\xfc\xb3\xf7\xb1\x6f\x2b\x01\xe1\x0f\x27"
            "\x98\xff\xf9\xd4\x01\x89\x91\x79\x71\x11\xdb\x30\xc0\x83\x1e"
            "\x12\x62\x0e\x50\xa1\x47\x80\x99\xa4\xb6\x78\x19\xc5\x50\x4f"
            "\x82\x87\x35\x3e\x9c\x22\x20\x81\xef\xfe\xc3\x3e\x79\x2c\xf4"
            "\x7c\x7a\xcc\xfd\xbd\x63\xb4\x6b\x98\xd3\x56\x1c\xeb\xed\x1a"
            "\x3a\xff\x5c\x8e\x0e\x7e\x70\x78\xfc\x91\xfc\x29\x14\xa3\x8e"
            "\xcf\x47\x78\x0f\x98\x97\xb4\x21\x3d\x9c\x19\xbf\x27\x9b\xb4"
            "\x16\xe6\x50\xad\xe4\x6b\xa9\x1b\xa1\xe2\x05\xc1\x0a\x83\x1d"
            "\x03\xaf\x7b\x7d\x8c\x88\xa3\x11\x7e\x5d\x72\xe0\x5d\xad\x50"
            "\xc4\xc8\x75\xc8\xcc\xaa\x7d\x8f\xb4\x47\x5e\x34\xe8\x04\x71"
            "\x10\xdb\x92\xb7\xfe\x9b\x77\x9f\x04\xe3\x74\x72\x16\xb7\x4e"
            "\x31\xf8\x00\x98\x5c\x59\xf7\x4d\x7d\x89\xd7\x1c\xbd\xd7\x85"
            "\xf5\x79\xf3\xd8\x51\xcb\xab\x14\x61\xf6\xc0\xb9\xc0\xff\xec"
            "\xa2\x62\xc9\xec\x1e\xb9\xc8\x28\x20\xa8\x15\xc0\x57\xe2\xce"
            "\x62\x8a\xcc\xe0\xec\x47\xe2\x9e\x82\xcf\xf8\xe7\x2b\x98\x4c"
            "\x64\x8c\xec\x5e\x85\xd5\xe3\x21\x46\x82\xe4\x56\x4b\x59\x13"
            "\x39\x9c\x4e\x70\xbb\xfc\x7b\xd4\xc2\xdf\x5a\xde\x21\x67\x5d"
            "\x1f\xf0\xea\xd6\x4d\xaa\xb7\x2c\xdb\x70\x3c\xb4\x08\x6e\x59"
            "\x02\xf8\x8d\xdc\xac\x21\xda\x51\x70\xb1\xdd\x83\x16\xd3\x9c"
            "\xa6\x17\xb8\x93\x74\x57\x38\xa4\xab\x5e\x4b\x3a\x3b\xb6\xa1"
            "\x45\xe0\x86\x63\xd7\xd4\x2d\xc3\xc0\x39\x06\xd2\x45\x6d\x6a"
            "\x4d\xa4\x24\x48\x97\x88\x02\xa9\xb8\x10\xee\xb9\x60\xfb\x3b"
            "\xdd\x2b\xd5\x51\xf2\x09\xe8\x22\x43\xf8\x67\x62\xca\x27\x49"
            "\xbe\xb2\x82\x70\x57\xcd\x33\x7e\x8b\x8a\x0b\x42\x6f\xf1\x39"
            "\xc1\x04\x83\x5e\xd4\xe2\xc5\x26\xfe\x5e\x07\x57\x60\x7a\x09"
            "\x9e\x46\x2f\x2c\x82\xd9\x13\xf5\xdc\x70\xbd\x28\xd3\x82\x6d"
            "\xb7\x68\xb2\xb7\xb7\x58\x4d\x08\x83\x04\x40\xdd\xa0\x58\x77"
            "\x5a\xca\x90\x86\x7a\xa2\x14\x6a\x6a\xe3\xd7\xa6\x63\xd2\x89"
            "\x44\x9c\x3a\xc1\x96\x9d\x5c\x35\x16\x70\x10\x0d\x12\xf2\xc9"
            "\x1d\x50\xf9\xd6\x38\x93\x60\xc9\x3c\x3a\xd9\x3e\x89\x5e\x36"
            "\x4f\x82\x8d\x0f\xb2\x1c\xcb\xd3\xc3\xaa\x37\x86\x27\x7e\x43"
            "\xf1\x90\x1d\x8a\x05\xaf\xbe\x87\x52\xf5\x82\xe0\xea\x3c\xfc"
            "\x71\x3d\xe6\x82\x83\xa3\x01\x77\xb4\x0d\xbc\xed\x69\xb7\xea"
            "\x64\x81\x9d\x71\x7e\x9e\xfe\x96\xb3\x61\xa7\xdb\x29\xf1\x5f"
            "\xdc\xcc\x39\x31\xee\x01\xaa\xe7\x66\xbd\x35\x5c\xd4\xbf\x8d"
            "\x6c\x3e\x30\xe5\x12\x03\x6c\xd3\xb2\x82\x02\x8e\x3e\x17\x85"
            "\x7e\x31\xe0\xd4\x74\x07\x55\x77\xac\x63\x46\x51\x33\xf0\x9d"
            "\xfa\x2b\xf3\x4d\x68\xf5\x37\x64\x99\xf4\xc6\x76\xbc\x37\x07"
            "\xc5\xa3\xad\x61\x98\xe2\x85\xef\x87\xf7\xf5\x11\xfc\xb4\xd9"
            "\x4b\x68\xc9\xe9\xbd\x22\xc9\x22\xa1\x08\x1f\xfe\xeb\x81\x91"
            "\xf0\xea\xf2\x0e\x4f\xde\x4e\xcb\xb2\x28\x7f\x34\xf4\x1a\x5a"
            "\x7c\x97\x75\xbf\x94\x91\x97\xef\xcc\x2c\x52\x8d\x14\x9d\xbb"
            "\xe0\x03\x15\xf2\xc5\x06\x7d\xe7\x45\xd4\x77\x9f\xa6\x88\xf0"
            "\x04\x31\x81\xb8\x0b\x80\x7b\x05\x61\x48\x34\x78\x92\xdd\xa9"
            "\xc3\x81\x31\xf5\xe1\xde\xac\x34\xd2\x1a\x06\x41\x67\xf4\x49"
            "\x38\x2c\xce\x76\xb5\x7e\xa0\xb4\xa1\x71\xf8\x79\x62\x48\x1e"
            "\x5f\x63\x85\x6e\xb0\xdd\x50\x66\xe4\xd5\x45\xaf\x08\xc4\x2f"
            "\x4f\x8f\xe3\xdd\x78\x95\x8a\x4f\x79\xb0\x76\x20\xa6\x83\x59"
            "\x2a\x40\x3c\x10\x8d\x10\x2d\xb6\xcb\x46\x50\x4f\x33\xdb\x97"
            "\xa5\xdc\xb5\xd2\xee\xcb\xdb\xc9\x78\x33\x50\x1f\x9f\x00\x6f"
            "\x9e\x83\x5a\xa6\x26\xeb\xf4\x94\x7f\x93\x2f\xb2\xa8\x33\x8d"
            "\x6d\x9b\x5e\xd7\x98\x54\xc0\xaf\x96\x15\x2f\x0f\xba\x9e\x29"
            "\xa7\x7b\x36\xf8\x8a\x11\xb7\xe3\x7a\x9d\xc0\xb8\x89\xe1\x70"
            "\x36\xb5\x4d\x25\xff\x2f\xd1\xb4\x66\x35\xbf\xd1\x3c\xca\xb7"
            "\x5e\xbf\x9b\x3e\x89\xc3\xa2\xd7\x91\x22\x57\x99\xaa\x28\xf0"
            "\xb6\xc0\x96\xe2\x56\x8b\x99\xcd\x81\x23\xc3\x1e\xca\xaa\x97"
            "\x02\xba\xec\x1b\xee\x07\x74\xd1\x7e\xd3\x5f\x42\xf3\x71\xe6"
            "\xbf\x93\x33\x29\x89\x30\x46\xdd\x13\xb3\xf8\xee\xb2\xd7\x2a"
            "\xc6\xf1\xce\xa4\xf3\x61\x67\x51\xd6\xdc\xa8\x3f\x49\x59\x85"
            "\x64\xcc\x38\xff\xad\x49\x5b\x3b\xa8\x50\x82\x41\x84\x8b\x31"
            "\xbf\xfc\x06\x1a\x3f\xcc\x93\x0b\xe7\x04\x4b\x1d\xa9\xa4\x63"
            "\x67\xc2\xf6\xd7\x77\xef\x22\x58\x24\xa0\x4d\xf8\xd1\x36\x22"
            "\x4a\xee\x97\x7d\xe1\x2d\x31\xbf\x0a\x81\x85\xc4\x23\xee\x63"
            "\xab\xed\xb0\x9b\xf6\xf5\xc0\x73\x31\x22\x24\xf9\x3e\x2b\xf8"
            "\xed\xd2\x2a\xa1\xd2\x77\xa8\x72\xe2\xd3\xc5\xb9\xb8\x0b\xd6"
            "\x06\x22\x37\xa6\xef\x5e\xe6\x17\xdb\xb9\x7b\xfc\x8a\x89\x16"
            "\x82\xf3\x16\x52\x14\xbe\x7e\x44\x78\xdf\x6d\x83\x9e\x9e\x58"
            "\xb6\xdf\xd7\x83\x7d\x0e\x4a\x48\x95\x6b\x4f\xf2\xd6\x64\x89"
            "\x0a\xe4\x46\x44\xe7\x2c\x2f\x6a\x87\x2e\x56\x15\x31\x8c\xe8"
            "\xbf\xa4\x9d\x7a\xae\x51\xa1\xb6\xa5\xb9\x85\xcf\xa8\x8f\xd8"
            "\xf7\xd9\x03\xe6\x04\x95\x2f\xd9\x93\x44\xf3\x2c\xb9\x8b\x8c"
            "\x4c\x8c\xa8\xbc\xdc\xcc\x69\xf0\xc0\xef\x3f\x6b\xe5\x7d\x58"
            "\x8e\xc0\x39\x3e\xaa\xd7\x3a\xfb\x00\x89\x5a\x15\xc5\x59\x11"
            "\x5e\x35\xac\xa3\x29\x4e\xcc\xbb\x0d\x37\x3e\xff\xc2\xc1\xb5"
            "\x7d\x0c\x3f\xde\xe3\xdd\x7a\xca\xd3\xae\x03\x6d\xd5\x0a\x2a"
            "\x5a\x2f\x1b\x1b\x68\xf2\xb7\xf6\x6f\x77\xc2\x26\xb7\x64\xc2"
            "\x65\x5a\x2d\x6b\x30\xe5\x2a\x71\x93\x48\x25\x4b\xe3\xfe\xb6"
            "\xf6\xbc\xcc\xb6\xff\x28\x9d\xa8\x74\x24\x88\x11\x45\xba\xa5"
            "\x1d\x80\xf8\x35\xb8\x3e\x22\x04\x6f\x41\x6c\x80\xe6\xd0\x0c"
            "\x31\x9b\x59\x78\xbf\xaa\xb1\xc2\x57\xec\x42\xe2\xc3\x17\x1b"
            "\x72\x3e\x42\x49\xda\x19\x0e\xd1\x17\x23\xcd\x59\x5f\xd3\x90"
            "\xd6\x16\xe2\xdf\xe1\xcb\xf6\x72\x8d\x35\x33\xc5\xb4\xbc\xe9"
            "\x0b\x58\x4b\x7a\xe6\xc7\x5c\xb3\x7a\xbd\x64\xa7\xda\x42\xa1"
            "\xfd\xdf\x4d\xa6\xc9\xbf\x96\xf4\x8f\x68\xcf\xe7\x3a\xf7\x01"
            "\xeb\xd2\x4a\xfb\x86\xf3\xfc\xd7\x3f\xaf\x39\x5a\xbe\x19\xb7"
            "\x71\xb8\x5e\xf8\x47\xcc\xcc\xb6\x3a\x18\xbf\x4b\xea\xf0\xa6"
            "\x78\xd5\x81\x84\x46\x8e\x63\x46\x90\xb5\xd9\x38\x0c\xa6\x7b"
            "\x15\x61\x2d\x6f\xac\x61\xa9\xfd\xe0\x85\x94\x1d\x4e\x0f\x1e"
            "\x22\x3f\x4f\x17\x80\x86\x3f\x2f\xd5\x6b\xea\x20\x54\x21\xe3"
            "\x85\xd2\xdc\x9b\xbf\x83\x54\x82\xa8\x1e\xc3\xaf\xba\x1a\x35"
            "\x5d\xb1\xa8\xae\x5f\x3a\xae\x48\x5b\x95\xa1\x27\x74\x4e\xa9"
            "\x44\xed\x40\x11\xde\xdf\x30\x96\xea\x2a\x93\xa6\x8b\xfe\xaf"
            "\x59\xd7\xe4\x8d\xc6\xde\x07\x8b\x58\xb1\xc3\x5e\xbf\xba\x51"
            "\x4f\xa7\xea\x12\xb8\xfd\x8c\x9f\xa8\x04\x1c\x6e\xa7\x94\xdb"
            "\x1d\x9a\x82\x36\x96\xf8\x0c\x8e\xa4\xc6\xb0\x1d\x0b\xc8\x22"
            "\x74\x21\x0e\x8f\x67\xf5\xa6\xb6\xe9\x34\x8a\xca\xda\x22\xde"
            "\xc7\xde\x69\x3c\x4a\xa3\xcd\xba\xf8\x0e\x1f\x5e\x48\xe0\x52"
            "\x65\xa4\x6b\x74\x8e\xca\x5e\x7e\x3e\xe5\xec\xe1\x1d\x88\xc0"
            "\xd6\xcb\x13\x61\xf0\x19\x74\xa1\x0a\xdc\x76\x0a\x85\x35\xaa"
            "\x36\xaf\x39\x15\x60\x3c\x65\x45\x97\x2f\x72\x3a\x7e\x8e\x00"
            "\x5d\x0c\x6c\x4c\xdc\xd7\xac\xa6\xc3\x63\xcd\xb9\x8a\xf8\xb2"
            "\xc1\x46\xec\x1a\x88\xf1\x09\x30\x82\x8d\xcb\x07\x58\xf2\x40"
            "\x5f\x97\x4f\xe4\xa3\x80\x1e\xd0\xe1\x94\x55\x20\xdd\x6b\x19"
            "\xc8\x9b\x3c\x36\xdc\x4d\x5c\xf3\xba\x7c\x51\x31\x0e\x7f\xbf"
            "\x1b\x13\xcb\x72\x14\xad\x7c\x34\x61\x8d\xe8\x63\x2c\x81\xab"
            "\xee\x7a\x40\xcf\x19\x38\x45\xb3\x84\xe0\xa4\xcf\xe4\x7a\x34"
            "\x2a\xc9\x9a\x1e\xca\xd8\x2e\x03\x79\x56\x82\xea\x2a\x68\x64"
            "\xcd\x01\x51\x09\x71\x7a\xf4\x75\x63\x2c\x05\x26\x2d\x0d\xf7"
            "\x50\x86\x85\x4f\x88\x0d\x37\x6a\x1e\xf4\x8d\x42\xc1\xd1\x91"
            "\xfb\x7d\xff\x5a\x1e\xcc\xfa\x9e\x83\xcd\x10\x98\x7b\x35\x5c"
            "\x31\xb8\x35\x28\x7f\x73\x66\xbd\xb8\x0a\x72\x5c\x46\xf2\x38"
            "\x53\xfe\x45\x7c\x61\x76\x9e\x04\x89\x34\x5c\x85\xd0\x85\x5f"
            "\x68\x83\x1a\x89\x7f\x00\x8f\x25\xb8\x46\xcd\x4e\x9e\xea\x18"
            "\x0c\x52\x7c\x8a\xe6\x67\xa1\xc5\x2a\x53\x59\x12\x83\x56\x86"
            "\xe8\x59\x1d\xc6\xa0\x2a\xf1\xc8\xaf\x0d\x98\xdc\xec\x9a\x29"
            "\x1c\x8e\x55\xd3\x79\x76\x9e\xe9\xfa\x7a\x9a\xa7\xd7\xa3\xd7"
            "\x8c\x00\x83\xfd\x82\x78\x23\x55\x73\xa1\xf6\x3a\xc1\xa1\x7b"
            "\x18\x7d\xd0\x81\x93\x38\xcc\x57\xf8\x31\xfc\x96\x57\x0f\xe2"
            "\xf2\xdd\x89\x6e\x52\x26\xf2\xfa\x57\xa5\xdc\x7b\xa2\xef\xbd"
            "\x5b\x39\x1f\x42\x2d\xbd\x26\xb9\x8d\x62\xa8\x41\x37\x7d\xc9"
            "\xb0\xde\x82\x42\x5a\x66\xff\x15\xbe\x60\x1a\xbc\xad\x63\xf2"
            "\xf4\x8e\xe7\x22\xfb\x10\xc7\xb2\x64\x3e\xd2\x9b\x47\x48\xa3"
            "\x9b\xb5\xf2\xe0\xc7\x87\x5b\x1f\x06\xc8\xaf\x47\x54\x45\x16"
            "\xa7\x3f\x10\x96\x55\x83\x70\x17\x18\x93\x59\x4d\xa0\x3a\xc4"
            "\x74\xe3\x04\x11\x04\x91\x20\xb5\xab\x79\xff\x00\x4a\x7e\xc1"
            "\x6a\x18\x9e\x28\xbf\x6b\xc1\xe3\x32\x53\x6e\xab\xf9\xd1\xdc"
            "\x68\x25\xb6\x9b\x70\x75\xf6\x00\xe3\xb8\xee\x65\x82\xf0\x89"
            "\x52\x86\x6b\x33\x89\xa6\xd5\x34\x2e\x28\x0d\x30\x2f\xba\x96"
            "\x5b\xba\xf1\x4e\x07\x45\x47\xa2\xb3\xb5\xd5\x38\x91\xb1\x8b"
            "\x1c\x5e\x22\x73\x53\x66\x5f\xe6\x49\x7b\xa0\x48\xb7\xb0\x07"
            "\x79\xa4\x22\x17\x3e\x35\xbe\xdc\xb1\x38\xd3\x17\x81\x7c\x97"
            "\xfa\x7f\xb9\x33\xc6\xcb\x33\x2b\x54\xe1\xd7\x09\x32\x8a\xa8"
            "\x6e\x80\x19\x8e\xe5\x1c\x76\xf9\x02\xd5\x55\x75\xeb\xa0\x68"
            "\x44\x4c\xec\x7a\x4e\x0f\x25\xc8\x1d\x89\xfc\xb2\x77\x26\x46"
            "\x80\xa7\xf3\xfa\xa7\x18\xd8\xa0\x13\xa6\x8c\x09\x9a\x03\xc9"
            "\x66\x67\x2c\x35\x88\x98\xa3\x08\x59\xda\xe6\x60\x26\xa3\x4c"
            "\x41\x44\x6c\xbd\xb8\xab\x4d\x19\x04\x5b\x36\xa1\x48\xa9\x36"
            "\x9a\xfe\xdd\x58\x81\xff\x94\x93\x62\x92\x2d\x1c\x2d\x07\xc0"
            "\x76\x62\xb5\x91\xfc\x0b\x03\x31\x31\x12\x76\xaf\x79\x8e\x5d"
            "\xb8\x40\x69\xff\x14\x1c\xcc\x31\xc0\x01\xc8\xc5\x7a\x38\xe1"
            "\xdf\x77\x15\xd5\x33\x80\xe1\x24\x94\xc7\x6c\xe2\x9f\x5c\xee"
            "\x18\xa8\xe4\x60\xca\x08\x49\x17\xca\x5d\x32\xa0\x85\x63\x7d"
            "\x23\xc7\x90\x7b\x3c\xf6\x51\x63\x29\x70\x99\x4e\xf9\x1d\xd0"
            "\x2c\x13\x16\x8a\xf6\x09\x42\x88\x06\xfd\x19\x0e\xa0\xca\x9e"
            "\xb3\x4e\x2e\x99\x34\x36\x5a\x8c\x88\xc1\x72\xf7\x66\x6b\x99"
            "\xe3\x7e\x71\xb5\xb3\xed\xde\x78\x21\x16\x03\x48\x61\x52\xe4"
            "\xb3\x9b\x3a\x2b\x9f\x6b\x83\x31\x0e\xe2\xc1\x7d\x8e\x03\x3c"
            "\x0b\x08\x0d\x06\x88\x8b\xd8\x21\x67\xb0\xf0\xbb\xf6\x94\xbe"
            "\x1a\xdc\x0c\x9f\xd1\x2f\x0e\x8e\xbb\x44\x2c\x39\x45\x0a\x82"
            "\x9f\x70\x24\x3c\x41\x8a\xc5\xc2\x48\x33\x85\x72\xae\xd1\xa7"
            "\xb6\x58\xb9\x06\xfc\x4e\xeb\x16\xd5\xab\x22\x82\x49\xbc\x33"
            "\xa4\xab\xda\xa1\x92\xdf\xb2\xa1\x0e\x6a\x45\x7e\x00\x9b\xb7"
            "\x01\x5a\xa2\x05\x77\x78\x5a\x0f\x9b\xf3\x29\x92\xa6\x1b\x2e"
            "\x52\x4a\x97\xb4\x06\x16\x4e\x94\xeb\x20\x92\x40\x41\x88\x25"
            "\x51\xf6\xa6\x53\xc7\xc3\x43\xa0\x05\x6a\xe0\xa5\x86\x28\x69"
            "\xf7\xb7\xce\x77\xea\x78\x81\x9d\x8e\xea\x66\xdb\x08\xcc\x05"
            "\x27\x82\x5a\x1d\x3a\x58\x68\x88\x0b\x86\x2e\xb4\x8b\x9a\x05"
            "\xed\x30\x53\xf2\x01\x0a\x7b\x2d\x99\x9d\xb3\x53\x39\x95\x1c"
            "\x73\x69\xdd\x76\xcf\x25\xb8\x26\x5e\x6a\x93\xe7\xee\x5e\xdd"
            "\xf6\x01\xca\x93\x4b\xd4\x1e\xc4\x41\x68\x59\xf7\x1b\x59\x5a"
            "\x12\xc6\x26\x64\xff\x0d\x44\xec\xd5\xd3\xa5\x83\xd7\x98\x63"
            "\xb8\x7d\xeb\xe8\xc0\x7a\x7d\xea\x98\x29\xaa\x02\x0e\xe1\xc1"
            "\x05\x09\x70\x4e\x96\x76\x3c\xcf\xfb\x4d\x6d\x50\x48\xce\x17"
            "\x6c\x33\x49\x2b\xd3\xb6\xcc\x5a\x2d\xee\x0e\x76\x99\x74\x60"
            "\x79\xe6\x3d\x01\x3b\x75\xf0\x13\x4f\x87\x43\x13\x74\xe2\x33"
            "\x39\x7c\x3b\x0b\x52\x8c\xc7\xf2\xa4\x77\x49\x27\x1b\xb1\x9e"
            "\x28\xe7\x2c\xc5\xd5\xde\x7b\x39\x55\xc5\x2a\x2c\xb9\x22\x3a"
            "\x29\xc3\x71\x05\xf3\x15\xc6\x94\x11\x30\xf6\xd1\xda\x5b\xa6"
            "\xdd\xf9\xb5\xe7\x87\x74\x9d\x58\x09\xdc\x65\xdc\xf0\x6a\x24"
            "\xfd\x72\x09\xdd\x3c\x8c\x2d\xae\x3e\xd5\x15\x62\xd1\xa4\x65"
            "\x49\x16\x57\x49\x12\x52\x0c\xf1\x1c\x7c\x26\xda\x28\xe8\x6f"
            "\x57\x53\x02\x6a\xcb\x13\x4b\x00\x96\x07\xc8\xb1\xeb\xc6\x6b"
            "\x96\x69\xfd\x5b\x29\x31\xfc\x35\x44\x5d\x2f\xeb\x87\x56\x9f"
            "\x88\xfe\xbf\x6d\xa2\x6e\xdf\x2f\xc4\x6e\x17\xdc\xfa\x8b\xa4"
            "\x26\x55\x01\xda\xfa\x81\x64\xba\x00\x5c\x83\xb2\x9e\x07\x54"
            "\x9e\x40\x91\xf6\xcb\x57\xbc\x68\x72\xa7\x63\x22\x36\x57\x5b"
            "\x93\x6f\x03\xd3\x90\x81\xc3\x10\x69\x25\xe4\x17\x16\xe1\x00"
            "\xf3\xba\x14\x98\x4a\x73\xc9\xe6\xd2\xfc\x1c\xc3\x68\xee\x8b"
            "\x7d\xec\x88\x2e\xf3\x2e\x25\x75\x6f\xf9\x7d\xd1\xde\xa8\xb4"
            "\x09\xab\xda\x68\xf7\x7a\x45\x79\xba\xe7\xe9\xad\x45\x77\x33"
            "\xcf\xe2\x8a\xca\x83\xa8\x2f\x75\xee\x52\xa5\x1f\xce\x4e\x75"
            "\xdd\x96\x84\x4f\xd2\xa5\x19\xeb\x5f\xb0\xbb\xf7\xf7\x57\x8d"
            "\x63\xd2\x92\x1a\x6b\xa1\x7f\x5e\x3d\x80\x8f\x8b\x7d\x94\x76"
            "\x9d\x52\xcd\x87\x76\x58\xdc\x7e\x9f\xde\x7d\x9a\x80\x8b\xaf"
            "\x22\xaf\xb8\x37\x88\xf7\x63\x88\x2c\xaa\xd2\x8a\xfc\x85\xb8"
            "\x42\xe3\xad\x20\x29\xdc\x9f\xd6\x93\x38\x4a\xc4\x1d\xd5\x49"
            "\xfb\x71\xaa\x25\x5a\x07\xcb\x3b\x0f\xd8\x84\xa9\x48\xe8\x0e"
            "\xff\x4d\xe5\x7b\x00\x0d\x19\x47\x94\x3b\xb4\xc6\x60\xed\x83"
            "\x38\x55\x56\x04\x0c\xec\x08\x2d\x2f\x19\x90\xee\xac\x35\x68"
            "\xe3\x2c\x9b\x91\x99\x0c\xec\x6b\x83\x70\x3d\xd8\x92\x8d\x74"
            "\x34\xfa\xf1\x09\x18\xce\x03\xe0\x89\xb6\x3c\x41\xac\x1a\x02"
            "\x5c\x02\xc1\x0a\x48\x7b\xa1\x47\x19\xba\xd1\x57\x4d\xca\x7e"
            "\x08\xf6\xea\xa5\x55\x9d\x91\xfb\xdb\x06\xc0\x77\xd4\xdd\xc2"
            "\x3a\xfa\x7e\x31\xe7\xac\x25\x1d\xa2\x53\x1c\x79\xbe\xb1\xb7"
            "\x21\x77\xee\xd3\xb1\x8b\xf9\xe2\x78\x69\x63\x31\xe9\x28\xb8"
            "\x1c\x4b\xe1\x98\x41\x3c\x02\x42\x2a\x98\x5d\xbd\x75\x9d\x61"
            "\xf6\xd8\xf2\x59\xf4\x54\x34\x1b\xb0\x80\x93\xa9\x52\xe6\x59"
            "\xe9\x2f\xe3\xbd\x37\x75\x6d\xe4\xab\x99\x6b\xbc\xf1\x64\xda"
            "\xdf\x14\xe7\x22\x1c\x20\xe7\xf7\x12\x0d\xeb\xbd\x77\x5e\x46"
            "\x2c\xb9\x08\xc4\x84\xe2\x2c\xc9\xa7\xe4\x7f\xab\x84\xd9\xbb"
            "\x39\xbf\xe7\x5b\xed\xeb\x75\x7d\x67\xa5\xc3\x3d\x8d\xd3\x77"
            "\x52\x68\x1c\x20\x29\x66\xeb\x2f\xd5\xc7\x66\x60\x59\xfb\x85"
            "\x19\xb5\x5a\x24\xbd\x99\xf9\x8e\x00\xd4\xd7\xc2\x21\x0f\x59"
            "\xe8\xd2\x26\x92\x2c\x7b\x38\x95\x10\xe8\x02\x66\xee\x16\x1f"
            "\x4a\xc4\x58\x72\x0b\x1f\x86\xd4\xee\x09\x3c\x4b\x4e\x74\xbc"
            "\x97\x6f\x52\x12\xc1\xc7\xae\x3a\x8a\x54\x52\xe6\xc7\x7c\xb9"
            "\x05\x65\xcc\x5f\x71\x07\xa3\x35\xd4\x35\xf2\x05\xf8\x0c\x27"
            "\x02\xfb\x93\x10\xe6\xbe\xcc\xc2\xcf\x5d\x71\x77\x86\x03\x6c"
            "\xa3\xbd\x6a\x06\xd4\x4c\xb0\xf5\xc8\xb8\xc7\x11\x2a\xda\x99"
            "\xb6\xf7\x68\x39\xf3\x2c\x2f\x45\xed\xaa\x24\x56\x46\xfe\x05"
            "\x8b\x9f\x93\x6a\xc7\x8e\x0b\x9f\xb3\xe9\x45\xee\x59\xcd\x69"
            "\xf1\x5a\xe9\x14\x22\x66\xa0\x3f\x00\x27\x87\x6d\x67\x68\x79"
            "\x54\xb8\x7f\xd2\x63\xb4\x3f\x48\xf5\xf6\x3e\xa1\x9b\x60\x66"
            "\x2d\x85\xe7\x08\xd3\x37\x37\xca\x3b\xc1\xb0\xcd\x07\x3d\xec"
            "\x39\x0b\x79\xd3\xd2\x7d\xfe\x1b\xaa\x35\xf6\xab\x01\xf7\x64"
            "\x52\x42\xdd\x9c\xce\xea\x12\xd5\xb6\xfe\xda\x76\xf0\x28\x24"
            "\x64\x61\xb2\x8b\x52",
            4100);
        r[27] = syscall(SYS_write, r[4], 0x20d8a029ul, 0x1004ul, 0, 0, 0);
        break;
    }
    /* No default: an out-of-range arg is silently a no-op. */
    return 0;
}

/*
 * Entry point: launches two waves of thirteen threads, each running one case
 * of thr(), and exits without joining any of them. The per-thread usleep()
 * spacing is the only ordering the reproducer imposes; the pthread_create()
 * results are deliberately not checked, as in the generated original.
 */
int main()
{
    enum { kCases = 13 };
    pthread_t workers[kCases];
    long idx;

    /* Every result slot starts out as -1 (all bytes 0xff). */
    memset(r, -1, sizeof(r));

    /* First wave: one thread per case, 10 ms apart. */
    for (idx = 0; idx < kCases; idx++) {
        pthread_create(&workers[idx], 0, thr, (void*)idx);
        usleep(10000);
    }

    /* Second wave reuses the same handle slots (the first-wave handles are
     * dropped, never joined) and pauses only after even-numbered cases. */
    for (idx = 0; idx < kCases; idx++) {
        pthread_create(&workers[idx], 0, thr, (void*)idx);
        if (idx % 2 == 0)
            usleep(10000);
    }

    /* Give the last threads a moment to issue their syscalls, then exit. */
    usleep(100000);
    return 0;
}

Takashi Iwai

Feb 1, 2016, 6:55:14 AM2/1/16
to Dmitry Vyukov, alsa-...@alsa-project.org, Jaroslav Kysela, LKML, Alexander Potapenko, Kostya Serebryany, syzkaller, Sasha Levin
On Mon, 01 Feb 2016 12:31:20 +0100,
Dmitry Vyukov wrote:
>
> Hello,
>
> The following program triggers a splash of WARNINGs in rawmidi_transmit_ack.
> Takashi, I am on commit 36f90b0a2ddd60823fe193a85e60ff1906c2a9b3 + a
> bunch of your recent fixes:
> https://gist.githubusercontent.com/dvyukov/40640128a433ad16a56a/raw/ab3a08637ce3654b969b778c5700fe4a80f14456/gistfile1.txt

Ouch, this is another spot with an open race between
snd_rawmidi_transmit_peek() and snd_rawmidi_transmit_ack().

Could you drop the previous fix and apply the one below instead?

FWIW, I pushed sound.git tree topic/core-fixes branch containing all
pending fixes. This should be pullable cleanly onto 4.5-rc1/rc2.

git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound.git topic/core-fixes


Thanks!

Takashi

-- 8< --
From: Takashi Iwai <ti...@suse.de>
Subject: [PATCH] ALSA: rawmidi: Make snd_rawmidi_transmit() race-free

A kernel WARNING in snd_rawmidi_transmit_ack() is triggered by
syzkaller fuzzer:
WARNING: CPU: 1 PID: 20739 at sound/core/rawmidi.c:1136
Call Trace:
[< inline >] __dump_stack lib/dump_stack.c:15
[<ffffffff82999e2d>] dump_stack+0x6f/0xa2 lib/dump_stack.c:50
[<ffffffff81352089>] warn_slowpath_common+0xd9/0x140 kernel/panic.c:482
[<ffffffff813522b9>] warn_slowpath_null+0x29/0x30 kernel/panic.c:515
[<ffffffff84f80bd5>] snd_rawmidi_transmit_ack+0x275/0x400 sound/core/rawmidi.c:1136
[<ffffffff84fdb3c1>] snd_virmidi_output_trigger+0x4b1/0x5a0 sound/core/seq/seq_virmidi.c:163
[< inline >] snd_rawmidi_output_trigger sound/core/rawmidi.c:150
[<ffffffff84f87ed9>] snd_rawmidi_kernel_write1+0x549/0x780 sound/core/rawmidi.c:1223
[<ffffffff84f89fd3>] snd_rawmidi_write+0x543/0xb30 sound/core/rawmidi.c:1273
[<ffffffff817b0323>] __vfs_write+0x113/0x480 fs/read_write.c:528
[<ffffffff817b1db7>] vfs_write+0x167/0x4a0 fs/read_write.c:577
[< inline >] SYSC_write fs/read_write.c:624
[<ffffffff817b50a1>] SyS_write+0x111/0x220 fs/read_write.c:616
[<ffffffff86336c36>] entry_SYSCALL_64_fastpath+0x16/0x7a arch/x86/entry/entry_64.S:185

Also a similar warning is found but in another path:
Call Trace:
[< inline >] __dump_stack lib/dump_stack.c:15
[<ffffffff82be2c0d>] dump_stack+0x6f/0xa2 lib/dump_stack.c:50
[<ffffffff81355139>] warn_slowpath_common+0xd9/0x140 kernel/panic.c:482
[<ffffffff81355369>] warn_slowpath_null+0x29/0x30 kernel/panic.c:515
[<ffffffff8527e69a>] rawmidi_transmit_ack+0x24a/0x3b0 sound/core/rawmidi.c:1133
[<ffffffff8527e851>] snd_rawmidi_transmit_ack+0x51/0x80 sound/core/rawmidi.c:1163
[<ffffffff852d9046>] snd_virmidi_output_trigger+0x2b6/0x570 sound/core/seq/seq_virmidi.c:185
[< inline >] snd_rawmidi_output_trigger sound/core/rawmidi.c:150
[<ffffffff85285a0b>] snd_rawmidi_kernel_write1+0x4bb/0x760 sound/core/rawmidi.c:1252
[<ffffffff85287b73>] snd_rawmidi_write+0x543/0xb30 sound/core/rawmidi.c:1302
[<ffffffff817ba5f3>] __vfs_write+0x113/0x480 fs/read_write.c:528
[<ffffffff817bc087>] vfs_write+0x167/0x4a0 fs/read_write.c:577
[< inline >] SYSC_write fs/read_write.c:624
[<ffffffff817bf371>] SyS_write+0x111/0x220 fs/read_write.c:616
[<ffffffff86660276>] entry_SYSCALL_64_fastpath+0x16/0x7a arch/x86/entry/entry_64.S:185

In the former case, the reason is that virmidi has an open code
calling snd_rawmidi_transmit_ack() with the value calculated outside
the spinlock. We may use snd_rawmidi_transmit() in a loop just for
consuming the input data, but even there, there is a race between
snd_rawmidi_transmit_peek() and snd_rawmidi_transmit_ack().

Similarly in the latter case, it calls snd_rawmidi_transmit_peek() and
snd_rawmidi_transmit_ack() separately without protection, so they are
racy as well.

The patch tries to address these issues by the following ways:
- Introduce the unlocked versions of snd_rawmidi_transmit_peek() and
snd_rawmidi_transmit_ack() to be called inside the explicit lock.
- Rewrite snd_rawmidi_transmit() to be race-free (the former case).
- Make the split calls (the latter case) protected in the rawmidi spin
lock.

BugLink: http://lkml.kernel.org/r/CACT4Y+YPq1+cYLkadwjWa5Xj...@mail.gmail.com
BugLink: http://lkml.kernel.org/r/CACT4Y+acG4iyphdOZx47Nyq_...@mail.gmail.com
Reported-by: Dmitry Vyukov <dvy...@google.com>
Cc: <sta...@vger.kernel.org>
Signed-off-by: Takashi Iwai <ti...@suse.de>
---
include/sound/rawmidi.h | 4 ++
sound/core/rawmidi.c | 97 ++++++++++++++++++++++++++++++++------------
sound/core/seq/seq_virmidi.c | 14 +++++--
3 files changed, 85 insertions(+), 30 deletions(-)

diff --git a/include/sound/rawmidi.h b/include/sound/rawmidi.h
index fdabbb4ddba9..f730b91e472f 100644
--- a/include/sound/rawmidi.h
+++ b/include/sound/rawmidi.h
@@ -167,6 +167,10 @@ int snd_rawmidi_transmit_peek(struct snd_rawmidi_substream *substream,
int snd_rawmidi_transmit_ack(struct snd_rawmidi_substream *substream, int count);
int snd_rawmidi_transmit(struct snd_rawmidi_substream *substream,
unsigned char *buffer, int count);
+int __snd_rawmidi_transmit_peek(struct snd_rawmidi_substream *substream,
+ unsigned char *buffer, int count);
+int __snd_rawmidi_transmit_ack(struct snd_rawmidi_substream *substream,
+ int count);

/* main midi functions */

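Review bot: The two new prototypes give no hint that they are the unlocked variants, so a caller reading only the header cannot tell that runtime->lock must be held around them; a one-line comment above them, `/* unlocked variants: caller must hold substream->runtime->lock */`, would make that contract visible where future callers will look. The same gap exists in the kerneldoc of the definitions in the sound/core/rawmidi.c hunks below, which only say "without spinlock" rather than who is expected to take it and that peek and ack must be paired under one hold of the lock. Since the race being fixed is exactly a count computed under one lock hold and acknowledged under another, stating the precondition at the declaration is the cheapest way to keep the next driver from reintroducing it.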
diff --git a/sound/core/rawmidi.c b/sound/core/rawmidi.c
index f75d1656272c..c26ec9be59e8 100644
--- a/sound/core/rawmidi.c
+++ b/sound/core/rawmidi.c
@@ -1055,23 +1055,16 @@ int snd_rawmidi_transmit_empty(struct snd_rawmidi_substream *substream)
EXPORT_SYMBOL(snd_rawmidi_transmit_empty);

/**
- * snd_rawmidi_transmit_peek - copy data from the internal buffer
+ * __snd_rawmidi_transmit_peek - copy data from the internal buffer
* @substream: the rawmidi substream
* @buffer: the buffer pointer
* @count: data size to transfer
*
- * Copies data from the internal output buffer to the given buffer.
- *
- * Call this in the interrupt handler when the midi output is ready,
- * and call snd_rawmidi_transmit_ack() after the transmission is
- * finished.
- *
- * Return: The size of copied data, or a negative error code on failure.
+ * This is a variant of snd_rawmidi_transmit_peek() without spinlock.
*/
-int snd_rawmidi_transmit_peek(struct snd_rawmidi_substream *substream,
+int __snd_rawmidi_transmit_peek(struct snd_rawmidi_substream *substream,
unsigned char *buffer, int count)
{
- unsigned long flags;
int result, count1;
struct snd_rawmidi_runtime *runtime = substream->runtime;

@@ -1081,7 +1074,6 @@ int snd_rawmidi_transmit_peek(struct snd_rawmidi_substream *substream,
return -EINVAL;
}
result = 0;
- spin_lock_irqsave(&runtime->lock, flags);
if (runtime->avail >= runtime->buffer_size) {
/* warning: lowlevel layer MUST trigger down the hardware */
goto __skip;
@@ -1106,25 +1098,47 @@ int snd_rawmidi_transmit_peek(struct snd_rawmidi_substream *substream,
}
}
__skip:
+ return result;
+}
+EXPORT_SYMBOL(__snd_rawmidi_transmit_peek);
+
+/**
+ * snd_rawmidi_transmit_peek - copy data from the internal buffer
+ * @substream: the rawmidi substream
+ * @buffer: the buffer pointer
+ * @count: data size to transfer
+ *
+ * Copies data from the internal output buffer to the given buffer.
+ *
+ * Call this in the interrupt handler when the midi output is ready,
+ * and call snd_rawmidi_transmit_ack() after the transmission is
+ * finished.
+ *
+ * Return: The size of copied data, or a negative error code on failure.
+ */
+int snd_rawmidi_transmit_peek(struct snd_rawmidi_substream *substream,
+ unsigned char *buffer, int count)
+{
+ struct snd_rawmidi_runtime *runtime = substream->runtime;
+ int result;
+ unsigned long flags;
+
+ spin_lock_irqsave(&runtime->lock, flags);
+ result = __snd_rawmidi_transmit_peek(substream, buffer, count);
spin_unlock_irqrestore(&runtime->lock, flags);
return result;
}
EXPORT_SYMBOL(snd_rawmidi_transmit_peek);

/**
- * snd_rawmidi_transmit_ack - acknowledge the transmission
+ * __snd_rawmidi_transmit_ack - acknowledge the transmission
* @substream: the rawmidi substream
* @count: the transferred count
*
- * Advances the hardware pointer for the internal output buffer with
- * the given size and updates the condition.
- * Call after the transmission is finished.
- *
- * Return: The advanced size if successful, or a negative error code on failure.
+ * This is a variant of __snd_rawmidi_transmit_ack() without spinlock.
*/
-int snd_rawmidi_transmit_ack(struct snd_rawmidi_substream *substream, int count)
+int __snd_rawmidi_transmit_ack(struct snd_rawmidi_substream *substream, int count)
{
- unsigned long flags;
struct snd_rawmidi_runtime *runtime = substream->runtime;

if (runtime->buffer == NULL) {
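Review bot: The kernel-doc added for `__snd_rawmidi_transmit_ack` describes it as a variant of itself (`This is a variant of __snd_rawmidi_transmit_ack() without spinlock.`); it should name the locked wrapper, `This is a variant of snd_rawmidi_transmit_ack() without spinlock.`. Since both lock-free variants are now callable from other files, each should also state the precondition the wrappers satisfy, e.g. ` * The caller must hold runtime->lock.`. `__snd_rawmidi_transmit_peek`, whose EXPORT_SYMBOL appears at the top of this hunk, has no visible kernel-doc at all; its definition starts before this hunk.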
@@ -1132,7 +1146,6 @@ int snd_rawmidi_transmit_ack(struct snd_rawmidi_substream *substream, int count)
"snd_rawmidi_transmit_ack: output is not active!!!\n");
return -EINVAL;
}
- spin_lock_irqsave(&runtime->lock, flags);
snd_BUG_ON(runtime->avail + count > runtime->buffer_size);
runtime->hw_ptr += count;
runtime->hw_ptr %= runtime->buffer_size;
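Review bot: `snd_BUG_ON(runtime->avail + count > runtime->buffer_size)` only emits the warning seen in this thread; execution continues and `hw_ptr`/`avail` are advanced by the oversized count, so the ring state is still corrupted whenever a caller acknowledges more than it peeked. With the peek/ack race closed, that remaining path is a lowlevel driver bug, and rejecting it would be safer than warning and continuing, e.g. `if (snd_BUG_ON(runtime->avail + count > runtime->buffer_size)) return -EINVAL;`, which `snd_rawmidi_transmit` already propagates through its result. The function begins in the previous hunk and ends in the next.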
@@ -1142,9 +1155,31 @@ int snd_rawmidi_transmit_ack(struct snd_rawmidi_substream *substream, int count)
if (runtime->drain || snd_rawmidi_ready(substream))
wake_up(&runtime->sleep);
}
- spin_unlock_irqrestore(&runtime->lock, flags);
return count;
}
+
+/**
+ * snd_rawmidi_transmit_ack - acknowledge the transmission
+ * @substream: the rawmidi substream
+ * @count: the transferred count
+ *
+ * Advances the hardware pointer for the internal output buffer with
+ * the given size and updates the condition.
+ * Call after the transmission is finished.
+ *
+ * Return: The advanced size if successful, or a negative error code on failure.
+ */
+int snd_rawmidi_transmit_ack(struct snd_rawmidi_substream *substream, int count)
+{
+ struct snd_rawmidi_runtime *runtime = substream->runtime;
+ int result;
+ unsigned long flags;
+
+ spin_lock_irqsave(&runtime->lock, flags);
+ result = __snd_rawmidi_transmit_ack(substream, count);
+ spin_unlock_irqrestore(&runtime->lock, flags);
+ return result;
+}
EXPORT_SYMBOL(snd_rawmidi_transmit_ack);

/**
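Review bot: `__snd_rawmidi_transmit_ack` is called from `sound/core/seq/seq_virmidi.c` later in this patch, but unlike `__snd_rawmidi_transmit_peek` it receives no `EXPORT_SYMBOL()` here, so a modular build of the virmidi sequencer driver would presumably fail to resolve the symbol. Add `EXPORT_SYMBOL(__snd_rawmidi_transmit_ack);` directly after the closing brace of `__snd_rawmidi_transmit_ack`, mirroring the peek variant.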
@@ -1160,12 +1195,22 @@ EXPORT_SYMBOL(snd_rawmidi_transmit_ack);
int snd_rawmidi_transmit(struct snd_rawmidi_substream *substream,
unsigned char *buffer, int count)
{
+ struct snd_rawmidi_runtime *runtime = substream->runtime;
+ int result;
+ unsigned long flags;
+
+ spin_lock_irqsave(&runtime->lock, flags);
if (!substream->opened)
- return -EBADFD;
- count = snd_rawmidi_transmit_peek(substream, buffer, count);
- if (count < 0)
- return count;
- return snd_rawmidi_transmit_ack(substream, count);
+ result = -EBADFD;
+ else {
+ count = __snd_rawmidi_transmit_peek(substream, buffer, count);
+ if (count <= 0)
+ result = count;
+ else
+ result = __snd_rawmidi_transmit_ack(substream, count);
+ }
+ spin_unlock_irqrestore(&runtime->lock, flags);
+ return result;
}
EXPORT_SYMBOL(snd_rawmidi_transmit);

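Review bot: `substream->runtime` is now dereferenced and `runtime->lock` taken before the `!substream->opened` test, whereas the old code rejected an unopened substream before touching the runtime at all. The kernel-doc on the peek variant says these helpers are meant for a driver's interrupt handler, which can fire after the substream has been closed; if `runtime` can be NULL or freed in that state (not visible here), this moves a guarded access ahead of its guard. Either the `opened` check has to stay in front of the dereference, or the lock needs to live in an object that outlives the runtime.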
diff --git a/sound/core/seq/seq_virmidi.c b/sound/core/seq/seq_virmidi.c
index f71aedfb408c..90186a6cf698 100644
--- a/sound/core/seq/seq_virmidi.c
+++ b/sound/core/seq/seq_virmidi.c
@@ -155,13 +155,17 @@ static void snd_virmidi_output_trigger(struct snd_rawmidi_substream *substream,
struct snd_virmidi *vmidi = substream->runtime->private_data;
int count, res;
unsigned char buf[32], *pbuf;
+ unsigned long flags;

if (up) {
vmidi->trigger = 1;
if (vmidi->seq_mode == SNDRV_VIRMIDI_SEQ_DISPATCH &&
!(vmidi->rdev->flags & SNDRV_VIRMIDI_SUBSCRIBE)) {
- snd_rawmidi_transmit_ack(substream, substream->runtime->buffer_size - substream->runtime->avail);
- return; /* ignored */
+ while (snd_rawmidi_transmit(substream, buf,
+ sizeof(buf)) > 0) {
+ /* ignored */
+ }
+ return;
}
if (vmidi->event.type != SNDRV_SEQ_EVENT_NONE) {
if (snd_seq_kernel_client_dispatch(vmidi->client, &vmidi->event, in_atomic(), 0) < 0)
@@ -169,7 +173,8 @@ static void snd_virmidi_output_trigger(struct snd_rawmidi_substream *substream,
vmidi->event.type = SNDRV_SEQ_EVENT_NONE;
}
while (1) {
- count = snd_rawmidi_transmit_peek(substream, buf, sizeof(buf));
+ spin_lock_irqsave(&substream->runtime->lock, flags);
+ count = __snd_rawmidi_transmit_peek(substream, buf, sizeof(buf));
if (count <= 0)
break;
pbuf = buf;
@@ -179,7 +184,7 @@ static void snd_virmidi_output_trigger(struct snd_rawmidi_substream *substream,
snd_midi_event_reset_encode(vmidi->parser);
continue;
}
- snd_rawmidi_transmit_ack(substream, res);
+ __snd_rawmidi_transmit_ack(substream, res);
pbuf += res;
count -= res;
if (vmidi->event.type != SNDRV_SEQ_EVENT_NONE) {
@@ -188,6 +193,7 @@ static void snd_virmidi_output_trigger(struct snd_rawmidi_substream *substream,
vmidi->event.type = SNDRV_SEQ_EVENT_NONE;
}
}
+ spin_unlock_irqrestore(&substream->runtime->lock, flags);
}
} else {
vmidi->trigger = 0;
--
2.7.0

Dmitry Vyukov

Feb 2, 2016, 5:00:10 PM2/2/16
to Takashi Iwai, alsa-...@alsa-project.org, Jaroslav Kysela, LKML, Alexander Potapenko, Kostya Serebryany, syzkaller, Sasha Levin
On Mon, Feb 1, 2016 at 12:55 PM, Takashi Iwai <ti...@suse.de> wrote:
> On Mon, 01 Feb 2016 12:31:20 +0100,
> Dmitry Vyukov wrote:
>>
>> Hello,
>>
>> The following program triggers a splash of WARNINGs in rawmidi_transmit_ack.
>> Takashi, I am on commit 36f90b0a2ddd60823fe193a85e60ff1906c2a9b3 + a
>> bunch of your recent fixes:
>> https://gist.githubusercontent.com/dvyukov/40640128a433ad16a56a/raw/ab3a08637ce3654b969b778c5700fe4a80f14456/gistfile1.txt
>
> Ouch, this is another spot with an open race between
> snd_rawmidi_transmit_peek() and snd_rawmidi_transmit_ack().
>
> Could you drop the previous fix and apply the one below instead?
>
> FWIW, I pushed sound.git tree topic/core-fixes branch containing all
> pending fixes. This should be pullable cleanly onto 4.5-rc1/rc2.
>
> git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound.git topic/core-fixes
>
>
> Thanks!
>
> Takashi


Now this program hangs the machine with:

[ 2101.730005] NMI backtrace for cpu 3
[ 2101.730005] CPU: 3 PID: 32283 Comm: a.out Not tainted 4.5.0-rc2+ #307
[ 2101.730005] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
BIOS Bochs 01/01/2011
[ 2101.730005] task: ffff880061c1df00 ti: ffff8800632c0000 task.ti:
ffff8800632c0000
[ 2101.730005] RIP: 0010:[<ffffffff82c0ff55>] [<ffffffff82c0ff55>]
delay_tsc+0x25/0x70
[ 2101.730005] RSP: 0018:ffff8800632c7ab8 EFLAGS: 00000006
[ 2101.730005] RAX: 00000000884b1cf5 RBX: ffff88006540d380 RCX: 000000000000001e
[ 2101.730005] RDX: 0000051300000000 RSI: 00000513884b1cf5 RDI: 0000000000000001
[ 2101.730005] RBP: ffff8800632c7ab8 R08: 0000000000000003 R09: 0000000000000001
[ 2101.730005] R10: ffff880061c1df00 R11: ffff88006540d398 R12: ffff88006540d390
[ 2101.730005] R13: 000000009a9d2d40 R14: ffff88006540d388 R15: 000000009a849c5e
[ 2101.730005] FS: 00007f3f0b1f6700(0000) GS:ffff88006d700000(0000)
knlGS:0000000000000000
[ 2101.730005] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[ 2101.730005] CR2: 0000000020d8b000 CR3: 0000000061117000 CR4: 00000000000006e0
[ 2101.730005] Stack:
[ 2101.730005] ffff8800632c7ac8 ffffffff82c0fe9a ffff8800632c7b00
ffffffff81467999
[ 2101.730005] ffff88006540d380 ffff8800655b9e00 1ffff1000c658fa1
ffff88006540d338
[ 2101.730005] ffff8800632c7cb8 ffff8800632c7b20 ffffffff86660b2f
ffffffff8528758b
[ 2101.730005] Call Trace:
[ 2101.730005] [<ffffffff82c0fe9a>] __delay+0xa/0x10
[ 2101.730005] [<ffffffff81467999>] do_raw_spin_lock+0x149/0x2b0
[ 2101.730005] [<ffffffff86660b2f>] _raw_spin_lock_irq+0x6f/0x80
[ 2101.730005] [<ffffffff8528758b>] ? snd_rawmidi_write+0x21b/0xb30
[ 2101.730005] [<ffffffff8528758b>] snd_rawmidi_write+0x21b/0xb30
[ 2101.730005] [<ffffffff85287370>] ? snd_rawmidi_release+0xf0/0xf0
[ 2101.730005] [<ffffffff81794e1f>] ? get_mem_cgroup_from_mm+0x39f/0x4a0
[ 2101.730005] [<ffffffff8168131e>] ? __lru_cache_add+0xce/0x1d0
[ 2101.730005] [<ffffffff816f1d02>] ? handle_mm_fault+0x3042/0x49a0
[ 2101.730005] [<ffffffff81456670>] ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 2101.730005] [<ffffffff817ba743>] __vfs_write+0x113/0x4b0
[ 2101.730005] [<ffffffff85287370>] ? snd_rawmidi_release+0xf0/0xf0
[ 2101.730005] [<ffffffff817ba630>] ? vfs_iter_write+0x360/0x360
[ 2101.730005] [<ffffffff829e5f95>] ? common_file_perm+0x155/0x3a0
[ 2101.730005] [<ffffffff829e63f2>] ? apparmor_file_permission+0x22/0x30
[ 2101.730005] [<ffffffff8291cc4c>] ? security_file_permission+0x8c/0x1f0
[ 2101.730005] [<ffffffff817bbbd2>] ? rw_verify_area+0x102/0x2c0
[ 2101.730005] [<ffffffff817bc207>] vfs_write+0x167/0x4a0
[ 2101.730005] [<ffffffff817bf4f1>] SyS_write+0x111/0x220
[ 2101.730005] [<ffffffff817bf3e0>] ? SyS_read+0x220/0x220
[ 2101.730005] [<ffffffff81005017>] ? trace_hardirqs_on_thunk+0x17/0x19
[ 2101.730005] [<ffffffff86661376>] entry_SYSCALL_64_fastpath+0x16/0x7a

Takashi Iwai

Feb 3, 2016, 2:15:05 AM2/3/16
to Dmitry Vyukov, alsa-...@alsa-project.org, Jaroslav Kysela, LKML, Alexander Potapenko, Kostya Serebryany, syzkaller, Sasha Levin
On Tue, 02 Feb 2016 22:59:49 +0100,
Dmitry Vyukov wrote:
>
> On Mon, Feb 1, 2016 at 12:55 PM, Takashi Iwai <ti...@suse.de> wrote:
> > On Mon, 01 Feb 2016 12:31:20 +0100,
> > Dmitry Vyukov wrote:
> >>
> >> Hello,
> >>
> >> The following program triggers a splash of WARNINGs in rawmidi_transmit_ack.
> >> Takashi, I am on commit 36f90b0a2ddd60823fe193a85e60ff1906c2a9b3 + a
> >> bunch of your recent fixes:
> >> https://gist.githubusercontent.com/dvyukov/40640128a433ad16a56a/raw/ab3a08637ce3654b969b778c5700fe4a80f14456/gistfile1.txt
> >
> > Ouch, this is another spot with an open race between
> > snd_rawmidi_transmit_peek() and snd_rawmidi_transmit_ack().
> >
> > Could you drop the previous fix and apply the one below instead?
> >
> > FWIW, I pushed sound.git tree topic/core-fixes branch containing all
> > pending fixes. This should be pullable cleanly onto 4.5-rc1/rc2.
> >
> > git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound.git topic/core-fixes
> >
> >
> > Thanks!
> >
> > Takashi
>
>
> Now this program hangs the machine with:

Mea culpa, the spinlock was applied at the wrong place.
Below is the revised patch. I updated topic/core-fixes branch as
well.


thanks,

Takashi

-- 8< --
From: Takashi Iwai <ti...@suse.de>
Subject: [PATCH v2] ALSA: rawmidi: Make snd_rawmidi_transmit() race-free
sound/core/rawmidi.c | 98 ++++++++++++++++++++++++++++++++------------
sound/core/seq/seq_virmidi.c | 17 +++++---
3 files changed, 88 insertions(+), 31 deletions(-)

diff --git a/include/sound/rawmidi.h b/include/sound/rawmidi.h
index fdabbb4ddba9..f730b91e472f 100644
--- a/include/sound/rawmidi.h
+++ b/include/sound/rawmidi.h
@@ -167,6 +167,10 @@ int snd_rawmidi_transmit_peek(struct snd_rawmidi_substream *substream,
int snd_rawmidi_transmit_ack(struct snd_rawmidi_substream *substream, int count);
int snd_rawmidi_transmit(struct snd_rawmidi_substream *substream,
unsigned char *buffer, int count);
+int __snd_rawmidi_transmit_peek(struct snd_rawmidi_substream *substream,
+ unsigned char *buffer, int count);
+int __snd_rawmidi_transmit_ack(struct snd_rawmidi_substream *substream,
+ int count);

/* main midi functions */

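Review bot: The two new `__snd_rawmidi_transmit_*` prototypes are exported alongside the locked variants with nothing in the header saying how they differ, so a driver author cannot tell which pair to use. A one-line comment above them, `/* lock-free variants: caller must hold substream->runtime->lock (see the snd_rawmidi_transmit_* wrappers) */`, would make the contract visible where the API is declared.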
diff --git a/sound/core/rawmidi.c b/sound/core/rawmidi.c
index f75d1656272c..26ca02248885 100644
@@ -1142,9 +1155,32 @@ int snd_rawmidi_transmit_ack(struct snd_rawmidi_substream *substream, int count)
if (runtime->drain || snd_rawmidi_ready(substream))
wake_up(&runtime->sleep);
}
- spin_unlock_irqrestore(&runtime->lock, flags);
return count;
}
+EXPORT_SYMBOL(__snd_rawmidi_transmit_ack);
@@ -1160,12 +1196,22 @@ EXPORT_SYMBOL(snd_rawmidi_transmit_ack);
index f71aedfb408c..c82ed3e70506 100644
--- a/sound/core/seq/seq_virmidi.c
+++ b/sound/core/seq/seq_virmidi.c
@@ -155,21 +155,26 @@ static void snd_virmidi_output_trigger(struct snd_rawmidi_substream *substream,
struct snd_virmidi *vmidi = substream->runtime->private_data;
int count, res;
unsigned char buf[32], *pbuf;
+ unsigned long flags;

if (up) {
vmidi->trigger = 1;
if (vmidi->seq_mode == SNDRV_VIRMIDI_SEQ_DISPATCH &&
!(vmidi->rdev->flags & SNDRV_VIRMIDI_SUBSCRIBE)) {
- snd_rawmidi_transmit_ack(substream, substream->runtime->buffer_size - substream->runtime->avail);
- return; /* ignored */
+ while (snd_rawmidi_transmit(substream, buf,
+ sizeof(buf)) > 0) {
+ /* ignored */
+ }
+ return;
}
if (vmidi->event.type != SNDRV_SEQ_EVENT_NONE) {
if (snd_seq_kernel_client_dispatch(vmidi->client, &vmidi->event, in_atomic(), 0) < 0)
return;
vmidi->event.type = SNDRV_SEQ_EVENT_NONE;
}
+ spin_lock_irqsave(&substream->runtime->lock, flags);
while (1) {
- count = snd_rawmidi_transmit_peek(substream, buf, sizeof(buf));
+ count = __snd_rawmidi_transmit_peek(substream, buf, sizeof(buf));
if (count <= 0)
break;
pbuf = buf;
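Review bot: With `spin_lock_irqsave(&substream->runtime->lock, flags)` now taken before `while (1)`, the `snd_seq_kernel_client_dispatch()` call inside the loop (next hunk) runs with a spinlock held and interrupts disabled, yet its atomic flag is still computed with `in_atomic()`. On kernels without preempt counting a held spinlock does not raise `preempt_count`, so `in_atomic()` can evaluate to false there and the dispatch may take a sleeping path; if that reading is right, the flag inside the locked region should be a literal non-zero value. The dispatch before the loop stays outside the lock and is unaffected.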
@@ -179,16 +184,18 @@ static void snd_virmidi_output_trigger(struct snd_rawmidi_substream *substream,
snd_midi_event_reset_encode(vmidi->parser);
continue;
}
- snd_rawmidi_transmit_ack(substream, res);
+ __snd_rawmidi_transmit_ack(substream, res);
pbuf += res;
count -= res;
if (vmidi->event.type != SNDRV_SEQ_EVENT_NONE) {
if (snd_seq_kernel_client_dispatch(vmidi->client, &vmidi->event, in_atomic(), 0) < 0)
- return;
+ goto out;
vmidi->event.type = SNDRV_SEQ_EVENT_NONE;
}
}
}
+ out:

Dmitry Vyukov

Feb 3, 2016, 8:21:26 AM2/3/16
to Takashi Iwai, alsa-...@alsa-project.org, Jaroslav Kysela, LKML, Alexander Potapenko, Kostya Serebryany, syzkaller, Sasha Levin
On Wed, Feb 3, 2016 at 8:15 AM, Takashi Iwai <ti...@suse.de> wrote:
> On Tue, 02 Feb 2016 22:59:49 +0100,
> Dmitry Vyukov wrote:
>>
>> On Mon, Feb 1, 2016 at 12:55 PM, Takashi Iwai <ti...@suse.de> wrote:
>> > On Mon, 01 Feb 2016 12:31:20 +0100,
>> > Dmitry Vyukov wrote:
>> >>
>> >> Hello,
>> >>
>> >> The following program triggers a splash of WARNINGs in rawmidi_transmit_ack.
>> >> Takashi, I am on commit 36f90b0a2ddd60823fe193a85e60ff1906c2a9b3 + a
>> >> bunch of your recent fixes:
>> >> https://gist.githubusercontent.com/dvyukov/40640128a433ad16a56a/raw/ab3a08637ce3654b969b778c5700fe4a80f14456/gistfile1.txt
>> >
>> > Ouch, this is another spot with an open race between
>> > snd_rawmidi_transmit_peek() and snd_rawmidi_transmit_ack().
>> >
>> > Could you drop the previous fix and apply the one below instead?
>> >
>> > FWIW, I pushed sound.git tree topic/core-fixes branch containing all
>> > pending fixes. This should be pullable cleanly onto 4.5-rc1/rc2.
>> > git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound.git topic/core-fixes
>> >
>> >
>> > Thanks!
>> >
>> > Takashi
>>
>>
>> Now this program hangs the machine with:
>
> Mea culpa, the spinlock was applied at the wrong place.
> Below is the revised patch. I updated topic/core-fixes branch as
> well.


re-applied
the reproducer does not trigger any issues now

Takashi Iwai

Feb 3, 2016, 9:42:17 AM2/3/16
to Dmitry Vyukov, alsa-...@alsa-project.org, Jaroslav Kysela, LKML, Alexander Potapenko, Kostya Serebryany, syzkaller, Sasha Levin
On Wed, 03 Feb 2016 14:21:05 +0100,
Good, this was queued, too. Thanks!


Takashi