#ifndef __SOUND_SOUNDFONT_H #define __SOUND_SOUNDFONT_H /* * Soundfont defines and definitions. * * Copyright (C) 1999 Steve Ratcliffe * Copyright (c) 1999-2000 Takashi iwai * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include #include #define SF_MAX_INSTRUMENTS 128 /* maximum instrument number */ #define SF_MAX_PRESETS 256 /* drums are mapped from 128 to 256 */ #define SF_IS_DRUM_BANK(z) ((z) == 128) struct snd_sf_zone { struct snd_sf_zone *next; /* Link to next */ unsigned char bank; /* Midi bank for this zone */ unsigned char instr; /* Midi program for this zone */ unsigned char mapped; /* True if mapped to something else */ struct soundfont_voice_info v; /* All the soundfont parameters */ int counter; struct snd_sf_sample *sample; /* Link to sample */ /* The following deals with preset numbers (programs) */ struct snd_sf_zone *next_instr; /* Next zone of this instrument */ struct snd_sf_zone *next_zone; /* Next zone in play list */ }; struct snd_sf_sample { struct soundfont_sample_info v; int counter; struct snd_util_memblk *block; /* allocated data block */ struct snd_sf_sample *next; }; /* * This represents all the information relating to a soundfont. */ struct snd_soundfont { struct snd_soundfont *next; /* Link to next */ /*struct snd_soundfont *prev;*/ /* Link to previous */ short id; /* file id */ short type; /* font type */ unsigned char name[SNDRV_SFNT_PATCH_NAME_LEN]; /* identifier */ struct snd_sf_zone *zones; /* Font information */ struct snd_sf_sample *samples; /* The sample headers */ }; /* * Type of the sample access callback */ struct snd_sf_callback { void *private_data; int (*sample_new)(void *private_data, struct snd_sf_sample *sp, struct snd_util_memhdr *hdr, const void __user *buf, long count); int (*sample_free)(void *private_data, struct snd_sf_sample *sp, struct snd_util_memhdr *hdr); void (*sample_reset)(void *private); }; /* * List of soundfonts. */ struct snd_sf_list { struct snd_soundfont *currsf; /* The currently open soundfont */ int open_client; /* client pointer for lock */ int mem_used; /* used memory size */ struct snd_sf_zone *presets[SF_MAX_PRESETS]; struct snd_soundfont *fonts; /* The list of soundfonts */ int fonts_size; /* number of fonts allocated */ int zone_counter; /* last allocated time for zone */ int sample_counter; /* last allocated time for sample */ int zone_locked; /* locked time for zone */ int sample_locked; /* locked time for sample */ struct snd_sf_callback callback; /* callback functions */ int presets_locked; struct mutex presets_mutex; spinlock_t lock; struct snd_util_memhdr *memhdr; }; /* Prototypes for soundfont.c */ int snd_soundfont_load(struct snd_sf_list *sflist, const void __user *data, long count, int client); int snd_soundfont_load_guspatch(struct snd_sf_list *sflist, const char __user *data, long count, int client); int snd_soundfont_close_check(struct snd_sf_list *sflist, int client); struct snd_sf_list *snd_sf_new(struct snd_sf_callback *callback, struct snd_util_memhdr *hdr); void snd_sf_free(struct snd_sf_list *sflist); int snd_soundfont_remove_samples(struct snd_sf_list *sflist); int snd_soundfont_remove_unlocked(struct snd_sf_list *sflist); int snd_soundfont_search_zone(struct snd_sf_list *sflist, int *notep, int vel, int preset, int bank, int def_preset, int def_bank, struct snd_sf_zone **table, int max_layers); /* Parameter conversions */ int snd_sf_calc_parm_hold(int msec); int snd_sf_calc_parm_attack(int msec); int snd_sf_calc_parm_decay(int msec); #define snd_sf_calc_parm_delay(msec) (0x8000 - (msec) * 1000 / 725) extern int snd_sf_vol_table[128]; int snd_sf_linear_to_log(unsigned int amount, int offset, int ratio); #endif /* __SOUND_SOUNDFONT_H */ right'>2017-01-31 09:45:28 +0000 committerAl Viro <viro@zeniv.linux.org.uk>2017-01-31 13:23:09 -0500 commite26bfebdfc0d212d366de9990a096665d5c0209a (patch) tree4cdb835f1a108cf1177c1003d08abc03d0c71391 /include parent6bdded59c8933940ac7e5b416448276ac89d1144 (diff)
fscache: Fix dead object requeue
Under some circumstances, an fscache object can become queued such that it fscache_object_work_func() can be called once the object is in the OBJECT_DEAD state. This results in the kernel oopsing when it tries to invoke the handler for the state (which is hard coded to 0x2). The way this comes about is something like the following: (1) The object dispatcher is processing a work state for an object. This is done in workqueue context. (2) An out-of-band event comes in that isn't masked, causing the object to be queued, say EV_KILL. (3) The object dispatcher finishes processing the current work state on that object and then sees there's another event to process, so, without returning to the workqueue core, it processes that event too. It then follows the chain of events that initiates until we reach OBJECT_DEAD without going through a wait state (such as WAIT_FOR_CLEARANCE). At this point, object->events may be 0, object->event_mask will be 0 and oob_event_mask will be 0. (4) The object dispatcher returns to the workqueue processor, and in due course, this sees that the object's work item is still queued and invokes it again. (5) The current state is a work state (OBJECT_DEAD), so the dispatcher jumps to it - resulting in an OOPS. When I'm seeing this, the work state in (1) appears to have been either LOOK_UP_OBJECT or CREATE_OBJECT (object->oob_table is fscache_osm_lookup_oob). The window for (2) is very small: (A) object->event_mask is cleared whilst the event dispatch process is underway - though there's no memory barrier to force this to the top of the function. The window, therefore is from the time the object was selected by the workqueue processor and made requeueable to the time the mask was cleared. (B) fscache_raise_event() will only queue the object if it manages to set the event bit and the corresponding event_mask bit was set. The enqueuement is then deferred slightly whilst we get a ref on the object and get the per-CPU variable for workqueue congestion. This slight deferral slightly increases the probability by allowing extra time for the workqueue to make the item requeueable. Handle this by giving the dead state a processor function and checking the for the dead state address rather than seeing if the processor function is address 0x2. The dead state processor function can then set a flag to indicate that it's occurred and give a warning if it occurs more than once per object. If this race occurs, an oops similar to the following is seen (note the RIP value): BUG: unable to handle kernel NULL pointer dereference at 0000000000000002 IP: [<0000000000000002>] 0x1 PGD 0 Oops: 0010 [#1] SMP Modules linked in: ... CPU: 17 PID: 16077 Comm: kworker/u48:9 Not tainted 3.10.0-327.18.2.el7.x86_64 #1 Hardware name: HP ProLiant DL380 Gen9/ProLiant DL380 Gen9, BIOS P89 12/27/2015 Workqueue: fscache_object fscache_object_work_func [fscache] task: ffff880302b63980 ti: ffff880717544000 task.ti: ffff880717544000 RIP: 0010:[<0000000000000002>] [<0000000000000002>] 0x1 RSP: 0018:ffff880717547df8 EFLAGS: 00010202 RAX: ffffffffa0368640 RBX: ffff880edf7a4480 RCX: dead000000200200 RDX: 0000000000000002 RSI: 00000000ffffffff RDI: ffff880edf7a4480 RBP: ffff880717547e18 R08: 0000000000000000 R09: dfc40a25cb3a4510 R10: dfc40a25cb3a4510 R11: 0000000000000400 R12: 0000000000000000 R13: ffff880edf7a4510 R14: ffff8817f6153400 R15: 0000000000000600 FS: 0000000000000000(0000) GS:ffff88181f420000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000002 CR3: 000000000194a000 CR4: 00000000001407e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 Stack: ffffffffa0363695 ffff880edf7a4510 ffff88093f16f900 ffff8817faa4ec00 ffff880717547e60 ffffffff8109d5db 00000000faa4ec18 0000000000000000 ffff8817faa4ec18 ffff88093f16f930 ffff880302b63980 ffff88093f16f900 Call Trace: [<ffffffffa0363695>] ? fscache_object_work_func+0xa5/0x200 [fscache] [<ffffffff8109d5db>] process_one_work+0x17b/0x470 [<ffffffff8109e4ac>] worker_thread+0x21c/0x400 [<ffffffff8109e290>] ? rescuer_thread+0x400/0x400 [<ffffffff810a5acf>] kthread+0xcf/0xe0 [<ffffffff810a5a00>] ? kthread_create_on_node+0x140/0x140 [<ffffffff816460d8>] ret_from_fork+0x58/0x90 [<ffffffff810a5a00>] ? kthread_create_on_node+0x140/0x140 Signed-off-by: David Howells <dhowells@redhat.com> Acked-by: Jeremy McNicoll <jeremymc@redhat.com> Tested-by: Frank Sorenson <sorenson@redhat.com> Tested-by: Benjamin Coddington <bcodding@redhat.com> Reviewed-by: Benjamin Coddington <bcodding@redhat.com> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Diffstat (limited to 'include')
-rw-r--r--include/linux/fscache-cache.h1
1 files changed, 1 insertions, 0 deletions
diff --git a/include/linux/fscache-cache.h b/include/linux/fscache-cache.h