From patchwork Fri May 6 09:10:09 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ovidiu Panait X-Patchwork-Id: 570952 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id F2AE7C433F5 for ; Fri, 6 May 2022 09:12:43 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S235148AbiEFJQY (ORCPT ); Fri, 6 May 2022 05:16:24 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:59944 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1381989AbiEFJQW (ORCPT ); Fri, 6 May 2022 05:16:22 -0400 Received: from mx0a-0064b401.pphosted.com (mx0a-0064b401.pphosted.com [205.220.166.238]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 55E306339E for ; Fri, 6 May 2022 02:12:39 -0700 (PDT) Received: from pps.filterd (m0250810.ppops.net [127.0.0.1]) by mx0a-0064b401.pphosted.com (8.17.1.5/8.17.1.5) with ESMTP id 2468iumA011524; Fri, 6 May 2022 02:12:24 -0700 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=windriver.com; h=from : to : cc : subject : date : message-id : in-reply-to : references : content-transfer-encoding : content-type : mime-version; s=PPS06212021; bh=dzLt0aygkLkskYLrNNvizvQJ3bQoE27lOLZKYcucZVc=; b=Vg6eNtSm76yORMnxtSjx6+H3wkEtvLbLm7ISFx1x8CJOlZREnIDPqh83fT8xfSLgEgVb tEdgx9hDW0YPzqtJQO3Y4DZFunsl3Q+T/x1POvL5FeWwiM7/Y1wCV7wKy9uITnhwIMop f19ajHfhKq9YQB6fttJAtVbH7N/lti+bT0Wzpg7zUOpLVSHUKaLnSxt2EPph0rTSRX7r ab072mPHt5H1pacepYqZadSuwoA1caC92wFgJQuD/NVM8SIpX4GSyvVzi/3++a8v6mpD J/hStgt8VHgmkStZXJ2o299oSrQj+wXLw6U9Ktxm4YhRSKwu9zwG9Jp3cBiVwvpnB6e8 lQ== Received: from nam10-bn7-obe.outbound.protection.outlook.com (mail-bn7nam10lp2100.outbound.protection.outlook.com [104.47.70.100]) by mx0a-0064b401.pphosted.com (PPS) with ESMTPS id 3fs0d3cerd-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Fri, 06 May 2022 02:12:23 -0700 ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=Ra21t4A42JT1pmsGeyOSDHyZU3/K9aqdh7JQXI58IkC2npwsmZ1FgRrAcUT5v6n82WRw1sMTZjkoIwldzIFO2rzDbUnz6ZzWex/APIwfdU9X9iGsCqFvcPQOygKoy+Vkop94+s/tHDOPP40ND4E84THzrz9iKd5PEsmc9jF8uFL4oafqHBr85kGbPjGiGOfz/cQ8aBg54a4HW02/9avNC37qLeOB40lyyt07sSv4l6N+Iyoe5ACJIyDsJNdE3ADyPVJGXIneGVN4YwIhEhCdE638pdbQVDNm1r5z8SXDD6DrXM2PultsnCaFVSd79iEgy1YpeqxiAPs/qNute+E4Rg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=dzLt0aygkLkskYLrNNvizvQJ3bQoE27lOLZKYcucZVc=; b=eDUKdTXXJ+d8RV1YX3qBn+TOyhyuOk4vftOz23UGIyFvzXW6b1Hcv8sCiVEleY2z+LPX+XOh7t9yLLNbQRIWN6uexw9aXFPc3j4QenRrJyjpOzuIQtJKMc5GYN2ecdagthrYfHTxMYouhW6NGqJNXo2L04pjkS3iAVC5K4IvYehH0zZmumEWuQmf8YenNqdh5VZZbEJats7cLcP0GPO0xdQTpKewg4/v8Io7fgyXhyD8uw9FtW1U6dNeQWy4aW92xMnZu+N87hvy1C5buGvwhUXnemHgwHQUs/xm+RPLFT7MNuFXUiqL/vHtMVgUQqW0T+1JjwlpTi/kqvZX6XnbtQ== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=windriver.com; dmarc=pass action=none header.from=windriver.com; dkim=pass header.d=windriver.com; arc=none Received: from DM4PR11MB5327.namprd11.prod.outlook.com (2603:10b6:5:392::22) by DM6PR11MB4444.namprd11.prod.outlook.com (2603:10b6:5:1de::19) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5206.24; Fri, 6 May 2022 09:12:21 +0000 Received: from DM4PR11MB5327.namprd11.prod.outlook.com ([fe80::806f:3f7a:c1be:ff34]) by DM4PR11MB5327.namprd11.prod.outlook.com ([fe80::806f:3f7a:c1be:ff34%8]) with mapi id 15.20.5206.027; Fri, 6 May 2022 09:12:21 +0000 From: Ovidiu Panait To: stable@vger.kernel.org Cc: tiwai@suse.de, perex@perex.cz, kirin.say@gmail.com Subject: [PATCH 5.4 1/5] ALSA: pcm: Fix races among concurrent hw_params and hw_free calls Date: Fri, 6 May 2022 12:10:09 +0300 Message-Id: <20220506091013.1746159-2-ovidiu.panait@windriver.com> X-Mailer: git-send-email 2.36.0 In-Reply-To: <20220506091013.1746159-1-ovidiu.panait@windriver.com> References: <20220506091013.1746159-1-ovidiu.panait@windriver.com> X-ClientProxiedBy: VE1PR03CA0009.eurprd03.prod.outlook.com (2603:10a6:802:a0::21) To DM4PR11MB5327.namprd11.prod.outlook.com (2603:10b6:5:392::22) MIME-Version: 1.0 X-MS-PublicTrafficType: Email X-MS-Office365-Filtering-Correlation-Id: 5f51b5c0-07af-4d4c-4fe0-08da2f4086f8 X-MS-TrafficTypeDiagnostic: DM6PR11MB4444:EE_ X-Microsoft-Antispam-PRVS: X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0; X-Microsoft-Antispam-Message-Info: 25PjDxFkAKgvOQdAKCoaukqz7Faf1u1WMgM36Z/WW04/oD/wPSh/QHxX2QHSo4/b9YLrqs7xdm2sP6GDlwkRshyUtrLYOT9mtD/umpg0nDWiJxxkaD+IQP5JNq0FG7IS4G/58F8n1UU4ee91k3lCdXaek4xNuibDBu5sAgwFVpm897pJGGSBmSgVNv9XE55kN1cbXriVhltfMQqu/erTeqp3/ZSt0UCwnU9y9Ce40KJIukmje0aCVWHo5z5CszF0TZO4WLe0paxyfwoMDOg3bBmpGluZ0X9GgE4ZopRzDTBarnNnEKz8e37BfqveJZqmjV7SWUL3YeIDD6dKl+K8ypVdzjM3s7sDIa90R9qrVb4BO1gAzM4xq6b4JBUw4/G/4/7e906O49X9F/G6pKsPNzsN8IRuWurx9ya7fogZ1x//3Ts51GL4XrEOFkbq9oADo2IhX4/YDldpBFSFRZZ80/D7MT6eqV67NGY8tdwYbu5SVArF8yknb4pHVSPbXY+0t5Ww1szoHUUIK/d0s3IslS4SYaQ1gAB/guFyS1wO+7P1qrJhoauea4CScI00y35EYp+wKk3seYsE9pNGHwU6PmZIQyo7+bs9lWfJAUI0g4wRWTHKNEb+LmXt1IAgOqnbjXN88pjqw1Z8fgO5Uu69m+XbnVWeR8MZRDB+v71JoFy/I0yIYgRM0mh06kxe3/+Bqj7dodMwyJ2NT+fviw6TTX1Ko41/mIWdu7Lx32RcredAOwtBk4L7P5BB2Fdk6ZEIdvgezXVgz1X1QD61OY8QI12TVzVo2mh+ysLAxSkBBXg= X-Forefront-Antispam-Report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:DM4PR11MB5327.namprd11.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230001)(4636009)(366004)(966005)(508600001)(6486002)(5660300002)(4326008)(8676002)(66946007)(66556008)(66476007)(8936002)(186003)(83380400001)(6916009)(6506007)(86362001)(316002)(2906002)(26005)(6512007)(1076003)(38100700002)(38350700002)(44832011)(52116002)(6666004)(36756003)(2616005); DIR:OUT; SFP:1101; X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1 X-MS-Exchange-AntiSpam-MessageData-0: VaNXNvCesOA835U4vvRsr5SS8ITwcGc4kfNlU5ACCQaWBd7bDx/npxiVQ6aw0QUTKhvW5HdaVIoHlOW3jOSHsPs+2LQdYe6F22T1VV1bGjTv+WM1ntjwzyO4OVoxkKB+KxRV/U2SasLSeEHgkIhHiYi5Qz2erJm6tzg5+ML1PMqHKzi39gkFxLLi9vUVQDamM4RQlZKx5oo1bI3TQxoNd1FbNHwh6bccatUwmsyMywLurnZ5oYXqx9PmLmibUDWnDD1fsC06fm/W1Cfn/XjHjTCPUiAhCAxZ6PyB0iGNPc05XyH3eOat6UipHrNOB91+c19KEnn16qVZ7WD6cOI+IZ2h/jL2G7m3MjhMfT9YDat4hqLlQqZ86fJN0790JUouJ+411P/eiFvWmc3yAtRoGjrIvRRvAzRxfmZmDVgAL947XLk+6qrBbcVsg2p5JVXNX/SK8GuZOXOKf0iNkNGPdYDEcDj3gFZwUbDtjSa4HGXSDw1dqPxIr7cfBzPOscuw2GeDdMeMsB/HKThzvRYOg0DgJxMdB7Iqh8Vn0dNEisXRJPiDwbqWzSa4sdVWa6kPOhLOV+duv42uGhEt/z3TI49x/Jeg141gsK3YNzQ5ATfJm0M5FhgqqIRvFf5BX8nWbdwZdud4P9cXJUWmK8OEvfFn3Ekf1tLiKcc6295W1HdW3uPc1bcaquC4P28IbqrdpFxBDHGZKKUtFhKpivvub/pFIG0kfWnG5Gl11Cz7jj8fpcL3aqWq49iRoJcFaC+9UeZXr6s5Z0cNd/+2RumtJHfRy8cMlOtBOS/5Vmt15h2WrgGcfkcCc198mPE8VWzsw4WA/qtZzR76kxn1cCxXrj/NcPAXt6ESblYhcSTAR0FdPoTd675NH22Fn3KTd5O+ucrizq4NSagDGkTqsgBhVexoxUspm2q7HjbvrOLV0Y7d3guMCmPcyIkRXmiMQ+c+PuyVxNHKdaEOkb1TavLyXWTwaGyxZ1V2FXMFtqnWmSF7KXBzrqueW20wJcTcRc1m0pabpwS7xAlw0c1qAzM6mhjF1f6MSqQ1s5Bw1o6+YjHZi1C2XtvfaOKCC7Df+A9pGjdw3hRcY85PqBDsFfUaNnc+d77J3ra6FVOlFVg4bXxHyDVrJHZEKaVJtk4AA6uAnsZp2R7yWL8sBxkfuGnzz3x2oVM+LQ1JKiHKFUantUz1yrhqmwS+S/zicVdrcjJVShEkIntv5X3YebHNMu52HTfu4qRNMPQzmUHHOyQpyTgo2f9RfD1JLA/mpZou9bgYZpH20qhFtpa14HXhXxD2wkd0+FgSLvxXRveNFTZsJIuFViUYmaJNlI4PNgU5FNo5lxh4wY+Ag1WTYNbCGWjcwzmXtHtpEgFuEN92AfpG7BDsv/CuHy88DaOdsBoB1W3RWOuRL93IH/7MgSrARK5xKrfyYwtwfyoju7EJnuuVxx/nsFjk3wLbT9KJDLaiKOqIhUnM/ed9Cw/mGCwqIhoT7K9y9ojGzBttFovxlz84BDISL7QSrAOeAjZFwxp9AsFAbR1TH9+/7IGtN3/xJt0NQmeqoYTeWJb+scB0B0Fd37b523vIC0Zfg5CBrcNQLNGN7Kw0vjzpgTWys+mLupWGkPwiLmIQ4kFJ1jWpMLdceBE+N1Q+KzEBXbVvl6/Wryaxdlh2Agi3Rmai3DHuDAU0YXkHbEPVRxvG+iYjilav2oWZ+wSj3FicohmshODLmLJTP74NP06r3JGV9PNvmvHNSGayjk3A2UQxw4RM+cXDbxQ= X-OriginatorOrg: windriver.com X-MS-Exchange-CrossTenant-Network-Message-Id: 5f51b5c0-07af-4d4c-4fe0-08da2f4086f8 X-MS-Exchange-CrossTenant-AuthSource: DM4PR11MB5327.namprd11.prod.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-OriginalArrivalTime: 06 May 2022 09:12:21.6272 (UTC) X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-CrossTenant-Id: 8ddb2873-a1ad-4a18-ae4e-4644631433be X-MS-Exchange-CrossTenant-MailboxType: HOSTED X-MS-Exchange-CrossTenant-UserPrincipalName: jiJ1Zp4058I8AT0QArQy3pI026qkCkQ4/I92D6Xf5MvQ3reNie5DKXgS6ZXg5kCt8mH713kuwK+z0Th3hhv2eZuybk7oe+xj+3ZnknhphhI= X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM6PR11MB4444 X-Proofpoint-GUID: f1bUrJyXfdcM2T3Qv-412qLDhrXHnTr9 X-Proofpoint-ORIG-GUID: f1bUrJyXfdcM2T3Qv-412qLDhrXHnTr9 X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.205,Aquarius:18.0.858,Hydra:6.0.486,FMLib:17.11.64.514 definitions=2022-05-06_03,2022-05-05_01,2022-02-23_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 priorityscore=1501 clxscore=1011 suspectscore=0 lowpriorityscore=0 phishscore=0 impostorscore=0 adultscore=0 mlxscore=0 mlxlogscore=931 spamscore=0 malwarescore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2202240000 definitions=main-2205060051 Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: Takashi Iwai commit 92ee3c60ec9fe64404dc035e7c41277d74aa26cb upstream. Currently we have neither proper check nor protection against the concurrent calls of PCM hw_params and hw_free ioctls, which may result in a UAF. Since the existing PCM stream lock can't be used for protecting the whole ioctl operations, we need a new mutex to protect those racy calls. This patch introduced a new mutex, runtime->buffer_mutex, and applies it to both hw_params and hw_free ioctl code paths. Along with it, the both functions are slightly modified (the mmap_count check is moved into the state-check block) for code simplicity. Reported-by: Hu Jiahui Cc: Reviewed-by: Jaroslav Kysela Link: https://lore.kernel.org/r/20220322170720.3529-2-tiwai@suse.de Signed-off-by: Takashi Iwai [OP: backport to 5.4: adjusted context] Signed-off-by: Ovidiu Panait --- include/sound/pcm.h | 1 + sound/core/pcm.c | 2 ++ sound/core/pcm_native.c | 55 +++++++++++++++++++++++++++-------------- 3 files changed, 39 insertions(+), 19 deletions(-) diff --git a/include/sound/pcm.h b/include/sound/pcm.h index bbe6eb1ff5d2..24273d0f770b 100644 --- a/include/sound/pcm.h +++ b/include/sound/pcm.h @@ -395,6 +395,7 @@ struct snd_pcm_runtime { wait_queue_head_t sleep; /* poll sleep */ wait_queue_head_t tsleep; /* transfer sleep */ struct fasync_struct *fasync; + struct mutex buffer_mutex; /* protect for buffer changes */ /* -- private section -- */ void *private_data; diff --git a/sound/core/pcm.c b/sound/core/pcm.c index f8ce961c28d6..c9335d1d0e44 100644 --- a/sound/core/pcm.c +++ b/sound/core/pcm.c @@ -969,6 +969,7 @@ int snd_pcm_attach_substream(struct snd_pcm *pcm, int stream, init_waitqueue_head(&runtime->tsleep); runtime->status->state = SNDRV_PCM_STATE_OPEN; + mutex_init(&runtime->buffer_mutex); substream->runtime = runtime; substream->private_data = pcm->private_data; @@ -1000,6 +1001,7 @@ void snd_pcm_detach_substream(struct snd_pcm_substream *substream) substream->runtime = NULL; if (substream->timer) spin_unlock_irq(&substream->timer->lock); + mutex_destroy(&runtime->buffer_mutex); kfree(runtime); put_pid(substream->pid); substream->pid = NULL; diff --git a/sound/core/pcm_native.c b/sound/core/pcm_native.c index dbe9a65cc1d4..b15ef9df114a 100644 --- a/sound/core/pcm_native.c +++ b/sound/core/pcm_native.c @@ -630,33 +630,40 @@ static int snd_pcm_hw_params_choose(struct snd_pcm_substream *pcm, return 0; } +#if IS_ENABLED(CONFIG_SND_PCM_OSS) +#define is_oss_stream(substream) ((substream)->oss.oss) +#else +#define is_oss_stream(substream) false +#endif + static int snd_pcm_hw_params(struct snd_pcm_substream *substream, struct snd_pcm_hw_params *params) { struct snd_pcm_runtime *runtime; - int err, usecs; + int err = 0, usecs; unsigned int bits; snd_pcm_uframes_t frames; if (PCM_RUNTIME_CHECK(substream)) return -ENXIO; runtime = substream->runtime; + mutex_lock(&runtime->buffer_mutex); snd_pcm_stream_lock_irq(substream); switch (runtime->status->state) { case SNDRV_PCM_STATE_OPEN: case SNDRV_PCM_STATE_SETUP: case SNDRV_PCM_STATE_PREPARED: + if (!is_oss_stream(substream) && + atomic_read(&substream->mmap_count)) + err = -EBADFD; break; default: - snd_pcm_stream_unlock_irq(substream); - return -EBADFD; + err = -EBADFD; + break; } snd_pcm_stream_unlock_irq(substream); -#if IS_ENABLED(CONFIG_SND_PCM_OSS) - if (!substream->oss.oss) -#endif - if (atomic_read(&substream->mmap_count)) - return -EBADFD; + if (err) + goto unlock; params->rmask = ~0U; err = snd_pcm_hw_refine(substream, params); @@ -733,14 +740,19 @@ static int snd_pcm_hw_params(struct snd_pcm_substream *substream, if ((usecs = period_to_usecs(runtime)) >= 0) pm_qos_add_request(&substream->latency_pm_qos_req, PM_QOS_CPU_DMA_LATENCY, usecs); - return 0; + err = 0; _error: - /* hardware might be unusable from this time, - so we force application to retry to set - the correct hardware parameter settings */ - snd_pcm_set_state(substream, SNDRV_PCM_STATE_OPEN); - if (substream->ops->hw_free != NULL) - substream->ops->hw_free(substream); + if (err) { + /* hardware might be unusable from this time, + * so we force application to retry to set + * the correct hardware parameter settings + */ + snd_pcm_set_state(substream, SNDRV_PCM_STATE_OPEN); + if (substream->ops->hw_free != NULL) + substream->ops->hw_free(substream); + } + unlock: + mutex_unlock(&runtime->buffer_mutex); return err; } @@ -773,22 +785,27 @@ static int snd_pcm_hw_free(struct snd_pcm_substream *substream) if (PCM_RUNTIME_CHECK(substream)) return -ENXIO; runtime = substream->runtime; + mutex_lock(&runtime->buffer_mutex); snd_pcm_stream_lock_irq(substream); switch (runtime->status->state) { case SNDRV_PCM_STATE_SETUP: case SNDRV_PCM_STATE_PREPARED: + if (atomic_read(&substream->mmap_count)) + result = -EBADFD; break; default: - snd_pcm_stream_unlock_irq(substream); - return -EBADFD; + result = -EBADFD; + break; } snd_pcm_stream_unlock_irq(substream); - if (atomic_read(&substream->mmap_count)) - return -EBADFD; + if (result) + goto unlock; if (substream->ops->hw_free) result = substream->ops->hw_free(substream); snd_pcm_set_state(substream, SNDRV_PCM_STATE_OPEN); pm_qos_remove_request(&substream->latency_pm_qos_req); + unlock: + mutex_unlock(&runtime->buffer_mutex); return result; } From patchwork Fri May 6 09:10:10 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ovidiu Panait X-Patchwork-Id: 570951 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 3BA8AC433FE for ; Fri, 6 May 2022 09:12:45 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1390356AbiEFJQZ (ORCPT ); Fri, 6 May 2022 05:16:25 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:59940 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1352619AbiEFJQW (ORCPT ); Fri, 6 May 2022 05:16:22 -0400 Received: from mx0a-0064b401.pphosted.com (mx0a-0064b401.pphosted.com [205.220.166.238]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 561D7633A0 for ; Fri, 6 May 2022 02:12:39 -0700 (PDT) Received: from pps.filterd (m0250810.ppops.net [127.0.0.1]) by mx0a-0064b401.pphosted.com (8.17.1.5/8.17.1.5) with ESMTP id 2468iumC011524; Fri, 6 May 2022 02:12:25 -0700 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=windriver.com; h=from : to : cc : subject : date : message-id : in-reply-to : references : content-transfer-encoding : content-type : mime-version; s=PPS06212021; bh=s5nqvEcaI5xNCc2PqoLkAehM+R0ZsrS83tG0g27VLoA=; b=LXy/dsUy3CN+2XC+Qs6svi+h3P7cgLUhAhUtbdftuXnMit4csrjqmgW0JUSBjthx/ED0 aHCLx6wGaf+hphAGE43BGumii6w1zbMMpEbIq9BeQN7PKxns/BVj9nvkGRfxFSPse4H8 CxMk6Nzo8aNyOsc1vfO29ff7B16rrF5xtWIqm7F7zrbCysYdntbw/J2fXB+1nW09Yrp9 uyaqvDYMvOYdCBZJdB75/ZeF5sTXnLaXFqZ4taeUBka10pJ2fAbfl9RTv58l2itvn1sa QlUGcurTfhkpVnXl631VORaFuAOiNOB0A1be5aMziYqz/JstNeVhqqpAFK+BM/6X26sW DA== Received: from nam10-bn7-obe.outbound.protection.outlook.com (mail-bn7nam10lp2100.outbound.protection.outlook.com [104.47.70.100]) by mx0a-0064b401.pphosted.com (PPS) with ESMTPS id 3fs0d3cerd-3 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Fri, 06 May 2022 02:12:24 -0700 ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=CKLFnMaTR9Wibz2naWkwkwHU7LbXL6bIm7R5JH29rYYcABJ6EsYAAhTJIaJXZOBgrd/N6IkOmEjKDqXNFevcBBX75jq7K/ELmj8VjcpatbTo1YoaaaU3J77arib9B4iA5a3xhqHNHCVTPqH5oJSKt9YjXqMlCLuzc3yKaI9eU+JAP/cfZz+UTURV+Ukl8zhO/3MQFoR14Q6OTvgy8VGiaG3292qIZhFffhdVnJ79lCwMn29yjtgzN+TVEqpr1Fl4XyEoWSMvp32HDyz1niECcP/wACgJM//2np5jwR2m2JMvM+t3W5KpafOB6Z71SWHJ5NVn+f9z4dE+E7CG5DT/CA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=s5nqvEcaI5xNCc2PqoLkAehM+R0ZsrS83tG0g27VLoA=; b=EdsL1yQaaOaITPB0tcXqeaswPkmmHl2f81+Xt+EoT/Ec8P7Wny291tgTUth69VL3MSFqTlEQNs4tDle1YNnAK0DaNK6i+dMqKN3slVRDNkMHHDBF200kK7xeFe8e2H3HJ8/0El25iGNMDFhrZJpmF5/stOnsAjergFaHK5UeFJzaVJLPJ/HtuWFOxOuLIPdLZDqizy/NjNzhy2N55OiVG0fWn6IHJeCC51v+wHYzgjKmezi17wPH9+srYe5VKFHpfxSmPx7iFa78L2araBKziLmOtwq0MkKPxnyTdIg0rg68XuGdP4wxLjppX20MvhU3dbJGQDBV6eltZ+oG4bh8Vw== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=windriver.com; dmarc=pass action=none header.from=windriver.com; dkim=pass header.d=windriver.com; arc=none Received: from DM4PR11MB5327.namprd11.prod.outlook.com (2603:10b6:5:392::22) by DM6PR11MB4444.namprd11.prod.outlook.com (2603:10b6:5:1de::19) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5206.24; Fri, 6 May 2022 09:12:22 +0000 Received: from DM4PR11MB5327.namprd11.prod.outlook.com ([fe80::806f:3f7a:c1be:ff34]) by DM4PR11MB5327.namprd11.prod.outlook.com ([fe80::806f:3f7a:c1be:ff34%8]) with mapi id 15.20.5206.027; Fri, 6 May 2022 09:12:22 +0000 From: Ovidiu Panait To: stable@vger.kernel.org Cc: tiwai@suse.de, perex@perex.cz, kirin.say@gmail.com Subject: [PATCH 5.4 2/5] ALSA: pcm: Fix races among concurrent read/write and buffer changes Date: Fri, 6 May 2022 12:10:10 +0300 Message-Id: <20220506091013.1746159-3-ovidiu.panait@windriver.com> X-Mailer: git-send-email 2.36.0 In-Reply-To: <20220506091013.1746159-1-ovidiu.panait@windriver.com> References: <20220506091013.1746159-1-ovidiu.panait@windriver.com> X-ClientProxiedBy: VE1PR03CA0009.eurprd03.prod.outlook.com (2603:10a6:802:a0::21) To DM4PR11MB5327.namprd11.prod.outlook.com (2603:10b6:5:392::22) MIME-Version: 1.0 X-MS-PublicTrafficType: Email X-MS-Office365-Filtering-Correlation-Id: 18ed42a6-7dc7-4d66-372e-08da2f4087b7 X-MS-TrafficTypeDiagnostic: DM6PR11MB4444:EE_ X-Microsoft-Antispam-PRVS: X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0; X-Microsoft-Antispam-Message-Info: XjJi6HSTnUDRDfFOXrBrMUk617fnPvJYAifjwCewnbQtyRJeK8HnrRsMbrPz/3vVldA9SiJjrV/vh65fP/BPMr9viQW5sXgvBSue5LqC5RQMNEQIp/OWrg2kiNaenlGBlkBgoCn779ljUo2Qspy/JgSATPOjMj5eF39kRMvm3GTp2HpxjOJ9da2ho6cffSjDoVqyp+lbjCOg6bfC6zPg5k2mxDh7esGljc9tNKpZUJYmeWKf1adVoHhJ2tMbwqYZbFNUF1yvKCEcHJerF6gQ5Eyd9lEoTqofV5ZiUDvFonHwBnURDHKHxLw1RPM799P6u+sB4uXXi++unQhmvcfAefrmrZex6AsHqPd3b04Wp+rW+LPVgtmhed3w33KiE9m3FpUwEREUdlR8bW+3ZqvOWVsDcKnTVAij7ESK9Vd1+GtPEVImOlRx099LHP/KHavlE+cb9LlUrCiMDLpPwXEeWYc5P9QFtZBK81z0hlbWnrE/NMUVNU2HzGBrpaA6RACFdCxcO0tauZAkHQCJvqH0z/XI/KWVUwTJEpgUqSbrgVbZ8kQYyEGNDHp0P1DoZTc1FTPYbBNfFtWxhr7ifwO1SSzOZBoT1PuGMTPi+FUIJA39gdNyLrhlwUgEpppPhvCSNPuvpKG5lb06MUwiq36UJ67YjyxvlbH3W4hI4XuWSCoq4tR8PVStGKrP9LQJVg8rhmFcTd2qYWHABPMRdgRl1whW8KXhph+83K4AuR3+lzTjeO9HUsdTStjPHrKrj8mJEtiLVfN2ePwJJmUXRIK3TcjeR+i2Zxz6ZFsIIplyVc0= X-Forefront-Antispam-Report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:DM4PR11MB5327.namprd11.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230001)(4636009)(366004)(966005)(508600001)(6486002)(5660300002)(4326008)(8676002)(66946007)(66556008)(66476007)(8936002)(186003)(83380400001)(6916009)(6506007)(86362001)(316002)(2906002)(26005)(6512007)(1076003)(38100700002)(38350700002)(44832011)(52116002)(6666004)(36756003)(2616005); DIR:OUT; SFP:1101; X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1 X-MS-Exchange-AntiSpam-MessageData-0: OJGvLZ83xZYTk6N7lOd93jDljPMTpHEetgPjtnfscYBQ9dwKfsoIc5EQdnU6qkWvgPrJOKyWwhE3UiKjSIWJZycTyXCmbgT1RiTuTqXIco2iZuzCdzPZBdAecRu6qyPxrk79A0LZEkXPtT6Mp2HatmQ6u+xg+sTj4OsdUVAwVRAg71eGo/Mfo9fVj8F34jluV4U3ZYSQFZlLK1D8bTSVnG1JRveHQGBWXno7f2iUuv8OLlxu5BZI1RUfghOLok20sku8wTr9fL51ObIZZOskSBSFI6kbjQhYyo5tY4KWpJkIzZLjxbubWoZ6IBvNo9UTt/ElcctYkvAcjL4+hPTgcm3Wzfh67irQ3t6tMdXcTb0pwc2xKSAZa12kx8k4cH4oSbKOenj67F//Ge903pg7axRelFIL0eB68uPCUk2kGSfM9WgHcQC/myzu3DYs2f39IC0r0450wvSm+pGFFE3o4EsdDma7zbBO6b6mUDb5WRZGhfukxVIgrqaH2DmzGWjHI6JbP+Sg6YwQzTvSElLVCDqEqpVZuyThi15de7JtRQ0Kkm0GKr0hJUPWE8JKTdLaqNVS4EtLZMU4Bu/wPHIRtQ5mjKngNn4ulEGG9fpjGn4J+3rwyTixcLTzqOPSGsFwPRxS9R3ec0IX2CGA439obK/QlEtp0jVFqJ5k4TbXokYA96vtNJqGYqMZUVPE5ncFOewTnyn8ZGSbBQgiZHTwG+iCONHwKjceVrYJpAY60h7Vc3K2PQQCeiIL5fjWWb6nSE9H71kORjwQb5ymZxsjO8aSSoOkad+P9vKC4L6yz1C/owWXDO+IP9JIhvNg0O9h7pPKFc6zIwld6+tQPwUCByB4AWljtfSHexJ8ihk4K3nKqxLKZLnVF0br/4uJChdNDKs+jOJVAngcUUHY5GoBllUrqSc0+qBCRdOjDmWT4gQEjj/S7g96lkAiaHKW9ErtWX+ZmSTHpsEk1uiZN/aYQUSYqI1z4DbqLXFJScZUaFG2pj15VPcBC/NtWOaQoHb1catk43pR0NQKDrg9VQUrIwUud6rsaiNp65Ouw8QygWyTSPFtuGQQFTmv8kcsUdmovEUUH3/H6kOpxEl4rh2KKcgyok7rN1FI/AEHIjr1/NvpUT7kd4MjKUSauQW3oatooYprv3GQspqwtvlZqQYvh/cj973cMYyFQL6HKk/ZE9+E0L4LtnNa4uYmi1G+fEAGgKEvSL1gJK+4JzTA4JIfME96AS306lw7pscaeYev5snmjOB94DjTQg+/b4/FRKXUtg23aDk/3cq+QD5aD1SA+NgRaWB6sXqhhJMJsndeKWlmlEEKOxewvrIKB8Ddvx1jjxTH+uPGJRZ3F69H5sMhqyxwmOgxiPt1Es8HvT9HiyUrrDwLpxDa5MoMErrXByHyKJxLAZt8Z/25DzYE5ebNrmK3XZ66ui82vOIHTFkS81gSwXWp4cdusTDBLEB6ZRjgK9X8KN2nJry0NSJa4vGCl26NJANGMS4tDtvbPj31cYojOBzNn1xKxm4HWS0/p6MwPfE7rGJNrXTIAbEA337DwpMblXn7wkHqKLpi1ucxU+ueEQ/RwsNXUhvA8riQnpEtgRDdS8jOuyBtnRxf0dNjmKe22VZzeupya5bMY1zUcoqJS6HI4oLVlZvpS0Cna5ackBApZrvO12q+KS/fCLAs6QhE1Vmeq9pdhQ4ATJ/c7JvuOdf9kXahQPv3PkvaMKJvNEVk126nYo/0TgZcd+4xerHEj4xxX2QlQXLNQZClIeY= X-OriginatorOrg: windriver.com X-MS-Exchange-CrossTenant-Network-Message-Id: 18ed42a6-7dc7-4d66-372e-08da2f4087b7 X-MS-Exchange-CrossTenant-AuthSource: DM4PR11MB5327.namprd11.prod.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-OriginalArrivalTime: 06 May 2022 09:12:22.8940 (UTC) X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-CrossTenant-Id: 8ddb2873-a1ad-4a18-ae4e-4644631433be X-MS-Exchange-CrossTenant-MailboxType: HOSTED X-MS-Exchange-CrossTenant-UserPrincipalName: MUGCYO1RJl6jWI9zQS+lVpj2Be8BpAvQlCPsxSFHZcYtP7Tqft3xSOJVFQsANRyDOHPaen4gQLQkAIuZs1tj+Vf7LhyfM1Hs7zofrevD5a0= X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM6PR11MB4444 X-Proofpoint-GUID: tdOHlQ5iF3q5YVwxQR4mXMQ3KAiefSG6 X-Proofpoint-ORIG-GUID: tdOHlQ5iF3q5YVwxQR4mXMQ3KAiefSG6 X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.205,Aquarius:18.0.858,Hydra:6.0.486,FMLib:17.11.64.514 definitions=2022-05-06_03,2022-05-05_01,2022-02-23_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 priorityscore=1501 clxscore=1015 suspectscore=0 lowpriorityscore=0 phishscore=0 impostorscore=0 adultscore=0 mlxscore=0 mlxlogscore=948 spamscore=0 malwarescore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2202240000 definitions=main-2205060051 Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: Takashi Iwai commit dca947d4d26dbf925a64a6cfb2ddbc035e831a3d upstream. In the current PCM design, the read/write syscalls (as well as the equivalent ioctls) are allowed before the PCM stream is running, that is, at PCM PREPARED state. Meanwhile, we also allow to re-issue hw_params and hw_free ioctl calls at the PREPARED state that may change or free the buffers, too. The problem is that there is no protection against those mix-ups. This patch applies the previously introduced runtime->buffer_mutex to the read/write operations so that the concurrent hw_params or hw_free call can no longer interfere during the operation. The mutex is unlocked before scheduling, so we don't take it too long. Cc: Reviewed-by: Jaroslav Kysela Link: https://lore.kernel.org/r/20220322170720.3529-3-tiwai@suse.de Signed-off-by: Takashi Iwai Signed-off-by: Ovidiu Panait --- sound/core/pcm_lib.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/sound/core/pcm_lib.c b/sound/core/pcm_lib.c index fd300c3addde..fdb141e426ac 100644 --- a/sound/core/pcm_lib.c +++ b/sound/core/pcm_lib.c @@ -1861,9 +1861,11 @@ static int wait_for_avail(struct snd_pcm_substream *substream, if (avail >= runtime->twake) break; snd_pcm_stream_unlock_irq(substream); + mutex_unlock(&runtime->buffer_mutex); tout = schedule_timeout(wait_time); + mutex_lock(&runtime->buffer_mutex); snd_pcm_stream_lock_irq(substream); set_current_state(TASK_INTERRUPTIBLE); switch (runtime->status->state) { @@ -2157,6 +2159,7 @@ snd_pcm_sframes_t __snd_pcm_lib_xfer(struct snd_pcm_substream *substream, nonblock = !!(substream->f_flags & O_NONBLOCK); + mutex_lock(&runtime->buffer_mutex); snd_pcm_stream_lock_irq(substream); err = pcm_accessible_state(runtime); if (err < 0) @@ -2244,6 +2247,7 @@ snd_pcm_sframes_t __snd_pcm_lib_xfer(struct snd_pcm_substream *substream, if (xfer > 0 && err >= 0) snd_pcm_update_state(substream, runtime); snd_pcm_stream_unlock_irq(substream); + mutex_unlock(&runtime->buffer_mutex); return xfer > 0 ? (snd_pcm_sframes_t)xfer : err; } EXPORT_SYMBOL(__snd_pcm_lib_xfer); From patchwork Fri May 6 09:10:11 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ovidiu Panait X-Patchwork-Id: 570459 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 01429C433EF for ; Fri, 6 May 2022 09:12:42 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1344517AbiEFJQX (ORCPT ); Fri, 6 May 2022 05:16:23 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:59930 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S235148AbiEFJQW (ORCPT ); Fri, 6 May 2022 05:16:22 -0400 Received: from mx0a-0064b401.pphosted.com (mx0a-0064b401.pphosted.com [205.220.166.238]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 33DC563399 for ; Fri, 6 May 2022 02:12:39 -0700 (PDT) Received: from pps.filterd (m0250810.ppops.net [127.0.0.1]) by mx0a-0064b401.pphosted.com (8.17.1.5/8.17.1.5) with ESMTP id 2468iumD011524; Fri, 6 May 2022 02:12:25 -0700 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=windriver.com; h=from : to : cc : subject : date : message-id : in-reply-to : references : content-transfer-encoding : content-type : mime-version; s=PPS06212021; bh=4grWupm3sBSQ2IA7d2PJ+ace6WO7B776ruVHznaDDlg=; b=p1mokqr3ae4r0LjpRshlVNR9029q7ekSoOEwdUSkRG+71tdOzGUiYWOQ7sVSsGuitMIP fkEsKcOM4148s9/pZFbOnNZhGLtD/LiVUSZM1jEAW8a89yJKSvBuMhCAjfwN+by3ZLYq CWzq/3DuTHgSf/kb3r9I2HXQsxc1/Gc84K9UTcGD8f0k4DE4FfR+UGIG3x9AhD1R+S8j h/t03dv3AqH+OxtkBsntcBarxWsHDnFDvAA1gPBjJxGardZtdvOWsEwMZeFwqiSInRbN 9+u+pQTjB8sgtltvNB0Lm3aEq5wP0HNpBtRqp/fd79psDmDmzu2cJxHpPcDAklKqRTSd JQ== Received: from nam10-bn7-obe.outbound.protection.outlook.com (mail-bn7nam10lp2100.outbound.protection.outlook.com [104.47.70.100]) by mx0a-0064b401.pphosted.com (PPS) with ESMTPS id 3fs0d3cerd-4 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Fri, 06 May 2022 02:12:25 -0700 ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=OXTOUHUmmp6Sj8JBXh+CKXHrlmG19TRywg8RIq0V1V1Fw87xVxAbsvmB+Hv2Rep3YHBDh/PwovSXPxDwhcB4hoe4tnOvWgU7YMl7RM6bYyGyrk+5NjAKoh0ieI5rBJljhMCAqXU8HzQv2oKPS8bNc1OJsO+FLWOLhmI/jqCh5QiYSmcMHaqiLYFMGo7z25c9zZNniPxba8T/sPYTy+XPZfkCOsJwDVp8Vr0tT/52wUHqoyV2A7NDuhUiubPPaugsXW8/jKn8RV4HswVWv02t1sw/lfV0BUjdxaMsQfoCIw+al/GDYrkr9aCT33e2kW9HJrg9nhBp9AcUzTyAEMGCNw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=4grWupm3sBSQ2IA7d2PJ+ace6WO7B776ruVHznaDDlg=; b=LcvM9S5B63mbcV78yJiELDNwGhtlmNna3BKZ1CuecLTKtdz2F+K3f7bDmWUmaAsxzoSdlzJA/fvp9BiJqJFrFAP034YP8IEz00DPByZnGMRYlBusbwEln4Gxv+7cdrCz1trVRbo0IfiPW47Igvp4IVSlQTXKTjW1UJZFJKxDtulC579B4iYF2alS7sTvQxjXO6Zkbz8UaE9qmx54KEQe8jEYED1xdiCtxEvPq7GSq/M+Z6RNXPWsPrGbV02sJPCJL0GYFPNlLLrXSYfwOmlchOvISq9TqPWhgstP+jH9TYSuk7Q7ntfEocHMRAQdVuo3w7FgQo/d56v1NAfYd6GZ1w== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=windriver.com; dmarc=pass action=none header.from=windriver.com; dkim=pass header.d=windriver.com; arc=none Received: from DM4PR11MB5327.namprd11.prod.outlook.com (2603:10b6:5:392::22) by DM6PR11MB4444.namprd11.prod.outlook.com (2603:10b6:5:1de::19) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5206.24; Fri, 6 May 2022 09:12:24 +0000 Received: from DM4PR11MB5327.namprd11.prod.outlook.com ([fe80::806f:3f7a:c1be:ff34]) by DM4PR11MB5327.namprd11.prod.outlook.com ([fe80::806f:3f7a:c1be:ff34%8]) with mapi id 15.20.5206.027; Fri, 6 May 2022 09:12:24 +0000 From: Ovidiu Panait To: stable@vger.kernel.org Cc: tiwai@suse.de, perex@perex.cz, kirin.say@gmail.com Subject: [PATCH 5.4 3/5] ALSA: pcm: Fix races among concurrent prepare and hw_params/hw_free calls Date: Fri, 6 May 2022 12:10:11 +0300 Message-Id: <20220506091013.1746159-4-ovidiu.panait@windriver.com> X-Mailer: git-send-email 2.36.0 In-Reply-To: <20220506091013.1746159-1-ovidiu.panait@windriver.com> References: <20220506091013.1746159-1-ovidiu.panait@windriver.com> X-ClientProxiedBy: VE1PR03CA0009.eurprd03.prod.outlook.com (2603:10a6:802:a0::21) To DM4PR11MB5327.namprd11.prod.outlook.com (2603:10b6:5:392::22) MIME-Version: 1.0 X-MS-PublicTrafficType: Email X-MS-Office365-Filtering-Correlation-Id: 6f3995c8-831e-4363-4c66-08da2f408878 X-MS-TrafficTypeDiagnostic: DM6PR11MB4444:EE_ X-Microsoft-Antispam-PRVS: X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0; X-Microsoft-Antispam-Message-Info: wODqthnhiYnF/8MSVHNXaAshF432Lu7Pnv38XYVgT+fHM8xWf8rrI8vPJWx1V9P2uzRJA3hZEMz/F+fdD1pgGyy8OdkNTiX+UvujMyiN6VELcBZzJJxAKaPkDJ11MSEsksj7ZSrY7nMJfjEYOeGbqqvCJXTfj02Ewxkn0seHdJL51fNRg2M7X5iiY9YJbkuGfRn8NYsPgm7c3cCiiwzXHxq8T4b/gWmcxyGzKP1kCMKsuFkRAaCfx8glORbgpPCJge+Ym33/MvQYV1HUubh+LnTYIGrdIqKClhMP99hOwzFh2zvU5uDLN8zoLrMvN02FN94xbVBnfBiRqYPz1Su38y56SFuLWxemaH1kQixq0oAUW23dH6AQSMQfe6AZyW4RwzWmJHqonjpBdFSA/M6QHGViQD1Y8Gc4c0CDX9z4vB5UrwuQQvNgufYSOB0LDQHrGf3jXSB0ak1dgpNgBcPA/n0Bf8tMcasjfQnBoH5F0gTLMnKtZuzBzzmaOCLhWn5IYpPhXnBMERCt3UGIfPReCcaZ0TyqZkHDyLFZXi0Y3CFzcHFhjxlbllNOSdGwQcT3ybwQ43go1Fm3bw8tlrZhIGE4tUTpi4dDeZJ/X+D7Pkx1QEWrBhPEDcvVuHs5WgIw9w6qZsB9B73/52wYgdLg92b0IzVvDU+MQjE+pU9jEAkRRYUjuHpjQY/0WKFwUJ9ocBA/Cep1RrwR0xQjeNryz1lLr9rOWMnktfLgGy3WfgabQEWJeUCFiLKpAINR3BekD3KQJMRGeq1VI0D5pINCExEzm0lc6B6OE7F4WyzMkz8= X-Forefront-Antispam-Report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:DM4PR11MB5327.namprd11.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230001)(4636009)(366004)(966005)(508600001)(6486002)(5660300002)(4326008)(8676002)(66946007)(66556008)(66476007)(8936002)(186003)(83380400001)(6916009)(6506007)(86362001)(316002)(2906002)(26005)(6512007)(1076003)(38100700002)(38350700002)(44832011)(52116002)(6666004)(36756003)(2616005); DIR:OUT; SFP:1101; X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1 X-MS-Exchange-AntiSpam-MessageData-0: +GAHIEruc/EfBq4CNo2+bJc/8DDL5iNwFO9HsvTDhUuPMVJievgnjD6NQWhnThNfpHNdUdFn+cjQ95PHYvg4y3wY1OnNiYh7gPsM45GrFMbjgJtB1gO37elIPRLuL0YYUE2SpyqnPeD3Q1rExJqMIKeJs8ccnppomFtdAfBKfN7V1503r78bqfsHVlVfEMVPzehaURW6EhNRmMPVhU+93dTf7F2++kRFAfgiwQPH+TPGO4PNDQjkHiZFBrD/DAwJ3HE6q+MQb3o/SIMuot8M5pUmbI9TptBf8Ss/Wx2NIhIs+GxG3Q4950vslBalZk6JqA7R/QNcpIePydRkeWi23Y30pqwVUSzKc3DYr51z+RRH6wJSfFDXB9d8Yx2mcCS/GJoP4aXM4WFxI+6HKNnYrgVFICm6n/yj51UzPSsKrIAC5LvocnYa4DkzxVlz/7ospE0tdFXC5HHTSlvR13nK+tG6NjkIOEXbrFSlQwLYKcxIQgEqwL53hDtYSPlXMdvhCQMlCtbebDosZtnyL6TC3yRswUPHlDjy2GDhR3Nj4QkpOihZ8vqfZPSH0+XfBIL30qn3eDHHo5gKEtfldQg+EpEIqipaU00fTOQyQ9w2OaLayzWbOw4sbGse28xrnEdFj8s/XTzGHovTAIC/zLYwwFxQpjw/FPVsWzjbfngI+Cmhr9BauAz8VsDi14fWwY0fQ8KvjFdGYglr9DCP4M7sHBoUZkb2ql3m6zSfm76hXNOcffwkI1Xy8x19V1u7Tq6pOOwNRz8ps9bxtkSHJDMTf+l2s1vI7Fx22nnbzJKghkonri2Yq5vP8zl4ULN3N618PqlbbHcWpHiCU7IDTupIH7KCluZrerPGlf+xtUlt/GKmSNRMAFTtjcNAZxJjtGQeMZqE6lb3ZA4ggMKN9LFU3WHgN+6NqaUUBpwOLl+nxfPVQQY7yGpQyAudHD3KhL8mZyF6t++2P2W5Ro60FBWpt3Wub8n96uvEzziY4W2Pby6gyyTMLqK/DRnGdHSXJAGpqkLQd1225ImarmjgPE0m1QxTWseYyc/XQ7/nJdti0rPOmUjx3rOvt7uaBseTiJD2dZS0jrT0Cr4mEQGiS8q0/HFsPyu0TdGBHfZ29m2A1QmeijvOIGe6vch3Lc9lfEzxernJj/LLBW0l6Y6U7kRl0d/p4rXGI5GhBICMe2yhyjYPsaILAE6wcs2MOGpV+fAtOwwXZW7e9akBWxhv/iAiC02ydEPGpyV61OHJDqKIUoMEK3VnA2KuJVSaGsSiBibLb00OhQe6Un8HajIs7yWvXmaaGAOkbfeFHXSIEIcP6WShfkAFo0/iYOLmmJvIDUiRpgv2kKqHNYciPDgJSmD9zaHhOh6V64HqCJlDYSLeMAgxaTlpR/w/6cbMq5OZ5ogzmMLV0vzeuKGVb/uXBoNCr0QeRtVX0ixwJcFQkVsbacNCE29BXvpaTvRoEeh82Vg3Co4L8EwugeJr0iTZ4zuQQE0abEixLTPy3uljecHb7qgsrqi6o8cBDSdq7atsZBcLKwxYU0y5HzGHXA4G2c07+JhEn9BkVkMxj4L5RorRKnuQJ3xw8lJhH9Y5r48LcfZu4eNg0q9OUZlLgcLVLYrnUQJoaOopMLWCJLiJVa14953AW56rcwr+mNF6z3k1GCMCceCOe0mlAUT7/KyR2VAm+C2CEakYcqtpC+XHgxDINgakm+eZK+lAxLIgYnO+4Ddx/2j6C659DKExDnplLAiusGBBj+FZFmG93kxVNv6PKb4= X-OriginatorOrg: windriver.com X-MS-Exchange-CrossTenant-Network-Message-Id: 6f3995c8-831e-4363-4c66-08da2f408878 X-MS-Exchange-CrossTenant-AuthSource: DM4PR11MB5327.namprd11.prod.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-OriginalArrivalTime: 06 May 2022 09:12:24.1450 (UTC) X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-CrossTenant-Id: 8ddb2873-a1ad-4a18-ae4e-4644631433be X-MS-Exchange-CrossTenant-MailboxType: HOSTED X-MS-Exchange-CrossTenant-UserPrincipalName: 6fyNTMp5u4AEOeOse+I1OKCdxW9v0DMDYFLZjLO/UnXfXGIJh7zmNb+wvpgQjL+Pz3bNirB9C/TigrKdDHJNgJ31gIIlXKaKn4GuciCvhPc= X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM6PR11MB4444 X-Proofpoint-GUID: QB3UgOR9tu-3LPtfyy4iSxOpb_W_bkmU X-Proofpoint-ORIG-GUID: QB3UgOR9tu-3LPtfyy4iSxOpb_W_bkmU X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.205,Aquarius:18.0.858,Hydra:6.0.486,FMLib:17.11.64.514 definitions=2022-05-06_03,2022-05-05_01,2022-02-23_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 priorityscore=1501 clxscore=1015 suspectscore=0 lowpriorityscore=0 phishscore=0 impostorscore=0 adultscore=0 mlxscore=0 mlxlogscore=920 spamscore=0 malwarescore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2202240000 definitions=main-2205060051 Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: Takashi Iwai commit 3c3201f8c7bb77eb53b08a3ca8d9a4ddc500b4c0 upstream. Like the previous fixes to hw_params and hw_free ioctl races, we need to paper over the concurrent prepare ioctl calls against hw_params and hw_free, too. This patch implements the locking with the existing runtime->buffer_mutex for prepare ioctls. Unlike the previous case for snd_pcm_hw_hw_params() and snd_pcm_hw_free(), snd_pcm_prepare() is performed to the linked streams, hence the lock can't be applied simply on the top. For tracking the lock in each linked substream, we modify snd_pcm_action_group() slightly and apply the buffer_mutex for the case stream_lock=false (formerly there was no lock applied) there. Cc: Reviewed-by: Jaroslav Kysela Link: https://lore.kernel.org/r/20220322170720.3529-4-tiwai@suse.de Signed-off-by: Takashi Iwai [OP: backport to 5.4: adjusted context] Signed-off-by: Ovidiu Panait --- sound/core/pcm_native.c | 32 ++++++++++++++++++-------------- 1 file changed, 18 insertions(+), 14 deletions(-) diff --git a/sound/core/pcm_native.c b/sound/core/pcm_native.c index b15ef9df114a..4f53e6103fd5 100644 --- a/sound/core/pcm_native.c +++ b/sound/core/pcm_native.c @@ -1042,15 +1042,17 @@ struct action_ops { */ static int snd_pcm_action_group(const struct action_ops *ops, struct snd_pcm_substream *substream, - int state, int do_lock) + int state, int stream_lock) { struct snd_pcm_substream *s = NULL; struct snd_pcm_substream *s1; int res = 0, depth = 1; snd_pcm_group_for_each_entry(s, substream) { - if (do_lock && s != substream) { - if (s->pcm->nonatomic) + if (s != substream) { + if (!stream_lock) + mutex_lock_nested(&s->runtime->buffer_mutex, depth); + else if (s->pcm->nonatomic) mutex_lock_nested(&s->self_group.mutex, depth); else spin_lock_nested(&s->self_group.lock, depth); @@ -1078,18 +1080,18 @@ static int snd_pcm_action_group(const struct action_ops *ops, ops->post_action(s, state); } _unlock: - if (do_lock) { - /* unlock streams */ - snd_pcm_group_for_each_entry(s1, substream) { - if (s1 != substream) { - if (s1->pcm->nonatomic) - mutex_unlock(&s1->self_group.mutex); - else - spin_unlock(&s1->self_group.lock); - } - if (s1 == s) /* end */ - break; + /* unlock streams */ + snd_pcm_group_for_each_entry(s1, substream) { + if (s1 != substream) { + if (!stream_lock) + mutex_unlock(&s1->runtime->buffer_mutex); + else if (s1->pcm->nonatomic) + mutex_unlock(&s1->self_group.mutex); + else + spin_unlock(&s1->self_group.lock); } + if (s1 == s) /* end */ + break; } return res; } @@ -1219,10 +1221,12 @@ static int snd_pcm_action_nonatomic(const struct action_ops *ops, /* Guarantee the group members won't change during non-atomic action */ down_read(&snd_pcm_link_rwsem); + mutex_lock(&substream->runtime->buffer_mutex); if (snd_pcm_stream_linked(substream)) res = snd_pcm_action_group(ops, substream, state, 0); else res = snd_pcm_action_single(ops, substream, state); + mutex_unlock(&substream->runtime->buffer_mutex); up_read(&snd_pcm_link_rwsem); return res; } From patchwork Fri May 6 09:10:12 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ovidiu Panait X-Patchwork-Id: 570953 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 3D492C433FE for ; Fri, 6 May 2022 09:12:42 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1390357AbiEFJQX (ORCPT ); Fri, 6 May 2022 05:16:23 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:59928 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1344517AbiEFJQW (ORCPT ); Fri, 6 May 2022 05:16:22 -0400 Received: from mx0a-0064b401.pphosted.com (mx0a-0064b401.pphosted.com [205.220.166.238]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 1879763391 for ; Fri, 6 May 2022 02:12:39 -0700 (PDT) Received: from pps.filterd (m0250809.ppops.net [127.0.0.1]) by mx0a-0064b401.pphosted.com (8.17.1.5/8.17.1.5) with ESMTP id 2468n0vg028714; Fri, 6 May 2022 02:12:27 -0700 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=windriver.com; h=from : to : cc : subject : date : message-id : in-reply-to : references : content-transfer-encoding : content-type : mime-version; s=PPS06212021; bh=3VGLXMKxN1rM/BG2etzpnQCdb1e2S5nOG/61LAWwzhc=; b=oZmTFUarJ5/QpV8EMNUYHVnDwLwsPrwuqSgLXAZFRyVXB20hQCfdqv0jZj79adDp7xQj seUbOkvrdZzcbU6Bl5ogjhwGKVuiuHf+tQjhjn2ENEnQx1dDytTSBWerVaIPolggO737 D8aENdUoIrHMZdXbXNAEVGPr8+xgfUTXHaGQdq8DBjO7hzUMNZSTwE8+Lj9/3Ly0RLbe hh5mba4VEgqCdCQmudf+P5tbv+5bk66eiHMYNaYQ/7LKoOgcG3IukcAjHf06iXH0QsNZ 2FviQrvHCndq3cy3nCIUAlfP+NkAf1qQsuducy9LEt2cRc/LwNBpwJ6DlTkXQs+q9GCg Hg== Received: from nam10-bn7-obe.outbound.protection.outlook.com (mail-bn7nam10lp2102.outbound.protection.outlook.com [104.47.70.102]) by mx0a-0064b401.pphosted.com (PPS) with ESMTPS id 3fs4mjcaxu-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Fri, 06 May 2022 02:12:27 -0700 ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=BE3q551oBJQqvCoyfSNi2gbWacniLpKjJvWrcbNOxYbpeUYz2mxE0r3E6np/0x6JTdLqSQjDskZJjTLbTX/TSX/HZVzpfucGY7635k/NaCBWF8Pc5X2Vh1zqcQGMOTrjSO1eqh2hOYVL5R666pchp5r6r3XJjFmnFlgzAZwqdi+Zj69SyAMzeoTBIfoPZAhsAr4ry0VGTnjWv5AgDlIWFgNCQNJsJ4D3s5x8kX9XkKEKEqYwT5HkqdItO1sRfESYVbsW7pZY4+ERWQbcq1ENlGmy20uiGgQW7A+5+U5SBPJyKNLrXHeWkeUbF8dgyztcBwyWDg1pPLDZlmKCoYs5wA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=3VGLXMKxN1rM/BG2etzpnQCdb1e2S5nOG/61LAWwzhc=; b=autgucQs9h93xzlYNqzfwuoXnhztZyaa589OX5TRBy/q2ADpxrlpfkD419UauNuAHp8kv6jR1JjSzQOyfaYXd8JibSgl4W33TwLQIXQ9v6aMzT0dKcJ1Jj6dB5gJ+HSTfqnBaPPHtyFg2uGmHnavnPmUpmenvY5gTpna/oysqgc/NEufMgRJvJl3ItW/OXpkgURpCmPTAawAVsAqbQ7x752wIMBHmZHa2jtCCU6hWtMhuMKdqUikPqJKfwNoabTVPut06licNHTrHcDfbDpso2okzQYFYgVktzY7uxDBsezeDyldzgjExZECOhXGyDhBh8nMM9MkEg9FRwclZwi+xA== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=windriver.com; dmarc=pass action=none header.from=windriver.com; dkim=pass header.d=windriver.com; arc=none Received: from DM4PR11MB5327.namprd11.prod.outlook.com (2603:10b6:5:392::22) by DM6PR11MB4444.namprd11.prod.outlook.com (2603:10b6:5:1de::19) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5206.24; Fri, 6 May 2022 09:12:25 +0000 Received: from DM4PR11MB5327.namprd11.prod.outlook.com ([fe80::806f:3f7a:c1be:ff34]) by DM4PR11MB5327.namprd11.prod.outlook.com ([fe80::806f:3f7a:c1be:ff34%8]) with mapi id 15.20.5206.027; Fri, 6 May 2022 09:12:25 +0000 From: Ovidiu Panait To: stable@vger.kernel.org Cc: tiwai@suse.de, perex@perex.cz, kirin.say@gmail.com Subject: [PATCH 5.4 4/5] ALSA: pcm: Fix races among concurrent prealloc proc writes Date: Fri, 6 May 2022 12:10:12 +0300 Message-Id: <20220506091013.1746159-5-ovidiu.panait@windriver.com> X-Mailer: git-send-email 2.36.0 In-Reply-To: <20220506091013.1746159-1-ovidiu.panait@windriver.com> References: <20220506091013.1746159-1-ovidiu.panait@windriver.com> X-ClientProxiedBy: VE1PR03CA0009.eurprd03.prod.outlook.com (2603:10a6:802:a0::21) To DM4PR11MB5327.namprd11.prod.outlook.com (2603:10b6:5:392::22) MIME-Version: 1.0 X-MS-PublicTrafficType: Email X-MS-Office365-Filtering-Correlation-Id: 25625ebf-4afe-4efb-0306-08da2f408935 X-MS-TrafficTypeDiagnostic: DM6PR11MB4444:EE_ X-Microsoft-Antispam-PRVS: X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0; X-Microsoft-Antispam-Message-Info: fss0rP3bIjcuCIzve/KPmdDeb9xMl8cYMlZ76+wRZGEj8DLO/Kbw9qXnfsOk3WKs9IgfIWHpemXgBQ/wB2vY/ZBuEioMZqr6m0RwGg+iBt+Etk4q2ccY2h1J9KJMMDCVC3yZC1g+Hl+Jj+BgefwlC/4a4wYrR9D6AKGgM71rgVXd8H60lDzmPOdI8h4irg3WRjVjgAm0ZKlxILlr9KZFdB8vKlZ1d3ef8Dg7iDdixTdHSNpHDMvh6JM4p84hyI835pVIIv0ekVO+SLke1yRRm8IRnrWEjHZYM5PmGtLXziQGszL2Z4s8/Ih74uYR3Y3qspxyl1ScKO3JjgL9RunGyrceOf0lfE17GOQTDUj39iuHXUPqdQJD7pvbCoen3r2PCAdFCMVoQntGikcq9t354eRttAR4HFPHm+8PGjsowoPlVt26nWRYU+Ge5Wa3DP8lkWVi5loivh41Yia7NgHr3Dt907DCTaxZJCdIIo4pShn5MI2nrefr5fMScHxYe5aZrAIllY3dDnUXGe8ZnncaxGLAhOzxF7rJzdCZk1Unv8eSP28DNFsSfF4AbW9xDBG+RN10lJpn0ercgtP40cEbZeY1X5J6SkOTOG5dpHX76kdCO2uD1QVBJBwZOEbwLAkOe5fL7lKzAvsm2tKVmr3mJhSAbkt7qi3R8sVwEBXaT2sOBtmt1PglF5MLb61TaBYcmGvSU79k7gjZZmUJFf1pad8iHPvm3kC1idrS7LRevOKed0oyLe/5JLSox9q0ZoIb5dteEuWNYGSs0y6jKOSSZSSfypMg+P33X2FHjYz/GVM= X-Forefront-Antispam-Report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:DM4PR11MB5327.namprd11.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230001)(4636009)(366004)(966005)(508600001)(6486002)(5660300002)(4326008)(8676002)(66946007)(66556008)(66476007)(8936002)(186003)(83380400001)(6916009)(6506007)(86362001)(316002)(2906002)(26005)(6512007)(1076003)(38100700002)(38350700002)(44832011)(52116002)(6666004)(36756003)(2616005); DIR:OUT; SFP:1101; X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1 X-MS-Exchange-AntiSpam-MessageData-0: nzH6lOp5H2NGMCt5sGmb+lvC02Uw3mlj4721vX+UmlbMUxkXogAT3celltkVzm6r4NHtI5cYXSOFcdLUbGSW3V+URuyxw+/EThJleZzs6wzfA8b1e4PzB+ogNDGpuBTvSwKpxWIDNJd9tyY4Q7lKgf4Nlb1iXScfO69DDHQmmhOC5yc4LaPzLVFc+PJpxqkT+l/31pLYCfz/w97EXMqhKjgD/f9qSpc1Scscp31joYmcOrso1Pby8+XMt9iHnoAOSUib7QMKG1Ay+vuwfQ3njuO8df2Y51kvn+Ihf33/eOe/t8jABsgVTwQjgORyFd0+4v7Eo8UMl+9sRo8Uzr8Ul20Dae1X84pI1hXKJWX2nT/bDbJktMw7TnfjGv+fFOx+zOhFuIUGZmzwaACAXy4Q1rthKL3FALH0WMiYKmX/dpJapqSCaUkKksvMG0DaJSUNCisUgNnMaSkFUCBRUKfU2Drpfu0u5DMDaWsbWSFbaRx0BTMswtjFzE7Iy9Kx8tkX+Q11k9tPDigR5EUTzvdw4fi+dvW+TmP015VxIxVkgZSPdLf+cEA9Ew6qupHk4zhGQojRjOm1L20ok75zDFBslh4L6XJV2+olfAa1PYOUQwx4IfaH4CrAlhcEq/oG0rPGKdXlnqlk3J+WBVNmvj6M02iErLEJzE2KVuQ/8NvjcT/hcsUYpEKx84uqqdVvvikaE8TltIIOv417SFo/p3mloyN7q+EKJL7CjdagW3C+iDXVDZCpmhsx98EAUk5ejcMrZQf5+Wl6R7w+p1hiz/mJPLJfU4sI0DUnTAN2+MY+2m/lAD9EuJHudlUvs9G1sgR9t/OVQIegkjADXXv/XoL+xUeSBlulVlUlKoR+UL7TtZqXUj47VxmJClmPqVCZ8QRDjQ/Hq4mhwmwUykKDrpGRbDA6nI+mDDcBOMNGojyFuJKSF58C8yriT3z5d1zZ2+U7hYcXjNYtn0VV713cTm1+XVERtotKoAx4zgKphJuqZCLv3ShNEWnT9ejHXq+TCEXJIcxpERAUFzPWKTm7VT64TOweNXAUX4vCKl2E/5k35UPdaY+ZwIzaSXKNGVCLdXmHoNlnhCigi0aYEd7AMAhA3WLCAcWofXFg05sp4zpOpdwo2h6/jNf2WQSsNHe2k2lFTSDymqwVD32WFaGSL8GGDsvYA0AvWqj2RaRf3gvNAoxz2dAkdkk9/xNGhuEL3XW9uevR0Ei42y3SuXe+7cGttrZfWB+G4dKIa7XG4MUNsvLAZ6dZrVrnvn+Pb+3hv92DBWmyN+aYNivaivDkoaLr+ftT5ck48cHrbCemkIrDYAuZ9Rx7dyAFIjQoqEA8A+4ac0YRI6GYHgLa1xr5RULJ3CPSpW8YnN8xG8B8lpMIMbpVcLKXxQ8ZGLz9OAQTCyyaGafsHfm2QouqvIiw+e0UYg1dDdl/19OdIntSqV1MGU5cCeupGvmIKcongA6PX8t4VnjcPfs1nJu/ORgt7tX5zmG55Z8Q45FjTEg0WiMCxZAoQAG7o6IglDK6Ud11XJ7XtP3azVqpZrvrzmJZ0a0RykSfVKMHLBokEfqmS3+sr8QrWJSNpBGDv0V7ihHdVhcdBW6q2LXZUzx5rD8Pc14EQMZdqsZe4vqb37Lq1KjqRQB2JKl1jnpNxh4nU02I3bqbSKJUsdNWyT8aaKaismeGZGofPQa4QhQc1+zfZS/qupbxAG5RvlhMK4vN2UehE+EN/xs/3P6vR6fR1nW0uZvmOCl/SJZtklIPQU2uveDaDmo= X-OriginatorOrg: windriver.com X-MS-Exchange-CrossTenant-Network-Message-Id: 25625ebf-4afe-4efb-0306-08da2f408935 X-MS-Exchange-CrossTenant-AuthSource: DM4PR11MB5327.namprd11.prod.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-OriginalArrivalTime: 06 May 2022 09:12:25.4586 (UTC) X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-CrossTenant-Id: 8ddb2873-a1ad-4a18-ae4e-4644631433be X-MS-Exchange-CrossTenant-MailboxType: HOSTED X-MS-Exchange-CrossTenant-UserPrincipalName: OX2aGx0sZm2HMmAew1kxfoTJGh0WZTF/f1077KYce7uFj3FHSozr7862W5C0L+gOEHVySVDRAdokawOgsf3o2w1vYlWzvLUmuoKI7dx0PrQ= X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM6PR11MB4444 X-Proofpoint-GUID: KDSWX1hMSF9dVf6VR-GBIp5z9Go8LguT X-Proofpoint-ORIG-GUID: KDSWX1hMSF9dVf6VR-GBIp5z9Go8LguT X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.205,Aquarius:18.0.858,Hydra:6.0.486,FMLib:17.11.64.514 definitions=2022-05-06_03,2022-05-05_01,2022-02-23_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 mlxscore=0 suspectscore=0 lowpriorityscore=0 mlxlogscore=692 adultscore=0 malwarescore=0 priorityscore=1501 impostorscore=0 clxscore=1015 bulkscore=0 spamscore=0 phishscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2202240000 definitions=main-2205060051 Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: Takashi Iwai commit 69534c48ba8ce552ce383b3dfdb271ffe51820c3 upstream. We have no protection against concurrent PCM buffer preallocation changes via proc files, and it may potentially lead to UAF or some weird problem. This patch applies the PCM open_mutex to the proc write operation for avoiding the racy proc writes and the PCM stream open (and further operations). Cc: Reviewed-by: Jaroslav Kysela Link: https://lore.kernel.org/r/20220322170720.3529-5-tiwai@suse.de Signed-off-by: Takashi Iwai [OP: backport to 5.4: adjusted context] Signed-off-by: Ovidiu Panait --- sound/core/pcm_memory.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/sound/core/pcm_memory.c b/sound/core/pcm_memory.c index 7600dcdf5fd4..9aea1d6fb054 100644 --- a/sound/core/pcm_memory.c +++ b/sound/core/pcm_memory.c @@ -133,19 +133,20 @@ static void snd_pcm_lib_preallocate_proc_write(struct snd_info_entry *entry, size_t size; struct snd_dma_buffer new_dmab; + mutex_lock(&substream->pcm->open_mutex); if (substream->runtime) { buffer->error = -EBUSY; - return; + goto unlock; } if (!snd_info_get_line(buffer, line, sizeof(line))) { snd_info_get_str(str, line, sizeof(str)); size = simple_strtoul(str, NULL, 10) * 1024; if ((size != 0 && size < 8192) || size > substream->dma_max) { buffer->error = -EINVAL; - return; + goto unlock; } if (substream->dma_buffer.bytes == size) - return; + goto unlock; memset(&new_dmab, 0, sizeof(new_dmab)); new_dmab.dev = substream->dma_buffer.dev; if (size > 0) { @@ -153,7 +154,7 @@ static void snd_pcm_lib_preallocate_proc_write(struct snd_info_entry *entry, substream->dma_buffer.dev.dev, size, &new_dmab) < 0) { buffer->error = -ENOMEM; - return; + goto unlock; } substream->buffer_bytes_max = size; } else { @@ -165,6 +166,8 @@ static void snd_pcm_lib_preallocate_proc_write(struct snd_info_entry *entry, } else { buffer->error = -EINVAL; } + unlock: + mutex_unlock(&substream->pcm->open_mutex); } static inline void preallocate_info_init(struct snd_pcm_substream *substream) From patchwork Fri May 6 09:10:13 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ovidiu Panait X-Patchwork-Id: 570458 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 5AD74C4332F for ; Fri, 6 May 2022 09:12:44 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1381989AbiEFJQY (ORCPT ); Fri, 6 May 2022 05:16:24 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:59942 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1390356AbiEFJQW (ORCPT ); Fri, 6 May 2022 05:16:22 -0400 Received: from mx0a-0064b401.pphosted.com (mx0a-0064b401.pphosted.com [205.220.166.238]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 34C5F6339A for ; Fri, 6 May 2022 02:12:39 -0700 (PDT) Received: from pps.filterd (m0250810.ppops.net [127.0.0.1]) by mx0a-0064b401.pphosted.com (8.17.1.5/8.17.1.5) with ESMTP id 2468qdL7028605; Fri, 6 May 2022 02:12:30 -0700 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=windriver.com; h=from : to : cc : subject : date : message-id : in-reply-to : references : content-transfer-encoding : content-type : mime-version; s=PPS06212021; bh=9YAL0PWJu6Y2Ajp7wN+cqAlwA+3sCHexHMJZcBzkVvA=; b=gqPWagK3GPhZXY2v3VEfgf9H6tNifnybwOMkwh4IuCfgHWBp8tjZtrrwQzgBfjU/dDQE Q4bM4FhEUkhZFvU0RfKmYR3DWb30jORBbK5IAlrlO5aCv0ktQo51xrthv5loqDvM0lUb +OMCxwBG2lfekHZXfQbGbVYckRjkYPrNlbdWc60cn7T5BCx6pecNB6M94SrTPvhmYTVv 0FDjPbWcUjZLGLQ+4DYzRgWlM/THrqgdmHEQvj1ASKqyxckJ1FJoFF6cCY7og3tkReiV eqPgopxamI+gd4Np/yWufd2eIOmsrrQmuz+G1Cgbt0FskajbpNUkdh9aVgyrZhQLk49v wA== Received: from nam10-dm6-obe.outbound.protection.outlook.com (mail-dm6nam10lp2105.outbound.protection.outlook.com [104.47.58.105]) by mx0a-0064b401.pphosted.com (PPS) with ESMTPS id 3fs0d3cere-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Fri, 06 May 2022 02:12:29 -0700 ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=dyCN3Q598wAJu4Tm4ubGrCrAGACuMYnQbC8JfTQ/I7tdyMfJL1/RyVgJEutLWqZeZcFYoCVzN2QS7q4oFzAzmdQeMi08OIY02tN4H6k0l6ZoighgKNWj9ihf5vlJ1V/SArhWkaGEhV/mYNQO7qf20tz6dxjE3t56Y9pTxa7e3++JWp2zKjtf3qzBH7xh39R4RO+LwNfebXrjhJc2jHRaOrymu+LlqtjsC344b6Woor+vtDelfKW+xTrUZPhmHF5UVPbALcL/J77gfzyYuANXfTRW9LdzPabHRkJIQzTb4P+A8uHY4Yj+2XSwIiUAwI8pki1sLZt5wbDGC2SsS1nkDg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=9YAL0PWJu6Y2Ajp7wN+cqAlwA+3sCHexHMJZcBzkVvA=; b=bUlwIAx4sicsAFl8EPE9BukcBSRZpAadr5e3XGRVcV/aRTkRJQTHsGY4qy2ExMUzkKobcvs8qCPXHWrcj2m9/ixgubpSdV+CgOWFHTsk4zP61TAAFO2A2Q9GMZ8oTElACf0DcNTCQLX0XKYQPKh0B5VRp9GNL44oK78CKEdTRujE9AgMR0YEJNH58PugUmA/OGK6oOsOLSqAbgsDHo9cp7cqEq31mBogRgdNy1QaMzDVvBjOTB5zEh6A6R8rlivLDrAWS+KUX5HiZjfh7IRCTRo7BrbWY5sfRVRv3ZBJ+0b8SXn9CEz1ZhiXYmP96dsMbAEylx9ed6Jp+XU85+9Sgw== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=windriver.com; dmarc=pass action=none header.from=windriver.com; dkim=pass header.d=windriver.com; arc=none Received: from DM4PR11MB5327.namprd11.prod.outlook.com (2603:10b6:5:392::22) by BN7PR11MB2660.namprd11.prod.outlook.com (2603:10b6:406:b2::27) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5206.13; Fri, 6 May 2022 09:12:26 +0000 Received: from DM4PR11MB5327.namprd11.prod.outlook.com ([fe80::806f:3f7a:c1be:ff34]) by DM4PR11MB5327.namprd11.prod.outlook.com ([fe80::806f:3f7a:c1be:ff34%8]) with mapi id 15.20.5206.027; Fri, 6 May 2022 09:12:26 +0000 From: Ovidiu Panait To: stable@vger.kernel.org Cc: tiwai@suse.de, perex@perex.cz, kirin.say@gmail.com Subject: [PATCH 5.4 5/5] ALSA: pcm: Fix potential AB/BA lock with buffer_mutex and mmap_lock Date: Fri, 6 May 2022 12:10:13 +0300 Message-Id: <20220506091013.1746159-6-ovidiu.panait@windriver.com> X-Mailer: git-send-email 2.36.0 In-Reply-To: <20220506091013.1746159-1-ovidiu.panait@windriver.com> References: <20220506091013.1746159-1-ovidiu.panait@windriver.com> X-ClientProxiedBy: VE1PR03CA0009.eurprd03.prod.outlook.com (2603:10a6:802:a0::21) To DM4PR11MB5327.namprd11.prod.outlook.com (2603:10b6:5:392::22) MIME-Version: 1.0 X-MS-PublicTrafficType: Email X-MS-Office365-Filtering-Correlation-Id: c64e6c46-b51c-4cbd-0b46-08da2f408a02 X-MS-TrafficTypeDiagnostic: BN7PR11MB2660:EE_ X-Microsoft-Antispam-PRVS: X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0; X-Microsoft-Antispam-Message-Info: Dj6MMx6DcwxPgBw27znlFqvAjcJwQwiUNZZZWxF77ZcrW1hLdjk91qndhIWGY7xfm1ntVIM9pvFa4cu18i1haTOAcM/V8Vfi53lTcaaQV5f9cg6nmfsotScsnkog6bKudm12TojZtmE2YrRPmbzwDzFi4pE23SP2XJ81P1UkHzdPCBR+H0iNRR58vOI0nfuzUrMKYGImlIWQOmUAAaK0Z75X/HZZjuTJ96ZZS2m4MlcRdfu4uHwU2k2T0KLdm+Iz5FUfrpMuFVohA2PeILL2noTiXQyvVJWeYa2FwfixJ0NyRbZ2J7KO1PXs6nzzn78P+FTlE72EIu81BCnQ+WUZHwZM0t18m8SnVcjsU3BBNzb2sKH+bDeURnNvvBSw8hDY9O+1fg+6wTOM7LYOPY5GYN1ulYK+kXr5YBiClTYT8pWz4lvLN2Ji2BfoTyp+Y8IaU/Hveml/3o+NjRAoSv4HDLgKr/AvX0HxZ/w7Ipl8uFR9W9K6fUKAsV49eZOSop6sIkGkGtY3n5WVcKSZwkGzSVHO8t0BN9S5yjMvMPIM+7TgLM/cqWQMzwSaoDaVOt3TqZkz++rnJyTKRew0YGlQMyzyOVXJ1vkSjCeYboDFFwV6kcfSh9KLEDkYACOsjggbniXVQ/Q6ewG3QEmfRlgnNn07ryz7MUgpKRwtfWmtnI8PiHUIo0d5lgRWHE8RC4PuubHTrR8pxZ35y7Y5hIVxF0yVX8HVtYW28J9Lh9WUbZPLnQNJFhOkNxLvs41X7+Lsh3c+NgtRohfmls0go0kOHQCyyzEW67y0V6YsyZu3FxPHE71RBRkHejYvpmc4c05wk152WxGlDb0TwSu4fuiOng== X-Forefront-Antispam-Report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:DM4PR11MB5327.namprd11.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230001)(4636009)(366004)(6506007)(508600001)(2906002)(6666004)(44832011)(36756003)(52116002)(5660300002)(8676002)(4326008)(86362001)(6512007)(66476007)(66946007)(66556008)(26005)(8936002)(38350700002)(6486002)(966005)(38100700002)(1076003)(186003)(316002)(2616005)(83380400001)(6916009); DIR:OUT; SFP:1101; X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1 X-MS-Exchange-AntiSpam-MessageData-0: AeLDyiqhCXhaiMLk8qQAfU1aKLBy7URL2RqlWAJuuzRzY+z0ScykHVvDX2Uew3xmmeg9HXZSo+rBsPKw5OaMaw1lF/EZtGfo7Bfp7f2Sm8eQUugXb6+z3WXIKMwTeYD7xgZXWkWWE0jlZKJ6EOJ0cqVLVraLjkL9qDfcSlDtEMBIMfoO57hpdsLeuhooX7K8BArjdPE6h8TMIF4qKsk5Ml5rBU450dNmLe8FeP4OFywNfOuusnAWUweX+Ni4pgciQiC2DBkIBo//J2C8Dd8KKk2S3ctRSb8FAXqC4qKz5cBnazGSfPoCx1m6jPTX9EhqNTWt871pDOhCYP0faW1Dd2v0xQkbe0MHRw2Ubpo7DqkyYf++q42IVyW3Gf/lj1jT4xkiUSWA+h4h2kXXl0dIQbftkywRhiZQBFJSLtq6bn0dFOf47DIwun9STWCE7wazjXww1hMpJinXmSckFY64UdpeVOkqnezLp9RFoxLtLUPkpVHH2ZK7HLhD15HbzNQAqO+v9s2YSmRzzml5NyBVJKT+/4OV9lUXzegwGEQCH01HDxfnPHdb7WB2oCGUY0TD0/KD23VMvqEK72oLztgfHUaLyjLZAxqNvgeWVdqD3GxtBa04ZSqN/VmGVKuk0V+onmWg4plu75CqHNA1Y8pwbZ7GLxcJdbtzyVooGscis4D2k9cgqeKIHc6dUak38Ak5kimdMWodOJqiNOCIY7k45wx5kEYwVoqTTZpnqujn84gS8oxM15jrMMDm8SLqjSzPWySFZzF6++6s7D45ur6AkYmZ1W3Xa5zen9oExpginCYjuQ8/2FW9IetJPV5aKKi1MC/Jl9Iddl4wF1U+TBr3PR4p8hmmbz6K/2tF0uZl0B+8sOYn4jPlpHhF0IX03WHCFvfolPE/q2J8aOZsej2eXe4mOFBvDcwI/9zz3O3aYJ6HCk9Nu6WWtFKBrD2CgkyG/s0S2XZlnYpW6Ac6Go38oQUTb6AiUxN10VL2IhwgtJJQCmJFrSXhKxZt4+8sW50AIgWI50o5tpMqi3rlDlrCCoS6Y0gdTd87Yx8oUU5GqVcNSX070ijoal5IL5XnncY7ti0CmG7TbD8SI+JdzAKRadJcNL3jVO+woyvB8af/KUQAcmqpHoIUfmFSLhr3BvYtKaOUFtno6KiIGeMWp39XruwfL9sbcFulhrZk8npWg63UqyqTNI4UXcUODj6uckk2TSyPgH3H6lywGwmHf1OsbdgWIu4swqWyqAs9rm924OIieDvLmBG3goCwAZiAPk2BJJ/0272K1QoTZUpc/YLUlW/ZQGdGHZYWt134YWZE9YQftPraW9jQNpk7LfeWBcmg0VTDc+4m3LUr+D51GVVx8S6Jkfr93eiOK0dXd1CLfab6jHxSOXeVqNml3KLdXqICQ8qvoZVS5KWuGLLMJ5uHkVb5Q0GEbgtt6Eiobf6d8sUZj1pgnsu87jn38hP2plC2cygawfJluNd6ImQ5Q8/3nD2SP5uptsjS89UaUPfIbKBqeiIT7bLmLeuiCN0ZtPJqnBaDbfofwNgOCOga5+WB7TClyHbxgnPJxL1r0f75hqy3w7ccecOtIXlaEgDSiLncFY7dU5oka/2pMQJzizHE5y49KFh8ZFyi+k9PLXrawptl3Zqjg57SfLKFcrLoMQZWCHzGIBhBXuD8hnt6CZYA9Y+ysa3GXC5gkszKG7lLmS6TYrqI7Wn4idcLzezoBCxvoDS17cewm6s0uLLxh0Np7BOZh2L9DYpB3e9tKw/ie1Y= X-OriginatorOrg: windriver.com X-MS-Exchange-CrossTenant-Network-Message-Id: c64e6c46-b51c-4cbd-0b46-08da2f408a02 X-MS-Exchange-CrossTenant-AuthSource: DM4PR11MB5327.namprd11.prod.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-OriginalArrivalTime: 06 May 2022 09:12:26.7086 (UTC) X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-CrossTenant-Id: 8ddb2873-a1ad-4a18-ae4e-4644631433be X-MS-Exchange-CrossTenant-MailboxType: HOSTED X-MS-Exchange-CrossTenant-UserPrincipalName: 3QmHug58NHRVBJNmRTfmrurWzTboEuaz0uFlq7bpCqKGFvCjtKsWW/ZjrHzmmpD8fgnOKq7Kui7lO/s5coumWZYkaVZ76iCVcoVGc3DL/q4= X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN7PR11MB2660 X-Proofpoint-GUID: mVNQ6Jf62Sc1YqwzG4LgauzrujnGrQd3 X-Proofpoint-ORIG-GUID: mVNQ6Jf62Sc1YqwzG4LgauzrujnGrQd3 X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.205,Aquarius:18.0.858,Hydra:6.0.486,FMLib:17.11.64.514 definitions=2022-05-06_03,2022-05-05_01,2022-02-23_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 priorityscore=1501 clxscore=1015 suspectscore=0 lowpriorityscore=0 phishscore=0 impostorscore=0 adultscore=0 mlxscore=0 mlxlogscore=999 spamscore=0 malwarescore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2202240000 definitions=main-2205060051 Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: Takashi Iwai commit bc55cfd5718c7c23e5524582e9fa70b4d10f2433 upstream. syzbot caught a potential deadlock between the PCM runtime->buffer_mutex and the mm->mmap_lock. It was brought by the recent fix to cover the racy read/write and other ioctls, and in that commit, I overlooked a (hopefully only) corner case that may take the revert lock, namely, the OSS mmap. The OSS mmap operation exceptionally allows to re-configure the parameters inside the OSS mmap syscall, where mm->mmap_mutex is already held. Meanwhile, the copy_from/to_user calls at read/write operations also take the mm->mmap_lock internally, hence it may lead to a AB/BA deadlock. A similar problem was already seen in the past and we fixed it with a refcount (in commit b248371628aa). The former fix covered only the call paths with OSS read/write and OSS ioctls, while we need to cover the concurrent access via both ALSA and OSS APIs now. This patch addresses the problem above by replacing the buffer_mutex lock in the read/write operations with a refcount similar as we've used for OSS. The new field, runtime->buffer_accessing, keeps the number of concurrent read/write operations. Unlike the former buffer_mutex protection, this protects only around the copy_from/to_user() calls; the other codes are basically protected by the PCM stream lock. The refcount can be a negative, meaning blocked by the ioctls. If a negative value is seen, the read/write aborts with -EBUSY. In the ioctl side, OTOH, they check this refcount, too, and set to a negative value for blocking unless it's already being accessed. Reported-by: syzbot+6e5c88838328e99c7e1c@syzkaller.appspotmail.com Fixes: dca947d4d26d ("ALSA: pcm: Fix races among concurrent read/write and buffer changes") Cc: Link: https://lore.kernel.org/r/000000000000381a0d05db622a81@google.com Link: https://lore.kernel.org/r/20220330120903.4738-1-tiwai@suse.de Signed-off-by: Takashi Iwai [OP: backport to 5.4: adjusted context] Signed-off-by: Ovidiu Panait --- include/sound/pcm.h | 1 + sound/core/pcm.c | 1 + sound/core/pcm_lib.c | 9 +++++---- sound/core/pcm_native.c | 39 ++++++++++++++++++++++++++++++++------- 4 files changed, 39 insertions(+), 11 deletions(-) diff --git a/include/sound/pcm.h b/include/sound/pcm.h index 24273d0f770b..f0045f842a60 100644 --- a/include/sound/pcm.h +++ b/include/sound/pcm.h @@ -396,6 +396,7 @@ struct snd_pcm_runtime { wait_queue_head_t tsleep; /* transfer sleep */ struct fasync_struct *fasync; struct mutex buffer_mutex; /* protect for buffer changes */ + atomic_t buffer_accessing; /* >0: in r/w operation, <0: blocked */ /* -- private section -- */ void *private_data; diff --git a/sound/core/pcm.c b/sound/core/pcm.c index c9335d1d0e44..3561cdceaadc 100644 --- a/sound/core/pcm.c +++ b/sound/core/pcm.c @@ -970,6 +970,7 @@ int snd_pcm_attach_substream(struct snd_pcm *pcm, int stream, runtime->status->state = SNDRV_PCM_STATE_OPEN; mutex_init(&runtime->buffer_mutex); + atomic_set(&runtime->buffer_accessing, 0); substream->runtime = runtime; substream->private_data = pcm->private_data; diff --git a/sound/core/pcm_lib.c b/sound/core/pcm_lib.c index fdb141e426ac..1bce55533519 100644 --- a/sound/core/pcm_lib.c +++ b/sound/core/pcm_lib.c @@ -1861,11 +1861,9 @@ static int wait_for_avail(struct snd_pcm_substream *substream, if (avail >= runtime->twake) break; snd_pcm_stream_unlock_irq(substream); - mutex_unlock(&runtime->buffer_mutex); tout = schedule_timeout(wait_time); - mutex_lock(&runtime->buffer_mutex); snd_pcm_stream_lock_irq(substream); set_current_state(TASK_INTERRUPTIBLE); switch (runtime->status->state) { @@ -2159,7 +2157,6 @@ snd_pcm_sframes_t __snd_pcm_lib_xfer(struct snd_pcm_substream *substream, nonblock = !!(substream->f_flags & O_NONBLOCK); - mutex_lock(&runtime->buffer_mutex); snd_pcm_stream_lock_irq(substream); err = pcm_accessible_state(runtime); if (err < 0) @@ -2214,10 +2211,15 @@ snd_pcm_sframes_t __snd_pcm_lib_xfer(struct snd_pcm_substream *substream, err = -EINVAL; goto _end_unlock; } + if (!atomic_inc_unless_negative(&runtime->buffer_accessing)) { + err = -EBUSY; + goto _end_unlock; + } snd_pcm_stream_unlock_irq(substream); err = writer(substream, appl_ofs, data, offset, frames, transfer); snd_pcm_stream_lock_irq(substream); + atomic_dec(&runtime->buffer_accessing); if (err < 0) goto _end_unlock; err = pcm_accessible_state(runtime); @@ -2247,7 +2249,6 @@ snd_pcm_sframes_t __snd_pcm_lib_xfer(struct snd_pcm_substream *substream, if (xfer > 0 && err >= 0) snd_pcm_update_state(substream, runtime); snd_pcm_stream_unlock_irq(substream); - mutex_unlock(&runtime->buffer_mutex); return xfer > 0 ? (snd_pcm_sframes_t)xfer : err; } EXPORT_SYMBOL(__snd_pcm_lib_xfer); diff --git a/sound/core/pcm_native.c b/sound/core/pcm_native.c index 4f53e6103fd5..57a4991fa0f3 100644 --- a/sound/core/pcm_native.c +++ b/sound/core/pcm_native.c @@ -630,6 +630,24 @@ static int snd_pcm_hw_params_choose(struct snd_pcm_substream *pcm, return 0; } +/* acquire buffer_mutex; if it's in r/w operation, return -EBUSY, otherwise + * block the further r/w operations + */ +static int snd_pcm_buffer_access_lock(struct snd_pcm_runtime *runtime) +{ + if (!atomic_dec_unless_positive(&runtime->buffer_accessing)) + return -EBUSY; + mutex_lock(&runtime->buffer_mutex); + return 0; /* keep buffer_mutex, unlocked by below */ +} + +/* release buffer_mutex and clear r/w access flag */ +static void snd_pcm_buffer_access_unlock(struct snd_pcm_runtime *runtime) +{ + mutex_unlock(&runtime->buffer_mutex); + atomic_inc(&runtime->buffer_accessing); +} + #if IS_ENABLED(CONFIG_SND_PCM_OSS) #define is_oss_stream(substream) ((substream)->oss.oss) #else @@ -640,14 +658,16 @@ static int snd_pcm_hw_params(struct snd_pcm_substream *substream, struct snd_pcm_hw_params *params) { struct snd_pcm_runtime *runtime; - int err = 0, usecs; + int err, usecs; unsigned int bits; snd_pcm_uframes_t frames; if (PCM_RUNTIME_CHECK(substream)) return -ENXIO; runtime = substream->runtime; - mutex_lock(&runtime->buffer_mutex); + err = snd_pcm_buffer_access_lock(runtime); + if (err < 0) + return err; snd_pcm_stream_lock_irq(substream); switch (runtime->status->state) { case SNDRV_PCM_STATE_OPEN: @@ -752,7 +772,7 @@ static int snd_pcm_hw_params(struct snd_pcm_substream *substream, substream->ops->hw_free(substream); } unlock: - mutex_unlock(&runtime->buffer_mutex); + snd_pcm_buffer_access_unlock(runtime); return err; } @@ -785,7 +805,9 @@ static int snd_pcm_hw_free(struct snd_pcm_substream *substream) if (PCM_RUNTIME_CHECK(substream)) return -ENXIO; runtime = substream->runtime; - mutex_lock(&runtime->buffer_mutex); + result = snd_pcm_buffer_access_lock(runtime); + if (result < 0) + return result; snd_pcm_stream_lock_irq(substream); switch (runtime->status->state) { case SNDRV_PCM_STATE_SETUP: @@ -805,7 +827,7 @@ static int snd_pcm_hw_free(struct snd_pcm_substream *substream) snd_pcm_set_state(substream, SNDRV_PCM_STATE_OPEN); pm_qos_remove_request(&substream->latency_pm_qos_req); unlock: - mutex_unlock(&runtime->buffer_mutex); + snd_pcm_buffer_access_unlock(runtime); return result; } @@ -1221,12 +1243,15 @@ static int snd_pcm_action_nonatomic(const struct action_ops *ops, /* Guarantee the group members won't change during non-atomic action */ down_read(&snd_pcm_link_rwsem); - mutex_lock(&substream->runtime->buffer_mutex); + res = snd_pcm_buffer_access_lock(substream->runtime); + if (res < 0) + goto unlock; if (snd_pcm_stream_linked(substream)) res = snd_pcm_action_group(ops, substream, state, 0); else res = snd_pcm_action_single(ops, substream, state); - mutex_unlock(&substream->runtime->buffer_mutex); + snd_pcm_buffer_access_unlock(substream->runtime); + unlock: up_read(&snd_pcm_link_rwsem); return res; }