kernel_optimize_test/include/sound
Takashi Iwai 9017201e8d ALSA: pcm: Fix potential AB/BA lock with buffer_mutex and mmap_lock
commit bc55cfd5718c7c23e5524582e9fa70b4d10f2433 upstream.

syzbot caught a potential deadlock between the PCM
runtime->buffer_mutex and the mm->mmap_lock.  It was brought by the
recent fix to cover the racy read/write and other ioctls, and in that
commit, I overlooked a (hopefully only) corner case that may take the
revert lock, namely, the OSS mmap.  The OSS mmap operation
exceptionally allows to re-configure the parameters inside the OSS
mmap syscall, where mm->mmap_mutex is already held.  Meanwhile, the
copy_from/to_user calls at read/write operations also take the
mm->mmap_lock internally, hence it may lead to an AB/BA deadlock.

A similar problem was already seen in the past and we fixed it with a
refcount (in commit b248371628).  The former fix covered only the
call paths with OSS read/write and OSS ioctls, while we need to cover
the concurrent access via both ALSA and OSS APIs now.

This patch addresses the problem above by replacing the buffer_mutex
lock in the read/write operations with a refcount similar as we've
used for OSS.  The new field, runtime->buffer_accessing, keeps the
number of concurrent read/write operations.  Unlike the former
buffer_mutex protection, this protects only around the
copy_from/to_user() calls; the other codes are basically protected by
the PCM stream lock.  The refcount can be negative, meaning blocked
by the ioctls.  If a negative value is seen, the read/write aborts
with -EBUSY.  In the ioctl side, OTOH, they check this refcount, too,
and set to a negative value for blocking unless it's already being
accessed.

Reported-by: syzbot+6e5c88838328e99c7e1c@syzkaller.appspotmail.com
Fixes: dca947d4d26d ("ALSA: pcm: Fix races among concurrent read/write and buffer changes")
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/000000000000381a0d05db622a81@google.com
Link: https://lore.kernel.org/r/20220330120903.4738-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2022-04-08 14:39:53 +02:00
..
ac97
sof
ac97_codec.h
aci.h
ad1816a.h
ad1843.h
adau1373.h
ak4xxx-adda.h
ak4113.h
ak4114.h
ak4117.h
ak4531_codec.h
ak4641.h
alc5623.h
asequencer.h
asound.h
asoundef.h
compress_driver.h
control.h
core.h
cs35l33.h
cs35l34.h
cs35l35.h
cs35l36.h
cs42l52.h
cs42l56.h
cs42l73.h
cs4231-regs.h
cs4271.h
cs8403.h
cs8427.h
da7213.h
da7218.h
da7219-aad.h
da7219.h
da9055.h
designware_i2s.h
dmaengine_pcm.h
emu10k1_synth.h
emu10k1.h
emu8000_reg.h
emu8000.h
emux_legacy.h
emux_synth.h
es1688.h
gus.h
hda_chmap.h
hda_codec.h
hda_component.h
hda_hwdep.h
hda_i915.h
hda_register.h
hda_regmap.h
hda_verbs.h
hdaudio_ext.h
hdaudio.h
hdmi-codec.h
hwdep.h
i2c.h
info.h
initval.h
intel-dsp-config.h
intel-nhlt.h
jack.h
l3.h
madera-pdata.h
max9768.h
max98088.h
max98090.h
max98095.h
memalloc.h
minors.h
mixer_oss.h
mpu401.h
omap-hdmi-audio.h
opl3.h
opl4.h
pcm_drm_eld.h
pcm_iec958.h
pcm_oss.h
pcm_params.h
pcm-indirect.h
pcm.h
pt2258.h
pxa2xx-lib.h
rawmidi.h
rt286.h
rt298.h
rt1015.h
rt5514.h
rt5645.h
rt5659.h
rt5660.h
rt5663.h
rt5665.h
rt5668.h
rt5682.h
s3c24xx_uda134x.h
sb.h
sb16_csp.h
seq_device.h
seq_kernel.h
seq_midi_emul.h
seq_midi_event.h
seq_oss_legacy.h
seq_oss.h
seq_virmidi.h
sh_dac_audio.h
sh_fsi.h
simple_card_utils.h
simple_card.h
snd_wavefront.h
soc-acpi-intel-match.h
soc-acpi.h
soc-card.h
soc-component.h
soc-dai.h
soc-dapm.h
soc-dpcm.h
soc-link.h
soc-topology.h
soc.h
sof.h
soundfont.h
spear_dma.h
spear_spdif.h
sta32x.h
sta350.h
tas2552-plat.h
tas5086.h
tea6330t.h
timer.h
tlv.h
tlv320aic3x.h
tlv320aic32x4.h
tlv320dac33-plat.h
tpa6130a2-plat.h
uda134x.h
uda1380.h
util_mem.h
vx_core.h
wavefront.h
wm0010.h
wm1250-ev1.h
wm2000.h
wm2200.h
wm5100.h
wm8903.h
wm8904.h
wm8955.h
wm8960.h
wm8962.h
wm8993.h
wm8996.h
wm9081.h
wm9090.h
wss.h