| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 9 Sep 2021 07:46:13 -0400
From: Sasha Levin <sashal@...nel.org>
To: linux-kernel@...r.kernel.org, stable@...r.kernel.org
Cc: Pierre-Louis Bossart <pierre-louis.bossart@...ux.intel.com>,
Mark Brown <broonie@...nel.org>,
Sasha Levin <sashal@...nel.org>, alsa-devel@...a-project.org
Subject: [PATCH AUTOSEL 5.13 197/219] ASoC: soc-pcm: protect BE dailink state changes in trigger
From: Pierre-Louis Bossart <pierre-louis.bossart@...ux.intel.com>
[ Upstream commit 0c75fc7193387776c10f7c7b440d93496e3d5e21 ]
When more than one FE is connected to a BE, e.g. in a mixing use case,
the BE can be triggered multiple times when the FE are opened/started
concurrently. This race condition is problematic in the case of
SoundWire BE dailinks, and this is not desirable in a general
case. The code carefully checks when the BE can be stopped or
hw_free'ed, but the trigger code does not use any mutual exclusion.
Fix by using the same spinlock already used to check FE states, and
set the state before the trigger. In case of errors, the initial
state will be restored.
This patch does not change how the triggers are handled, it only makes
sure the states are handled in critical sections.
Signed-off-by: Pierre-Louis Bossart <pierre-louis.bossart@...ux.intel.com>
Message-Id: <20210817164054.250028-2-pierre-louis.bossart@...ux.intel.com>
Signed-off-by: Mark Brown <broonie@...nel.org>
Signed-off-by: Sasha Levin <sashal@...nel.org>
---
sound/soc/soc-pcm.c | 103 ++++++++++++++++++++++++++++++++++++--------
1 file changed, 85 insertions(+), 18 deletions(-)
diff --git a/sound/soc/soc-pcm.c b/sound/soc/soc-pcm.c
index d1c570ca21ea..b944f56a469a 100644
--- a/sound/soc/soc-pcm.c
+++ b/sound/soc/soc-pcm.c
@@ -2001,6 +2001,8 @@ int dpcm_be_dai_trigger(struct snd_soc_pcm_runtime *fe, int stream,
struct snd_soc_pcm_runtime *be;
struct snd_soc_dpcm *dpcm;
int ret = 0;
+ unsigned long flags;
+ enum snd_soc_dpcm_state state;
for_each_dpcm_be(fe, stream, dpcm) {
struct snd_pcm_substream *be_substream;
@@ -2017,76 +2019,141 @@ int dpcm_be_dai_trigger(struct snd_soc_pcm_runtime *fe, int stream,
switch (cmd) {
case SNDRV_PCM_TRIGGER_START:
+ spin_lock_irqsave(&fe->card->dpcm_lock, flags);
if ((be->dpcm[stream].state != SND_SOC_DPCM_STATE_PREPARE) &&
(be->dpcm[stream].state != SND_SOC_DPCM_STATE_STOP) &&
- (be->dpcm[stream].state != SND_SOC_DPCM_STATE_PAUSED))
+ (be->dpcm[stream].state != SND_SOC_DPCM_STATE_PAUSED)) {
+ spin_unlock_irqrestore(&fe->card->dpcm_lock, flags);
continue;
+ }
+ state = be->dpcm[stream].state;
+ be->dpcm[stream].state = SND_SOC_DPCM_STATE_START;
+ spin_unlock_irqrestore(&fe->card->dpcm_lock, flags);
ret = soc_pcm_trigger(be_substream, cmd);
- if (ret)
+ if (ret) {
+ spin_lock_irqsave(&fe->card->dpcm_lock, flags);
+ be->dpcm[stream].state = state;
+ spin_unlock_irqrestore(&fe->card->dpcm_lock, flags);
goto end;
+ }
- be->dpcm[stream].state = SND_SOC_DPCM_STATE_START;
break;
case SNDRV_PCM_TRIGGER_RESUME:
- if ((be->dpcm[stream].state != SND_SOC_DPCM_STATE_SUSPEND))
+ spin_lock_irqsave(&fe->card->dpcm_lock, flags);
+ if (be->dpcm[stream].state != SND_SOC_DPCM_STATE_SUSPEND) {
+ spin_unlock_irqrestore(&fe->card->dpcm_lock, flags);
continue;
+ }
+
+ state = be->dpcm[stream].state;
+ be->dpcm[stream].state = SND_SOC_DPCM_STATE_START;
+ spin_unlock_irqrestore(&fe->card->dpcm_lock, flags);
ret = soc_pcm_trigger(be_substream, cmd);
- if (ret)
+ if (ret) {
+ spin_lock_irqsave(&fe->card->dpcm_lock, flags);
+ be->dpcm[stream].state = state;
+ spin_unlock_irqrestore(&fe->card->dpcm_lock, flags);
goto end;
+ }
- be->dpcm[stream].state = SND_SOC_DPCM_STATE_START;
break;
case SNDRV_PCM_TRIGGER_PAUSE_RELEASE:
- if ((be->dpcm[stream].state != SND_SOC_DPCM_STATE_PAUSED))
+ spin_lock_irqsave(&fe->card->dpcm_lock, flags);
+ if (be->dpcm[stream].state != SND_SOC_DPCM_STATE_PAUSED) {
+ spin_unlock_irqrestore(&fe->card->dpcm_lock, flags);
continue;
+ }
+
+ state = be->dpcm[stream].state;
+ be->dpcm[stream].state = SND_SOC_DPCM_STATE_START;
+ spin_unlock_irqrestore(&fe->card->dpcm_lock, flags);
ret = soc_pcm_trigger(be_substream, cmd);
- if (ret)
+ if (ret) {
+ spin_lock_irqsave(&fe->card->dpcm_lock, flags);
+ be->dpcm[stream].state = state;
+ spin_unlock_irqrestore(&fe->card->dpcm_lock, flags);
goto end;
+ }
- be->dpcm[stream].state = SND_SOC_DPCM_STATE_START;
break;
case SNDRV_PCM_TRIGGER_STOP:
+ spin_lock_irqsave(&fe->card->dpcm_lock, flags);
if ((be->dpcm[stream].state != SND_SOC_DPCM_STATE_START) &&
- (be->dpcm[stream].state != SND_SOC_DPCM_STATE_PAUSED))
+ (be->dpcm[stream].state != SND_SOC_DPCM_STATE_PAUSED)) {
+ spin_unlock_irqrestore(&fe->card->dpcm_lock, flags);
continue;
+ }
+ spin_unlock_irqrestore(&fe->card->dpcm_lock, flags);
if (!snd_soc_dpcm_can_be_free_stop(fe, be, stream))
continue;
+ spin_lock_irqsave(&fe->card->dpcm_lock, flags);
+ state = be->dpcm[stream].state;
+ be->dpcm[stream].state = SND_SOC_DPCM_STATE_STOP;
+ spin_unlock_irqrestore(&fe->card->dpcm_lock, flags);
+
ret = soc_pcm_trigger(be_substream, cmd);
- if (ret)
+ if (ret) {
+ spin_lock_irqsave(&fe->card->dpcm_lock, flags);
+ be->dpcm[stream].state = state;
+ spin_unlock_irqrestore(&fe->card->dpcm_lock, flags);
goto end;
+ }
- be->dpcm[stream].state = SND_SOC_DPCM_STATE_STOP;
break;
case SNDRV_PCM_TRIGGER_SUSPEND:
- if (be->dpcm[stream].state != SND_SOC_DPCM_STATE_START)
+ spin_lock_irqsave(&fe->card->dpcm_lock, flags);
+ if (be->dpcm[stream].state != SND_SOC_DPCM_STATE_START) {
+ spin_unlock_irqrestore(&fe->card->dpcm_lock, flags);
continue;
+ }
+ spin_unlock_irqrestore(&fe->card->dpcm_lock, flags);
if (!snd_soc_dpcm_can_be_free_stop(fe, be, stream))
continue;
+ spin_lock_irqsave(&fe->card->dpcm_lock, flags);
+ state = be->dpcm[stream].state;
+ be->dpcm[stream].state = SND_SOC_DPCM_STATE_STOP;
+ spin_unlock_irqrestore(&fe->card->dpcm_lock, flags);
+
ret = soc_pcm_trigger(be_substream, cmd);
- if (ret)
+ if (ret) {
+ spin_lock_irqsave(&fe->card->dpcm_lock, flags);
+ be->dpcm[stream].state = state;
+ spin_unlock_irqrestore(&fe->card->dpcm_lock, flags);
goto end;
+ }
- be->dpcm[stream].state = SND_SOC_DPCM_STATE_SUSPEND;
break;
case SNDRV_PCM_TRIGGER_PAUSE_PUSH:
- if (be->dpcm[stream].state != SND_SOC_DPCM_STATE_START)
+ spin_lock_irqsave(&fe->card->dpcm_lock, flags);
+ if (be->dpcm[stream].state != SND_SOC_DPCM_STATE_START) {
+ spin_unlock_irqrestore(&fe->card->dpcm_lock, flags);
continue;
+ }
+ spin_unlock_irqrestore(&fe->card->dpcm_lock, flags);
if (!snd_soc_dpcm_can_be_free_stop(fe, be, stream))
continue;
+ spin_lock_irqsave(&fe->card->dpcm_lock, flags);
+ state = be->dpcm[stream].state;
+ be->dpcm[stream].state = SND_SOC_DPCM_STATE_PAUSED;
+ spin_unlock_irqrestore(&fe->card->dpcm_lock, flags);
+
ret = soc_pcm_trigger(be_substream, cmd);
- if (ret)
+ if (ret) {
+ spin_lock_irqsave(&fe->card->dpcm_lock, flags);
+ be->dpcm[stream].state = state;
+ spin_unlock_irqrestore(&fe->card->dpcm_lock, flags);
goto end;
+ }
- be->dpcm[stream].state = SND_SOC_DPCM_STATE_PAUSED;
break;
}
}
--
2.30.2
Powered by blists - more mailing lists