mirror of
https://github.com/torvalds/linux.git
synced 2024-11-22 12:11:40 +00:00
ALSA: line6: Fix racy access to midibuf
There can be concurrent accesses to line6 midibuf from both the URB completion callback and the rawmidi API access. This could be a cause of KMSAN warning triggered by syzkaller below (so put as reported-by here). This patch protects the midibuf call of the former code path with a spinlock for avoiding the possible races. Reported-by: syzbot+78eccfb8b3c9a85fc6c5@syzkaller.appspotmail.com Closes: https://lore.kernel.org/00000000000000949c061df288c5@google.com Cc: <stable@vger.kernel.org> Link: https://patch.msgid.link/20240805130129.10872-1-tiwai@suse.de Signed-off-by: Takashi Iwai <tiwai@suse.de>
This commit is contained in:
parent
312c04cee4
commit
15b7a03205
@ -286,12 +286,14 @@ static void line6_data_received(struct urb *urb)
|
||||
{
|
||||
struct usb_line6 *line6 = (struct usb_line6 *)urb->context;
|
||||
struct midi_buffer *mb = &line6->line6midi->midibuf_in;
|
||||
unsigned long flags;
|
||||
int done;
|
||||
|
||||
if (urb->status == -ESHUTDOWN)
|
||||
return;
|
||||
|
||||
if (line6->properties->capabilities & LINE6_CAP_CONTROL_MIDI) {
|
||||
spin_lock_irqsave(&line6->line6midi->lock, flags);
|
||||
done =
|
||||
line6_midibuf_write(mb, urb->transfer_buffer, urb->actual_length);
|
||||
|
||||
@ -300,12 +302,15 @@ static void line6_data_received(struct urb *urb)
|
||||
dev_dbg(line6->ifcdev, "%d %d buffer overflow - message skipped\n",
|
||||
done, urb->actual_length);
|
||||
}
|
||||
spin_unlock_irqrestore(&line6->line6midi->lock, flags);
|
||||
|
||||
for (;;) {
|
||||
spin_lock_irqsave(&line6->line6midi->lock, flags);
|
||||
done =
|
||||
line6_midibuf_read(mb, line6->buffer_message,
|
||||
LINE6_MIDI_MESSAGE_MAXLEN,
|
||||
LINE6_MIDIBUF_READ_RX);
|
||||
spin_unlock_irqrestore(&line6->line6midi->lock, flags);
|
||||
|
||||
if (done <= 0)
|
||||
break;
|
||||
|
Loading…
Reference in New Issue
Block a user