leandrof/linux
1
0
Fork 0
forked from Minki/linux
Code Issues Pull Requests Packages Projects Releases Wiki Activity
a976486977
linux/sound/soc
History
KaiChieh Chuang a976486977
ASoC: dpcm: prevent snd_soc_dpcm use after free 
The dpcm get from fe_clients/be_clients
may be free before use

Add a spin lock at snd_soc_card level,
to protect the dpcm instance.
The lock may be used in atomic context, so use spin lock.

Use irq spin lock version,
since the lock may be used in interrupts.

possible race condition between
void dpcm_be_disconnect(
	...
	list_del(&dpcm->list_be);
	list_del(&dpcm->list_fe);
	kfree(dpcm);
	...

and
	for_each_dpcm_fe()
	for_each_dpcm_be*()

race condition example
Thread 1:
    snd_soc_dapm_mixer_update_power()
        -> soc_dpcm_runtime_update()
            -> dpcm_be_disconnect()
                -> kfree(dpcm);
Thread 2:
    dpcm_fe_dai_trigger()
        -> dpcm_be_dai_trigger()
            -> snd_soc_dpcm_can_be_free_stop()
                -> if (dpcm->fe == fe)

Excpetion Scenario:
	two FE link to same BE
	FE1 -> BE
	FE2 ->

	Thread 1: switch of mixer between FE2 -> BE
	Thread 2: pcm_stop FE1

Exception:

Unable to handle kernel paging request at virtual address dead0000000000e0

pc=<> [<ffffff8960e2cd10>] dpcm_be_dai_trigger+0x29c/0x47c
	sound/soc/soc-pcm.c:3226
		if (dpcm->fe == fe)
lr=<> [<ffffff8960e2f694>] dpcm_fe_dai_do_trigger+0x94/0x26c

Backtrace:
[<ffffff89602dba80>] notify_die+0x68/0xb8
[<ffffff896028c7dc>] die+0x118/0x2a8
[<ffffff89602a2f84>] __do_kernel_fault+0x13c/0x14c
[<ffffff89602a27f4>] do_translation_fault+0x64/0xa0
[<ffffff8960280cf8>] do_mem_abort+0x4c/0xd0
[<ffffff8960282ad0>] el1_da+0x24/0x40
[<ffffff8960e2cd10>] dpcm_be_dai_trigger+0x29c/0x47c
[<ffffff8960e2f694>] dpcm_fe_dai_do_trigger+0x94/0x26c
[<ffffff8960e2edec>] dpcm_fe_dai_trigger+0x3c/0x44
[<ffffff8960de5588>] snd_pcm_do_stop+0x50/0x5c
[<ffffff8960dded24>] snd_pcm_action+0xb4/0x13c
[<ffffff8960ddfdb4>] snd_pcm_drop+0xa0/0x128
[<ffffff8960de69bc>] snd_pcm_common_ioctl+0x9d8/0x30f0
[<ffffff8960de1cac>] snd_pcm_ioctl_compat+0x29c/0x2f14
[<ffffff89604c9d60>] compat_SyS_ioctl+0x128/0x244
[<ffffff8960283740>] el0_svc_naked+0x34/0x38
[<ffffffffffffffff>] 0xffffffffffffffff

Signed-off-by: KaiChieh Chuang <kaichieh.chuang@mediatek.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
2019-03-11 16:58:49 +00:00
..
adi
amd ASoC: amd: Fix potential NULL pointer dereference 2019-01-15 19:06:23 +00:00
atmel ASoC: atmel: add SND_SOC_I2C_AND_SPI dependency 2018-09-27 23:22:40 +01:00
au1x treewide: devm_kzalloc() -> devm_kcalloc() 2018-06-12 16:19:22 -07:00
bcm ASoC: bcm: use devm_snd_soc_register_component() 2018-09-10 15:13:12 +01:00
cirrus ASoC: cirrus: i2s: IRQ-based stream watchdog 2018-05-11 11:27:33 +09:00
codecs ASoC:hdac_hda:use correct format to setup hda codec 2019-03-11 16:58:40 +00:00
dwc Merge remote-tracking branches 'asoc/topic/dwc', 'asoc/topic/es7134', 'asoc/topic/es8316', 'asoc/topic/es8328' and 'asoc/topic/fsl' into asoc-next 2018-03-28 10:29:36 +08:00
fsl ASoC: fsl: Fix of-node refcount unbalance in fsl_ssi_probe_from_dt() 2019-02-20 12:02:50 +00:00
generic ASoC: simple-card: Fix of-node refcount unbalance in DAI-link parser 2019-02-20 12:12:37 +00:00
hisilicon ASoC: hisilicon: fix fall-through annotations 2018-09-17 10:30:23 -07:00
img treewide: devm_kzalloc() -> devm_kcalloc() 2018-06-12 16:19:22 -07:00
intel ASoC:intel:skl:fix a simultaneous playback & capture issue on hda platform 2019-03-11 16:58:45 +00:00
jz4740
kirkwood ASoC: Remove depends on HAS_DMA in case of platform dependency 2018-04-18 11:17:09 +01:00
mediatek ASoC: mediatek: btcvsd add loopback 2019-02-28 14:18:26 +00:00
meson ASoC: meson: fix do_div warning in spdifin 2018-12-13 16:20:28 +00:00
mxs
nuc900 ASoC: nuc900: use devm_snd_soc_register_component() 2018-09-10 15:14:14 +01:00
pxa ASoC: eliminate left-over from Raumfeld machine driver removal 2019-01-07 16:58:19 +00:00
qcom ASoC: qcom: Kconfig: fix dependency for sdm845 2019-02-26 11:45:46 +00:00
rockchip ASoC: rockchip: add missing slave_config setting for I2S 2018-11-13 10:06:23 -08:00
samsung ASoC: samsung: i2s: Fix DAPM routes for capture stream 2019-03-11 16:27:06 +00:00
sh Merge branch 'for-5.0' of https://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound into asoc-5.1 2019-02-26 12:18:11 +00:00
sirf ASoC: sirf: Fix potential NULL pointer dereference 2018-07-30 12:02:30 +01:00
spear
sprd ASoC: sprd: Add Spreadtrum audio DMA platfrom driver 2019-01-29 18:10:12 +00:00
sti ASoC: sti: Use snd_pcm_stop_xrun() helper 2018-07-04 15:41:35 +01:00
stm ASoC: stm32: sai: fix set_sync service 2019-03-03 23:40:13 +00:00
sunxi ASoC: sunxi: sun50i-codec-analog: Rename hpvcc regulator supply to cpvdd 2019-02-19 15:36:02 +00:00
tegra ASoC: tegra_sgtl5000: fix device_node refcounting 2018-10-17 19:51:22 +01:00
ti ASoC: ti: davinci-mcasp: Add support for GPIO mode of the pins 2019-01-04 15:20:48 +00:00
txx9 ASoC: txx9: use devm_snd_soc_register_component() 2018-09-10 15:14:47 +01:00
uniphier ASoC: uniphier: change functions to static 2018-07-30 12:02:32 +01:00
ux500
xilinx ASoC: xlnx: parse AES audio parameters 2019-01-14 22:16:10 +00:00
xtensa ASoC: xtfpga-i2s: replace platform to component 2018-02-12 11:45:32 +00:00
zte ASoC: zte: Fix incorrect PCM format bit usages 2018-07-26 15:48:19 +01:00
Kconfig ASoC: sprd: Add Spreadtrum audio DMA platfrom driver 2019-01-29 18:10:12 +00:00
Makefile ASoC: sprd: Add Spreadtrum audio DMA platfrom driver 2019-01-29 18:10:12 +00:00
soc-ac97.c ASoC: ac97: convert to SPDX identifiers 2018-07-02 10:56:09 +01:00
soc-acpi.c ASoC: acpi: fix: continue searching when machine is ignored 2018-11-20 16:53:17 +00:00
soc-compress.c ASoC: compress: Add helper functions for component trigger/set_params 2019-02-06 15:51:04 +00:00
soc-core.c ASoC: dpcm: prevent snd_soc_dpcm use after free 2019-03-11 16:58:49 +00:00
soc-dapm.c ASoC: dapm: Potential small memory leak in dapm_cnew_widget() 2019-02-19 15:23:25 +00:00
soc-devres.c ASoC: soc-devres.c: convert to SPDX identifiers 2018-07-02 10:55:22 +01:00
soc-generic-dmaengine-pcm.c ASoC: dmaengine: Remove unused SND_DMAENGINE_PCM_FLAG_CUSTOM_CHANNEL_NAME flag 2019-02-14 16:17:35 +00:00
soc-io.c ASoC: soc-io.c: convert to SPDX identifiers 2018-07-02 10:53:55 +01:00
soc-jack.c ASoC: soc-jack.c: convert to SPDX identifiers 2018-07-02 10:55:12 +01:00
soc-ops.c ASoC: Fix UBSAN warning at snd_soc_get/put_volsw_sx() 2018-09-11 11:58:52 +01:00
soc-pcm.c ASoC: dpcm: prevent snd_soc_dpcm use after free 2019-03-11 16:58:49 +00:00
soc-topology.c Merge branch 'for-5.0' of https://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound into asoc-5.1 for refcount fix 2019-02-18 18:51:48 +00:00
soc-utils.c ASoC: soc-utils: Rename dummy_dma_ops to snd_dummy_dma_ops 2018-09-27 23:15:46 +01:00