linux

History

KaiChieh Chuang a976486977 ASoC: dpcm: prevent snd_soc_dpcm use after free The dpcm get from fe_clients/be_clients may be free before use Add a spin lock at snd_soc_card level, to protect the dpcm instance. The lock may be used in atomic context, so use spin lock. Use irq spin lock version, since the lock may be used in interrupts. possible race condition between void dpcm_be_disconnect( ... list_del(&dpcm->list_be); list_del(&dpcm->list_fe); kfree(dpcm); ... and for_each_dpcm_fe() for_each_dpcm_be*() race condition example Thread 1: snd_soc_dapm_mixer_update_power() -> soc_dpcm_runtime_update() -> dpcm_be_disconnect() -> kfree(dpcm); Thread 2: dpcm_fe_dai_trigger() -> dpcm_be_dai_trigger() -> snd_soc_dpcm_can_be_free_stop() -> if (dpcm->fe == fe) Excpetion Scenario: two FE link to same BE FE1 -> BE FE2 -> Thread 1: switch of mixer between FE2 -> BE Thread 2: pcm_stop FE1 Exception: Unable to handle kernel paging request at virtual address dead0000000000e0 pc=<> [<ffffff8960e2cd10>] dpcm_be_dai_trigger+0x29c/0x47c sound/soc/soc-pcm.c:3226 if (dpcm->fe == fe) lr=<> [<ffffff8960e2f694>] dpcm_fe_dai_do_trigger+0x94/0x26c Backtrace: [<ffffff89602dba80>] notify_die+0x68/0xb8 [<ffffff896028c7dc>] die+0x118/0x2a8 [<ffffff89602a2f84>] __do_kernel_fault+0x13c/0x14c [<ffffff89602a27f4>] do_translation_fault+0x64/0xa0 [<ffffff8960280cf8>] do_mem_abort+0x4c/0xd0 [<ffffff8960282ad0>] el1_da+0x24/0x40 [<ffffff8960e2cd10>] dpcm_be_dai_trigger+0x29c/0x47c [<ffffff8960e2f694>] dpcm_fe_dai_do_trigger+0x94/0x26c [<ffffff8960e2edec>] dpcm_fe_dai_trigger+0x3c/0x44 [<ffffff8960de5588>] snd_pcm_do_stop+0x50/0x5c [<ffffff8960dded24>] snd_pcm_action+0xb4/0x13c [<ffffff8960ddfdb4>] snd_pcm_drop+0xa0/0x128 [<ffffff8960de69bc>] snd_pcm_common_ioctl+0x9d8/0x30f0 [<ffffff8960de1cac>] snd_pcm_ioctl_compat+0x29c/0x2f14 [<ffffff89604c9d60>] compat_SyS_ioctl+0x128/0x244 [<ffffff8960283740>] el0_svc_naked+0x34/0x38 [<ffffffffffffffff>] 0xffffffffffffffff Signed-off-by: KaiChieh Chuang <kaichieh.chuang@mediatek.com> Signed-off-by: Mark Brown <broonie@kernel.org>		2019-03-11 16:58:49 +00:00
..
ac97	ALSA: ac97: fix unbalanced pm_runtime_enable	2018-08-19 18:37:04 +02:00
aoa	cross-tree: phase out dma_zalloc_coherent()	2019-01-08 07:58:37 -05:00
arm	ASoC: pxa: switch to new ac97 bus support	2018-09-10 18:47:58 +01:00
atmel
core	ASoC: Fixes for v5.0	2019-01-18 15:17:17 +01:00
drivers	ALSA: opl3: Mark expected switch fall-through	2018-08-08 21:40:14 +02:00
firewire	ALSA: bebob: fix model-id of unit for Apogee Ensemble	2018-12-19 14:36:35 +01:00
hda	ALSA: HDA: export process_unsol_events()	2018-12-19 18:07:18 +01:00
i2c	ALSA: i2c/cs8427: Fix int to char conversion	2018-10-18 15:44:08 +02:00
isa	Remove 'type' argument from access_ok() function	2019-01-03 18:57:57 -08:00
mips	ALSA: mips: Cleanup indirect PCM helper usages	2018-09-04 12:13:46 +02:00
oss	treewide: kmalloc() -> kmalloc_array()	2018-06-12 16:19:22 -07:00
parisc
pci	ALSA: hda - Add mute LED support for HP ProBook 470 G5	2019-01-21 15:31:04 +01:00
pcmcia	Merge branch 'for-linus' into topic/virmidi	2018-07-29 22:39:29 +02:00
ppc	ALSA: aoa: Use of_node_name_eq for node name comparisons	2018-12-06 10:54:54 +01:00
sh
soc	ASoC: dpcm: prevent snd_soc_dpcm use after free	2019-03-11 16:58:49 +00:00
sparc	cross-tree: phase out dma_zalloc_coherent()	2019-01-08 07:58:37 -05:00
spi
synth	ALSA: emux: Fix potential Spectre v1 vulnerabilities	2018-12-13 09:13:04 +01:00
usb	ALSA: usb-audio: fix CM6206 register definitions	2019-01-08 22:51:44 +01:00
x86	Merge drm/drm-next into drm-intel-next-queued	2018-11-20 13:14:08 +02:00
xen	ALSA: xen-front: Use Xen common shared buffer implementation	2018-12-18 12:19:37 -05:00
ac97_bus.c
Kconfig	ALSA: xen-front: Introduce Xen para-virtualized sound frontend driver	2018-05-16 12:58:36 +02:00
last.c
Makefile	ALSA: xen-front: Introduce Xen para-virtualized sound frontend driver	2018-05-16 12:58:36 +02:00
sound_core.c	sound: Use octal not symbolic permissions	2018-05-28 11:27:20 +02:00