linux/include/sound
Takashi Iwai 06ab30034e ALSA: rawmidi: Make snd_rawmidi_transmit() race-free
A kernel WARNING in snd_rawmidi_transmit_ack() is triggered by
syzkaller fuzzer:
  WARNING: CPU: 1 PID: 20739 at sound/core/rawmidi.c:1136
Call Trace:
 [<     inline     >] __dump_stack lib/dump_stack.c:15
 [<ffffffff82999e2d>] dump_stack+0x6f/0xa2 lib/dump_stack.c:50
 [<ffffffff81352089>] warn_slowpath_common+0xd9/0x140 kernel/panic.c:482
 [<ffffffff813522b9>] warn_slowpath_null+0x29/0x30 kernel/panic.c:515
 [<ffffffff84f80bd5>] snd_rawmidi_transmit_ack+0x275/0x400 sound/core/rawmidi.c:1136
 [<ffffffff84fdb3c1>] snd_virmidi_output_trigger+0x4b1/0x5a0 sound/core/seq/seq_virmidi.c:163
 [<     inline     >] snd_rawmidi_output_trigger sound/core/rawmidi.c:150
 [<ffffffff84f87ed9>] snd_rawmidi_kernel_write1+0x549/0x780 sound/core/rawmidi.c:1223
 [<ffffffff84f89fd3>] snd_rawmidi_write+0x543/0xb30 sound/core/rawmidi.c:1273
 [<ffffffff817b0323>] __vfs_write+0x113/0x480 fs/read_write.c:528
 [<ffffffff817b1db7>] vfs_write+0x167/0x4a0 fs/read_write.c:577
 [<     inline     >] SYSC_write fs/read_write.c:624
 [<ffffffff817b50a1>] SyS_write+0x111/0x220 fs/read_write.c:616
 [<ffffffff86336c36>] entry_SYSCALL_64_fastpath+0x16/0x7a arch/x86/entry/entry_64.S:185

Also a similar warning is found but in another path:
Call Trace:
 [<     inline     >] __dump_stack lib/dump_stack.c:15
 [<ffffffff82be2c0d>] dump_stack+0x6f/0xa2 lib/dump_stack.c:50
 [<ffffffff81355139>] warn_slowpath_common+0xd9/0x140 kernel/panic.c:482
 [<ffffffff81355369>] warn_slowpath_null+0x29/0x30 kernel/panic.c:515
 [<ffffffff8527e69a>] rawmidi_transmit_ack+0x24a/0x3b0 sound/core/rawmidi.c:1133
 [<ffffffff8527e851>] snd_rawmidi_transmit_ack+0x51/0x80 sound/core/rawmidi.c:1163
 [<ffffffff852d9046>] snd_virmidi_output_trigger+0x2b6/0x570 sound/core/seq/seq_virmidi.c:185
 [<     inline     >] snd_rawmidi_output_trigger sound/core/rawmidi.c:150
 [<ffffffff85285a0b>] snd_rawmidi_kernel_write1+0x4bb/0x760 sound/core/rawmidi.c:1252
 [<ffffffff85287b73>] snd_rawmidi_write+0x543/0xb30 sound/core/rawmidi.c:1302
 [<ffffffff817ba5f3>] __vfs_write+0x113/0x480 fs/read_write.c:528
 [<ffffffff817bc087>] vfs_write+0x167/0x4a0 fs/read_write.c:577
 [<     inline     >] SYSC_write fs/read_write.c:624
 [<ffffffff817bf371>] SyS_write+0x111/0x220 fs/read_write.c:616
 [<ffffffff86660276>] entry_SYSCALL_64_fastpath+0x16/0x7a arch/x86/entry/entry_64.S:185

In the former case, the reason is that virmidi has an open code
calling snd_rawmidi_transmit_ack() with the value calculated outside
the spinlock.   We may use snd_rawmidi_transmit() in a loop just for
consuming the input data, but even there, there is a race between
snd_rawmidi_transmit_peek() and snd_rawmidi_tranmit_ack().

Similarly in the latter case, it calls snd_rawmidi_transmit_peek() and
snd_rawmidi_tranmit_ack() separately without protection, so they are
racy as well.

The patch tries to address these issues by the following ways:
- Introduce the unlocked versions of snd_rawmidi_transmit_peek() and
  snd_rawmidi_transmit_ack() to be called inside the explicit lock.
- Rewrite snd_rawmidi_transmit() to be race-free (the former case).
- Make the split calls (the latter case) protected in the rawmidi spin
  lock.

BugLink: http://lkml.kernel.org/r/CACT4Y+YPq1+cYLkadwjWa5XjzF1_Vki1eHnVn-Lm0hzhSpu5PA@mail.gmail.com
BugLink: http://lkml.kernel.org/r/CACT4Y+acG4iyphdOZx47Nyq_VHGbpJQK-6xNpiqUjaZYqsXOGw@mail.gmail.com
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Tested-by: Dmitry Vyukov <dvyukov@google.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2016-02-03 14:51:28 +01:00
..
ac97_codec.h ASoC: ac97: add gpio chip 2015-11-18 18:08:54 +00:00
aci.h
ad1816a.h ALSA: ad1816a: Remove always NULL parameters 2015-01-02 16:26:20 +01:00
ad1843.h
adau1373.h
aess.h
ak4xxx-adda.h
ak4113.h ALSA: ak411x: Fix race of reinit() calls 2015-01-28 22:30:18 +01:00
ak4114.h ALSA: ak411x: Fix race of reinit() calls 2015-01-28 22:30:18 +01:00
ak4117.h
ak4531_codec.h
ak4641.h
alc5623.h
asequencer.h
asound.h
asoundef.h
atmel-abdac.h dmaengine: dw: move dw_dmac.h to where it belongs to 2014-09-11 11:48:12 +05:30
atmel-ac97c.h dmaengine: dw: move dw_dmac.h to where it belongs to 2014-09-11 11:48:12 +05:30
compress_driver.h ALSA: compress: Pass id string to snd_compress_new 2015-11-30 11:44:59 +01:00
control.h ALSA: hda - Update to use the new jack kctls method 2015-04-27 21:37:42 +02:00
core.h ALSA: hda_intel: add card number to irq description 2016-01-12 21:05:16 +01:00
cs42l52.h
cs42l56.h
cs42l73.h
cs4231-regs.h
cs4271.h
cs8403.h
cs8427.h
da7213.h ASoC: da7213: Add support to handle mclk data provided to driver 2015-10-07 15:11:34 +01:00
da7218.h ASoC: da7218: Add da7218 codec driver 2015-11-30 12:24:12 +00:00
da7219-aad.h ASoC: codecs: Add da7219 codec driver 2015-10-02 18:11:27 +01:00
da7219.h ASoC: da7219: Add support for 1.6V micbias level 2015-12-23 00:11:57 +00:00
da9055.h
designware_i2s.h ASoC: dwc: add quirk to override COMP_PARAM_1 register 2016-01-10 12:11:50 +00:00
dmaengine_pcm.h ASoC: dmaengine_pcm: Make FLAG_NO_RESIDUE internal 2015-04-27 19:26:07 +01:00
emu10k1.h ALSA: emu10k1: Emu10k2 32 bit DMA mode 2015-04-29 07:27:30 +02:00
emu10k1_synth.h
emu8000.h
emu8000_reg.h
emux_legacy.h
emux_synth.h ALSA: emux: Fix/cleanup old ifdef CONFIG_PROC_FS 2015-05-29 07:58:11 +02:00
es1688.h ALSA: es1688: Remove almost always NULL parameter 2015-01-02 16:27:03 +01:00
gus.h ALSA: Include linux/io.h instead of asm/io.h 2015-01-28 16:49:33 +01:00
hda_hwdep.h
hda_i915.h ALSA: hda - Move audio component accesses to hdac_i915.c 2015-12-10 14:41:07 +01:00
hda_register.h Merge branch 'topic/hdac' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound into asoc-intel 2016-01-10 12:13:34 +00:00
hda_regmap.h ALSA: hda - Fix typos in snd_hdac_regmap_*() documents 2015-09-28 12:19:08 +02:00
hda_verbs.h
hdaudio.h ALSA: hda - Add a common helper to give the codec modalias string 2015-10-20 10:14:59 +02:00
hdaudio_ext.h ALSA: hdac: add snd_hdac_ext_bus_link_power_up_all 2016-01-10 12:02:47 +00:00
hwdep.h ALSA: hwdep: Embed struct device 2015-02-02 14:42:42 +01:00
i2c.h ALSA: i2c: constify snd_i2c_ops structures 2015-11-30 11:40:08 +01:00
info.h ALSA: replace CONFIG_PROC_FS with CONFIG_SND_PROC_FS 2015-05-27 21:25:19 +02:00
initval.h
jack.h ALSA: jack: extend snd_jack_new to support phantom jack 2015-04-27 21:37:41 +02:00
l3.h
max9768.h
max98088.h
max98090.h
max98095.h
memalloc.h
minors.h
mixer_oss.h
mpu401.h
omap-hdmi-audio.h ASoC: omap-hdmi-audio: Add platform device for OMAP HDMI audio support 2014-12-01 11:09:23 +02:00
omap-pcm.h
opl3.h
opl4.h
pcm-indirect.h
pcm.h ALSA: Constify ratden/ratnum constraints 2015-10-28 11:42:22 +01:00
pcm_drm_eld.h ALSA: pcm: add DRM ELD helper 2015-05-22 16:01:44 +02:00
pcm_iec958.h ALSA: pcm: add IEC958 channel status helper 2015-05-22 16:01:47 +02:00
pcm_oss.h
pcm_params.h ALSA: Add params_set_format helper 2015-02-24 00:43:18 +09:00
pt2258.h
pxa2xx-lib.h ASoC: pxa: pxa-pcm-lib: switch over to snd-soc-dmaengine-pcm 2015-09-30 23:21:16 +01:00
rawmidi.h ALSA: rawmidi: Make snd_rawmidi_transmit() race-free 2016-02-03 14:51:28 +01:00
rt286.h
rt298.h ASoC: add rt298 codec driver 2015-07-09 12:00:11 +01:00
rt5640.h ASoC: rt5640: Fill up the IN3's support 2015-10-22 13:33:00 +01:00
rt5645.h ASoC: rt5645: Add jd_invert for Broadwell 2015-09-22 09:46:33 -07:00
rt5651.h
rt5659.h ASoC: rt5659: add rt5659 codec driver 2015-11-18 12:55:25 +00:00
rt5670.h ASoC: rt5670: Add IRQ function 2015-03-11 12:08:20 +00:00
rt5677.h ASoC: rt5677: Add the MICBIAS VDD setting in the platform data 2015-01-08 18:36:02 +00:00
s3c24xx_uda134x.h
sb.h ALSA: Include linux/io.h instead of asm/io.h 2015-01-28 16:49:33 +01:00
sb16_csp.h
seq_device.h ALSA: seq: Define driver object in each driver 2015-02-12 14:15:54 +01:00
seq_kernel.h ALSA: seq: Drop snd_seq_autoload_lock() and _unlock() 2015-02-12 14:42:31 +01:00
seq_midi_emul.h
seq_midi_event.h
seq_oss.h
seq_oss_legacy.h
seq_virmidi.h
sh_dac_audio.h
sh_fsi.h
simple_card.h ASoC: simple-card: Add tdm slot mask support to simple-card 2015-09-16 18:00:30 +01:00
snd_wavefront.h
soc-dai.h ASoC: Support registering a DAI dynamically 2016-01-10 12:06:19 +00:00
soc-dapm.h Merge branch 'fix/intel' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound into asoc-intel 2016-01-05 18:06:29 +00:00
soc-dpcm.h ASoC: Make soc_dpcm_debugfs_add() non-fatal 2015-04-09 11:32:29 +01:00
soc-topology.h ASoC: core: Pass kcontrol to bytes tlv callbacks 2015-11-18 12:57:50 +00:00
soc.h Merge remote-tracking branch 'asoc/topic/pcm-list' into asoc-next 2016-01-11 13:54:31 +00:00
soundfont.h
spear_dma.h ASoC: Update email-id of Rajeev Kumar 2015-04-28 16:31:01 +01:00
spear_spdif.h
sta32x.h ASoC: sta32x: add device tree binding. 2015-01-27 17:13:25 +00:00
sta350.h
tas2552-plat.h
tas5086.h
tea6330t.h
timer.h ALSA: timer: Introduce disconnect op to snd_timer_instance 2016-01-21 17:51:42 +01:00
tlv.h ALSA: topology: Export ID types for TLV controls. 2015-06-04 09:40:03 +01:00
tlv320aic3x.h
tlv320aic32x4.h
tlv320dac33-plat.h
tpa6130a2-plat.h
uda134x.h ASoC: uda134x: Remove is_powered_on_standby from platform data 2014-11-24 18:04:49 +00:00
uda1380.h
util_mem.h
vx_core.h ALSA: vx: Use nonatomic PCM ops 2014-09-15 15:52:03 +02:00
wavefront.h
wm0010.h
wm1250-ev1.h
wm2000.h
wm2200.h
wm5100.h
wm8903.h
wm8904.h ASoC: wm8904: Correct number of EQ registers 2015-10-20 15:46:09 +01:00
wm8955.h
wm8960.h
wm8962.h
wm8993.h
wm8996.h
wm9081.h
wm9090.h
wss.h ALSA: wss: Remove (almost) always NULL parameters 2015-01-02 16:30:08 +01:00