Patch "ALSA: pcm: Fix potential deadlock in OSS emulation" has been added to the 4.4-stable tree

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

This is a note to let you know that I've just added the patch titled

    ALSA: pcm: Fix potential deadlock in OSS emulation

to the 4.4-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     alsa-pcm-fix-potential-deadlock-in-oss-emulation.patch
and it can be found in the queue-4.4 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.


>From b248371628aad599a48540962f6b85a21a8a0c3f Mon Sep 17 00:00:00 2001
From: Takashi Iwai <tiwai@xxxxxxx>
Date: Sun, 31 Jan 2016 10:32:37 +0100
Subject: ALSA: pcm: Fix potential deadlock in OSS emulation

From: Takashi Iwai <tiwai@xxxxxxx>

commit b248371628aad599a48540962f6b85a21a8a0c3f upstream.

There are potential deadlocks in PCM OSS emulation code while
accessing read/write and mmap concurrently.  This comes from the
infamous mmap_sem usage in copy_from/to_user().  Namely,

   snd_pcm_oss_write() ->
     &runtime->oss.params_lock ->
        copy_to_user() ->
          &mm->mmap_sem
  mmap() ->
    &mm->mmap_sem ->
      snd_pcm_oss_mmap() ->
        &runtime->oss.params_lock

Since we can't avoid taking params_lock from mmap code path, use
trylock variant and aborts with -EAGAIN as a workaround of this AB/BA
deadlock.

BugLink: http://lkml.kernel.org/r/CACT4Y+bVrBKDG0G2_AcUgUQa+X91VKTeS4v+wN7BSHwHtqn3kQ@xxxxxxxxxxxxxx
Reported-by: Dmitry Vyukov <dvyukov@xxxxxxxxxx>
Signed-off-by: Takashi Iwai <tiwai@xxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>

---
 sound/core/oss/pcm_oss.c |   21 +++++++++++++++------
 1 file changed, 15 insertions(+), 6 deletions(-)

--- a/sound/core/oss/pcm_oss.c
+++ b/sound/core/oss/pcm_oss.c
@@ -834,7 +834,8 @@ static int choose_rate(struct snd_pcm_su
 	return snd_pcm_hw_param_near(substream, params, SNDRV_PCM_HW_PARAM_RATE, best_rate, NULL);
 }
 
-static int snd_pcm_oss_change_params(struct snd_pcm_substream *substream)
+static int snd_pcm_oss_change_params(struct snd_pcm_substream *substream,
+				     bool trylock)
 {
 	struct snd_pcm_runtime *runtime = substream->runtime;
 	struct snd_pcm_hw_params *params, *sparams;
@@ -848,7 +849,10 @@ static int snd_pcm_oss_change_params(str
 	struct snd_mask sformat_mask;
 	struct snd_mask mask;
 
-	if (mutex_lock_interruptible(&runtime->oss.params_lock))
+	if (trylock) {
+		if (!(mutex_trylock(&runtime->oss.params_lock)))
+			return -EAGAIN;
+	} else if (mutex_lock_interruptible(&runtime->oss.params_lock))
 		return -EINTR;
 	sw_params = kmalloc(sizeof(*sw_params), GFP_KERNEL);
 	params = kmalloc(sizeof(*params), GFP_KERNEL);
@@ -1092,7 +1096,7 @@ static int snd_pcm_oss_get_active_substr
 		if (asubstream == NULL)
 			asubstream = substream;
 		if (substream->runtime->oss.params) {
-			err = snd_pcm_oss_change_params(substream);
+			err = snd_pcm_oss_change_params(substream, false);
 			if (err < 0)
 				return err;
 		}
@@ -1132,7 +1136,7 @@ static int snd_pcm_oss_make_ready(struct
 		return 0;
 	runtime = substream->runtime;
 	if (runtime->oss.params) {
-		err = snd_pcm_oss_change_params(substream);
+		err = snd_pcm_oss_change_params(substream, false);
 		if (err < 0)
 			return err;
 	}
@@ -2163,7 +2167,7 @@ static int snd_pcm_oss_get_space(struct
 	runtime = substream->runtime;
 
 	if (runtime->oss.params &&
-	    (err = snd_pcm_oss_change_params(substream)) < 0)
+	    (err = snd_pcm_oss_change_params(substream, false)) < 0)
 		return err;
 
 	info.fragsize = runtime->oss.period_bytes;
@@ -2800,7 +2804,12 @@ static int snd_pcm_oss_mmap(struct file
 		return -EIO;
 	
 	if (runtime->oss.params) {
-		if ((err = snd_pcm_oss_change_params(substream)) < 0)
+		/* use mutex_trylock() for params_lock for avoiding a deadlock
+		 * between mmap_sem and params_lock taken by
+		 * copy_from/to_user() in snd_pcm_oss_write/read()
+		 */
+		err = snd_pcm_oss_change_params(substream, true);
+		if (err < 0)
 			return err;
 	}
 #ifdef CONFIG_SND_PCM_OSS_PLUGINS


Patches currently in stable-queue which might be from tiwai@xxxxxxx are

queue-4.4/alsa-seq-fix-race-at-closing-in-virmidi-driver.patch
queue-4.4/alsa-hda-fix-bad-dereference-of-jack-object.patch
queue-4.4/alsa-usb-audio-add-quirk-for-microsoft-lifecam-hd-6000.patch
queue-4.4/alsa-rawmidi-remove-kernel-warning-for-null-user-space-buffer-check.patch
queue-4.4/alsa-usb-audio-fix-oppo-ha-1-vendor-id.patch
queue-4.4/alsa-timer-fix-race-at-concurrent-reads.patch
queue-4.4/alsa-hda-realtek-support-dell-headset-mode-for-alc225.patch
queue-4.4/alsa-hda-fix-static-checker-warning-in-patch_hdmi.c.patch
queue-4.4/alsa-seq-fix-lockdep-warnings-due-to-double-mutex-locks.patch
queue-4.4/alsa-usb-audio-fix-teac-ud-501-ud-503-nt-503-usb-delay.patch
queue-4.4/alsa-timer-fix-wrong-instance-passed-to-slave-callbacks.patch
queue-4.4/alsa-hda-disable-dynamic-clock-gating-on-broxton-before-reset.patch
queue-4.4/alsa-hda-realtek-support-headset-mode-for-alc225.patch
queue-4.4/alsa-hda-implement-loopback-control-switch-for-realtek-and-other-codecs.patch
queue-4.4/alsa-hda-realtek-new-codec-support-of-alc225.patch
queue-4.4/alsa-seq-degrade-the-error-message-for-too-many-opens.patch
queue-4.4/alsa-compress-disable-get_codec_caps-ioctl-for-some-architectures.patch
queue-4.4/alsa-rawmidi-make-snd_rawmidi_transmit-race-free.patch
queue-4.4/alsa-hda-fix-speaker-output-from-vaio-aio-machines.patch
queue-4.4/alsa-bebob-use-a-signed-return-type-for-get_formation_index.patch
queue-4.4/alsa-add-missing-dependency-on-config_snd_timer.patch
queue-4.4/alsa-dummy-implement-timer-backend-switching-more-safely.patch
queue-4.4/alsa-dummy-disable-switching-timer-backend-via-sysfs.patch
queue-4.4/alsa-seq-fix-incorrect-sanity-check-at-snd_seq_oss_synth_cleanup.patch
queue-4.4/alsa-seq-fix-yet-another-races-among-alsa-timer-accesses.patch
queue-4.4/alsa-usb-audio-avoid-freeing-umidi-object-twice.patch
queue-4.4/revert-alsa-hda-fix-noise-on-gigabyte-z170x-mobo.patch
queue-4.4/alsa-hda-add-fixup-for-mac-mini-7-1-model.patch
queue-4.4/alsa-usb-audio-add-native-dsd-support-for-ps-audio-nuwave-dac.patch
queue-4.4/alsa-timer-fix-leftover-link-at-closing.patch
queue-4.4/alsa-rawmidi-fix-race-at-copying-updating-the-position.patch
queue-4.4/alsa-pcm-fix-potential-deadlock-in-oss-emulation.patch
queue-4.4/alsa-timer-fix-link-corruption-due-to-double-start-or-stop.patch
--
To unsubscribe from this list: send the line "unsubscribe stable" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
[Index of Archives]     [Linux Kernel]     [Kernel Development Newbies]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite Hiking]     [Linux Kernel]     [Linux SCSI]