ASoC: dpcm: prevent snd_soc_dpcm use after free

pick from mr-r-qsm8250:

The dpcm got from fe_clients/be_clients may be freed before use.
Add a spin lock at snd_soc_card level, to protect the dpcm instance.
The lock may be used in atomic context, so use spin lock.

possible race condition between

void dpcm_be_disconnect(
	...
	list_del(&dpcm->list_be);
	list_del(&dpcm->list_fe);
	kfree(dpcm);
	...

and

for_each_dpcm_fe()
for_each_dpcm_be*()

race condition example

Thread 1:
	snd_soc_dapm_mixer_update_power()
	-> soc_dpcm_runtime_update()
	-> dpcm_be_disconnect()
	-> kfree(dpcm);

Thread 2:
	dpcm_fe_dai_trigger()
	-> dpcm_be_dai_trigger()
	-> snd_soc_dpcm_can_be_free_stop()
	-> if (dpcm->fe == fe)

Exception Scenario:
two FEs link to the same BE
	FE1 -> BE
	FE2 ->

Thread 1: switch of mixer between FE2 -> BE
Thread 2: pcm_stop FE1

Exception:
Unable to handle kernel paging request at virtual address dead0000000000e0
pc=<> [<ffffff9fdb095a98>] dpcm_be_dai_trigger+0x1a0/0x360
	sound/soc/soc-pcm.c:3226
	if (dpcm->fe == fe)
lr=<> [<ffffff9fdb098a54>] dpcm_fe_dai_do_trigger+0x184/0x258

Backtrace:
	dpcm_be_dai_trigger+0x1a0/0x360
	dpcm_fe_dai_do_trigger+0x184/0x258
	dpcm_fe_dai_trigger+0x40/0x48
	snd_pcm_do_stop+0x48/0x58
	snd_pcm_action+0xb0/0x140
	snd_pcm_release_substream+0xac/0x198
	snd_pcm_release+0x3c/0x98
	__fput+0xbc/0x1b8
	____fput+0xc/0x18
	task_work_run+0x8c/0xb0
	do_notify_resume+0x410/0x2068
	work_pending+0x8/0x10

Signed-off-by: KaiChieh Chuang <kaichieh.chuang@mediatek.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
Git-commit: bbfaa7d36c1eb465f120f2a3dfe25c1fe022195d
Git-repo: https://android.googlesource.com/kernel/common/
Signed-off-by: Soumya Managoli <smanag@codeaurora.org>
Change-Id: I8974d25435d6faf54117ca209c9a00e3515fc314
Signed-off-by: zhangh12 <zhangh12@motorola.com>
Reviewed-on: https://gerrit.mot.com/2062908
SLTApproved: Slta Waiver
SME-Granted: SME Approvals Granted
Tested-by: Jira Key
Reviewed-by: Xiangpo Zhao <zhaoxp3@motorola.com>
Submit-Approved: Jira Key
Signed-off-by: Pranav Vashi <neobuddy89@gmail.com>
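Added example, not the kernel's or this commit's code: a userspace C model of the lock discipline the message describes, where one card-level lock covers both the list_del/free in disconnect and every walk of the FE/BE client lists, so a trigger can never dereference a freed dpcm. The list, rtd, dpcm and card structures and the function names are simplified stand-ins constructed for this example.

```c
#include <stdatomic.h>
#include <stddef.h>
#include <stdlib.h>
/* Minimal kernel-style intrusive list (constructed for this example). */
struct list { struct list *next, *prev; };
#define container_of(p, T, m) ((T *)((char *)(p) - offsetof(T, m)))
#define list_for_each(pos, head) for ((pos) = (head)->next; (pos) != (head); (pos) = (pos)->next)
static void list_init(struct list *h) { h->next = h->prev = h; }
static void list_add(struct list *n, struct list *h) {
    n->next = h->next; n->prev = h; h->next->prev = n; h->next = n;
}
static void list_del(struct list *n) {   /* the kernel poisons next/prev here   */
    n->prev->next = n->next; n->next->prev = n->prev;  /* (LIST_POISON), which is */
    n->next = n->prev = NULL;                          /* the dead00... address   */
}

struct rtd  { struct list clients; };                /* an FE or BE runtime */
struct dpcm { struct rtd *fe, *be; struct list list_fe, list_be; };
struct card { atomic_flag dpcm_lock; int nr_dpcm; }; /* the lock the fix adds */
static void rtd_init(struct rtd *r)     { list_init(&r->clients); }
static void card_init(struct card *c)   { *c = (struct card){ .dpcm_lock = ATOMIC_FLAG_INIT }; }
static void card_lock(struct card *c)   { while (atomic_flag_test_and_set(&c->dpcm_lock)) ; }
static void card_unlock(struct card *c) { atomic_flag_clear(&c->dpcm_lock); }

/* Like dpcm_be_connect(): one node on the FE's be_clients and the BE's fe_clients. */
static struct dpcm *dpcm_connect(struct card *c, struct rtd *fe, struct rtd *be) {
    struct dpcm *d = malloc(sizeof *d); if (!d) abort();
    d->fe = fe; d->be = be;
    card_lock(c);
    list_add(&d->list_be, &fe->clients); list_add(&d->list_fe, &be->clients);
    c->nr_dpcm++;
    card_unlock(c);
    return d;
}
/* Like dpcm_be_disconnect(): unlink under the same lock every list walker takes,
 * so nobody can still be iterating over d when it is freed. */
static void dpcm_disconnect(struct card *c, struct dpcm *d) {
    card_lock(c);
    list_del(&d->list_be); list_del(&d->list_fe); c->nr_dpcm--;
    card_unlock(c);
    free(d);
}
/* The walk from snd_soc_dpcm_can_be_free_stop(): under the lock, count FEs other
 * than `fe` still attached to this BE (the `dpcm->fe == fe` check that crashed). */
static int be_other_users(struct card *c, struct rtd *be, struct rtd *fe) {
    struct list *pos; int n = 0;
    card_lock(c);
    list_for_each(pos, &be->clients)
        if (container_of(pos, struct dpcm, list_fe)->fe != fe) n++;
    card_unlock(c);
    return n;
}
```

The model replays the commit's scenario: FE1 and FE2 both connect to one BE, the mixer switch disconnects FE2, and a later stop of FE1 walks the BE's list without touching the freed node.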