Commit 1465d06a authored by Pierre-Louis Bossart's avatar Pierre-Louis Bossart Committed by Takashi Iwai
Browse files

ALSA: hda: hdac_stream: fix potential locking issue in snd_hdac_stream_assign() 



The fields 'opened', 'running', 'assigned_key' are all protected by a
spinlock, but the spinlock is not taken when looking for a
stream. This can result in a possible race between assign() and
release().

Fix by taking the spinlock before walking through the bus stream list.

Signed-off-by: default avatarPierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
Link: https://lore.kernel.org/r/20210924192417.169243-2-pierre-louis.bossart@linux.intel.com


Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
parent 882e013a

sound/hda/hdac_stream.c

+2 −2
Original line number Original line Diff line number Diff line
@@ -296,6 +296,7 @@ struct hdac_stream *snd_hdac_stream_assign(struct hdac_bus *bus, 
	int key = (substream->pcm->device << 16) | (substream->number << 2) |

	int key = (substream->pcm->device << 16) | (substream->number << 2) |

		(substream->stream + 1);

		(substream->stream + 1);





	spin_lock_irq(&bus->reg_lock);

	list_for_each_entry(azx_dev, &bus->stream_list, list) {

	list_for_each_entry(azx_dev, &bus->stream_list, list) {

		if (azx_dev->direction != substream->stream)

		if (azx_dev->direction != substream->stream)

			continue;

			continue;
@@ -309,13 +310,12 @@ struct hdac_stream *snd_hdac_stream_assign(struct hdac_bus *bus, 
			res = azx_dev;

			res = azx_dev;

	}

	}

	if (res) {

	if (res) {

		spin_lock_irq(&bus->reg_lock);

		res->opened = 1;

		res->opened = 1;

		res->running = 0;

		res->running = 0;

		res->assigned_key = key;

		res->assigned_key = key;

		res->substream = substream;

		res->substream = substream;

		spin_unlock_irq(&bus->reg_lock);

	}

	}

	spin_unlock_irq(&bus->reg_lock);

	return res;

	return res;

}

}

EXPORT_SYMBOL_GPL(snd_hdac_stream_assign);

EXPORT_SYMBOL_GPL(snd_hdac_stream_assign);