From: Jia-Ju Bai <baijiaju1990@gmail.com>
To: perex@perex.cz, tiwai@suse.com, rfontana@redhat.com,
tglx@linutronix.de, allison@lohutok.net
Cc: alsa-devel@alsa-project.org, linux-kernel@vger.kernel.org,
Jia-Ju Bai <baijiaju1990@gmail.com>
Subject: [PATCH] ALSA: cmipci: Fix possible a data race in snd_cmipci_interrupt()
Date: Sun, 12 Jan 2020 00:30:27 +0800 [thread overview]
Message-ID: <20200111163027.27135-1-baijiaju1990@gmail.com> (raw)
The functions snd_cmipci_interrupt() and snd_cmipci_capture_trigger()
may be concurrently executed.
The function snd_cmipci_capture_trigger() calls
snd_cmipci_pcm_trigger(). In snd_cmipci_pcm_trigger(), the variable
rec->running is written with holding a spinlock cm->reg_lock. But in
snd_cmipci_interrupt(), the identical variable cm->channel[0].running
or cm->channel[1].running is read without holding this spinlock. Thus,
a possible data race may occur.
To fix this data race, in snd_cmipci_interrupt(), the variables
cm->channel[0].running and cm->channel[1].running are read with holding
the spinlock cm->reg_lock.
This data race is found by the runtime testing of our tool DILP-2.
Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
---
sound/pci/cmipci.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/sound/pci/cmipci.c b/sound/pci/cmipci.c
index dd9d62e2b633..f791152ec48f 100644
--- a/sound/pci/cmipci.c
+++ b/sound/pci/cmipci.c
@@ -1430,7 +1430,7 @@ static int snd_cmipci_capture_spdif_hw_free(struct snd_pcm_substream *subs)
static irqreturn_t snd_cmipci_interrupt(int irq, void *dev_id)
{
struct cmipci *cm = dev_id;
- unsigned int status, mask = 0;
+ unsigned int run_flag0, run_flag1, status, mask = 0;
/* fastpath out, to ease interrupt sharing */
status = snd_cmipci_read(cm, CM_REG_INT_STATUS);
@@ -1445,15 +1445,17 @@ static irqreturn_t snd_cmipci_interrupt(int irq, void *dev_id)
mask |= CM_CH1_INT_EN;
snd_cmipci_clear_bit(cm, CM_REG_INT_HLDCLR, mask);
snd_cmipci_set_bit(cm, CM_REG_INT_HLDCLR, mask);
+ run_flag0 = cm->channel[0].running;
+ run_flag1 = cm->channel[1].running;
spin_unlock(&cm->reg_lock);
if (cm->rmidi && (status & CM_UARTINT))
snd_mpu401_uart_interrupt(irq, cm->rmidi->private_data);
if (cm->pcm) {
- if ((status & CM_CHINT0) && cm->channel[0].running)
+ if ((status & CM_CHINT0) && run_flag0)
snd_pcm_period_elapsed(cm->channel[0].substream);
- if ((status & CM_CHINT1) && cm->channel[1].running)
+ if ((status & CM_CHINT1) && run_flag1)
snd_pcm_period_elapsed(cm->channel[1].substream);
}
return IRQ_HANDLED;
--
2.17.1
WARNING: multiple messages have this Message-ID (diff)
From: Jia-Ju Bai <baijiaju1990@gmail.com>
To: perex@perex.cz, tiwai@suse.com, rfontana@redhat.com,
tglx@linutronix.de, allison@lohutok.net
Cc: alsa-devel@alsa-project.org, Jia-Ju Bai <baijiaju1990@gmail.com>,
linux-kernel@vger.kernel.org
Subject: [alsa-devel] [PATCH] ALSA: cmipci: Fix possible a data race in snd_cmipci_interrupt()
Date: Sun, 12 Jan 2020 00:30:27 +0800 [thread overview]
Message-ID: <20200111163027.27135-1-baijiaju1990@gmail.com> (raw)
The functions snd_cmipci_interrupt() and snd_cmipci_capture_trigger()
may be concurrently executed.
The function snd_cmipci_capture_trigger() calls
snd_cmipci_pcm_trigger(). In snd_cmipci_pcm_trigger(), the variable
rec->running is written with holding a spinlock cm->reg_lock. But in
snd_cmipci_interrupt(), the identical variable cm->channel[0].running
or cm->channel[1].running is read without holding this spinlock. Thus,
a possible data race may occur.
To fix this data race, in snd_cmipci_interrupt(), the variables
cm->channel[0].running and cm->channel[1].running are read with holding
the spinlock cm->reg_lock.
This data race is found by the runtime testing of our tool DILP-2.
Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
---
sound/pci/cmipci.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/sound/pci/cmipci.c b/sound/pci/cmipci.c
index dd9d62e2b633..f791152ec48f 100644
--- a/sound/pci/cmipci.c
+++ b/sound/pci/cmipci.c
@@ -1430,7 +1430,7 @@ static int snd_cmipci_capture_spdif_hw_free(struct snd_pcm_substream *subs)
static irqreturn_t snd_cmipci_interrupt(int irq, void *dev_id)
{
struct cmipci *cm = dev_id;
- unsigned int status, mask = 0;
+ unsigned int run_flag0, run_flag1, status, mask = 0;
/* fastpath out, to ease interrupt sharing */
status = snd_cmipci_read(cm, CM_REG_INT_STATUS);
@@ -1445,15 +1445,17 @@ static irqreturn_t snd_cmipci_interrupt(int irq, void *dev_id)
mask |= CM_CH1_INT_EN;
snd_cmipci_clear_bit(cm, CM_REG_INT_HLDCLR, mask);
snd_cmipci_set_bit(cm, CM_REG_INT_HLDCLR, mask);
+ run_flag0 = cm->channel[0].running;
+ run_flag1 = cm->channel[1].running;
spin_unlock(&cm->reg_lock);
if (cm->rmidi && (status & CM_UARTINT))
snd_mpu401_uart_interrupt(irq, cm->rmidi->private_data);
if (cm->pcm) {
- if ((status & CM_CHINT0) && cm->channel[0].running)
+ if ((status & CM_CHINT0) && run_flag0)
snd_pcm_period_elapsed(cm->channel[0].substream);
- if ((status & CM_CHINT1) && cm->channel[1].running)
+ if ((status & CM_CHINT1) && run_flag1)
snd_pcm_period_elapsed(cm->channel[1].substream);
}
return IRQ_HANDLED;
--
2.17.1
_______________________________________________
Alsa-devel mailing list
Alsa-devel@alsa-project.org
https://mailman.alsa-project.org/mailman/listinfo/alsa-devel
next reply other threads:[~2020-01-11 16:31 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-01-11 16:30 Jia-Ju Bai [this message]
2020-01-11 16:30 ` [alsa-devel] [PATCH] ALSA: cmipci: Fix possible a data race in snd_cmipci_interrupt() Jia-Ju Bai
2020-01-12 8:20 ` Takashi Iwai
2020-01-12 8:20 ` [alsa-devel] " Takashi Iwai
2020-01-13 8:20 ` Jia-Ju Bai
2020-01-13 8:20 ` [alsa-devel] " Jia-Ju Bai
2020-01-13 8:40 ` Takashi Iwai
2020-01-13 8:40 ` [alsa-devel] " Takashi Iwai
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200111163027.27135-1-baijiaju1990@gmail.com \
--to=baijiaju1990@gmail.com \
--cc=allison@lohutok.net \
--cc=alsa-devel@alsa-project.org \
--cc=linux-kernel@vger.kernel.org \
--cc=perex@perex.cz \
--cc=rfontana@redhat.com \
--cc=tglx@linutronix.de \
--cc=tiwai@suse.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.