Alsa-Devel Archive on lore.kernel.org
 help / color / Atom feed
* [PATCH] ALSA: hda/hdmi: fix incorrect locking in hdmi_pcm_close
@ 2020-10-13 15:26 Kai Vehmanen
  2020-10-13 16:34 ` Takashi Iwai
  0 siblings, 1 reply; 2+ messages in thread
From: Kai Vehmanen @ 2020-10-13 15:26 UTC (permalink / raw)
  To: alsa-devel, tiwai; +Cc: Kai Vehmanen

A race exists between closing a PCM and update of ELD data. In
hdmi_pcm_close(), hinfo->nid value is modified without taking
spec->pcm_lock. If this happens concurrently while processing an ELD
update in hdmi_pcm_setup_pin(), converter assignment may be done
incorrectly.

This bug was found by hitting a WARN_ON in snd_hda_spdif_ctls_assign()
in a HDMI receiver connection stress test:

[2739.684569] WARNING: CPU: 5 PID: 2090 at sound/pci/hda/patch_hdmi.c:1898 check_non_pcm_per_cvt+0x41/0x50 [snd_hda_codec_hdmi]
...
[2739.684707] Call Trace:
[2739.684720]  update_eld+0x121/0x5a0 [snd_hda_codec_hdmi]
[2739.684736]  hdmi_present_sense+0x21e/0x3b0 [snd_hda_codec_hdmi]
[2739.684750]  check_presence_and_report+0x81/0xd0 [snd_hda_codec_hdmi]
[2739.684842]  intel_audio_codec_enable+0x122/0x190 [i915]

Fixes: 42b2987079ec ("ALSA: hda - hdmi playback without monitor in dynamic pcm bind mode")
Signed-off-by: Kai Vehmanen <kai.vehmanen@linux.intel.com>
---
 sound/pci/hda/patch_hdmi.c | 20 ++++++++++++--------
 1 file changed, 12 insertions(+), 8 deletions(-)

diff --git a/sound/pci/hda/patch_hdmi.c b/sound/pci/hda/patch_hdmi.c
index 0ffbfcb91256..ccd1df059654 100644
--- a/sound/pci/hda/patch_hdmi.c
+++ b/sound/pci/hda/patch_hdmi.c
@@ -2046,22 +2046,25 @@ static int hdmi_pcm_close(struct hda_pcm_stream *hinfo,
 	int pinctl;
 	int err = 0;
 
+	mutex_lock(&spec->pcm_lock);
 	if (hinfo->nid) {
 		pcm_idx = hinfo_to_pcm_index(codec, hinfo);
-		if (snd_BUG_ON(pcm_idx < 0))
-			return -EINVAL;
+		if (snd_BUG_ON(pcm_idx < 0)) {
+			err = -EINVAL;
+			goto unlock;
+		}
 		cvt_idx = cvt_nid_to_cvt_index(codec, hinfo->nid);
-		if (snd_BUG_ON(cvt_idx < 0))
-			return -EINVAL;
+		if (snd_BUG_ON(cvt_idx < 0)) {
+			err = -EINVAL;
+			goto unlock;
+		}
 		per_cvt = get_cvt(spec, cvt_idx);
-
 		snd_BUG_ON(!per_cvt->assigned);
 		per_cvt->assigned = 0;
 		hinfo->nid = 0;
 
 		azx_stream(get_azx_dev(substream))->stripe = 0;
 
-		mutex_lock(&spec->pcm_lock);
 		snd_hda_spdif_ctls_unassign(codec, pcm_idx);
 		clear_bit(pcm_idx, &spec->pcm_in_use);
 		pin_idx = hinfo_to_pin_index(codec, hinfo);
@@ -2091,10 +2094,11 @@ static int hdmi_pcm_close(struct hda_pcm_stream *hinfo,
 		per_pin->setup = false;
 		per_pin->channels = 0;
 		mutex_unlock(&per_pin->lock);
-	unlock:
-		mutex_unlock(&spec->pcm_lock);
 	}
 
+unlock:
+	mutex_unlock(&spec->pcm_lock);
+
 	return err;
 }
 
-- 
2.28.0


^ permalink raw reply	[flat|nested] 2+ messages in thread

* Re: [PATCH] ALSA: hda/hdmi: fix incorrect locking in hdmi_pcm_close
  2020-10-13 15:26 [PATCH] ALSA: hda/hdmi: fix incorrect locking in hdmi_pcm_close Kai Vehmanen
@ 2020-10-13 16:34 ` Takashi Iwai
  0 siblings, 0 replies; 2+ messages in thread
From: Takashi Iwai @ 2020-10-13 16:34 UTC (permalink / raw)
  To: Kai Vehmanen; +Cc: alsa-devel

On Tue, 13 Oct 2020 17:26:28 +0200,
Kai Vehmanen wrote:
> 
> A race exists between closing a PCM and update of ELD data. In
> hdmi_pcm_close(), hinfo->nid value is modified without taking
> spec->pcm_lock. If this happens concurrently while processing an ELD
> update in hdmi_pcm_setup_pin(), converter assignment may be done
> incorrectly.
> 
> This bug was found by hitting a WARN_ON in snd_hda_spdif_ctls_assign()
> in a HDMI receiver connection stress test:
> 
> [2739.684569] WARNING: CPU: 5 PID: 2090 at sound/pci/hda/patch_hdmi.c:1898 check_non_pcm_per_cvt+0x41/0x50 [snd_hda_codec_hdmi]
> ...
> [2739.684707] Call Trace:
> [2739.684720]  update_eld+0x121/0x5a0 [snd_hda_codec_hdmi]
> [2739.684736]  hdmi_present_sense+0x21e/0x3b0 [snd_hda_codec_hdmi]
> [2739.684750]  check_presence_and_report+0x81/0xd0 [snd_hda_codec_hdmi]
> [2739.684842]  intel_audio_codec_enable+0x122/0x190 [i915]
> 
> Fixes: 42b2987079ec ("ALSA: hda - hdmi playback without monitor in dynamic pcm bind mode")
> Signed-off-by: Kai Vehmanen <kai.vehmanen@linux.intel.com>

Applied now.  Thanks.


Takashi

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, back to index

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-10-13 15:26 [PATCH] ALSA: hda/hdmi: fix incorrect locking in hdmi_pcm_close Kai Vehmanen
2020-10-13 16:34 ` Takashi Iwai

Alsa-Devel Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/alsa-devel/0 alsa-devel/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 alsa-devel alsa-devel/ https://lore.kernel.org/alsa-devel \
		alsa-devel@alsa-project.org
	public-inbox-index alsa-devel

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.alsa-project.alsa-devel


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git