ALSA: pcm: oss: Fix data race at accessing runtime.oss.trigger

Currently the runtime.oss.trigger field may be accessed concurrently
without protection, which may lead to the data race.  And, in this
case, it may lead to more severe problem because it's a bit field; as
writing the data, it may overwrite other bit fields as well, which
confuses the operation completely, as spotted by fuzzing.

Fix it by also covering the runtime.oss.trigger bit field with the existing
params_lock mutex in both snd_pcm_oss_get_trigger() and
snd_pcm_oss_poll().

Reported-and-tested-by: Jaeyoung Chung <jjy600901@snu.ac.kr>
Closes: https://lore.kernel.org/20260423145330.210035-1-jjy600901@snu.ac.kr
Cc: <stable@vger.kernel.org>
Link: https://patch.msgid.link/20260424112205.123703-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Takashi Iwai
2026-04-24 13:21:55 +02:00
parent 0faacc0841
commit 901ac0ff15


@@ -2155,10 +2155,16 @@ static int snd_pcm_oss_get_trigger(struct snd_pcm_oss_file *pcm_oss_file)
psubstream = pcm_oss_file->streams[SNDRV_PCM_STREAM_PLAYBACK];
csubstream = pcm_oss_file->streams[SNDRV_PCM_STREAM_CAPTURE];
if (psubstream && psubstream->runtime && psubstream->runtime->oss.trigger)
result |= PCM_ENABLE_OUTPUT;
if (csubstream && csubstream->runtime && csubstream->runtime->oss.trigger)
result |= PCM_ENABLE_INPUT;
if (psubstream && psubstream->runtime) {
guard(mutex)(&psubstream->runtime->oss.params_lock);
if (psubstream->runtime->oss.trigger)
result |= PCM_ENABLE_OUTPUT;
}
if (csubstream && csubstream->runtime) {
guard(mutex)(&csubstream->runtime->oss.params_lock);
if (csubstream->runtime->oss.trigger)
result |= PCM_ENABLE_INPUT;
}
return result;
}
@@ -2832,6 +2838,17 @@ static int snd_pcm_oss_capture_ready(struct snd_pcm_substream *substream)
runtime->oss.period_frames;
}
static bool need_input_retrigger(struct snd_pcm_runtime *runtime)
{
bool ret;
guard(mutex)(&runtime->oss.params_lock);
ret = runtime->oss.trigger;
if (ret)
runtime->oss.trigger = 0;
return ret;
}
static __poll_t snd_pcm_oss_poll(struct file *file, poll_table * wait)
{
struct snd_pcm_oss_file *pcm_oss_file;
@@ -2864,11 +2881,11 @@ static __poll_t snd_pcm_oss_poll(struct file *file, poll_table * wait)
snd_pcm_oss_capture_ready(csubstream))
mask |= EPOLLIN | EPOLLRDNORM;
}
if (ostate != SNDRV_PCM_STATE_RUNNING && runtime->oss.trigger) {
if (ostate != SNDRV_PCM_STATE_RUNNING &&
need_input_retrigger(runtime)) {
struct snd_pcm_oss_file ofile;
memset(&ofile, 0, sizeof(ofile));
ofile.streams[SNDRV_PCM_STREAM_CAPTURE] = pcm_oss_file->streams[SNDRV_PCM_STREAM_CAPTURE];
runtime->oss.trigger = 0;
snd_pcm_oss_set_trigger(&ofile, PCM_ENABLE_INPUT);
}
}
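Review bot: Taking params_lock around the reads of oss.trigger in snd_pcm_oss_get_trigger() and need_input_retrigger() only closes the bit-field clobbering the description reports if every writer of oss.trigger and of its sibling bit fields in the same storage unit also holds params_lock; the struct definition and the other writers are outside this diff, so that remains to be confirmed with a grep. I would record the invariant at the new helper: `/* oss.trigger shares a storage unit with the other oss bit fields; every write to it, or to them, must be done under params_lock */`. In snd_pcm_oss_poll() the flag is cleared inside need_input_retrigger() and the lock is released before snd_pcm_oss_set_trigger() is called (presumably because set_trigger acquires params_lock itself), so a concurrent SNDCTL_DSP_GETTRIGGER can briefly observe input disabled between the clear and the re-enable; that window is not new, but a one-line comment on the retrigger branch saying why the lock is not held across the call would stop a later reader from "fixing" it into a self-deadlock. snd_pcm_oss_poll()'s body starts and ends outside the hunk.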