All of lore.kernel.org
 help / color / mirror / Atom feed
From: Omer Cohen <nevergfx1@gmail.com>
To: tiwai@suse.de, broonie@kernel.org
Cc: alsa-devel@alsa-project.org, security@kernel.org,
	Omer Cohen <nevergfx1@gmail.com>
Subject: [PATCH 0/6] ALSA: sound/core: fix multiple data races and bugs
Date: Fri, 26 Jun 2026 16:47:03 +0300	[thread overview]
Message-ID: <20260626134709.27883-1-nevergfx1@gmail.com> (raw)

To: Takashi Iwai <tiwai@suse.de>, Mark Brown <broonie@kernel.org>
Cc: alsa-devel@alsa-project.org
Cc: security@kernel.org

Hi Takashi, Mark,

This is my first patch series to the Linux kernel.  I am CCing the
security team as recommended by the docs for initial reports.

This series fixes 6 bugs found via code review and KCSAN dynamic
analysis in the ALSA sound/core subsystem.  All patches are against
current HEAD (4edcdefd4083).

Patch 1 is confirmed with KCSAN.  The remaining patches address bugs
found during analysis of the same code paths.

This work was AI-assisted.  Per the kernel documentation on reporting
security bugs, it is sent to the public mailing list.  All
reproducers have been tested on arm64 QEMU.

Summary:

  [1/6] ALSA: compress: remove illegal state mutation in poll()
    snd_compr_poll() writes runtime->state = SETUP when it sees
    DRAINING.  This races with snd_compress_wait_for_drain() which
    reads runtime->state concurrently.  KCSAN confirms:

      BUG: KCSAN: data-race in snd_compr_poll / snd_compress_wait_for_drain

      write to 0xffff0000c75c8200 of 4 bytes by task 282 on cpu 3:
       snd_compr_poll+0x29c/0x2c8
       do_sys_poll+0x2b0/0x628

      read to 0xffff0000c75c8200 of 4 bytes by task 279 on cpu 1:
       snd_compress_wait_for_drain+0xa4/0x270
       snd_compr_ioctl+0x1ba0/0x1bc8

      value changed: 0x00000005 -> 0x00000001

    poll() is a query operation and must not mutate state.  The
    DRAINING->SETUP transition is already handled by drivers via
    snd_compr_drain_notify().

  [2/6] ALSA: compress: fix buffer leak on set_params driver failure
    If ops->set_params() fails after buffer allocation, the buffer
    leaks on retry because runtime->buffer was already overwritten.

  [3/6] ALSA: timer: fix lockless tu->tread read in read()
    snd_timer_user_read() reads tu->tread without ioctl_lock to
    determine entry size, then re-reads it under lock for the copy
    format.  A concurrent TREAD ioctl can change the format between
    reads, causing a size/format mismatch.

  [4/6] ALSA: timer: copy queue entries under lock before copy_to_user
    After dequeuing under qlock, read() drops the lock and calls
    copy_to_user() directly from the queue slot.  Timer callbacks
    can overwrite that slot via queue wraparound during the copy.
    Same bug class as CVE-2017-1000380.

  [5/6] ALSA: pcm: use locked state read in snd_pcm_drop()
    snd_pcm_drop() reads runtime->state without the stream lock.
    Commit 7bc02ab446d3 fixed this pattern in read/write paths
    but missed drop().

  [6/6] ALSA: rawmidi: propagate resize_runtime_buffer() error
    snd_rawmidi_input_params() ignores the return value from
    resize_runtime_buffer() and unconditionally returns 0.

KCSAN reproducer for patch 1:

  The race is triggered by concurrent poll() and DRAIN ioctl on a
  compress offload stream.  A minimal reproducer uses four threads:

    Thread 1: DRAIN ioctl loop
    Thread 2: PARTIAL_DRAIN ioctl loop
    Thread 3: STOP ioctl loop (random delay)
    Thread 4: poll() loop

  The main thread repeatedly sets up and starts the stream.  With
  CONFIG_KCSAN=y and CONFIG_KCSAN_STRICT=y, the race is flagged
  within ~2000 iterations.

  Any compress offload driver (hardware or virtual) exposes the
  race since the bug is in the framework, not driver code.

  Tested on arm64 QEMU, kernel 7.1.0-rc7+ (4edcdefd4083).

Thanks,
Omer

             reply	other threads:[~2026-06-30 11:55 UTC|newest]

Thread overview: 9+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-06-26 13:47 Omer Cohen [this message]
2026-06-26 13:47 ` [PATCH 1/6] ALSA: compress: remove illegal state mutation in poll() Omer Cohen
2026-06-26 13:47 ` [PATCH 2/6] ALSA: compress: fix buffer leak on set_params driver failure Omer Cohen
2026-06-26 13:47 ` [PATCH 3/6] ALSA: timer: fix lockless tu->tread read in snd_timer_user_read() Omer Cohen
2026-06-26 13:47 ` [PATCH 4/6] ALSA: timer: copy queue entries to local buffer before copy_to_user Omer Cohen
2026-06-26 13:47 ` [PATCH 5/6] ALSA: pcm: use locked state read in snd_pcm_drop() Omer Cohen
2026-06-26 13:47 ` [PATCH 6/6] ALSA: rawmidi: propagate resize_runtime_buffer() error in input_params Omer Cohen
2026-07-02  7:30 ` [PATCH 0/6] ALSA: sound/core: fix multiple data races and bugs Takashi Iwai
2026-07-02  7:41   ` Omer Cohen

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260626134709.27883-1-nevergfx1@gmail.com \
    --to=nevergfx1@gmail.com \
    --cc=alsa-devel@alsa-project.org \
    --cc=broonie@kernel.org \
    --cc=security@kernel.org \
    --cc=tiwai@suse.de \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.