From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Takashi Iwai <tiwai@suse.de>, Sasha Levin <sashal@kernel.org>,
alsa-devel@alsa-project.org
Subject: [PATCH AUTOSEL 5.4 102/266] ALSA: usb-audio: Fix racy list management in output queue
Date: Wed, 17 Jun 2020 21:13:47 -0400 [thread overview]
Message-ID: <20200618011631.604574-102-sashal@kernel.org> (raw)
In-Reply-To: <20200618011631.604574-1-sashal@kernel.org>
From: Takashi Iwai <tiwai@suse.de>
[ Upstream commit 5b6cc38f3f3f37109ce72b60bda215a5f6892c0b ]
The linked list entry from FIFO is peeked at
queue_pending_output_urbs() but the actual element pop-out is
performed outside the spinlock, and it's potentially racy.
Do delete the link at the right place inside the spinlock.
Fixes: 8fdff6a319e7 ("ALSA: snd-usb: implement new endpoint streaming model")
Link: https://lore.kernel.org/r/20200424074016.14301-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/usb/endpoint.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/sound/usb/endpoint.c b/sound/usb/endpoint.c
index d8dc7cb56d43..50104f658ed4 100644
--- a/sound/usb/endpoint.c
+++ b/sound/usb/endpoint.c
@@ -346,17 +346,17 @@ static void queue_pending_output_urbs(struct snd_usb_endpoint *ep)
ep->next_packet_read_pos %= MAX_URBS;
/* take URB out of FIFO */
- if (!list_empty(&ep->ready_playback_urbs))
+ if (!list_empty(&ep->ready_playback_urbs)) {
ctx = list_first_entry(&ep->ready_playback_urbs,
struct snd_urb_ctx, ready_list);
+ list_del_init(&ctx->ready_list);
+ }
}
spin_unlock_irqrestore(&ep->lock, flags);
if (ctx == NULL)
return;
- list_del_init(&ctx->ready_list);
-
/* copy over the length information */
for (i = 0; i < packet->packets; i++)
ctx->packet_size[i] = packet->packet_size[i];
--
2.25.1
next prev parent reply other threads:[~2020-06-18 1:38 UTC|newest]
Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20200618011631.604574-1-sashal@kernel.org>
2020-06-18 1:12 ` [PATCH AUTOSEL 5.4 003/266] ASoC: tegra: tegra_wm8903: Support nvidia, headset property Sasha Levin
2020-06-18 1:12 ` [PATCH AUTOSEL 5.4 005/266] ASoC: SOF: imx8: Fix randbuild error Sasha Levin
2020-06-18 1:12 ` [PATCH AUTOSEL 5.4 010/266] ASoC: fsl_esai: Disable exception interrupt before scheduling tasklet Sasha Levin
2020-06-18 1:12 ` [PATCH AUTOSEL 5.4 013/266] ASoC: davinci-mcasp: Fix dma_chan refcnt leak when getting dma type Sasha Levin
2020-06-18 1:12 ` [PATCH AUTOSEL 5.4 019/266] ALSA: hda/realtek - Introduce polarity for micmute LED GPIO Sasha Levin
2020-06-18 1:12 ` [PATCH AUTOSEL 5.4 020/266] ALSA: isa/wavefront: prevent out of bounds write in ioctl Sasha Levin
2020-06-18 1:12 ` [PATCH AUTOSEL 5.4 041/266] ASoC: SOF: Do nothing when DSP PM callbacks are not set Sasha Levin
2020-06-18 1:13 ` [PATCH AUTOSEL 5.4 067/266] ASoC: qcom: q6asm-dai: kCFI fix Sasha Levin
2020-06-18 1:13 ` [PATCH AUTOSEL 5.4 079/266] ASoC: meson: add missing free_irq() in error path Sasha Levin
2020-06-18 1:13 ` [PATCH AUTOSEL 5.4 101/266] ALSA: usb-audio: Improve frames size computation Sasha Levin
2020-06-18 1:13 ` Sasha Levin [this message]
2020-06-18 1:13 ` [PATCH AUTOSEL 5.4 106/266] slimbus: ngd: get drvdata from correct device Sasha Levin
2020-06-18 1:13 ` [PATCH AUTOSEL 5.4 113/266] ASoC: max98373: reorder max98373_reset() in resume Sasha Levin
2020-06-18 1:13 ` [PATCH AUTOSEL 5.4 114/266] soundwire: slave: don't init debugfs on device registration error Sasha Levin
2020-06-18 1:14 ` [PATCH AUTOSEL 5.4 127/266] ALSA: firewire-lib: fix invalid assignment to union data for directional parameter Sasha Levin
2020-06-18 1:14 ` [PATCH AUTOSEL 5.4 130/266] ASoC: SOF: core: fix error return code in sof_probe_continue() Sasha Levin
2020-06-18 1:14 ` [PATCH AUTOSEL 5.4 134/266] SoC: rsnd: add interrupt support for SSI BUSIF buffer Sasha Levin
2020-06-18 1:14 ` [PATCH AUTOSEL 5.4 135/266] ASoC: ux500: mop500: Fix some refcounted resources issues Sasha Levin
2020-06-18 1:14 ` [PATCH AUTOSEL 5.4 136/266] ASoC: ti: omap-mcbsp: Fix an error handling path in 'asoc_mcbsp_probe()' Sasha Levin
2020-06-18 1:14 ` [PATCH AUTOSEL 5.4 145/266] ALSA: usb-audio: Add duplex sound support for USB devices using implicit feedback Sasha Levin
2020-06-18 1:14 ` [PATCH AUTOSEL 5.4 157/266] ASoC: Intel: bytcr_rt5640: Add quirk for Toshiba Encore WT8-A tablet Sasha Levin
2020-06-18 1:15 ` [PATCH AUTOSEL 5.4 190/266] ASoC: fix incomplete error-handling in img_i2s_in_probe Sasha Levin
2020-06-18 1:15 ` [PATCH AUTOSEL 5.4 209/266] ASoC: fsl_asrc_dma: Fix dma_chan leak when config DMA channel failed Sasha Levin
2020-06-18 1:16 ` [PATCH AUTOSEL 5.4 250/266] ASoC: core: only convert non DPCM link to DPCM link Sasha Levin
2020-06-18 1:16 ` [PATCH AUTOSEL 5.4 251/266] ASoC: SOF: nocodec: conditionally set dpcm_capture/dpcm_playback flags Sasha Levin
2020-06-18 1:16 ` [PATCH AUTOSEL 5.4 252/266] ASoC: Intel: bytcr_rt5640: Add quirk for Toshiba Encore WT10-A tablet Sasha Levin
2020-06-18 1:16 ` [PATCH AUTOSEL 5.4 253/266] ASoC: rt5645: Add platform-data for Asus T101HA Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200618011631.604574-102-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=alsa-devel@alsa-project.org \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=tiwai@suse.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox