From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Takashi Iwai <tiwai@suse.de>,
syzbot+2d373c9936c00d7e120c@syzkaller.appspotmail.com,
Sasha Levin <sashal@kernel.org>,
perex@perex.cz, tiwai@suse.com, viro@zeniv.linux.org.uk,
linux-sound@vger.kernel.org
Subject: [PATCH AUTOSEL 6.14 226/642] ALSA: seq: Improve data consistency at polling
Date: Mon, 5 May 2025 18:07:22 -0400 [thread overview]
Message-ID: <20250505221419.2672473-226-sashal@kernel.org> (raw)
In-Reply-To: <20250505221419.2672473-1-sashal@kernel.org>
From: Takashi Iwai <tiwai@suse.de>
[ Upstream commit e3cd33ab17c33bd8f1a9df66ec83a15dd8f7afbb ]
snd_seq_poll() calls snd_seq_write_pool_allocated() that reads out a
field in client->pool object, while it can be updated concurrently via
ioctls, as reported by syzbot. The data race itself is harmless, as
it's merely a poll() call, and the state is volatile. OTOH, the read
out of poll object info from the caller side is fragile, and we can
leave it better in snd_seq_pool_poll_wait() alone.
A similar pattern is seen in snd_seq_kernel_client_write_poll(), too,
which is called from the OSS sequencer.
This patch drops the pool checks from the caller side and add the
pool->lock in snd_seq_pool_poll_wait() for better data consistency.
Reported-by: syzbot+2d373c9936c00d7e120c@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/67c88903.050a0220.15b4b9.0028.GAE@google.com
Link: https://patch.msgid.link/20250307084246.29271-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/core/seq/seq_clientmgr.c | 5 +----
sound/core/seq/seq_memory.c | 1 +
2 files changed, 2 insertions(+), 4 deletions(-)
diff --git a/sound/core/seq/seq_clientmgr.c b/sound/core/seq/seq_clientmgr.c
index 706f53e39b53c..7f03e1ec92355 100644
--- a/sound/core/seq/seq_clientmgr.c
+++ b/sound/core/seq/seq_clientmgr.c
@@ -1150,8 +1150,7 @@ static __poll_t snd_seq_poll(struct file *file, poll_table * wait)
if (snd_seq_file_flags(file) & SNDRV_SEQ_LFLG_OUTPUT) {
/* check if data is available in the pool */
- if (!snd_seq_write_pool_allocated(client) ||
- snd_seq_pool_poll_wait(client->pool, file, wait))
+ if (snd_seq_pool_poll_wait(client->pool, file, wait))
mask |= EPOLLOUT | EPOLLWRNORM;
}
@@ -2586,8 +2585,6 @@ int snd_seq_kernel_client_write_poll(int clientid, struct file *file, poll_table
if (client == NULL)
return -ENXIO;
- if (! snd_seq_write_pool_allocated(client))
- return 1;
if (snd_seq_pool_poll_wait(client->pool, file, wait))
return 1;
return 0;
diff --git a/sound/core/seq/seq_memory.c b/sound/core/seq/seq_memory.c
index 20155e3e87c6a..ccde0ca3d2082 100644
--- a/sound/core/seq/seq_memory.c
+++ b/sound/core/seq/seq_memory.c
@@ -427,6 +427,7 @@ int snd_seq_pool_poll_wait(struct snd_seq_pool *pool, struct file *file,
poll_table *wait)
{
poll_wait(file, &pool->output_sleep, wait);
+ guard(spinlock_irq)(&pool->lock);
return snd_seq_output_ok(pool);
}
--
2.39.5
next prev parent reply other threads:[~2025-05-05 22:23 UTC|newest]
Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20250505221419.2672473-1-sashal@kernel.org>
2025-05-05 22:04 ` [PATCH AUTOSEL 6.14 036/642] ASoC: codecs: wsa884x: Correct VI sense channel mask Sasha Levin
2025-05-05 22:04 ` [PATCH AUTOSEL 6.14 037/642] ASoC: codecs: wsa883x: " Sasha Levin
2025-05-05 22:05 ` [PATCH AUTOSEL 6.14 136/642] ASoC: sma1307: Add NULL check in sma1307_setting_loaded() Sasha Levin
2025-05-05 22:05 ` [PATCH AUTOSEL 6.14 137/642] ASoC: pcm6240: Drop bogus code handling IRQ as GPIO Sasha Levin
2025-05-05 22:05 ` [PATCH AUTOSEL 6.14 138/642] ASoC: mediatek: mt6359: Add stub for mt6359_accdet_enable_jack_detect Sasha Levin
2025-05-05 22:06 ` [PATCH AUTOSEL 6.14 153/642] ASoC: sun4i-codec: support hp-det-gpios property Sasha Levin
2025-05-05 22:06 ` [PATCH AUTOSEL 6.14 154/642] ASoC: sun4i-codec: correct dapm widgets and controls for h616 Sasha Levin
2025-05-05 22:06 ` [PATCH AUTOSEL 6.14 201/642] ASoC: qcom: sm8250: explicitly set format in sm8250_be_hw_params_fixup() Sasha Levin
2025-05-05 22:07 ` Sasha Levin [this message]
2025-05-05 22:08 ` [PATCH AUTOSEL 6.14 271/642] ALSA: hda/realtek: Enable PC beep passthrough for HP EliteBook 855 G7 Sasha Levin
2025-05-05 22:09 ` [PATCH AUTOSEL 6.14 327/642] ASoC: mediatek: mt8188: Treat DMIC_GAINx_CUR as non-volatile Sasha Levin
2025-05-05 22:09 ` [PATCH AUTOSEL 6.14 328/642] ASoC: mediatek: mt8188: Add reference for dmic clocks Sasha Levin
2025-05-05 22:10 ` [PATCH AUTOSEL 6.14 414/642] ASoC: ops: Enforce platform maximum on initial value Sasha Levin
2025-05-05 22:10 ` [PATCH AUTOSEL 6.14 415/642] ASoC: tas2764: Add reg defaults for TAS2764_INT_CLK_CFG Sasha Levin
2025-05-05 22:10 ` [PATCH AUTOSEL 6.14 416/642] ASoC: tas2764: Mark SW_RESET as volatile Sasha Levin
2025-05-05 22:10 ` [PATCH AUTOSEL 6.14 417/642] ASoC: tas2764: Power up/down amp on mute ops Sasha Levin
2025-05-05 22:10 ` [PATCH AUTOSEL 6.14 418/642] ASoC: soc-dai: check return value at snd_soc_dai_set_tdm_slot() Sasha Levin
2025-05-05 22:11 ` [PATCH AUTOSEL 6.14 453/642] soundwire: amd: change the soundwire wake enable/disable sequence Sasha Levin
2025-05-05 22:11 ` [PATCH AUTOSEL 6.14 454/642] soundwire: cadence_master: set frame shape and divider based on actual clk freq Sasha Levin
2025-05-05 22:13 ` [PATCH AUTOSEL 6.14 572/642] ASoC: codecs: pcm3168a: Allow for 24-bit in provider mode Sasha Levin
2025-05-05 22:13 ` [PATCH AUTOSEL 6.14 573/642] ASoC: soc-core: Stop using of_property_read_bool() for non-boolean properties Sasha Levin
2025-05-05 22:13 ` [PATCH AUTOSEL 6.14 574/642] ASoC: rt722-sdca: Add some missing readable registers Sasha Levin
2025-05-05 22:13 ` [PATCH AUTOSEL 6.14 591/642] ASoC: cpcap: Implement .set_bias_level Sasha Levin
2025-05-05 22:46 ` Mark Brown
2025-05-05 22:13 ` [PATCH AUTOSEL 6.14 601/642] ASoC: hdmi-codec: allow to refine formats actually supported Sasha Levin
2025-05-05 22:47 ` Mark Brown
2025-05-20 14:08 ` Sasha Levin
2025-05-05 22:13 ` [PATCH AUTOSEL 6.14 623/642] ASoC: sma1307: Fix error handling in sma1307_setting_loaded() Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250505221419.2672473-226-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-sound@vger.kernel.org \
--cc=perex@perex.cz \
--cc=stable@vger.kernel.org \
--cc=syzbot+2d373c9936c00d7e120c@syzkaller.appspotmail.com \
--cc=tiwai@suse.com \
--cc=tiwai@suse.de \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox