From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: "Amadeusz Sławiński" <amadeuszx.slawinski@linux.intel.com>,
	"Cezary Rojewski" <cezary.rojewski@intel.com>,
	"Takashi Iwai" <tiwai@suse.de>, "Sasha Levin" <sashal@kernel.org>,
	perex@perex.cz, tiwai@suse.com, xkernel.wang@foxmail.com,
	alsa-devel@alsa-project.org
Subject: [PATCH AUTOSEL 4.9 07/24] ALSA: jack: Access input_dev under mutex
Date: Mon, 30 May 2022 09:51:54 -0400	[thread overview]
Message-ID: <20220530135211.1937674-7-sashal@kernel.org> (raw)
In-Reply-To: <20220530135211.1937674-1-sashal@kernel.org>

From: Amadeusz Sławiński <amadeuszx.slawinski@linux.intel.com>

[ Upstream commit 1b6a6fc5280e97559287b61eade2d4b363e836f2 ]

It is possible when using ASoC that input_dev is unregistered while
calling snd_jack_report, which causes a NULL pointer dereference.
To prevent this, serialize access to input_dev using a mutex lock.

Signed-off-by: Amadeusz Sławiński <amadeuszx.slawinski@linux.intel.com>
Reviewed-by: Cezary Rojewski <cezary.rojewski@intel.com>
Link: https://lore.kernel.org/r/20220412091628.3056922-1-amadeuszx.slawinski@linux.intel.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 include/sound/jack.h |  1 +
 sound/core/jack.c    | 34 +++++++++++++++++++++++++++-------
 2 files changed, 28 insertions(+), 7 deletions(-)

diff --git a/include/sound/jack.h b/include/sound/jack.h
index 1e84bfb553cf..4742f842b457 100644
--- a/include/sound/jack.h
+++ b/include/sound/jack.h
@@ -77,6 +77,7 @@ struct snd_jack {
 	const char *id;
 #ifdef CONFIG_SND_JACK_INPUT_DEV
 	struct input_dev *input_dev;
+	struct mutex input_dev_lock;
 	int registered;
 	int type;
 	char name[100];
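Review bot: The new `input_dev_lock` field carries no comment saying what it guards; a one-line comment such as `/* serializes access to input_dev */` on the field would record the rule the jack.c hunks follow in disconnect, register, set_parent and report. Because the mutex is embedded in struct snd_jack, it only protects `input_dev` while the jack object itself is still allocated, so callers of snd_jack_report still have to guarantee the jack outlives the call. The struct definition starts before this hunk and continues past it.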
diff --git a/sound/core/jack.c b/sound/core/jack.c
index 36cfe1c54109..d2f9a92453f2 100644
--- a/sound/core/jack.c
+++ b/sound/core/jack.c
@@ -48,8 +48,11 @@ static int snd_jack_dev_disconnect(struct snd_device *device)
 #ifdef CONFIG_SND_JACK_INPUT_DEV
 	struct snd_jack *jack = device->device_data;
 
-	if (!jack->input_dev)
+	mutex_lock(&jack->input_dev_lock);
+	if (!jack->input_dev) {
+		mutex_unlock(&jack->input_dev_lock);
 		return 0;
+	}
 
 	/* If the input device is registered with the input subsystem
 	 * then we need to use a different deallocator. */
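Review bot: The early-return path here repeats the unlock inside the `if` (`mutex_unlock(&jack->input_dev_lock);` then `return 0;`), and the same shape is repeated in snd_jack_dev_register, snd_jack_set_parent and snd_jack_report. A single exit label, `goto out;` with `out: mutex_unlock(&jack->input_dev_lock);`, would leave one unlock per function and make it harder for a later early return to leave the mutex held. The lines between this hunk and the unlock added further down are not shown, so it is worth confirming that no return sits in between.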
@@ -58,6 +61,7 @@ static int snd_jack_dev_disconnect(struct snd_device *device)
 	else
 		input_free_device(jack->input_dev);
 	jack->input_dev = NULL;
+	mutex_unlock(&jack->input_dev_lock);
 #endif /* CONFIG_SND_JACK_INPUT_DEV */
 	return 0;
 }
@@ -96,8 +100,11 @@ static int snd_jack_dev_register(struct snd_device *device)
 	snprintf(jack->name, sizeof(jack->name), "%s %s",
 		 card->shortname, jack->id);
 
-	if (!jack->input_dev)
+	mutex_lock(&jack->input_dev_lock);
+	if (!jack->input_dev) {
+		mutex_unlock(&jack->input_dev_lock);
 		return 0;
+	}
 
 	jack->input_dev->name = jack->name;
 
@@ -122,6 +129,7 @@ static int snd_jack_dev_register(struct snd_device *device)
 	if (err == 0)
 		jack->registered = 1;
 
+	mutex_unlock(&jack->input_dev_lock);
 	return err;
 }
 #endif /* CONFIG_SND_JACK_INPUT_DEV */
@@ -242,9 +250,11 @@ int snd_jack_new(struct snd_card *card, const char *id, int type,
 		return -ENOMEM;
 	}
 
-	/* don't creat input device for phantom jack */
-	if (!phantom_jack) {
 #ifdef CONFIG_SND_JACK_INPUT_DEV
+	mutex_init(&jack->input_dev_lock);
+
+	/* don't create input device for phantom jack */
+	if (!phantom_jack) {
 		int i;
 
 		jack->input_dev = input_allocate_device();
@@ -262,8 +272,8 @@ int snd_jack_new(struct snd_card *card, const char *id, int type,
 				input_set_capability(jack->input_dev, EV_SW,
 						     jack_switch_types[i]);
 
-#endif /* CONFIG_SND_JACK_INPUT_DEV */
 	}
+#endif /* CONFIG_SND_JACK_INPUT_DEV */
 
 	err = snd_device_new(card, SNDRV_DEV_JACK, jack, &ops);
 	if (err < 0)
@@ -303,10 +313,14 @@ EXPORT_SYMBOL(snd_jack_new);
 void snd_jack_set_parent(struct snd_jack *jack, struct device *parent)
 {
 	WARN_ON(jack->registered);
-	if (!jack->input_dev)
+	mutex_lock(&jack->input_dev_lock);
+	if (!jack->input_dev) {
+		mutex_unlock(&jack->input_dev_lock);
 		return;
+	}
 
 	jack->input_dev->dev.parent = parent;
+	mutex_unlock(&jack->input_dev_lock);
 }
 EXPORT_SYMBOL(snd_jack_set_parent);
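Review bot: `WARN_ON(jack->registered)` still reads `registered` before the lock is taken, while snd_jack_dev_register sets `jack->registered = 1` with `input_dev_lock` held. Moving the check below `mutex_lock(&jack->input_dev_lock);` would make the read consistent with that write. The body could then drop the early return as well: `if (jack->input_dev)` guarding `jack->input_dev->dev.parent = parent;`, followed by a single unlock.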
 
@@ -354,6 +368,8 @@ EXPORT_SYMBOL(snd_jack_set_key);
 
 /**
  * snd_jack_report - Report the current status of a jack
+ * Note: This function uses mutexes and should be called from a
+ * context which can sleep (such as a workqueue).
  *
  * @jack:   The jack to report status for
  * @status: The current status of the jack
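Review bot: The added note sits directly under the summary line and above `@jack`/`@status`, where kernel-doc generally folds it into the one-line summary rather than the description. It would be clearer as its own paragraph after the parameter lines, for example `* Context: May sleep; takes jack->input_dev_lock.`. The comment block and the function it documents continue outside this hunk.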
@@ -373,8 +389,11 @@ void snd_jack_report(struct snd_jack *jack, int status)
 					    status & jack_kctl->mask_bits);
 
 #ifdef CONFIG_SND_JACK_INPUT_DEV
-	if (!jack->input_dev)
+	mutex_lock(&jack->input_dev_lock);
+	if (!jack->input_dev) {
+		mutex_unlock(&jack->input_dev_lock);
 		return;
+	}
 
 	for (i = 0; i < ARRAY_SIZE(jack->key); i++) {
 		int testbit = SND_JACK_BTN_0 >> i;
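Review bot: Taking `input_dev_lock` here turns snd_jack_report into a sleeping function, and the only guard against atomic-context callers is the kernel-doc note. The callers are outside this diff, so for the 4.9 backport they would need to be checked for interrupt-handler or spinlock-held call sites. mutex_lock() only flags such callers when CONFIG_SND_JACK_INPUT_DEV is set; a `might_sleep();` at the top of the function would make that check independent of the option. The function body starts before this hunk and continues past it.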
@@ -393,6 +412,7 @@ void snd_jack_report(struct snd_jack *jack, int status)
 	}
 
 	input_sync(jack->input_dev);
+	mutex_unlock(&jack->input_dev_lock);
 #endif /* CONFIG_SND_JACK_INPUT_DEV */
 }
 EXPORT_SYMBOL(snd_jack_report);
-- 
2.35.1

