From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Alan Stern <stern@rowland.harvard.edu>,
Takashi Iwai <tiwai@suse.de>
Subject: [PATCH 3.14 57/59] ALSA: usb-audio: Fix races at disconnection and PCM closing
Date: Fri, 4 Jul 2014 15:19:46 -0700 [thread overview]
Message-ID: <20140704221542.239710678@linuxfoundation.org> (raw)
In-Reply-To: <20140704221539.544876024@linuxfoundation.org>
3.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Takashi Iwai <tiwai@suse.de>
commit 92a586bdc06de6629dae1b357dac221253f55ff8 upstream.
When a USB-audio device is disconnected while PCM is still running, we
still see some race: the disconnect callback calls
snd_usb_endpoint_free() that calls release_urbs() and then kfree()
while a PCM stream would be closed at the same time and calls
stop_endpoints() that leads to wait_clear_urbs(). That is, the EP
object might be deallocated while a PCM stream is syncing with
wait_clear_urbs() with the same EP.
Basically calling multiple wait_clear_urbs() would work fine, also
calling wait_clear_urbs() and release_urbs() would work, too, as
wait_clear_urbs() just reads some fields in ep. The problem is the
succeeding kfree() in snd_pcm_endpoint_free().
This patch moves out the EP deallocation into the later point, the
destructor callback. At this stage, all PCMs must have been already
closed, so it's safe to free the objects.
Reported-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/usb/card.c | 13 ++++++++++---
sound/usb/endpoint.c | 17 ++++++++++++++---
sound/usb/endpoint.h | 1 +
3 files changed, 25 insertions(+), 6 deletions(-)
--- a/sound/usb/card.c
+++ b/sound/usb/card.c
@@ -304,6 +304,11 @@ static int snd_usb_create_streams(struct
static int snd_usb_audio_free(struct snd_usb_audio *chip)
{
+ struct list_head *p, *n;
+
+ list_for_each_safe(p, n, &chip->ep_list)
+ snd_usb_endpoint_free(p);
+
mutex_destroy(&chip->mutex);
kfree(chip);
return 0;
@@ -580,7 +585,7 @@ static void snd_usb_audio_disconnect(str
struct snd_usb_audio *chip)
{
struct snd_card *card;
- struct list_head *p, *n;
+ struct list_head *p;
if (chip == (void *)-1L)
return;
@@ -593,14 +598,16 @@ static void snd_usb_audio_disconnect(str
mutex_lock(®ister_mutex);
chip->num_interfaces--;
if (chip->num_interfaces <= 0) {
+ struct snd_usb_endpoint *ep;
+
snd_card_disconnect(card);
/* release the pcm resources */
list_for_each(p, &chip->pcm_list) {
snd_usb_stream_disconnect(p);
}
/* release the endpoint resources */
- list_for_each_safe(p, n, &chip->ep_list) {
- snd_usb_endpoint_free(p);
+ list_for_each_entry(ep, &chip->ep_list, list) {
+ snd_usb_endpoint_release(ep);
}
/* release the midi resources */
list_for_each(p, &chip->midi_list) {
--- a/sound/usb/endpoint.c
+++ b/sound/usb/endpoint.c
@@ -981,19 +981,30 @@ void snd_usb_endpoint_deactivate(struct
}
/**
+ * snd_usb_endpoint_release: Tear down an snd_usb_endpoint
+ *
+ * @ep: the endpoint to release
+ *
+ * This function does not care for the endpoint's use count but will tear
+ * down all the streaming URBs immediately.
+ */
+void snd_usb_endpoint_release(struct snd_usb_endpoint *ep)
+{
+ release_urbs(ep, 1);
+}
+
+/**
* snd_usb_endpoint_free: Free the resources of an snd_usb_endpoint
*
* @ep: the list header of the endpoint to free
*
- * This function does not care for the endpoint's use count but will tear
- * down all the streaming URBs immediately and free all resources.
+ * This free all resources of the given ep.
*/
void snd_usb_endpoint_free(struct list_head *head)
{
struct snd_usb_endpoint *ep;
ep = list_entry(head, struct snd_usb_endpoint, list);
- release_urbs(ep, 1);
kfree(ep);
}
--- a/sound/usb/endpoint.h
+++ b/sound/usb/endpoint.h
@@ -23,6 +23,7 @@ void snd_usb_endpoint_stop(struct snd_us
void snd_usb_endpoint_sync_pending_stop(struct snd_usb_endpoint *ep);
int snd_usb_endpoint_activate(struct snd_usb_endpoint *ep);
void snd_usb_endpoint_deactivate(struct snd_usb_endpoint *ep);
+void snd_usb_endpoint_release(struct snd_usb_endpoint *ep);
void snd_usb_endpoint_free(struct list_head *head);
int snd_usb_endpoint_implicit_feedback_sink(struct snd_usb_endpoint *ep);
next prev parent reply other threads:[~2014-07-04 22:19 UTC|newest]
Thread overview: 71+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-07-04 22:18 [PATCH 3.14 00/59] 3.14.11-stable review Greg Kroah-Hartman
2014-07-04 22:18 ` [PATCH 3.14 01/59] ARM: dts: disable MDMA1 node for exynos5420 Greg Kroah-Hartman
2014-07-04 22:18 ` [PATCH 3.14 02/59] target: Fix left-over se_lun->lun_sep pointer OOPs Greg Kroah-Hartman
2014-07-04 22:18 ` [PATCH 3.14 03/59] iscsi-target: Avoid rejecting incorrect ITT for Data-Out Greg Kroah-Hartman
2014-07-04 22:18 ` [PATCH 3.14 04/59] iscsi-target: Explicily clear login response PDU in exception path Greg Kroah-Hartman
2014-07-04 22:18 ` [PATCH 3.14 05/59] iscsi-target: fix iscsit_del_np deadlock on unload Greg Kroah-Hartman
2014-07-04 22:18 ` [PATCH 3.14 06/59] Input: synaptics - fix resolution for manually provided min/max Greg Kroah-Hartman
2014-07-04 22:18 ` [PATCH 3.14 07/59] Input: elantech - deal with clickpads reporting right button events Greg Kroah-Hartman
2014-07-04 22:18 ` [PATCH 3.14 08/59] Input: elantech - dont set bit 1 of reg_10 when the no_hw_res quirk is set Greg Kroah-Hartman
2014-07-04 22:18 ` [PATCH 3.14 09/59] PCI: Add new ID for Intel GPU "spurious interrupt" quirk Greg Kroah-Hartman
2014-07-04 22:18 ` [PATCH 3.14 10/59] PCI: Fix incorrect vgaarb conditional in WARN_ON() Greg Kroah-Hartman
2014-07-04 22:19 ` [PATCH 3.14 11/59] mtip32xx: Fix ERO and NoSnoop values in PCIe upstream on AMD systems Greg Kroah-Hartman
2014-07-04 22:19 ` [PATCH 3.14 12/59] mtip32xx: Increase timeout for STANDBY IMMEDIATE command Greg Kroah-Hartman
2014-07-04 22:19 ` [PATCH 3.14 13/59] mtip32xx: Remove dfs_parent after pci unregister Greg Kroah-Hartman
2014-07-04 22:19 ` [PATCH 3.14 14/59] recordmcount/MIPS: Fix possible incorrect mcount_loc table entries in modules Greg Kroah-Hartman
2014-07-04 22:19 ` [PATCH 3.14 15/59] MIPS: MSC: Prevent out-of-bounds writes to MIPS SC ioremapd region Greg Kroah-Hartman
2014-07-04 22:19 ` [PATCH 3.14 16/59] UBIFS: fix an mmap and fsync race condition Greg Kroah-Hartman
2014-07-04 22:19 ` [PATCH 3.14 17/59] UBIFS: Remove incorrect assertion in shrink_tnc() Greg Kroah-Hartman
2014-07-04 22:19 ` [PATCH 3.14 18/59] watchdog: sp805: Set watchdog_device->timeout from ->set_timeout() Greg Kroah-Hartman
2014-07-04 22:19 ` [PATCH 3.14 19/59] watchdog: ath79_wdt: avoid spurious restarts on AR934x Greg Kroah-Hartman
2014-07-04 22:19 ` [PATCH 3.14 20/59] watchdog: kempld-wdt: Use the correct value when configuring the prescaler with the watchdog Greg Kroah-Hartman
2014-07-04 22:19 ` [PATCH 3.14 21/59] kernel/watchdog.c: remove preemption restrictions when restarting lockup detector Greg Kroah-Hartman
2014-07-04 22:19 ` [PATCH 3.14 22/59] IB/mlx5: add missing padding at end of struct mlx5_ib_create_cq Greg Kroah-Hartman
2014-07-04 22:19 ` [PATCH 3.14 23/59] IB/mlx5: add missing padding at end of struct mlx5_ib_create_srq Greg Kroah-Hartman
2014-07-04 22:19 ` [PATCH 3.14 24/59] IB/qib: Fix port in pkey change event Greg Kroah-Hartman
2014-07-04 22:19 ` [PATCH 3.14 25/59] IB/ipath: Translate legacy diagpkt into newer extended diagpkt Greg Kroah-Hartman
2014-07-04 22:19 ` [PATCH 3.14 26/59] IB/srp: Fix a sporadic crash triggered by cable pulling Greg Kroah-Hartman
2014-07-04 22:19 ` [PATCH 3.14 27/59] IB/umad: Fix error handling Greg Kroah-Hartman
2014-07-04 22:19 ` [PATCH 3.14 28/59] IB/umad: Fix use-after-free on close Greg Kroah-Hartman
2014-07-04 22:19 ` [PATCH 3.14 29/59] SUNRPC: Fix a module reference leak in svc_handle_xprt Greg Kroah-Hartman
2014-07-04 22:19 ` [PATCH 3.14 30/59] pNFS: Handle allocation errors correctly in filelayout_alloc_layout_hdr() Greg Kroah-Hartman
2014-07-04 22:19 ` [PATCH 3.14 31/59] nfsd4: fix FREE_STATEID lockowner leak Greg Kroah-Hartman
2014-07-04 22:19 ` [PATCH 3.14 32/59] nfsd: getattr for FATTR4_WORD0_FILES_AVAIL needs the statfs buffer Greg Kroah-Hartman
2014-07-04 22:19 ` [PATCH 3.14 33/59] NFS: Dont declare inode uptodate unless all attributes were checked Greg Kroah-Hartman
2014-07-04 22:19 ` [PATCH 3.14 34/59] NFS: Use raw_write_seqcount_begin/end int nfs4_reclaim_open_state Greg Kroah-Hartman
2014-07-04 22:19 ` [PATCH 3.14 35/59] NFS: populate ->net in mount data when remounting Greg Kroah-Hartman
2014-07-04 22:19 ` [PATCH 3.14 36/59] nfs: Fix cache_validity check in nfs_write_pageuptodate() Greg Kroah-Hartman
2014-07-04 22:19 ` [PATCH 3.14 37/59] powerpc/pseries: Fix overwritten PE state Greg Kroah-Hartman
2014-07-04 22:19 ` [PATCH 3.14 38/59] powerpc/mm: Check paca psize is up to date for huge mappings Greg Kroah-Hartman
2014-07-04 22:19 ` [PATCH 3.14 39/59] powerpc/serial: Use saner flags when creating legacy ports Greg Kroah-Hartman
2014-07-04 22:19 ` [PATCH 3.14 40/59] powerpc: 64bit sendfile is capped at 2GB Greg Kroah-Hartman
2014-07-04 22:19 ` [PATCH 3.14 41/59] powerpc: fix typo CONFIG_PMAC Greg Kroah-Hartman
2014-07-04 22:19 ` [PATCH 3.14 42/59] powerpc/perf: Ensure all EBB register state is cleared on fork() Greg Kroah-Hartman
2014-07-04 22:19 ` [PATCH 3.14 43/59] powerpc: fix typo CONFIG_PPC_CPU Greg Kroah-Hartman
2014-07-04 22:19 ` [PATCH 3.14 44/59] powerpc: Dont setup CPUs with bad status Greg Kroah-Hartman
2014-07-04 22:19 ` [PATCH 3.14 45/59] powerpc: Add AT_HWCAP2 to indicate V.CRYPTO category support Greg Kroah-Hartman
2014-07-04 22:19 ` [PATCH 3.14 46/59] powerpc: Dont skip ePAPR spin-table CPUs Greg Kroah-Hartman
2014-07-04 22:19 ` [PATCH 3.14 47/59] xfs: xfs_readsb needs to check for magic numbers Greg Kroah-Hartman
2014-07-04 22:19 ` [PATCH 3.14 48/59] reiserfs: call truncate_setsize under tailpack mutex Greg Kroah-Hartman
2014-07-04 22:19 ` [PATCH 3.14 49/59] MIPS: KVM: Remove redundant NULL checks before kfree() Greg Kroah-Hartman
2014-07-04 22:19 ` [PATCH 3.14 50/59] MIPS: KVM: Fix memory leak on VCPU Greg Kroah-Hartman
2014-07-04 22:19 ` [PATCH 3.14 51/59] ipvs: Fix panic due to non-linear skb Greg Kroah-Hartman
2014-07-04 22:19 ` [PATCH 3.14 52/59] ptrace,x86: force IRET path after a ptrace_stop() Greg Kroah-Hartman
2014-07-04 22:19 ` [PATCH 3.14 53/59] lz4: add overrun checks to lz4_uncompress_unknownoutputsize() Greg Kroah-Hartman
2014-07-04 22:19 ` [PATCH 3.14 54/59] Documentation/SubmittingPatches: describe the Fixes: tag Greg Kroah-Hartman
2014-07-04 22:19 ` [PATCH 3.14 55/59] tracing: Try again for saved cmdline if failed due to locking Greg Kroah-Hartman
2014-07-04 22:19 ` [PATCH 3.14 56/59] tracing: Fix syscall_*regfunc() vs copy_process() race Greg Kroah-Hartman
2014-07-04 22:19 ` Greg Kroah-Hartman [this message]
2014-07-04 22:19 ` [PATCH 3.14 58/59] ALSA: hda - hdmi: call overridden init on resume Greg Kroah-Hartman
2014-07-04 22:19 ` [PATCH 3.14 59/59] ALSA: hda - Adjust speaker HPF and add LED support for HP Spectre 13 Greg Kroah-Hartman
2014-07-04 23:20 ` Holger Hoffstätte
2014-07-05 12:58 ` Takashi Iwai
2014-07-05 19:10 ` Greg Kroah-Hartman
2014-07-05 0:47 ` [PATCH 3.14 00/59] 3.14.11-stable review Holger Hoffstätte
2014-07-05 5:45 ` Guenter Roeck
2014-07-05 7:00 ` Satoru Takeuchi
2014-07-05 7:08 ` Guenter Roeck
2014-07-05 9:21 ` Satoru Takeuchi
2014-07-05 12:56 ` Takashi Iwai
2014-07-05 19:10 ` Greg Kroah-Hartman
2014-07-05 21:53 ` Satoru Takeuchi
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20140704221542.239710678@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=stern@rowland.harvard.edu \
--cc=tiwai@suse.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).