From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: "Amadeusz Sławiński" <amadeuszx.slawinski@linux.intel.com>,
"Cezary Rojewski" <cezary.rojewski@intel.com>,
"Takashi Iwai" <tiwai@suse.de>, "Sasha Levin" <sashal@kernel.org>,
perex@perex.cz, tiwai@suse.com, xkernel.wang@foxmail.com,
alsa-devel@alsa-project.org
Subject: [PATCH AUTOSEL 5.4 10/55] ALSA: jack: Access input_dev under mutex
Date: Mon, 30 May 2022 09:46:16 -0400 [thread overview]
Message-ID: <20220530134701.1935933-10-sashal@kernel.org> (raw)
In-Reply-To: <20220530134701.1935933-1-sashal@kernel.org>
From: Amadeusz Sławiński <amadeuszx.slawinski@linux.intel.com>
[ Upstream commit 1b6a6fc5280e97559287b61eade2d4b363e836f2 ]
It is possible when using ASoC that input_dev is unregistered while
calling snd_jack_report, which causes NULL pointer dereference.
In order to prevent this serialize access to input_dev using mutex lock.
Signed-off-by: Amadeusz Sławiński <amadeuszx.slawinski@linux.intel.com>
Reviewed-by: Cezary Rojewski <cezary.rojewski@intel.com>
Link: https://lore.kernel.org/r/20220412091628.3056922-1-amadeuszx.slawinski@linux.intel.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/sound/jack.h | 1 +
sound/core/jack.c | 34 +++++++++++++++++++++++++++-------
2 files changed, 28 insertions(+), 7 deletions(-)
diff --git a/include/sound/jack.h b/include/sound/jack.h
index 9eb2b5ec1ec4..78f3619f3de9 100644
--- a/include/sound/jack.h
+++ b/include/sound/jack.h
@@ -62,6 +62,7 @@ struct snd_jack {
const char *id;
#ifdef CONFIG_SND_JACK_INPUT_DEV
struct input_dev *input_dev;
+ struct mutex input_dev_lock;
int registered;
int type;
char name[100];
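Review bot: The new `input_dev_lock` field has no comment saying what it guards. In the jack.c hunks it is held around every access to `input_dev`, and `registered` is set under it in snd_jack_dev_register, so I would record that on the field: `struct mutex input_dev_lock; /* protects input_dev and registered */`. The struct definition continues outside this hunk.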
diff --git a/sound/core/jack.c b/sound/core/jack.c
index b00ae6f39f05..e7ac82d46821 100644
--- a/sound/core/jack.c
+++ b/sound/core/jack.c
@@ -34,8 +34,11 @@ static int snd_jack_dev_disconnect(struct snd_device *device)
#ifdef CONFIG_SND_JACK_INPUT_DEV
struct snd_jack *jack = device->device_data;
- if (!jack->input_dev)
+ mutex_lock(&jack->input_dev_lock);
+ if (!jack->input_dev) {
+ mutex_unlock(&jack->input_dev_lock);
return 0;
+ }
/* If the input device is registered with the input subsystem
* then we need to use a different deallocator. */
@@ -44,6 +47,7 @@ static int snd_jack_dev_disconnect(struct snd_device *device)
else
input_free_device(jack->input_dev);
jack->input_dev = NULL;
+ mutex_unlock(&jack->input_dev_lock);
#endif /* CONFIG_SND_JACK_INPUT_DEV */
return 0;
}
@@ -82,8 +86,11 @@ static int snd_jack_dev_register(struct snd_device *device)
snprintf(jack->name, sizeof(jack->name), "%s %s",
card->shortname, jack->id);
- if (!jack->input_dev)
+ mutex_lock(&jack->input_dev_lock);
+ if (!jack->input_dev) {
+ mutex_unlock(&jack->input_dev_lock);
return 0;
+ }
jack->input_dev->name = jack->name;
@@ -108,6 +115,7 @@ static int snd_jack_dev_register(struct snd_device *device)
if (err == 0)
jack->registered = 1;
+ mutex_unlock(&jack->input_dev_lock);
return err;
}
#endif /* CONFIG_SND_JACK_INPUT_DEV */
@@ -228,9 +236,11 @@ int snd_jack_new(struct snd_card *card, const char *id, int type,
return -ENOMEM;
}
- /* don't creat input device for phantom jack */
- if (!phantom_jack) {
#ifdef CONFIG_SND_JACK_INPUT_DEV
+ mutex_init(&jack->input_dev_lock);
+
+ /* don't create input device for phantom jack */
+ if (!phantom_jack) {
int i;
jack->input_dev = input_allocate_device();
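Review bot: `mutex_init(&jack->input_dev_lock)` has no matching `mutex_destroy()` in any hunk of this patch. The jack's free path is not part of the diff, so this may be deliberate. With mutex debugging enabled, though, a destroy call is what flags a late locker touching a jack that is being torn down, which is the class of bug this patch addresses. I would add `mutex_destroy(&jack->input_dev_lock);` just before the jack is freed, after the disconnect step has released the lock. snd_jack_new's body starts and ends outside the hunk.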
@@ -248,8 +258,8 @@ int snd_jack_new(struct snd_card *card, const char *id, int type,
input_set_capability(jack->input_dev, EV_SW,
jack_switch_types[i]);
-#endif /* CONFIG_SND_JACK_INPUT_DEV */
}
+#endif /* CONFIG_SND_JACK_INPUT_DEV */
err = snd_device_new(card, SNDRV_DEV_JACK, jack, &ops);
if (err < 0)
@@ -289,10 +299,14 @@ EXPORT_SYMBOL(snd_jack_new);
void snd_jack_set_parent(struct snd_jack *jack, struct device *parent)
{
WARN_ON(jack->registered);
- if (!jack->input_dev)
+ mutex_lock(&jack->input_dev_lock);
+ if (!jack->input_dev) {
+ mutex_unlock(&jack->input_dev_lock);
return;
+ }
jack->input_dev->dev.parent = parent;
+ mutex_unlock(&jack->input_dev_lock);
}
EXPORT_SYMBOL(snd_jack_set_parent);
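Review bot: `WARN_ON(jack->registered)` still reads `registered` before `input_dev_lock` is taken, while snd_jack_dev_register now sets that flag with the lock held. It is only a diagnostic, but moving it to just after `mutex_lock(&jack->input_dev_lock);` would make the check consistent with the register path and rule out a stale read racing with registration.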
@@ -340,6 +354,8 @@ EXPORT_SYMBOL(snd_jack_set_key);
/**
* snd_jack_report - Report the current status of a jack
+ * Note: This function uses mutexes and should be called from a
+ * context which can sleep (such as a workqueue).
*
* @jack: The jack to report status for
* @status: The current status of the jack
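Review bot: The sleeping requirement is added on the lines directly under the name line, where kernel-doc treats it as a continuation of the short description rather than as the function's description. kernel-doc has a dedicated `Context:` section for this. I would drop the two `Note:` lines and add, after the `@status` parameter, ` * Context: Process context. Takes jack->input_dev_lock and may sleep.`. The comment block continues outside the hunk.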
@@ -359,8 +375,11 @@ void snd_jack_report(struct snd_jack *jack, int status)
status & jack_kctl->mask_bits);
#ifdef CONFIG_SND_JACK_INPUT_DEV
- if (!jack->input_dev)
+ mutex_lock(&jack->input_dev_lock);
+ if (!jack->input_dev) {
+ mutex_unlock(&jack->input_dev_lock);
return;
+ }
for (i = 0; i < ARRAY_SIZE(jack->key); i++) {
int testbit = SND_JACK_BTN_0 >> i;
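Review bot: Taking `input_dev_lock` here makes snd_jack_report() unsafe to call from an interrupt handler or with a spinlock held, and the patch only documents that rather than checking callers. None of the call sites are in this diff, so for a 5.4 backport every in-tree caller needs to be confirmed to run in process context (threaded IRQ or workqueue). A caller in atomic context would trade the NULL dereference for a sleep-in-atomic bug. If such callers exist, one non-sleeping alternative is to pin the device with `input_get_device(jack->input_dev)` and release it with `input_put_device()` after `input_sync()`. The function body starts and ends outside this hunk.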
@@ -379,6 +398,7 @@ void snd_jack_report(struct snd_jack *jack, int status)
}
input_sync(jack->input_dev);
+ mutex_unlock(&jack->input_dev_lock);
#endif /* CONFIG_SND_JACK_INPUT_DEV */
}
EXPORT_SYMBOL(snd_jack_report);
--
2.35.1