From: Sasha Levin
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Tuo Li, BassCheck, Takashi Iwai, Sasha Levin, perex@perex.cz, tiwai@suse.com, alsa-devel@alsa-project.org
Subject: [PATCH AUTOSEL 5.4 12/12] ALSA: hda: fix a possible null-pointer dereference due to data race in snd_hdac_regmap_sync()
Date: Sun, 23 Jul 2023 21:34:25 -0400
Message-Id: <20230724013426.2333833-12-sashal@kernel.org>
X-Mailer: git-send-email 2.39.2
In-Reply-To: <20230724013426.2333833-1-sashal@kernel.org>
References: <20230724013426.2333833-1-sashal@kernel.org>
MIME-Version: 1.0
X-stable: review
X-Patchwork-Hint: Ignore
X-stable-base: Linux 5.4.249
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID:
X-Mailing-List: stable@vger.kernel.org

From: Tuo Li

[ Upstream commit 1f4a08fed450db87fbb5ff5105354158bdbe1a22 ]

The variable codec->regmap is often protected by the lock
codec->regmap_lock when it is accessed. However, it is accessed without
holding the lock when it is accessed in snd_hdac_regmap_sync():

  if (codec->regmap)

In my opinion, this may be a harmful race, because if codec->regmap is
set to NULL right after the condition is checked, a null-pointer
dereference can occur in the called function regcache_sync():

  map->lock(map->lock_arg); --> Line 360 in drivers/base/regmap/regcache.c

To fix this possible null-pointer dereference caused by data race, the
mutex_lock coverage is extended to protect the if statement as well as the
function call to regcache_sync().

[ Note: the lack of the regmap_lock itself is harmless for the current
  codec driver implementations, as snd_hdac_regmap_sync() is only for
  PM runtime resume that is prohibited during the codec probe.
  But the change makes the whole code more consistent, so it's merged
  as is -- tiwai ]

Reported-by: BassCheck
Signed-off-by: Tuo Li
Link: https://lore.kernel.org/r/20230703031016.1184711-1-islituo@gmail.com
Signed-off-by: Takashi Iwai
Signed-off-by: Sasha Levin --- sound/hda/hdac_regmap.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/sound/hda/hdac_regmap.c b/sound/hda/hdac_regmap.c index 49780399c2849..a035a7d74ce09 100644 --- a/sound/hda/hdac_regmap.c +++ b/sound/hda/hdac_regmap.c @@ -596,10 +596,9 @@ EXPORT_SYMBOL_GPL(snd_hdac_regmap_update_raw_once); */ void snd_hdac_regmap_sync(struct hdac_device *codec) { - if (codec->regmap) { - mutex_lock(&codec->regmap_lock); + mutex_lock(&codec->regmap_lock); + if (codec->regmap) regcache_sync(codec->regmap); - mutex_unlock(&codec->regmap_lock); - } + mutex_unlock(&codec->regmap_lock); } EXPORT_SYMBOL_GPL(snd_hdac_regmap_sync); -- 2.39.2
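Review bot: In snd_hdac_regmap_sync(), mutex_lock(&codec->regmap_lock) now runs before the codec->regmap check, so the mutex is taken even for a codec that has no regmap, which the removed lines never did; please confirm that regmap_lock is initialized on every path that can reach this function before a regmap is attached. The kernel-doc comment that closes just above the function would be a good place to state that the function takes regmap_lock itself, so callers must not already hold it. Since the maintainer's note in the commit message says the missing lock is harmless for current codec drivers, the stable submission could say that this is a consistency change rather than a fix for a reachable NULL dereference.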