diff options
| author | Karthikeyan Mani <kmani@codeaurora.org> | 2017-11-28 18:16:21 -0800 |
|---|---|---|
| committer | Karthikeyan Mani <kmani@codeaurora.org> | 2017-11-28 23:37:30 -0800 |
| commit | eefe13156cdfd73e93e62da7d092928f6d146ac4 (patch) | |
| tree | 8843316e986e5771ecd12a31753feb94a2264c53 | |
| parent | 4e0e2d6a6eba112d5b5aa8cf850f7057141e665b (diff) | |
ALSA: pcm: use lock to protect substream runtime resource
Use a spinlock to protect runtime resource in substream
against race conditions which may lead to use-after-free.
CRs-fixed: 2112713
Change-Id: I37dee68cad5eae05b21cfade3dabc0c2b79be6b8
Signed-off-by: Karthikeyan Mani <kmani@codeaurora.org>
| -rw-r--r-- | sound/core/pcm.c | 4 | ||||
| -rw-r--r-- | sound/core/pcm_timer.c | 11 |
2 files changed, 13 insertions, 2 deletions
diff --git a/sound/core/pcm.c b/sound/core/pcm.c index a2c2f06060df..4fc68b126169 100644 --- a/sound/core/pcm.c +++ b/sound/core/pcm.c @@ -742,6 +742,7 @@ int snd_pcm_new_stream(struct snd_pcm *pcm, int stream, int substream_count) } substream->group = &substream->self_group; spin_lock_init(&substream->self_group.lock); + spin_lock_init(&substream->runtime_lock); mutex_init(&substream->self_group.mutex); INIT_LIST_HEAD(&substream->self_group.substreams); list_add_tail(&substream->link_list, &substream->self_group.substreams); @@ -1020,9 +1021,11 @@ int snd_pcm_attach_substream(struct snd_pcm *pcm, int stream, void snd_pcm_detach_substream(struct snd_pcm_substream *substream) { struct snd_pcm_runtime *runtime; + unsigned long flags = 0; if (PCM_RUNTIME_CHECK(substream)) return; + spin_lock_irqsave(&substream->runtime_lock, flags); runtime = substream->runtime; if (runtime->private_free != NULL) runtime->private_free(runtime); @@ -1036,6 +1039,7 @@ void snd_pcm_detach_substream(struct snd_pcm_substream *substream) put_pid(substream->pid); substream->pid = NULL; substream->pstr->substream_opened--; + spin_unlock_irqrestore(&substream->runtime_lock, flags); } static ssize_t show_pcm_class(struct device *dev, diff --git a/sound/core/pcm_timer.c b/sound/core/pcm_timer.c index 20ecd8f18080..11ea73f019ba 100644 --- a/sound/core/pcm_timer.c +++ b/sound/core/pcm_timer.c @@ -65,9 +65,16 @@ void snd_pcm_timer_resolution_change(struct snd_pcm_substream *substream) static unsigned long snd_pcm_timer_resolution(struct snd_timer * timer) { struct snd_pcm_substream *substream; - + unsigned long ret = 0, flags = 0; + substream = timer->private_data; - return substream->runtime ? substream->runtime->timer_resolution : 0; + spin_lock_irqsave(&substream->runtime_lock, flags); + if (substream->runtime) + ret = substream->runtime->timer_resolution; + else + ret = 0; + spin_unlock_irqrestore(&substream->runtime_lock, flags); + return ret; } static int snd_pcm_timer_start(struct snd_timer * timer) |