06ab30034e
A kernel WARNING in snd_rawmidi_transmit_ack() is triggered by
syzkaller fuzzer:

  WARNING: CPU: 1 PID: 20739 at sound/core/rawmidi.c:1136
  Call Trace:
   [< inline >] __dump_stack lib/dump_stack.c:15
   [<ffffffff82999e2d>] dump_stack+0x6f/0xa2 lib/dump_stack.c:50
   [<ffffffff81352089>] warn_slowpath_common+0xd9/0x140 kernel/panic.c:482
   [<ffffffff813522b9>] warn_slowpath_null+0x29/0x30 kernel/panic.c:515
   [<ffffffff84f80bd5>] snd_rawmidi_transmit_ack+0x275/0x400 sound/core/rawmidi.c:1136
   [<ffffffff84fdb3c1>] snd_virmidi_output_trigger+0x4b1/0x5a0 sound/core/seq/seq_virmidi.c:163
   [< inline >] snd_rawmidi_output_trigger sound/core/rawmidi.c:150
   [<ffffffff84f87ed9>] snd_rawmidi_kernel_write1+0x549/0x780 sound/core/rawmidi.c:1223
   [<ffffffff84f89fd3>] snd_rawmidi_write+0x543/0xb30 sound/core/rawmidi.c:1273
   [<ffffffff817b0323>] __vfs_write+0x113/0x480 fs/read_write.c:528
   [<ffffffff817b1db7>] vfs_write+0x167/0x4a0 fs/read_write.c:577
   [< inline >] SYSC_write fs/read_write.c:624
   [<ffffffff817b50a1>] SyS_write+0x111/0x220 fs/read_write.c:616
   [<ffffffff86336c36>] entry_SYSCALL_64_fastpath+0x16/0x7a arch/x86/entry/entry_64.S:185

Also a similar warning is found but in another path:

  Call Trace:
   [< inline >] __dump_stack lib/dump_stack.c:15
   [<ffffffff82be2c0d>] dump_stack+0x6f/0xa2 lib/dump_stack.c:50
   [<ffffffff81355139>] warn_slowpath_common+0xd9/0x140 kernel/panic.c:482
   [<ffffffff81355369>] warn_slowpath_null+0x29/0x30 kernel/panic.c:515
   [<ffffffff8527e69a>] rawmidi_transmit_ack+0x24a/0x3b0 sound/core/rawmidi.c:1133
   [<ffffffff8527e851>] snd_rawmidi_transmit_ack+0x51/0x80 sound/core/rawmidi.c:1163
   [<ffffffff852d9046>] snd_virmidi_output_trigger+0x2b6/0x570 sound/core/seq/seq_virmidi.c:185
   [< inline >] snd_rawmidi_output_trigger sound/core/rawmidi.c:150
   [<ffffffff85285a0b>] snd_rawmidi_kernel_write1+0x4bb/0x760 sound/core/rawmidi.c:1252
   [<ffffffff85287b73>] snd_rawmidi_write+0x543/0xb30 sound/core/rawmidi.c:1302
   [<ffffffff817ba5f3>] __vfs_write+0x113/0x480 fs/read_write.c:528
   [<ffffffff817bc087>] vfs_write+0x167/0x4a0 fs/read_write.c:577
   [< inline >] SYSC_write fs/read_write.c:624
   [<ffffffff817bf371>] SyS_write+0x111/0x220 fs/read_write.c:616
   [<ffffffff86660276>] entry_SYSCALL_64_fastpath+0x16/0x7a arch/x86/entry/entry_64.S:185

In the former case, the reason is that virmidi has an open code
calling snd_rawmidi_transmit_ack() with the value calculated outside
the spinlock. We may use snd_rawmidi_transmit() in a loop just for
consuming the input data, but even there, there is a race between
snd_rawmidi_transmit_peek() and snd_rawmidi_transmit_ack().

Similarly in the latter case, it calls snd_rawmidi_transmit_peek()
and snd_rawmidi_transmit_ack() separately without protection, so
they are racy as well.

The patch tries to address these issues in the following ways:
- Introduce the unlocked versions of snd_rawmidi_transmit_peek() and
  snd_rawmidi_transmit_ack() to be called inside the explicit lock.
- Rewrite snd_rawmidi_transmit() to be race-free (the former case).
- Make the split calls (the latter case) protected in the rawmidi spin
  lock.

BugLink: http://lkml.kernel.org/r/CACT4Y+YPq1+cYLkadwjWa5XjzF1_Vki1eHnVn-Lm0hzhSpu5PA@mail.gmail.com
BugLink: http://lkml.kernel.org/r/CACT4Y+acG4iyphdOZx47Nyq_VHGbpJQK-6xNpiqUjaZYqsXOGw@mail.gmail.com
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Tested-by: Dmitry Vyukov <dvyukov@google.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
#ifndef __SOUND_RAWMIDI_H
#define __SOUND_RAWMIDI_H
/*
 * Abstract layer for MIDI v1.0 stream
 * Copyright (c) by Jaroslav Kysela <perex@perex.cz>
 *
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
 *
 */
#include <sound/asound.h>
#include <linux/interrupt.h>
#include <linux/spinlock.h>
#include <linux/wait.h>
#include <linux/mutex.h>
#include <linux/workqueue.h>
#include <linux/device.h>
#if defined(CONFIG_SND_SEQUENCER) || defined(CONFIG_SND_SEQUENCER_MODULE)
#include <sound/seq_device.h>
#endif
/*
 * Raw MIDI interface
 */
/*
 * Count of rawmidi devices.
 * NOTE(review): presumably the per-card maximum - confirm where it is used.
 */
#define SNDRV_RAWMIDI_DEVICES 8

/*
 * SNDRV_RAWMIDI_LFLG_* bit flags.
 * OUTPUT is bit 0 and INPUT is bit 1. OPEN is (3<<0), which is exactly
 * OUTPUT | INPUT, so it covers both direction bits. APPEND is bit 2.
 */
#define SNDRV_RAWMIDI_LFLG_OUTPUT (1<<0)
#define SNDRV_RAWMIDI_LFLG_INPUT (1<<1)
#define SNDRV_RAWMIDI_LFLG_OPEN (3<<0)
#define SNDRV_RAWMIDI_LFLG_APPEND (1<<2)
/*
 * Forward declarations. The declarations that follow refer to these types
 * through pointers before (or without) seeing their full definitions.
 */
struct snd_rawmidi;
struct snd_rawmidi_substream;
struct snd_seq_port_info;
struct pid;
/*
 * Per-substream callback table; struct snd_rawmidi_substream points at one
 * through its ->ops member ("hardware layer").
 *
 * An output ->trigger implementation that consumes buffered data with
 * separate peek and ack steps has to serialize the two, otherwise the count
 * it acknowledges may no longer match the buffer state (see the transmit
 * helpers declared later in this header).
 */
struct snd_rawmidi_ops {
	int (*open) (struct snd_rawmidi_substream * substream);
	int (*close) (struct snd_rawmidi_substream * substream);
	/* NOTE(review): 'up' presumably selects start (non-zero) vs. stop (0) - confirm in sound/core/rawmidi.c */
	void (*trigger) (struct snd_rawmidi_substream * substream, int up);
	void (*drain) (struct snd_rawmidi_substream * substream);
};
/*
 * Device-level callback table; struct snd_rawmidi refers to one through its
 * const ->ops pointer.
 */
struct snd_rawmidi_global_ops {
	int (*dev_register) (struct snd_rawmidi * rmidi);
	int (*dev_unregister) (struct snd_rawmidi * rmidi);
	/* NOTE(review): presumably fills *info for port 'number' - inferred from the name, confirm against the caller */
	void (*get_port_info)(struct snd_rawmidi *rmidi, int number,
			      struct snd_seq_port_info *info);
};
/*
 * Per-substream runtime state: the MIDI byte buffer with its application
 * and hardware positions, plus a spinlock, a wait queue and a deferred-work
 * item. struct snd_rawmidi_substream points at one through ->runtime.
 */
struct snd_rawmidi_runtime {
	struct snd_rawmidi_substream *substream;
	unsigned int drain: 1, /* drain stage */
		     oss: 1; /* OSS compatible mode */
	/* midi stream buffer */
	unsigned char *buffer; /* buffer for MIDI data */
	size_t buffer_size; /* size of buffer */
	size_t appl_ptr; /* application pointer */
	size_t hw_ptr; /* hardware pointer */
	size_t avail_min; /* min avail for wakeup */
	size_t avail; /* max used buffer for wakeup */
	size_t xruns; /* over/underruns counter */
	/* misc */
	/*
	 * NOTE(review): presumably the spinlock that serializes access to the
	 * buffer positions above (appl_ptr, hw_ptr, avail) - confirm in
	 * sound/core/rawmidi.c. A position or count read outside the lock can
	 * be stale by the time it is used.
	 */
	spinlock_t lock;
	wait_queue_head_t sleep;
	/* event handler (new bytes, input only) */
	void (*event)(struct snd_rawmidi_substream *substream);
	/* defers calls to event [input] or ops->trigger [output] */
	struct work_struct event_work;
	/* private data */
	void *private_data;
	void (*private_free)(struct snd_rawmidi_substream *substream);
};
/*
 * One substream (a single direction) of a rawmidi device. It is linked into
 * a per-direction list and points back at its device (->rmidi), its
 * per-direction bookkeeping (->pstr), its runtime state (->runtime) and its
 * callback table (->ops).
 */
struct snd_rawmidi_substream {
	struct list_head list; /* list of all substream for given stream */
	int stream; /* direction */
	int number; /* substream number */
	unsigned int opened: 1, /* open flag */
		     append: 1, /* append flag (merge more streams) */
		     active_sensing: 1; /* send active sensing when close */
	int use_count; /* use counter (for output) */
	/* NOTE(review): presumably a running count of bytes handled on this substream - confirm */
	size_t bytes;
	struct snd_rawmidi *rmidi;
	struct snd_rawmidi_str *pstr;
	/* fixed-size buffer: any writer has to bound its copy to sizeof(name) */
	char name[32];
	struct snd_rawmidi_runtime *runtime;
	struct pid *pid;
	/* hardware layer */
	struct snd_rawmidi_ops *ops;
};
/*
 * Groups a rawmidi device with one input and one output substream pointer.
 * snd_rawmidi_kernel_open() and snd_rawmidi_kernel_release() take a pointer
 * to this structure.
 * NOTE(review): presumably open fills it in and an unused direction is left
 * NULL - confirm in sound/core/rawmidi.c.
 */
struct snd_rawmidi_file {
	struct snd_rawmidi *rmidi;
	struct snd_rawmidi_substream *input;
	struct snd_rawmidi_substream *output;
};
/*
 * Bookkeeping for one group of substreams: how many exist, how many are
 * open, and the list head they hang off. struct snd_rawmidi embeds two of
 * these as streams[2].
 */
struct snd_rawmidi_str {
	unsigned int substream_count;
	unsigned int substream_opened;
	struct list_head substreams;
};
/*
 * One rawmidi device on a sound card: identity (device number, id, name),
 * the device-level ops table, the two substream groups, private driver
 * data, open_mutex / open_wait, and the embedded struct device.
 */
struct snd_rawmidi {
	struct snd_card *card;
	struct list_head list;
	unsigned int device; /* device number */
	unsigned int info_flags; /* SNDRV_RAWMIDI_INFO_XXXX */
	/* fixed-size buffers: any writer has to bound its copy to sizeof(id) / sizeof(name) */
	char id[64];
	char name[80];

#ifdef CONFIG_SND_OSSEMUL
	int ossreg;
#endif

	const struct snd_rawmidi_global_ops *ops;

	/*
	 * NOTE(review): presumably indexed by stream direction
	 * (SNDRV_RAWMIDI_STREAM_OUTPUT / SNDRV_RAWMIDI_STREAM_INPUT from
	 * <sound/asound.h>) - confirm.
	 */
	struct snd_rawmidi_str streams[2];

	void *private_data;
	void (*private_free) (struct snd_rawmidi *rmidi);

	struct mutex open_mutex;
	wait_queue_head_t open_wait;

	struct device dev;

	struct snd_info_entry *proc_entry;

	/* present only when the ALSA sequencer is built in or built as a module */
#if defined(CONFIG_SND_SEQUENCER) || defined(CONFIG_SND_SEQUENCER_MODULE)
	struct snd_seq_device *seq_dev;
#endif
};
/* main rawmidi functions */

/*
 * NOTE(review): presumably creates a rawmidi device on 'card' with the given
 * numbers of output and input substreams and returns it through 'rmidi';
 * inferred from the signature, confirm in sound/core/rawmidi.c.
 * 'id' is presumably copied into the fixed-size id[64] member of
 * struct snd_rawmidi; confirm that the implementation bounds that copy.
 */
int snd_rawmidi_new(struct snd_card *card, char *id, int device,
		    int output_count, int input_count,
		    struct snd_rawmidi **rmidi);
/*
 * NOTE(review): presumably installs 'ops' as the callback table for the
 * substreams of direction 'stream' - confirm.
 */
void snd_rawmidi_set_ops(struct snd_rawmidi *rmidi, int stream,
			 struct snd_rawmidi_ops *ops);
/* callbacks */

/*
 * NOTE(review): presumably called by a driver to pass 'count' received bytes
 * from 'buffer' to an input substream - confirm in sound/core/rawmidi.c.
 */
int snd_rawmidi_receive(struct snd_rawmidi_substream *substream,
			const unsigned char *buffer, int count);
int snd_rawmidi_transmit_empty(struct snd_rawmidi_substream *substream);
/*
 * Output consumption helpers.
 *
 * snd_rawmidi_transmit_peek() and snd_rawmidi_transmit_ack() are two
 * separate calls. Nothing serializes the pair, so a count obtained from a
 * peek (or computed elsewhere outside the lock) can be stale when it is
 * passed to ack. That race triggered the WARNING in
 * snd_rawmidi_transmit_ack() reported against virmidi.
 * snd_rawmidi_transmit() covers the plain consume case and was rewritten to
 * be race-free.
 */
int snd_rawmidi_transmit_peek(struct snd_rawmidi_substream *substream,
			      unsigned char *buffer, int count);
int snd_rawmidi_transmit_ack(struct snd_rawmidi_substream *substream, int count);
int snd_rawmidi_transmit(struct snd_rawmidi_substream *substream,
			 unsigned char *buffer, int count);
/*
 * Unlocked variants of peek and ack. They are meant to be called with the
 * rawmidi spin lock already held, so that a peek and the matching ack form
 * one critical section.
 * NOTE(review): the lock is presumably substream->runtime->lock - confirm in
 * sound/core/rawmidi.c.
 */
int __snd_rawmidi_transmit_peek(struct snd_rawmidi_substream *substream,
				unsigned char *buffer, int count);
int __snd_rawmidi_transmit_ack(struct snd_rawmidi_substream *substream,
			       int count);
/* main midi functions */

int snd_rawmidi_info_select(struct snd_card *card, struct snd_rawmidi_info *info);
/*
 * In-kernel open/release pair operating on a struct snd_rawmidi_file.
 * NOTE(review): 'mode' presumably takes SNDRV_RAWMIDI_LFLG_* bits - confirm.
 */
int snd_rawmidi_kernel_open(struct snd_card *card, int device, int subdevice,
			    int mode, struct snd_rawmidi_file *rfile);
int snd_rawmidi_kernel_release(struct snd_rawmidi_file *rfile);
/*
 * NOTE(review): 'params' presumably carries caller-chosen buffer settings;
 * confirm that the implementation validates them before resizing anything.
 */
int snd_rawmidi_output_params(struct snd_rawmidi_substream *substream,
			      struct snd_rawmidi_params *params);
int snd_rawmidi_input_params(struct snd_rawmidi_substream *substream,
			     struct snd_rawmidi_params *params);
int snd_rawmidi_drop_output(struct snd_rawmidi_substream *substream);
int snd_rawmidi_drain_output(struct snd_rawmidi_substream *substream);
int snd_rawmidi_drain_input(struct snd_rawmidi_substream *substream);
/*
 * In-kernel read/write. 'buf' carries no __user annotation in these
 * prototypes, and both the count and the return value are long.
 * NOTE(review): callers are presumably expected to pass kernel memory -
 * confirm in sound/core/rawmidi.c.
 */
long snd_rawmidi_kernel_read(struct snd_rawmidi_substream *substream,
			     unsigned char *buf, long count);
long snd_rawmidi_kernel_write(struct snd_rawmidi_substream *substream,
			      const unsigned char *buf, long count);
#endif /* __SOUND_RAWMIDI_H */