ALSA: pcm - fix race condition in wait_for_avail()

commit 763437a9e7737535b2fc72175ad4974048769be6 upstream. wait_for_avail() in pcm_lib.c has a race in it (observed in practice by an Intel validation group). The function is supposed to return once space in the buffer has become available, or if some timeout happens. The entity that creates space (irq handler of sound driver and some such) will do a wake up on a waitqueue that this function registers for. However there are two races in the existing code 1) If space became available between the caller noticing there was no space and this function actually sleeping, the wakeup is missed and the timeout condition will happen instead 2) If a wakeup happened but not sufficient space became available, the code will loop again and wait for more space. However, if the second wake comes in prior to hitting the schedule_timeout_interruptible(), it will be missed, and potentially you'll wait out until the timeout happens. The fix consists of using more careful setting of the current state (so that if a wakeup happens in the main loop window, the schedule_timeout() falls through) and by checking for available space prior to going into the schedule_timeout() loop, but after being on the waitqueue and having the state set to interruptible. [tiwai: the following changes have been added to Arjan's original patch: - merged akpm's fix for waitqueue adding order into a single patch - reduction of duplicated code of avail check ] Signed-off-by: Arjan van de Ven <arjan@linux.intel.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Takashi Iwai <tiwai@suse.de> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
author: Arjan van de Ven <arjan@infradead.org> 2011-09-15 02:49:25 -0400
committer: Greg Kroah-Hartman <gregkh@suse.de> 2011-10-03 14:40:31 -0400
commit: 3345c36f951a36962493b1f59f23e47b5a94d8d2 (patch)
tree: 764f7279f6bcc103f96ae37b4bf884509fa0f344 /sound/core
parent: d5b1a08d0d0a73c716766275eb0c5648e143ca85 (diff)
1 files changed, 24 insertions, 9 deletions
diff --git a/sound/core/pcm_lib.c b/sound/core/pcm_lib.c
index f1341308bed..33884426a64 100644
--- a/sound/core/pcm_lib.c
+++ b/sound/core/pcm_lib.c
@@ -1758,6 +1758,10 @@ static int wait_for_avail(struct snd_pcm_substream *substream,
        snd_pcm_uframes_t avail = 0;
        long wait_time, tout;
+        init_waitqueue_entry(&wait, current);
+        set_current_state(TASK_INTERRUPTIBLE);
+        add_wait_queue(&runtime->tsleep, &wait);
        if (runtime->no_period_wakeup)
                wait_time = MAX_SCHEDULE_TIMEOUT;
        else {
@@ -1768,16 +1772,32 @@ static int wait_for_avail(struct snd_pcm_substream *substream,
                }
                wait_time = msecs_to_jiffies(wait_time * 1000);
        }
-        init_waitqueue_entry(&wait, current);
-        add_wait_queue(&runtime->tsleep, &wait);
        for (;;) {
                if (signal_pending(current)) {
                        err = -ERESTARTSYS;
                        break;
                }
+                /*
+                 * We need to check if space became available already
+                 * (and thus the wakeup happened already) first to close
+                 * the race of space already having become available.
+                 * This check must happen after been added to the waitqueue
+                 * and having current state be INTERRUPTIBLE.
+                 */
+                if (is_playback)
+                        avail = snd_pcm_playback_avail(runtime);
+                else
+                        avail = snd_pcm_capture_avail(runtime);
+                if (avail >= runtime->twake)
+                        break;
                snd_pcm_stream_unlock_irq(substream);
-                tout = schedule_timeout_interruptible(wait_time);
+                tout = schedule_timeout(wait_time);
                snd_pcm_stream_lock_irq(substream);
+                set_current_state(TASK_INTERRUPTIBLE);
                switch (runtime->status->state) {
                case SNDRV_PCM_STATE_SUSPENDED:
                        err = -ESTRPIPE;
@@ -1803,14 +1823,9 @@ static int wait_for_avail(struct snd_pcm_substream *substream,
                        err = -EIO;
                        break;
                }
-                if (is_playback)
-                        avail = snd_pcm_playback_avail(runtime);
-                else
-                        avail = snd_pcm_capture_avail(runtime);
-                if (avail >= runtime->twake)
-                        break;
        }
 _endloop:
+        set_current_state(TASK_RUNNING);
        remove_wait_queue(&runtime->tsleep, &wait);
        *availp = avail;
        return err;
author	Arjan van de Ven <arjan@infradead.org>	2011-09-15 02:49:25 -0400
committer	Greg Kroah-Hartman <gregkh@suse.de>	2011-10-03 14:40:31 -0400
commit	3345c36f951a36962493b1f59f23e47b5a94d8d2 (patch)
tree	764f7279f6bcc103f96ae37b4bf884509fa0f344 /sound/core
parent	d5b1a08d0d0a73c716766275eb0c5648e143ca85 (diff)

diff --git a/sound/core/pcm_lib.c b/sound/core/pcm_lib.c index f1341308bed..33884426a64 100644 --- a/sound/core/pcm_lib.c +++ b/sound/core/pcm_lib.c
@@ -1758,6 +1758,10 @@ static int wait_for_avail(struct snd_pcm_substream *substream,
1758	snd_pcm_uframes_t avail = 0;	1758	snd_pcm_uframes_t avail = 0;
1759	long wait_time, tout;	1759	long wait_time, tout;
1760		1760
		1761	init_waitqueue_entry(&wait, current);
		1762	set_current_state(TASK_INTERRUPTIBLE);
		1763	add_wait_queue(&runtime->tsleep, &wait);
		1764
1761	if (runtime->no_period_wakeup)	1765	if (runtime->no_period_wakeup)
1762	wait_time = MAX_SCHEDULE_TIMEOUT;	1766	wait_time = MAX_SCHEDULE_TIMEOUT;
1763	else {	1767	else {
@@ -1768,16 +1772,32 @@ static int wait_for_avail(struct snd_pcm_substream *substream,
1768	}	1772	}
1769	wait_time = msecs_to_jiffies(wait_time * 1000);	1773	wait_time = msecs_to_jiffies(wait_time * 1000);
1770	}	1774	}
1771	init_waitqueue_entry(&wait, current);	1775
1772	add_wait_queue(&runtime->tsleep, &wait);
1773	for (;;) {	1776	for (;;) {
1774	if (signal_pending(current)) {	1777	if (signal_pending(current)) {
1775	err = -ERESTARTSYS;	1778	err = -ERESTARTSYS;
1776	break;	1779	break;
1777	}	1780	}
		1781
		1782	/*
		1783	* We need to check if space became available already
		1784	* (and thus the wakeup happened already) first to close
		1785	* the race of space already having become available.
		1786	* This check must happen after been added to the waitqueue
		1787	* and having current state be INTERRUPTIBLE.
		1788	*/
		1789	if (is_playback)
		1790	avail = snd_pcm_playback_avail(runtime);
		1791	else
		1792	avail = snd_pcm_capture_avail(runtime);
		1793	if (avail >= runtime->twake)
		1794	break;
1778	snd_pcm_stream_unlock_irq(substream);	1795	snd_pcm_stream_unlock_irq(substream);
1779	tout = schedule_timeout_interruptible(wait_time);	1796
		1797	tout = schedule_timeout(wait_time);
		1798
1780	snd_pcm_stream_lock_irq(substream);	1799	snd_pcm_stream_lock_irq(substream);
		1800	set_current_state(TASK_INTERRUPTIBLE);
1781	switch (runtime->status->state) {	1801	switch (runtime->status->state) {
1782	case SNDRV_PCM_STATE_SUSPENDED:	1802	case SNDRV_PCM_STATE_SUSPENDED:
1783	err = -ESTRPIPE;	1803	err = -ESTRPIPE;
@@ -1803,14 +1823,9 @@ static int wait_for_avail(struct snd_pcm_substream *substream,
1803	err = -EIO;	1823	err = -EIO;
1804	break;	1824	break;
1805	}	1825	}
1806	if (is_playback)
1807	avail = snd_pcm_playback_avail(runtime);
1808	else
1809	avail = snd_pcm_capture_avail(runtime);
1810	if (avail >= runtime->twake)
1811	break;
1812	}	1826	}
1813	_endloop:	1827	_endloop:
		1828	set_current_state(TASK_RUNNING);
1814	remove_wait_queue(&runtime->tsleep, &wait);	1829	remove_wait_queue(&runtime->tsleep, &wait);
1815	*availp = avail;	1830	*availp = avail;
1816	return err;	1831	return err;