ALSA: pcm - fix race condition in wait_for_avail()

wait_for_avail() in pcm_lib.c has a race in it (observed in practice by an Intel validation group). The function is supposed to return once space in the buffer has become available, or if some timeout happens. The entity that creates space (irq handler of sound driver and some such) will do a wake up on a waitqueue that this function registers for. However there are two races in the existing code 1) If space became available between the caller noticing there was no space and this function actually sleeping, the wakeup is missed and the timeout condition will happen instead 2) If a wakeup happened but not sufficient space became available, the code will loop again and wait for more space. However, if the second wake comes in prior to hitting the schedule_timeout_interruptible(), it will be missed, and potentially you'll wait out until the timeout happens. The fix consists of using more careful setting of the current state (so that if a wakeup happens in the main loop window, the schedule_timeout() falls through) and by checking for available space prior to going into the schedule_timeout() loop, but after being on the waitqueue and having the state set to interruptible. [tiwai: the following changes have been added to Arjan's original patch: - merged akpm's fix for waitqueue adding order into a single patch - reduction of duplicated code of avail check ] Signed-off-by: Arjan van de Ven <arjan@linux.intel.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Cc: <stable@kernel.org> Signed-off-by: Takashi Iwai <tiwai@suse.de>
author: Arjan van de Ven <arjan@infradead.org> 2011-09-15 02:49:25 -0400
committer: Takashi Iwai <tiwai@suse.de> 2011-09-15 03:03:16 -0400
commit: 763437a9e7737535b2fc72175ad4974048769be6 (patch)
tree: 53a1fdf8c411fda8678f3ffc73826d82b83c3e62 /sound
parent: 4038a12e7443b5fed3e526c475c38c115d9600f6 (diff)
1 files changed, 24 insertions, 9 deletions
diff --git a/sound/core/pcm_lib.c b/sound/core/pcm_lib.c
index 86d0caf91b35..62e90b862a0d 100644
--- a/sound/core/pcm_lib.c
+++ b/sound/core/pcm_lib.c
@@ -1761,6 +1761,10 @@ static int wait_for_avail(struct snd_pcm_substream *substream,
        snd_pcm_uframes_t avail = 0;
        long wait_time, tout;
+        init_waitqueue_entry(&wait, current);
+        set_current_state(TASK_INTERRUPTIBLE);
+        add_wait_queue(&runtime->tsleep, &wait);
        if (runtime->no_period_wakeup)
                wait_time = MAX_SCHEDULE_TIMEOUT;
        else {
@@ -1771,16 +1775,32 @@ static int wait_for_avail(struct snd_pcm_substream *substream,
                }
                wait_time = msecs_to_jiffies(wait_time * 1000);
        }
-        init_waitqueue_entry(&wait, current);
-        add_wait_queue(&runtime->tsleep, &wait);
        for (;;) {
                if (signal_pending(current)) {
                        err = -ERESTARTSYS;
                        break;
                }
+                /*
+                 * We need to check if space became available already
+                 * (and thus the wakeup happened already) first to close
+                 * the race of space already having become available.
+                 * This check must happen after been added to the waitqueue
+                 * and having current state be INTERRUPTIBLE.
+                 */
+                if (is_playback)
+                        avail = snd_pcm_playback_avail(runtime);
+                else
+                        avail = snd_pcm_capture_avail(runtime);
+                if (avail >= runtime->twake)
+                        break;
                snd_pcm_stream_unlock_irq(substream);
-                tout = schedule_timeout_interruptible(wait_time);
+                tout = schedule_timeout(wait_time);
                snd_pcm_stream_lock_irq(substream);
+                set_current_state(TASK_INTERRUPTIBLE);
                switch (runtime->status->state) {
                case SNDRV_PCM_STATE_SUSPENDED:
                        err = -ESTRPIPE;
@@ -1806,14 +1826,9 @@ static int wait_for_avail(struct snd_pcm_substream *substream,
                        err = -EIO;
                        break;
                }
-                if (is_playback)
-                        avail = snd_pcm_playback_avail(runtime);
-                else
-                        avail = snd_pcm_capture_avail(runtime);
-                if (avail >= runtime->twake)
-                        break;
        }
 _endloop:
+        set_current_state(TASK_RUNNING);
        remove_wait_queue(&runtime->tsleep, &wait);
        *availp = avail;
        return err;
author	Arjan van de Ven <arjan@infradead.org>	2011-09-15 02:49:25 -0400
committer	Takashi Iwai <tiwai@suse.de>	2011-09-15 03:03:16 -0400
commit	763437a9e7737535b2fc72175ad4974048769be6 (patch)
tree	53a1fdf8c411fda8678f3ffc73826d82b83c3e62 /sound
parent	4038a12e7443b5fed3e526c475c38c115d9600f6 (diff)

diff --git a/sound/core/pcm_lib.c b/sound/core/pcm_lib.c index 86d0caf91b35..62e90b862a0d 100644 --- a/sound/core/pcm_lib.c +++ b/sound/core/pcm_lib.c
@@ -1761,6 +1761,10 @@ static int wait_for_avail(struct snd_pcm_substream *substream,
1761	snd_pcm_uframes_t avail = 0;	1761	snd_pcm_uframes_t avail = 0;
1762	long wait_time, tout;	1762	long wait_time, tout;
1763		1763
		1764	init_waitqueue_entry(&wait, current);
		1765	set_current_state(TASK_INTERRUPTIBLE);
		1766	add_wait_queue(&runtime->tsleep, &wait);
		1767
1764	if (runtime->no_period_wakeup)	1768	if (runtime->no_period_wakeup)
1765	wait_time = MAX_SCHEDULE_TIMEOUT;	1769	wait_time = MAX_SCHEDULE_TIMEOUT;
1766	else {	1770	else {
@@ -1771,16 +1775,32 @@ static int wait_for_avail(struct snd_pcm_substream *substream,
1771	}	1775	}
1772	wait_time = msecs_to_jiffies(wait_time * 1000);	1776	wait_time = msecs_to_jiffies(wait_time * 1000);
1773	}	1777	}
1774	init_waitqueue_entry(&wait, current);	1778
1775	add_wait_queue(&runtime->tsleep, &wait);
1776	for (;;) {	1779	for (;;) {
1777	if (signal_pending(current)) {	1780	if (signal_pending(current)) {
1778	err = -ERESTARTSYS;	1781	err = -ERESTARTSYS;
1779	break;	1782	break;
1780	}	1783	}
		1784
		1785	/*
		1786	* We need to check if space became available already
		1787	* (and thus the wakeup happened already) first to close
		1788	* the race of space already having become available.
		1789	* This check must happen after been added to the waitqueue
		1790	* and having current state be INTERRUPTIBLE.
		1791	*/
		1792	if (is_playback)
		1793	avail = snd_pcm_playback_avail(runtime);
		1794	else
		1795	avail = snd_pcm_capture_avail(runtime);
		1796	if (avail >= runtime->twake)
		1797	break;
1781	snd_pcm_stream_unlock_irq(substream);	1798	snd_pcm_stream_unlock_irq(substream);
1782	tout = schedule_timeout_interruptible(wait_time);	1799
		1800	tout = schedule_timeout(wait_time);
		1801
1783	snd_pcm_stream_lock_irq(substream);	1802	snd_pcm_stream_lock_irq(substream);
		1803	set_current_state(TASK_INTERRUPTIBLE);
1784	switch (runtime->status->state) {	1804	switch (runtime->status->state) {
1785	case SNDRV_PCM_STATE_SUSPENDED:	1805	case SNDRV_PCM_STATE_SUSPENDED:
1786	err = -ESTRPIPE;	1806	err = -ESTRPIPE;
@@ -1806,14 +1826,9 @@ static int wait_for_avail(struct snd_pcm_substream *substream,
1806	err = -EIO;	1826	err = -EIO;
1807	break;	1827	break;
1808	}	1828	}
1809	if (is_playback)
1810	avail = snd_pcm_playback_avail(runtime);
1811	else
1812	avail = snd_pcm_capture_avail(runtime);
1813	if (avail >= runtime->twake)
1814	break;
1815	}	1829	}
1816	_endloop:	1830	_endloop:
		1831	set_current_state(TASK_RUNNING);
1817	remove_wait_queue(&runtime->tsleep, &wait);	1832	remove_wait_queue(&runtime->tsleep, &wait);
1818	*availp = avail;	1833	*availp = avail;
1819	return err;	1834	return err;