diff options
| author | Alexey Khoroshilov <khoroshilov@ispras.ru> | 2015-04-17 19:53:25 -0400 |
|---|---|---|
| committer | Takashi Iwai <tiwai@suse.de> | 2015-04-18 03:05:55 -0400 |
| commit | bc26d4d06e337ade069f33d3f4377593b24e6e36 (patch) | |
| tree | f575da72a0288b57034db2c091cc67bfed7c0982 /sound | |
| parent | 43c499dc2778b96e21ed14e1a71e7b117a0b406f (diff) | |
sound/oss: fix deadlock in sequencer_ioctl(SNDCTL_SEQ_OUTOFBAND)
A deadlock can be initiated by userspace via ioctl(SNDCTL_SEQ_OUTOFBAND)
on /dev/sequencer with TMR_ECHO midi event.
In this case the control flow is:
sound_ioctl()
-> case SND_DEV_SEQ:
case SND_DEV_SEQ2:
sequencer_ioctl()
-> case SNDCTL_SEQ_OUTOFBAND:
spin_lock_irqsave(&lock,flags);
play_event();
-> case EV_TIMING:
seq_timing_event()
-> case TMR_ECHO:
seq_copy_to_input()
-> spin_lock_irqsave(&lock,flags);
It seems that spin_lock_irqsave() around play_event() is not necessary,
because the only other call location in seq_startplay() makes the call
without acquiring spinlock.
So, the patch just removes spinlocks around play_event().
By the way, it removes unreachable code in seq_timing_event(),
since (seq_mode == SEQ_2) case is handled in the beginning.
Compile tested only.
Found by Linux Driver Verification project (linuxtesting.org).
Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Diffstat (limited to 'sound')
| -rw-r--r-- | sound/oss/sequencer.c | 12 |
1 files changed, 2 insertions, 10 deletions
diff --git a/sound/oss/sequencer.c b/sound/oss/sequencer.c index c0eea1dfe90f..f19da4b47c1d 100644 --- a/sound/oss/sequencer.c +++ b/sound/oss/sequencer.c | |||
| @@ -681,13 +681,8 @@ static int seq_timing_event(unsigned char *event_rec) | |||
| 681 | break; | 681 | break; |
| 682 | 682 | ||
| 683 | case TMR_ECHO: | 683 | case TMR_ECHO: |
| 684 | if (seq_mode == SEQ_2) | 684 | parm = (parm << 8 | SEQ_ECHO); |
| 685 | seq_copy_to_input(event_rec, 8); | 685 | seq_copy_to_input((unsigned char *) &parm, 4); |
| 686 | else | ||
| 687 | { | ||
| 688 | parm = (parm << 8 | SEQ_ECHO); | ||
| 689 | seq_copy_to_input((unsigned char *) &parm, 4); | ||
| 690 | } | ||
| 691 | break; | 686 | break; |
| 692 | 687 | ||
| 693 | default:; | 688 | default:; |
| @@ -1324,7 +1319,6 @@ int sequencer_ioctl(int dev, struct file *file, unsigned int cmd, void __user *a | |||
| 1324 | int mode = translate_mode(file); | 1319 | int mode = translate_mode(file); |
| 1325 | struct synth_info inf; | 1320 | struct synth_info inf; |
| 1326 | struct seq_event_rec event_rec; | 1321 | struct seq_event_rec event_rec; |
| 1327 | unsigned long flags; | ||
| 1328 | int __user *p = arg; | 1322 | int __user *p = arg; |
| 1329 | 1323 | ||
| 1330 | orig_dev = dev = dev >> 4; | 1324 | orig_dev = dev = dev >> 4; |
| @@ -1479,9 +1473,7 @@ int sequencer_ioctl(int dev, struct file *file, unsigned int cmd, void __user *a | |||
| 1479 | case SNDCTL_SEQ_OUTOFBAND: | 1473 | case SNDCTL_SEQ_OUTOFBAND: |
| 1480 | if (copy_from_user(&event_rec, arg, sizeof(event_rec))) | 1474 | if (copy_from_user(&event_rec, arg, sizeof(event_rec))) |
| 1481 | return -EFAULT; | 1475 | return -EFAULT; |
| 1482 | spin_lock_irqsave(&lock,flags); | ||
| 1483 | play_event(event_rec.arr); | 1476 | play_event(event_rec.arr); |
| 1484 | spin_unlock_irqrestore(&lock,flags); | ||
| 1485 | return 0; | 1477 | return 0; |
| 1486 | 1478 | ||
| 1487 | case SNDCTL_MIDI_INFO: | 1479 | case SNDCTL_MIDI_INFO: |