• Alexey Khoroshilov's avatar
    sound/oss: fix deadlock in sequencer_ioctl(SNDCTL_SEQ_OUTOFBAND) · 498a61ea
    Alexey Khoroshilov authored
    [ Upstream commit bc26d4d0 ]
    
    A deadlock can be initiated by userspace via ioctl(SNDCTL_SEQ_OUTOFBAND)
    on /dev/sequencer with TMR_ECHO midi event.
    
    In this case the control flow is:
    sound_ioctl()
    -> case SND_DEV_SEQ:
       case SND_DEV_SEQ2:
         sequencer_ioctl()
         -> case SNDCTL_SEQ_OUTOFBAND:
              spin_lock_irqsave(&lock,flags);
              play_event();
              -> case EV_TIMING:
                   seq_timing_event()
                   -> case TMR_ECHO:
                        seq_copy_to_input()
                        -> spin_lock_irqsave(&lock,flags);
    
    It seems that spin_lock_irqsave() around play_event() is not necessary,
    because the only other call location in seq_startplay() makes the call
    without acquiring spinlock.
    
    So, the patch just removes spinlocks around play_event().
    By the way, it removes unreachable code in seq_timing_event(),
    since (seq_mode == SEQ_2) case is handled in the beginning.
    
    Compile tested only.
    
    Found by Linux Driver Verification project (linuxtesting.org).
    Signed-off-by: default avatarAlexey Khoroshilov <khoroshilov@ispras.ru>
    Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
    Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
    498a61ea
sequencer.c 33.4 KB