• Takashi Iwai's avatar
    ALSA: dummy: Implement timer backend switching more safely · ea9f9b4e
    Takashi Iwai authored
    commit ddce57a6 upstream.
    
    Currently the selected timer backend is referred at any moment from
    the running PCM callbacks.  When the backend is switched, it's
    possible to lead to inconsistency from the running backend.  This was
    pointed by syzkaller fuzzer, and the commit [7ee96216: ALSA:
    dummy: Disable switching timer backend via sysfs] disabled the dynamic
    switching for avoiding the crash.
    
    This patch improves the handling of timer backend switching.  It keeps
    the reference to the selected backend during the whole operation of an
    opened stream so that it won't be changed by other streams.
    
    Together with this change, the hrtimer parameter is reenabled as
    writable now.
    
    NOTE: this patch also turned out to fix the still remaining race.
    Namely, ops was still replaced dynamically at dummy_pcm_open:
    
      static int dummy_pcm_open(struct snd_pcm_substream *substream)
      {
      ....
              dummy->timer_ops = &dummy_systimer_ops;
              if (hrtimer)
                      dummy->timer_ops = &dummy_hrtimer_ops;
    
    Since dummy->timer_ops is common among all streams, and when the
    replacement happens during accesses of other streams, it may lead to a
    crash.  This was actually triggered by syzkaller fuzzer and KASAN.
    
    This patch rewrites the code not to use the ops shared by all streams
    any longer, too.
    
    BugLink: http://lkml.kernel.org/r/CACT4Y+aZ+xisrpuM6cOXbL21DuM0yVxPYXf4cD4Md9uw0C3dBQ@mail.gmail.comReported-by: default avatarDmitry Vyukov <dvyukov@google.com>
    Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
    Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
    ea9f9b4e
dummy.c 32.1 KB