ALSA: hda: hdac_stream: fix potential locking issue in snd_hdac_stream_assign()

BugLink: https://bugs.launchpad.net/bugs/1954834
commit 1465d06a6d8580e73ae65f8590392df58c5ed2fd upstream.

The fields 'opened', 'running', 'assigned_key' are all protected by a
spinlock, but the spinlock is not taken when looking for a
stream. This can result in a possible race between assign() and
release().

Fix by taking the spinlock before walking through the bus stream list.

Signed-off-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
Link: https://lore.kernel.org/r/20210924192417.169243-2-pierre-louis.bossart@linux.intel.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Cc: Scott Bruce <smbruce@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>

diff --git a/sound/hda/hdac_stream.c b/sound/hda/hdac_stream.c
index 682ed39f79b015a3982b6e149ff3bf1c0d3632b6..b299b8b7f871a3ba7eb00cb003a71f329871f1c8 100644 (file)
--- a/sound/hda/hdac_stream.c
+++ b/sound/hda/hdac_stream.c
@@ -289,6 +289,7 @@ struct hdac_stream *snd_hdac_stream_assign(struct hdac_bus *bus,
        int key = (substream->pcm->device << 16) | (substream->number << 2) |
                (substream->stream + 1);
 
+       spin_lock_irq(&bus->reg_lock);
        list_for_each_entry(azx_dev, &bus->stream_list, list) {
                if (azx_dev->direction != substream->stream)
                        continue;
@@ -302,13 +303,12 @@ struct hdac_stream *snd_hdac_stream_assign(struct hdac_bus *bus,
                        res = azx_dev;
        }
        if (res) {
-               spin_lock_irq(&bus->reg_lock);
                res->opened = 1;
                res->running = 0;
                res->assigned_key = key;
                res->substream = substream;
-               spin_unlock_irq(&bus->reg_lock);
        }
+       spin_unlock_irq(&bus->reg_lock);
        return res;
 }
 EXPORT_SYMBOL_GPL(snd_hdac_stream_assign);