2004-01-05 17:29:02

by Christian Borntraeger

Subject: 2.6: spinlock bug in sound/oss/dmabuf.c

Hi all,

I think I found a bug in sound/oss/dmabuf.c

DMAbuf_getrdbuffer holds a spinlock and possibly calls dma_reset_input. The
dma_reset_input tries to hold that spinlock again:

int DMAbuf_getrdbuffer(int dev, char **buf, int *len, int dontblock)
{
	struct audio_operations *adev = audio_devs[dev];
	unsigned long flags;
	int err = 0, n = 0;
	struct dma_buffparms *dmap = adev->dmap_in;
[...]
	spin_lock_irqsave(&dmap->lock,flags);
	if (!timeout) {
		/* FIXME: include device name */
		err = -EIO;
		printk(KERN_WARNING "Sound: DMA (input) timed out..
		dma_reset_input(dev);
[...]


static void dma_reset_input(int dev)
{
	struct audio_operations *adev = audio_devs[dev];
	unsigned long flags;
	struct dma_buffparms *dmap = adev->dmap_in;

	spin_lock_irqsave(&dmap->lock,flags);


Any opinions?

cheers

Christian
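
The double acquire reported above, as an added user-space model that is not part of the original message and is not kernel code. The names dbg_lock, reset_input, timeout_path_reported and timeout_path_reordered are hypothetical; the lock counts a second acquire by its holder where a real non-recursive spinlock would spin forever.

```c
#include <stdio.h>

/* Constructed model of a non-recursive lock that records a re-acquire. */
struct dbg_lock { int held; int double_acquire; };

static void lock(struct dbg_lock *l)
{
	if (l->held)
		l->double_acquire++;	/* a real spinlock would never return */
	l->held = 1;
}

static void unlock(struct dbg_lock *l) { l->held = 0; }

/* Stands in for dma_reset_input: it takes the buffer lock itself. */
static void reset_input(struct dbg_lock *l)
{
	lock(l);
	/* ... buffer state would be reset here ... */
	unlock(l);
}

/* Timeout path as reported: lock re-taken after the sleep, then reset. */
static int timeout_path_reported(struct dbg_lock *l)
{
	lock(l);
	unlock(l);		/* dropped around the sleep */
	lock(l);		/* re-taken before the timeout check */
	reset_input(l);		/* second acquire by the same holder */
	unlock(l);
	return l->double_acquire;
}

/* Same path with the reset called while the lock is released. */
static int timeout_path_reordered(struct dbg_lock *l)
{
	lock(l);
	unlock(l);		/* dropped around the sleep */
	reset_input(l);		/* the callee takes and drops the lock itself */
	lock(l);		/* re-taken for the caller's final unlock */
	unlock(l);
	return l->double_acquire;
}

int main(void)
{
	struct dbg_lock a = {0, 0}, b = {0, 0};
	printf("reported:  %d double acquire(s)\n", timeout_path_reported(&a));
	printf("reordered: %d double acquire(s)\n", timeout_path_reordered(&b));
	return 0;
}
```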


2004-01-06 04:03:55

by Andrew Morton

Subject: Re: 2.6: spinlock bug in sound/oss/dmabuf.c

Christian Borntraeger <[email protected]> wrote:
>
> I think I found a bug in sound/oss/dmabuf.c
>
> DMAbuf_getrdbuffer holds a spinlock and possibly calls dma_reset_input. The
> dma_reset_input tries to hold that spinlock again:

yup, thanks.

diff -puN sound/oss/dmabuf.c~oss-dmabuf-deadlock-fix sound/oss/dmabuf.c
--- 25/sound/oss/dmabuf.c~oss-dmabuf-deadlock-fix 2004-01-05 20:02:05.000000000 -0800
+++ 25-akpm/sound/oss/dmabuf.c 2004-01-05 20:02:19.000000000 -0800
@@ -587,7 +587,6 @@ int DMAbuf_getrdbuffer(int dev, char **b
spin_unlock_irqrestore(&dmap->lock,flags);
timeout = interruptible_sleep_on_timeout(&adev->in_sleeper,
timeout);
- spin_lock_irqsave(&dmap->lock,flags);
if (!timeout) {
/* FIXME: include device name */
err = -EIO;
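Review bot: the dma_reset_input(dev) call in the `if (!timeout)` branch needs a comment saying it must be made with dmap->lock released, because per the report dma_reset_input takes dmap->lock itself. With the spin_lock_irqsave after interruptible_sleep_on_timeout gone, nothing in the code tells the next editor why this branch runs unlocked, and putting the lock back here would reintroduce the self-deadlock.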
@@ -595,6 +594,7 @@ int DMAbuf_getrdbuffer(int dev, char **b
dma_reset_input(dev);
} else
err = -EINTR;
+ spin_lock_irqsave(&dmap->lock,flags);
}
spin_unlock_irqrestore(&dmap->lock,flags);
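Review bot: the added spin_lock_irqsave just before the closing brace is followed directly by spin_unlock_irqrestore in the visible context, so on this path the lock is re-taken only to be dropped again. If its purpose is to keep the lock balanced for that shared unlock, a one-line comment saying so would help. Also note that both the -EIO and -EINTR assignments to err now happen without the lock, which is fine only while err remains a local variable.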


_