Received: by 2002:a25:8b91:0:0:0:0:0 with SMTP id j17csp2073771ybl;
        Sat, 11 Jan 2020 08:32:47 -0800 (PST)
X-Google-Smtp-Source: APXvYqwyG7X/AJ8gK0DZUCLpF8mX+K4Y5osxGejRHgo7sS7fJLcc+99N4sHIOWwYOUvglvNoFE99
X-Received: by 2002:a9d:65da:: with SMTP id z26mr7317754oth.197.1578760367075;
        Sat, 11 Jan 2020 08:32:47 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1578760367; cv=none;
        d=google.com; s=arc-20160816;
        b=rAnSxEyc6diVTXlfeK8z/pLOGbEkNi+8fedfTn/ACrt7fT6n7xrIGlfFCZlO3gvvyK
         ROMM1mzpPrab3udrhWCfAah0oj1Hj7fKfIT5JobOt8wjxetx1pYwg98bC6G89oOH9dP7
         BmmrRx3zkRwHSm+FvgNMEhSQe2C15z8Pi30zdpUUPQoCxO+QLc8KmQe3QbJGalYp1qmc
         BEm1OYZlYXk9hyeYHY/d5cmGY6PuF1KB9hMBwbasYfQRup1DGw3gC0A5018ARylRUF8Y
         wO8sa+/WSkDzw63IfYqBwLECjnrrTSDtgOvAoIO5iCR6bl0hMEmP7ahZ8sHdl+i+slmy
         vhSg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:message-id:date:subject:cc:to:from
         :dkim-signature;
        bh=f1vRmHhrV08XFgVnUDwocso32DPdXB96AAdJZ+4F8qM=;
        b=pAc2Rc2GZCzKJ8DD/t3kuSm/un6u6PUpFbJDDTshwHyguBRNcp10lmxptsaU84vdbI
         qVYizJCw0MIEDmp+jFktxPcMAV78BKVxA88nkWV8GGurIUcX1bluGG8zI9NKa8JiTk+g
         5nKWpuQ6S2bB03ryOuWg6kc364FQukxdqGuxAoLEUBgZFGbYIsJL5N/Hs4s23J6PIoKo
         5DpauXf8fA8l98bV4fx8i5rka006oBaH3tH8GeObPafuzcHwpiBenkuQ9rOnhWRbm2DF
         ajw4d2rddD+2i1JWQxETUqdMi2rJ9/dYKheFjT8onQzs15YDwFMSYFCCT5wVg0gnwsZe
         hc3Q==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=ppTqZL0k;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id z1si3953872otm.242.2020.01.11.08.32.35;
        Sat, 11 Jan 2020 08:32:47 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=ppTqZL0k;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1730337AbgAKQbm (ORCPT <rfc822;lxz1983@gmail.com> + 99 others);
        Sat, 11 Jan 2020 11:31:42 -0500
Received: from mail-pf1-f195.google.com ([209.85.210.195]:45048 "EHLO
        mail-pf1-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1729957AbgAKQbl (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Sat, 11 Jan 2020 11:31:41 -0500
Received: by mail-pf1-f195.google.com with SMTP id 195so2669700pfw.11
        for <linux-kernel@vger.kernel.org>; Sat, 11 Jan 2020 08:31:41 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=from:to:cc:subject:date:message-id;
        bh=f1vRmHhrV08XFgVnUDwocso32DPdXB96AAdJZ+4F8qM=;
        b=ppTqZL0kzWaBSg6qpBFaHk1o9lIXhnNlrcYC+nmG75Ay95+W/DGgXe+6spz5sj3n+R
         CcwFdOpG/Bd0mZrgYn+M+cj95xnecldiD943L5eyPwx3Oq60xqdhJO8Xyu9khyN0dLNQ
         ZJR4mvMJljAKDVZo+zTcGhhsourgZBxuByW0gJwV14P3k6kUOkmyie4IYbw8qR2czVXU
         VFbUNcnZKQ+3r0fgDO/x9IekbuiwP9tFtqQUfS47CzErUCPL1t0dcpG7M/o0s+nvhP90
         01HyYpaHxnvh/h2RBBuc8l34v2t9KFNOrPXk5FvunhaLJrI0JwVfP3OXUXhIZdf8LLie
         BQwg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:from:to:cc:subject:date:message-id;
        bh=f1vRmHhrV08XFgVnUDwocso32DPdXB96AAdJZ+4F8qM=;
        b=a1ZFs4Tsv5f2M52foVQezW03fW2TgGaY+tDPK8bA1qFd1+HmhJNJ57edWNjfEOrjC2
         6C5+bRRMHMI5fYmhVnMV0mN41N8u2c6cKFSG2HL6M7AKewRYIBVMA8iVnr7QD0m236gy
         89wgsveiEITJXmLjogqrsBtf8XtOJUIbBkIvptH12tm8AVstvXUCYmVxF7WGPsq/NuSi
         VbFySW0f+EzCm0jBM1S2KvUC+TfB2d3gjKquBVn80mGlJHny3ySr6GRbNZdRTN9BMiwK
         TSmTkettWsEEiPTLB6nrpblitS5MHZ/xbCH4lq1iJsQEjgh/dPiOW0KKoo2HUI+7grf4
         ZrQA==
X-Gm-Message-State: APjAAAXd4vVwVTJMXJbYEAcuX9XWkNYsHDu5qmuJNXslR60gKqDErClI
        aWCQnIRxma87ry7WbSXVNpY=
X-Received: by 2002:a63:6ac1:: with SMTP id f184mr11698153pgc.133.1578760301054;
        Sat, 11 Jan 2020 08:31:41 -0800 (PST)
Received: from oslab.tsinghua.edu.cn ([166.111.139.172])
        by smtp.gmail.com with ESMTPSA id b65sm7347072pgc.18.2020.01.11.08.31.34
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Sat, 11 Jan 2020 08:31:40 -0800 (PST)
From:   Jia-Ju Bai <baijiaju1990@gmail.com>
To:     perex@perex.cz, tiwai@suse.com, rfontana@redhat.com,
        tglx@linutronix.de, allison@lohutok.net
Cc:     alsa-devel@alsa-project.org, linux-kernel@vger.kernel.org,
        Jia-Ju Bai <baijiaju1990@gmail.com>
Subject: [PATCH] ALSA: cmipci: Fix possible a data race in snd_cmipci_interrupt()
Date:   Sun, 12 Jan 2020 00:30:27 +0800
Message-Id: <20200111163027.27135-1-baijiaju1990@gmail.com>
X-Mailer: git-send-email 2.17.1
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

The functions snd_cmipci_interrupt() and snd_cmipci_capture_trigger()
may be concurrently executed.

The function snd_cmipci_capture_trigger() calls
snd_cmipci_pcm_trigger(). In snd_cmipci_pcm_trigger(), the variable
rec->running is written with holding a spinlock cm->reg_lock. But in
snd_cmipci_interrupt(), the identical variable cm->channel[0].running
or cm->channel[1].running is read without holding this spinlock. Thus,
a possible data race may occur.

To fix this data race, in snd_cmipci_interrupt(), the variables
cm->channel[0].running and cm->channel[1].running are read with holding 
the spinlock cm->reg_lock.

This data race is found by the runtime testing of our tool DILP-2.

Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
---
 sound/pci/cmipci.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/sound/pci/cmipci.c b/sound/pci/cmipci.c
index dd9d62e2b633..f791152ec48f 100644
--- a/sound/pci/cmipci.c
+++ b/sound/pci/cmipci.c
@@ -1430,7 +1430,7 @@ static int snd_cmipci_capture_spdif_hw_free(struct snd_pcm_substream *subs)
 static irqreturn_t snd_cmipci_interrupt(int irq, void *dev_id)
 {
 	struct cmipci *cm = dev_id;
-	unsigned int status, mask = 0;
+	unsigned int run_flag0, run_flag1, status, mask = 0;
 	
 	/* fastpath out, to ease interrupt sharing */
 	status = snd_cmipci_read(cm, CM_REG_INT_STATUS);
@@ -1445,15 +1445,17 @@ static irqreturn_t snd_cmipci_interrupt(int irq, void *dev_id)
 		mask |= CM_CH1_INT_EN;
 	snd_cmipci_clear_bit(cm, CM_REG_INT_HLDCLR, mask);
 	snd_cmipci_set_bit(cm, CM_REG_INT_HLDCLR, mask);
+	run_flag0 = cm->channel[0].running;
+	run_flag1 = cm->channel[1].running;
 	spin_unlock(&cm->reg_lock);
 
 	if (cm->rmidi && (status & CM_UARTINT))
 		snd_mpu401_uart_interrupt(irq, cm->rmidi->private_data);
 
 	if (cm->pcm) {
-		if ((status & CM_CHINT0) && cm->channel[0].running)
+		if ((status & CM_CHINT0) && run_flag0)
 			snd_pcm_period_elapsed(cm->channel[0].substream);
-		if ((status & CM_CHINT1) && cm->channel[1].running)
+		if ((status & CM_CHINT1) && run_flag1)
 			snd_pcm_period_elapsed(cm->channel[1].substream);
 	}
 	return IRQ_HANDLED;
-- 
2.17.1