Date: Mon, 26 Jun 2023 09:08:54 +0200
Message-ID: <877crqwvi1.wl-tiwai@suse.de>
From: Takashi Iwai
To: Tuo Li
Cc: perex@perex.cz, tiwai@suse.com, alsa-devel@alsa-project.org, Linux Kernel, baijiaju1990@outlook.com
Subject: Re: [BUG] ALSA: core: pcm_memory: a possible data race in do_alloc_pages()
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, 26 Jun 2023 05:42:29 +0200,
Tuo Li wrote:
>
> Hello,
>
> Our static analysis tool finds a possible data race in ALSA in Linux 6.4.0.
>
> In some functions, the field snd_card.total_pcm_alloc_bytes is accessed
> with holding the lock snd_card.memory_mutex. Here is an example:
>
>   do_free_pages() --> Line 57
>     mutex_lock(&card->memory_mutex); --> Line 61 (Lock card->memory_mutex)
>     card->total_pcm_alloc_bytes -= dmab->bytes; --> Line 63 (Access card->total_pcm_alloc_bytes)
>
> However, in the function do_alloc_pages():
>
>   if (max_alloc_per_card &&
>     card->total_pcm_alloc_bytes + size > max_alloc_per_card) --> Line 41
>
> the variable card->total_pcm_alloc_bytes is accessed without holding
> the lock card->memory_mutex, and thus a data race can occur.
>
> In my opinion, this data race may be harmful, because the value of
> card->total_pcm_alloc_bytes may be changed by another thread after
> the if check. Therefore, its value may be too large after Line 51 and can
> cause memory bugs such as buffer overflow:
>
>   card->total_pcm_alloc_bytes += dmab->bytes; --> Line 51
>
> I am not quite sure whether this possible data race is real and how to
> fix it if it is real.
>
> Any feedback would be appreciated, thanks!
>
> Reported-by: BassCheck

It's a bit racy indeed, but the effect is almost negligible. The size
check there is merely a sanity check, and allocating more bytes
doesn't mean to conflict against anything practically.

That said, it's a better-to-be-addressed bug, but nothing too
serious.

thanks,

Takashi
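
The check-then-update window discussed in this thread, as an added example that is not part of either message and is not kernel code: a userspace model that replays one interleaving of the unlocked limit check, next to a variant that checks and reserves inside one critical section. The struct layout, the 32 KiB limit, and the helper names unlocked_check(), locked_account(), reserve(), replay_racy() and replay_reserved() are assumptions made for illustration.

```c
#include <pthread.h>
#include <stdio.h>

/* Userspace model of the accounting in the report; not kernel source. */
struct card {
    pthread_mutex_t memory_mutex;
    size_t total_pcm_alloc_bytes;
};
static const size_t max_alloc_per_card = 32 * 1024; /* constructed limit */

/* Reported pattern, step 1: the limit check runs without memory_mutex. */
static int unlocked_check(const struct card *c, size_t size) {
    return c->total_pcm_alloc_bytes + size <= max_alloc_per_card;
}
/* Reported pattern, step 2: the counter update runs under the lock. */
static void locked_account(struct card *c, size_t bytes) {
    pthread_mutex_lock(&c->memory_mutex);
    c->total_pcm_alloc_bytes += bytes;
    pthread_mutex_unlock(&c->memory_mutex);
}
/* Replay one interleaving: A checks, B checks, A accounts, B accounts. */
static size_t replay_racy(size_t size) {
    struct card c = { PTHREAD_MUTEX_INITIALIZER, 0 };
    int a_ok = unlocked_check(&c, size);
    int b_ok = unlocked_check(&c, size); /* B still sees the old total */
    if (a_ok) locked_account(&c, size);
    if (b_ok) locked_account(&c, size);
    return c.total_pcm_alloc_bytes;
}
/* Check and reservation in one critical section; returns 0 on success. */
static int reserve(struct card *c, size_t size) {
    int ret = -1;
    pthread_mutex_lock(&c->memory_mutex);
    if (c->total_pcm_alloc_bytes + size <= max_alloc_per_card) {
        c->total_pcm_alloc_bytes += size;
        ret = 0;
    }
    pthread_mutex_unlock(&c->memory_mutex);
    return ret;
}
/* Same two callers, but each check is atomic with its update. */
static size_t replay_reserved(size_t size) {
    struct card c = { PTHREAD_MUTEX_INITIALIZER, 0 };
    reserve(&c, size); /* A fits under the limit */
    reserve(&c, size); /* B is refused: the total already includes A */
    return c.total_pcm_alloc_bytes;
}
int main(void) {
    printf("racy=%zu reserved=%zu limit=%zu\n", replay_racy(24 * 1024),
           replay_reserved(24 * 1024), max_alloc_per_card);
    return 0;
}
```

With reserve-before-allocate accounting, a caller whose allocation then fails has to subtract its reservation again under the same mutex.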