[alsa-devel] [PATCH] pcm: Fix shm initialization race-condition

Takashi Iwai tiwai at suse.de
Mon Aug 22 17:11:09 CEST 2016 

On Mon, 22 Aug 2016 17:02:41 +0200,
Ismael Luceno wrote:
> 
> On 22/Ago/2016 11:26, Takashi Iwai wrote:
> > On Sun, 14 Aug 2016 02:28:52 +0200,
> > Ismael Luceno wrote:
> > > 
> > > Easily seen when two threads try at the same time, one of them will fail.
> > > 
> > > The bug was identified by using apulse with Skype.
> > > 
> > > Fixes: dec428c35221 ("pcm: fix 'unable to create IPC shm instance' caused by fork from a thread")
> > > Fixes: https://github.com/i-rinat/apulse/issues/38
> > > Signed-off-by: Ismael Luceno <ismael at iodev.co.uk>
> > > ---
> > >  src/pcm/pcm_direct.c | 2 ++
> > >  1 file changed, 2 insertions(+)
> > > 
> > > diff --git a/src/pcm/pcm_direct.c b/src/pcm/pcm_direct.c
> > > index c3925cc20fd3..b5215ba35406 100644
> > > --- a/src/pcm/pcm_direct.c
> > > +++ b/src/pcm/pcm_direct.c
> > > @@ -101,6 +101,8 @@ retryget:
> > >  		if ((dmix->shmid = shmget(dmix->ipc_key, sizeof(snd_pcm_direct_share_t),
> > >  					     IPC_CREAT | IPC_EXCL | dmix->ipc_perm)) != -1)
> > >  			first_instance = 1;
> > > +		if (dmix->shmid < 0 && errno == EEXIST)
> > > +			goto retryget;
> > 
> > Hrm, but this would result in an endless loop if the shm was already
> > taken persistently.
> 
> If so, shouldn't the first call to shmget succeed?
> 
> To me it seems very unlikely that both calls continuosly fail.

Well, you are inserting a loop at the code below:

retryget:
        dmix->shmid = shmget(dmix->ipc_key, sizeof(snd_pcm_direct_share_t),
                             dmix->ipc_perm);
        if (dmix->shmid < 0) {
                if (errno == ENOENT)
                if ((dmix->shmid = shmget(dmix->ipc_key, sizeof(snd_pcm_direct_share_t),
                                             IPC_CREAT | IPC_EXCL | dmix->ipc_perm)) != -1)
                        first_instance = 1;
==>		if (dmix->shmid < 0 && errno == EEXIST)
==>			goto retryget;
        }


It's in the if block when the first shmget() fails.  If there was
already a shm with the given id that had been assigned by another (not
necessarily by alsa-lib but by whatever program), the first shmget
returns an error with EEXIST.  Then it goes back again in a loop; and
it can be endless if another program doesn't release the shm.

> > Also, which call does give a negative shmid, actually?  It's from the
> > first shmget() or the second shmget()?
> 
> What happens is that both threads go down that path but, of course,
> only one succeeds in the second shmget call.

This should have been protected by a sempahore beforehand.
And if it's about threads, the application itself has to take care of
the race.  alsa-lib is no thread-safe, after all.

So, did you see the issue with multiple processes, or is it about the
multi-threads?


Takashi

More information about the Alsa-devel mailing list