
On 03 Dec 2020 07:33:03 +0900, Kuninori Morimoto wrote:
> Hi Gyeongtaek
> 
> Thank you for your patch.
> 
> > If stop by underrun and DPCM BE disconnection is run simultaneously, a data abort can occur through the sequence below.
> > 
> >   /* In core X, running dpcm_be_dai_trigger() */
> >   for_each_dpcm_be(fe, stream, dpcm) {
> >                   /* In core Y, running dpcm_be_disconnect() */
> >                   spin_lock_irqsave(&fe->card->dpcm_lock, flags);
> >                   list_del(&dpcm->list_be);
> >                   list_del(&dpcm->list_fe);
> >                   spin_unlock_irqrestore(&fe->card->dpcm_lock, flags);
> >                   kfree(dpcm);
> >           /* In core X, running dpcm_be_dai_trigger() */
> >           struct snd_soc_pcm_runtime *be = dpcm->be;   <== Accessing freed memory
> 
> It is easy to read/understand if this code has alignment.
> 
> > To prevent this situation, dpcm_lock should be acquired during iteration of the dpcm list in dpcm_do_trigger().
> > 
> > Signed-off-by: Gyeongtaek Lee <gt82.lee@samsung.com>
> > Cc: stable@vger.kernel.org
> 
> Is this a bugfix patch for some recent commit? If so, having a Fixes: tag is helpful.
> 
> Thank you for your help!!

Thank you for your review. I'll resend the patch as v2 after fixing it according to your review comments.

Thanks again.
Gyeongtaek Lee

> Best regards
> Kuninori Morimoto
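The race described in the commit message, modelled in user space as an added example (this is not code from the kernel or from this patch): the toy_spinlock_t, the struct layouts and the function bodies are assumptions standing in for dpcm_lock, struct dpcm and the real soc-pcm.c functions. The point it demonstrates is that dpcm_do_trigger() holds the same lock across the whole list walk that dpcm_be_disconnect() takes around list_del()/kfree(), so the read of dpcm->be can never land on freed memory.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdlib.h>
/* Toy spinlock standing in for the kernel spinlock behind card->dpcm_lock. */
typedef atomic_flag toy_spinlock_t;
static void toy_lock(toy_spinlock_t *l) { while (atomic_flag_test_and_set_explicit(l, memory_order_acquire)) {} }
static void toy_unlock(toy_spinlock_t *l) { atomic_flag_clear_explicit(l, memory_order_release); }

/* Hypothetical user-space stand-ins for the structs named in the patch. */
struct dpcm { int be_id; struct dpcm *next; };                 /* dpcm->be, list_be */
struct fe { toy_spinlock_t dpcm_lock; struct dpcm *be_list; }; /* fe->card->dpcm_lock */

/* Models dpcm_be_connect(): link a BE to the FE under dpcm_lock. */
static void dpcm_be_connect(struct fe *fe, int be_id)
{
    struct dpcm *d = malloc(sizeof *d);
    if (!d) return;
    d->be_id = be_id;
    toy_lock(&fe->dpcm_lock);
    d->next = fe->be_list;
    fe->be_list = d;
    toy_unlock(&fe->dpcm_lock);
}

/* Models dpcm_be_disconnect(): list_del() and kfree() under dpcm_lock. */
static bool dpcm_be_disconnect(struct fe *fe, int be_id)
{
    bool found = false;
    toy_lock(&fe->dpcm_lock);
    for (struct dpcm **pp = &fe->be_list; *pp; pp = &(*pp)->next) {
        if ((*pp)->be_id == be_id) {
            struct dpcm *victim = *pp;
            *pp = victim->next;
            free(victim);
            found = true;
            break;
        }
    }
    toy_unlock(&fe->dpcm_lock);
    return found;
}

/* Models the patched dpcm_do_trigger(): the whole for_each_dpcm_be() walk, including the
 * read of dpcm->be, runs under dpcm_lock, so a concurrent disconnect cannot free a node mid-walk. */
static int dpcm_do_trigger(struct fe *fe)
{
    int triggered = 0;
    toy_lock(&fe->dpcm_lock);
    for (struct dpcm *d = fe->be_list; d; d = d->next)
        if (d->be_id >= 0) triggered++;   /* the dpcm->be read that raced with kfree() */
    toy_unlock(&fe->dpcm_lock);
    return triggered;
}
```

Because the kernel takes dpcm_lock with spin_lock_irqsave(), nothing called from inside the walk may sleep; the toy lock above carries the same restriction in spirit.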