On 10/20/2015 01:17 PM, Takashi Iwai wrote:
> On Tue, 20 Oct 2015 11:46:31 +0200, Lars-Peter Clausen wrote:
>> Use the new dmaengine_synchronize() function to make sure that all complete callbacks have finished running before the runtime data, which is accessed in the complete callback, is freed.
>> This fixes a long-standing use-after-free race condition that has been observed on some systems.
>
> What if a substream is restarted immediately after the stop?
What can happen is that you get a complete callback and the associated snd_pcm_period_elapsed() too early, before the period has actually elapsed, but I don't think that this is a problem if the DMA driver properly implements residue reporting.
This fails if we rely on period counting, but that is broken anyway and already prone to other race conditions.
I've tested this series with xrun injection and some modifications to the DMA driver to always trigger the race condition when the stream is stopped. And I've not seen any issues after the transfer restarted. (There is a deadlock condition, though, but that does not seem to be related to this series.)
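The race the commit message above describes, as an added userspace C model (constructed here, not code from the patch or from the kernel's dmaengine or ALSA code): a DMA engine thread runs the complete callback, which dereferences the runtime data, while the close path frees that data. synchronize() stands in for dmaengine_synchronize(); the engine thread, the usleep() delays and the uaf counter are assumptions of the model, chosen so the unsynchronized close path reliably shows the use-after-free.

```c
#include <pthread.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <unistd.h>

struct pcm_rt { atomic_bool freed; int elapsed; };   /* PCM runtime data */
struct chan {                      /* one DMA channel plus callback state */
    atomic_bool started, in_flight;
    struct pcm_rt *rt;
    int uaf;                       /* callbacks that ran after rt was freed */
};

static void *engine(void *arg)     /* DMA engine thread: runs the complete cb */
{
    struct chan *c = arg;
    atomic_store(&c->in_flight, true);
    atomic_store(&c->started, true);
    usleep(100000);                /* the callback is slow, as period work can be */
    if (atomic_load(&c->rt->freed))
        c->uaf++;                  /* the use-after-free the patch removes */
    else
        c->rt->elapsed++;          /* snd_pcm_period_elapsed() stand-in */
    atomic_store(&c->in_flight, false);
    return NULL;
}

/* dmaengine_synchronize() analogue: return only when no callback is running. */
static void synchronize(struct chan *c)
{
    while (atomic_load(&c->in_flight))
        usleep(1000);
}

/* Stop a stream whose callback is in flight, then free the runtime data;
 * returns how many callbacks touched it after the free (0 = race closed). */
int close_stream(bool use_synchronize)
{
    struct pcm_rt rt = { false, 0 };
    struct chan c = { false, false, &rt, 0 };
    pthread_t t;
    pthread_create(&t, NULL, engine, &c);
    while (!atomic_load(&c.started))   /* let the callback get going first */
        usleep(1000);
    if (use_synchronize)               /* the fix: wait before freeing */
        synchronize(&c);
    atomic_store(&rt.freed, true);     /* stands in for kfree() of rt */
    pthread_join(t, NULL);
    return c.uaf;
}
```

close_stream(false) reproduces the race the patch fixes and close_stream(true) shows the callback finishing before the free.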