[PATCH v5 0/1] ASoC: dpcm: acquire dpcm_lock in dpcm_do_trigger()
On Wed, 2021-02-17 16:29, Takashi Iwai wrote:
On Wed, 17 Feb 2021 05:31:49 +0100, Gyeongtaek Lee wrote:
If stop by underrun and DPCM BE disconnection are run simultaneously, a data abort can occur by the sequence below.
CPU0                                        CPU1
dpcm_be_dai_trigger():                      dpcm_be_disconnect():

for_each_dpcm_be(fe, stream, dpcm) {

                                            spin_lock_irqsave(&fe->card->dpcm_lock, flags);
                                            list_del(&dpcm->list_be);
                                            list_del(&dpcm->list_fe);
                                            spin_unlock_irqrestore(&fe->card->dpcm_lock, flags);
                                            kfree(dpcm);

struct snd_soc_pcm_runtime *be = dpcm->be; <-- Accessing freed memory
To prevent this situation, dpcm_lock should be acquired during iteration of dpcm list in dpcm_be_dai_trigger().
I don't think we can apply spin lock there blindly. There is non-atomic PCM that must not take a spin lock there, too.
Hi, Takashi
I fixed the patch to hold dpcm_lock only while accessing dpcm-related data, not during the trigger callback of the driver.
Thank you.
Gyeongtaek Lee
thanks,
Takashi
Gyeongtaek Lee (1):
  ASoC: dpcm: acquire dpcm_lock in dpcm_do_trigger()

 include/sound/soc-dpcm.h |  5 ++++
 sound/soc/soc-pcm.c      | 59 +++++++++++++++++++++++++++++++++-------
 2 files changed, 54 insertions(+), 10 deletions(-)
base-commit: fe07bfda2fb9cdef8a4d4008a409bb02f35f1bd8
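
The locking shape discussed in this thread (hold the lock only while reading list entries, release it before calling a callback that may sleep) as a user-space model. This is an added example, not code from the patch or from the kernel: the struct and function names are hypothetical, a pthread mutex stands in for dpcm_lock, and it assumes the backend objects outlive the link entries that disconnect frees.

```c
#include <pthread.h>
#include <stdlib.h>

#define MAX_BE 8

struct backend { int id; int triggered; };               /* outlives the links */
struct link { struct backend *be; struct link *next; };  /* freed on disconnect */

struct frontend {
    pthread_mutex_t lock;   /* stand-in for card->dpcm_lock (assumption) */
    struct link *links;
};

static void fe_connect(struct frontend *fe, struct backend *be)
{
    struct link *l = malloc(sizeof(*l));
    if (!l) abort();
    l->be = be;
    pthread_mutex_lock(&fe->lock);
    l->next = fe->links;
    fe->links = l;
    pthread_mutex_unlock(&fe->lock);
}

/* Unlink under the lock, free afterwards: the CPU1 side of the race. */
static void fe_disconnect_all(struct frontend *fe)
{
    pthread_mutex_lock(&fe->lock);
    struct link *l = fe->links;
    fe->links = NULL;
    pthread_mutex_unlock(&fe->lock);
    while (l) { struct link *n = l->next; free(l); l = n; }
}

/* May sleep in a real driver, so it must run without the lock held. */
static void be_trigger(struct backend *be) { be->triggered++; }

static int fe_trigger(struct frontend *fe)
{
    struct backend *snap[MAX_BE];
    int n = 0;

    pthread_mutex_lock(&fe->lock);
    for (struct link *l = fe->links; l && n < MAX_BE; l = l->next)
        snap[n++] = l->be;        /* link memory is read only under the lock */
    pthread_mutex_unlock(&fe->lock);

    for (int i = 0; i < n; i++)
        be_trigger(snap[i]);      /* no link pointer is dereferenced here */
    return n;
}
```
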