[PATCH] ASoC: soc-pcm: fix fe and be race when accessing substream->runtime

Eugeniu Rosca erosca at de.adit-jv.com
Mon Sep 26 18:35:54 CEST 2022


From: xiao jin <jin.xiao at intel.com>

After start of fe and be, fe might go to close without triggering
STOP, and substream->runtime is freed. However, be is still at
START state and its substream->runtime still points to the
freed runtime.

Later on, FE is opened/started again, and triggers STOP.
snd_pcm_do_stop => dpcm_fe_dai_trigger
                => dpcm_fe_dai_do_trigger
                => dpcm_be_dai_trigger
                => dpcm_do_trigger
                => soc_pcm_trigger
                => skl_platform_pcm_trigger
skl_platform_pcm_trigger accesses the freed old runtime data and
kernel panic.

The patch fixes it by assigning be_substream->runtime in
dpcm_be_dai_startup when be's state is START.

Signed-off-by: xiao jin <jin.xiao at intel.com>
Signed-off-by: Zhang Yanmin <yanmin.zhang at intel.com>
Signed-off-by: Eugeniu Rosca <erosca at de.adit-jv.com>
---
 sound/soc/soc-pcm.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/sound/soc/soc-pcm.c b/sound/soc/soc-pcm.c
index 4f60c0a83311..6ca1d02065ce 100644
--- a/sound/soc/soc-pcm.c
+++ b/sound/soc/soc-pcm.c
@@ -1608,6 +1608,8 @@ int dpcm_be_dai_startup(struct snd_soc_pcm_runtime *fe, int stream)
 		if (be->dpcm[stream].users++ != 0)
 			continue;
 
+		be_substream->runtime = be->dpcm[stream].runtime;
+
 		if ((be->dpcm[stream].state != SND_SOC_DPCM_STATE_NEW) &&
 		    (be->dpcm[stream].state != SND_SOC_DPCM_STATE_CLOSE))
 			continue;
@@ -1615,7 +1617,6 @@ int dpcm_be_dai_startup(struct snd_soc_pcm_runtime *fe, int stream)
 		dev_dbg(be->dev, "ASoC: open %s BE %s\n",
 			stream ? "capture" : "playback", be->dai_link->name);
 
-		be_substream->runtime = be->dpcm[stream].runtime;
 		err = __soc_pcm_open(be, be_substream);
 		if (err < 0) {
 			be->dpcm[stream].users--;
-- 
2.37.2



More information about the Alsa-devel mailing list