| From: Takashi Iwai <tiwai@suse.de> |
| Date: Sat, 7 Apr 2018 11:48:58 +0200 |
| Subject: ALSA: pcm: Fix endless loop for XRUN recovery in OSS emulation |
| |
| commit e15dc99dbb9cf99f6432e8e3c0b3a8f7a3403a86 upstream. |
| |
| The commit 02a5d6925cd3 ("ALSA: pcm: Avoid potential races between OSS |
| ioctls and read/write") split the PCM preparation code to a locked |
| version, and it added a sanity check of runtime->oss.prepare flag |
| along with the change. This led to an endless loop when the stream |
| gets XRUN: namely, snd_pcm_oss_write3() and co call |
| snd_pcm_oss_prepare() without setting runtime->oss.prepare flag and |
| the loop continues until the PCM state reaches another one. |
| |
| As the function is supposed to execute the preparation |
| unconditionally, drop the invalid state check there. |
| |
| The bug was triggered by syzkaller. |
| |
| Fixes: 02a5d6925cd3 ("ALSA: pcm: Avoid potential races between OSS ioctls and read/write") |
| Reported-by: syzbot+150189c103427d31a053@syzkaller.appspotmail.com |
| Reported-by: syzbot+7e3f31a52646f939c052@syzkaller.appspotmail.com |
| Reported-by: syzbot+4f2016cf5185da7759dc@syzkaller.appspotmail.com |
| Signed-off-by: Takashi Iwai <tiwai@suse.de> |
| Signed-off-by: Ben Hutchings <ben@decadent.org.uk> |
| --- |
| sound/core/oss/pcm_oss.c | 5 +++-- |
| 1 file changed, 3 insertions(+), 2 deletions(-) |
| |
| --- a/sound/core/oss/pcm_oss.c |
| +++ b/sound/core/oss/pcm_oss.c |
| @@ -1140,13 +1140,14 @@ static int snd_pcm_oss_get_active_substr |
| } |
| |
| /* call with params_lock held */ |
| +/* NOTE: this always call PREPARE unconditionally no matter whether |
| + * runtime->oss.prepare is set or not |
| + */ |
| static int snd_pcm_oss_prepare(struct snd_pcm_substream *substream) |
| { |
| int err; |
| struct snd_pcm_runtime *runtime = substream->runtime; |
| |
| - if (!runtime->oss.prepare) |
| - return 0; |
| err = snd_pcm_kernel_ioctl(substream, SNDRV_PCM_IOCTL_PREPARE, NULL); |
| if (err < 0) { |
| pcm_dbg(substream->pcm, |
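Review bot: with the `if (!runtime->oss.prepare) return 0;` early return removed at the top of snd_pcm_oss_prepare(), any caller that relied on it to skip a redundant PREPARE now re-prepares the stream every time. The call sites are not visible in this hunk, so confirm that each path wanting the conditional behaviour tests runtime->oss.prepare before calling, and state that requirement in the new comment rather than only noting that the flag is ignored. Style: the added comment should read "this always calls PREPARE" ("always" and "unconditionally" are redundant), and it could be merged into the existing "call with params_lock held" comment instead of stacking a second block above the function.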