e190161f96
When the trigger=off is passed for a PCM OSS stream, it sets the start_threshold of the given substream to the boundary size, so that it won't be automatically started. This can be problematic for a capture stream, unfortunately, as detected by syzkaller. The scenario is like the following: - In __snd_pcm_lib_xfer() that is invoked from snd_pcm_oss_read() loop, we have a check whether the stream was already started or the stream can be auto-started. - The function at this check returns 0 with trigger=off since we explicitly disable the auto-start. - The loop continues and repeats calling __snd_pcm_lib_xfer() tightly, which may lead to an RCU stall. This patch fixes the bug by simply allowing the wait for non-started stream in the case of OSS capture. For native usages, it's supposed to be done by the caller side (which is user-space), hence it returns zero like before. (In theory, __snd_pcm_lib_xfer() could wait even for the native API usage cases, too; but I'd like to stay in a safer side for not breaking the existing stuff for now.) Reported-by: syzbot+fbe0496f92a0ce7b786c@syzkaller.appspotmail.com Cc: <stable@vger.kernel.org> Signed-off-by: Takashi Iwai <tiwai@suse.de> |
||
|---|---|---|
| .. | ||
| ac97 | ||
| aoa | ||
| arm | ||
| atmel | ||
| core | ||
| drivers | ||
| firewire | ||
| hda | ||
| i2c | ||
| isa | ||
| mips | ||
| oss | ||
| parisc | ||
| pci | ||
| pcmcia | ||
| ppc | ||
| sh | ||
| soc | ||
| sparc | ||
| spi | ||
| synth | ||
| usb | ||
| x86 | ||
| xen | ||
| Kconfig | ||
| Makefile | ||
| ac97_bus.c | ||
| last.c | ||
| sound_core.c | ||