[thirdparty/kernel/stable-queue.git] / pending-4.4 / alsa-hda-register-irq-handler-after-the-chip-initial.patch

From b7e320f31f2c6e97951ae4af91f75ab75c8f88f8 Mon Sep 17 00:00:00 2001
From: Takashi Iwai <tiwai@suse.de>
Date: Tue, 30 Apr 2019 12:18:28 +0200
Subject: ALSA: hda - Register irq handler after the chip initialization

[ Upstream commit f495222e28275222ab6fd93813bd3d462e16d340 ]

Currently the IRQ handler in HD-audio controller driver is registered
before the chip initialization.  That is, we have some window opened
between the azx_acquire_irq() call and the CORB/RIRB setup.  If an
interrupt is triggered in this small window, the IRQ handler may
access to the uninitialized RIRB buffer, which leads to a NULL
dereference Oops.

This is usually no big problem since most of Intel chips do register
the IRQ via MSI, and we've already fixed the order of the IRQ
enablement and the CORB/RIRB setup in the former commit b61749a89f82
("sound: enable interrupt after dma buffer initialization"), hence the
IRQ won't be triggered in that room.  However, some platforms use a
shared IRQ, and this may allow the IRQ trigger by another source.

Another possibility is the kdump environment: a stale interrupt might
be present in there, the IRQ handler can be falsely triggered as well.

For covering this small race, let's move the azx_acquire_irq() call
after hda_intel_init_chip() call.  Although this is a bit radical
change, it can cover more widely than checking the CORB/RIRB setup
locally in the callee side.

Reported-by: Liwei Song <liwei.song@windriver.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 sound/pci/hda/hda_intel.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/sound/pci/hda/hda_intel.c b/sound/pci/hda/hda_intel.c
index 74c9600876d6..ef8955abd918 100644
--- a/sound/pci/hda/hda_intel.c
+++ b/sound/pci/hda/hda_intel.c
@@ -1707,9 +1707,6 @@ static int azx_first_init(struct azx *chip)
 			chip->msi = 0;
 	}
 
-	if (azx_acquire_irq(chip, 0) < 0)
-		return -EBUSY;
-
 	pci_set_master(pci);
 	synchronize_irq(bus->irq);
 
@@ -1820,6 +1817,9 @@ static int azx_first_init(struct azx *chip)
 		return -ENODEV;
 	}
 
+	if (azx_acquire_irq(chip, 0) < 0)
+		return -EBUSY;
+
 	strcpy(card->driver, "HDA-Intel");
 	strlcpy(card->shortname, driver_short_names[chip->driver_type],
 		sizeof(card->shortname));
-- 
2.20.1
Commit	Line	Data
cd033818 SL	1	From b7e320f31f2c6e97951ae4af91f75ab75c8f88f8 Mon Sep 17 00:00:00 2001
	2	From: Takashi Iwai <tiwai@suse.de>
	3	Date: Tue, 30 Apr 2019 12:18:28 +0200
	4	Subject: ALSA: hda - Register irq handler after the chip initialization
	5
	6	[ Upstream commit f495222e28275222ab6fd93813bd3d462e16d340 ]
	7
	8	Currently the IRQ handler in HD-audio controller driver is registered
	9	before the chip initialization. That is, we have some window opened
	10	between the azx_acquire_irq() call and the CORB/RIRB setup. If an
	11	interrupt is triggered in this small window, the IRQ handler may
	12	access to the uninitialized RIRB buffer, which leads to a NULL
	13	dereference Oops.
	14
	15	This is usually no big problem since most of Intel chips do register
	16	the IRQ via MSI, and we've already fixed the order of the IRQ
	17	enablement and the CORB/RIRB setup in the former commit b61749a89f82
	18	("sound: enable interrupt after dma buffer initialization"), hence the
	19	IRQ won't be triggered in that room. However, some platforms use a
	20	shared IRQ, and this may allow the IRQ trigger by another source.
	21
	22	Another possibility is the kdump environment: a stale interrupt might
	23	be present in there, the IRQ handler can be falsely triggered as well.
	24
	25	For covering this small race, let's move the azx_acquire_irq() call
	26	after hda_intel_init_chip() call. Although this is a bit radical
	27	change, it can cover more widely than checking the CORB/RIRB setup
	28	locally in the callee side.
	29
	30	Reported-by: Liwei Song <liwei.song@windriver.com>
	31	Signed-off-by: Takashi Iwai <tiwai@suse.de>
	32	Signed-off-by: Sasha Levin <sashal@kernel.org>
	33	---
	34	sound/pci/hda/hda_intel.c \| 6 +++---
	35	1 file changed, 3 insertions(+), 3 deletions(-)
	36
	37	diff --git a/sound/pci/hda/hda_intel.c b/sound/pci/hda/hda_intel.c
	38	index 74c9600876d6..ef8955abd918 100644
	39	--- a/sound/pci/hda/hda_intel.c
	40	+++ b/sound/pci/hda/hda_intel.c
	41	@@ -1707,9 +1707,6 @@ static int azx_first_init(struct azx *chip)
	42	chip->msi = 0;
	43	}
	44
	45	- if (azx_acquire_irq(chip, 0) < 0)
	46	- return -EBUSY;
	47	-
	48	pci_set_master(pci);
	49	synchronize_irq(bus->irq);
	50
	51	@@ -1820,6 +1817,9 @@ static int azx_first_init(struct azx *chip)
	52	return -ENODEV;
	53	}
	54
	55	+ if (azx_acquire_irq(chip, 0) < 0)
	56	+ return -EBUSY;
	57	+
	58	strcpy(card->driver, "HDA-Intel");
	59	strlcpy(card->shortname, driver_short_names[chip->driver_type],
	60	sizeof(card->shortname));
	61	--
	62	2.20.1
	63