ALSA: pcm: oss: Fix data race at accessing runtime.oss.trigger
authorTakashi Iwai <tiwai@suse.de>
Fri, 24 Apr 2026 11:21:55 +0000 (13:21 +0200)
committerTakashi Iwai <tiwai@suse.de>
Mon, 27 Apr 2026 11:49:58 +0000 (13:49 +0200)
Currently the runtime.oss.trigger field may be accessed concurrently
without protection, which may lead to a data race.  And, in this
case, it may lead to a more severe problem because it's a bit field; when
writing the data, it may overwrite other bit fields as well, which
confuses the operation completely, as spotted by fuzzing.

Fix it by covering the runtime.oss.trigger bit field also with the existing
params_lock mutex in both snd_pcm_oss_get_trigger() and
snd_pcm_oss_poll().

Reported-and-tested-by: Jaeyoung Chung <jjy600901@snu.ac.kr>
Closes: https://lore.kernel.org/20260423145330.210035-1-jjy600901@snu.ac.kr
Cc: <stable@vger.kernel.org>
Link: https://patch.msgid.link/20260424112205.123703-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
sound/core/oss/pcm_oss.c

index a140a0d9abb808288cb7b773a2f553a71df9f38b..33fd34f0d615d9a27897b718820bbf105876b9e1 100644 (file)
@@ -2155,10 +2155,16 @@ static int snd_pcm_oss_get_trigger(struct snd_pcm_oss_file *pcm_oss_file)
 
        psubstream = pcm_oss_file->streams[SNDRV_PCM_STREAM_PLAYBACK];
        csubstream = pcm_oss_file->streams[SNDRV_PCM_STREAM_CAPTURE];
-       if (psubstream && psubstream->runtime && psubstream->runtime->oss.trigger)
-               result |= PCM_ENABLE_OUTPUT;
-       if (csubstream && csubstream->runtime && csubstream->runtime->oss.trigger)
-               result |= PCM_ENABLE_INPUT;
+       if (psubstream && psubstream->runtime) {
+               guard(mutex)(&psubstream->runtime->oss.params_lock);
+               if (psubstream->runtime->oss.trigger)
+                       result |= PCM_ENABLE_OUTPUT;
+       }
+       if (csubstream && csubstream->runtime) {
+               guard(mutex)(&csubstream->runtime->oss.params_lock);
+               if (csubstream->runtime->oss.trigger)
+                       result |= PCM_ENABLE_INPUT;
+       }
        return result;
 }
 
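Review bot: The two lock-and-test blocks added to snd_pcm_oss_get_trigger() are identical apart from the substream and the result bit, and the same read-under-params_lock is open-coded a third time in need_input_retrigger() in the next hunk; a small helper that takes the mutex and returns `runtime->oss.trigger` would give the locking rule a single home and keep the three sites from drifting. The `psubstream->runtime` pointer itself is still read before the mutex is taken, which this change does not cover; that looks unchanged from the old code rather than something introduced here. A one-line comment at the first guard, `/* oss.trigger is a bit field sharing a word with other oss flags; params_lock protects the whole word */`, would record why reading a single bit needs the mutex.
```c
/* oss.trigger is a bit field; params_lock protects the word it lives in. */
static bool oss_trigger_is_set(struct snd_pcm_runtime *runtime)
{
	guard(mutex)(&runtime->oss.params_lock);
	return runtime->oss.trigger;
}
/* … unchanged: snd_pcm_oss_get_trigger() prologue … */
	if (psubstream && psubstream->runtime && oss_trigger_is_set(psubstream->runtime))
		result |= PCM_ENABLE_OUTPUT;
	if (csubstream && csubstream->runtime && oss_trigger_is_set(csubstream->runtime))
		result |= PCM_ENABLE_INPUT;
```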
@@ -2832,6 +2838,17 @@ static int snd_pcm_oss_capture_ready(struct snd_pcm_substream *substream)
                                                runtime->oss.period_frames;
 }
 
+static bool need_input_retrigger(struct snd_pcm_runtime *runtime)
+{
+       bool ret;
+
+       guard(mutex)(&runtime->oss.params_lock);
+       ret = runtime->oss.trigger;
+       if (ret)
+               runtime->oss.trigger = 0;
+       return ret;
+}
+
 static __poll_t snd_pcm_oss_poll(struct file *file, poll_table * wait)
 {
        struct snd_pcm_oss_file *pcm_oss_file;
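Review bot: need_input_retrigger() is a test-and-clear rather than a pure query, but neither its name nor a comment says so; a line above the definition such as `/* Read and clear oss.trigger under params_lock; returns the value it had. */` would make the side effect visible at the call site in snd_pcm_oss_poll(). It also looks deliberate that the mutex is released when the helper returns, before the caller invokes snd_pcm_oss_set_trigger(); if that function takes params_lock itself, the split is what avoids a self-deadlock, and that intent deserves a sentence in the same comment since inlining the helper later would silently undo it. The body of snd_pcm_oss_poll(), whose opening lines end this hunk, continues outside it.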
@@ -2864,11 +2881,11 @@ static __poll_t snd_pcm_oss_poll(struct file *file, poll_table * wait)
                            snd_pcm_oss_capture_ready(csubstream))
                                mask |= EPOLLIN | EPOLLRDNORM;
                }
-               if (ostate != SNDRV_PCM_STATE_RUNNING && runtime->oss.trigger) {
+               if (ostate != SNDRV_PCM_STATE_RUNNING &&
+                   need_input_retrigger(runtime)) {
                        struct snd_pcm_oss_file ofile;
                        memset(&ofile, 0, sizeof(ofile));
                        ofile.streams[SNDRV_PCM_STREAM_CAPTURE] = pcm_oss_file->streams[SNDRV_PCM_STREAM_CAPTURE];
-                       runtime->oss.trigger = 0;
                        snd_pcm_oss_set_trigger(&ofile, PCM_ENABLE_INPUT);
                }
        }
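Review bot: At the changed condition, need_input_retrigger() clears oss.trigger as a side effect of the test, and the result of snd_pcm_oss_set_trigger() on the following line is still discarded, so a failed retrigger leaves the flag cleared with nothing to retry; the old code had the same ordering, so this is not a regression, but with the clear now hidden in the helper it is easy to miss. A short comment at the call, `/* clears oss.trigger under params_lock; the lock is dropped before set_trigger runs */`, keeps that ordering explicit for the next reader. snd_pcm_oss_poll() starts and ends outside this hunk, and `runtime` and `ostate` are defined there.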