Patch "ALSA: timer: Harden slave timer list handling" has been added to the 4.3-stable tree

[<gregkh@linuxfoundation.org>]

This is a note to let you know that I've just added the patch titled

    ALSA: timer: Harden slave timer list handling

to the 4.3-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     alsa-timer-harden-slave-timer-list-handling.patch
and it can be found in the queue-4.3 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@vger.kernel.org> know about it.


>From b5a663aa426f4884c71cd8580adae73f33570f0d Mon Sep 17 00:00:00 2001
From: Takashi Iwai <tiwai@suse.de>
Date: Thu, 14 Jan 2016 16:30:58 +0100
Subject: ALSA: timer: Harden slave timer list handling

From: Takashi Iwai <tiwai@suse.de>

commit b5a663aa426f4884c71cd8580adae73f33570f0d upstream.

A slave timer instance might be still accessible in a racy way while
operating the master instance as it lacks of locking.  Since the
master operation is mostly protected with timer->lock, we should cope
with it while changing the slave instance, too.  Also, some linked
lists (active_list and ack_list) of slave instances aren't unlinked
immediately at stopping or closing, and this may lead to unexpected
accesses.

This patch tries to address these issues.  It adds spin lock of
timer->lock (either from master or slave, which is equivalent) in a
few places.  For avoiding a deadlock, we ensure that the global
slave_active_lock is always locked at first before each timer lock.

Also, ack and active_list of slave instances are properly unlinked at
snd_timer_stop() and snd_timer_close().

Last but not least, remove the superfluous call of _snd_timer_stop()
at removing slave links.  This is a noop, and calling it may confuse
readers wrt locking.  Further cleanup will follow in a later patch.

Actually we've got reports of use-after-free by syzkaller fuzzer, and
this hopefully fixes these issues.

Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/core/timer.c |   18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)

--- a/sound/core/timer.c
+++ b/sound/core/timer.c
@@ -215,11 +215,13 @@ static void snd_timer_check_master(struc
 		    slave->slave_id == master->slave_id) {
 			list_move_tail(&slave->open_list, &master->slave_list_head);
 			spin_lock_irq(&slave_active_lock);
+			spin_lock(&master->timer->lock);
 			slave->master = master;
 			slave->timer = master->timer;
 			if (slave->flags & SNDRV_TIMER_IFLG_RUNNING)
 				list_add_tail(&slave->active_list,
 					      &master->slave_active_head);
+			spin_unlock(&master->timer->lock);
 			spin_unlock_irq(&slave_active_lock);
 		}
 	}
@@ -346,15 +348,18 @@ int snd_timer_close(struct snd_timer_ins
 		    timer->hw.close)
 			timer->hw.close(timer);
 		/* remove slave links */
+		spin_lock_irq(&slave_active_lock);
+		spin_lock(&timer->lock);
 		list_for_each_entry_safe(slave, tmp, &timeri->slave_list_head,
 					 open_list) {
-			spin_lock_irq(&slave_active_lock);
-			_snd_timer_stop(slave, 1, SNDRV_TIMER_EVENT_RESOLUTION);
 			list_move_tail(&slave->open_list, &snd_timer_slave_list);
 			slave->master = NULL;
 			slave->timer = NULL;
-			spin_unlock_irq(&slave_active_lock);
+			list_del_init(&slave->ack_list);
+			list_del_init(&slave->active_list);
 		}
+		spin_unlock(&timer->lock);
+		spin_unlock_irq(&slave_active_lock);
 		mutex_unlock(&register_mutex);
 	}
  out:
@@ -441,9 +446,12 @@ static int snd_timer_start_slave(struct
 
 	spin_lock_irqsave(&slave_active_lock, flags);
 	timeri->flags |= SNDRV_TIMER_IFLG_RUNNING;
-	if (timeri->master)
+	if (timeri->master && timeri->timer) {
+		spin_lock(&timeri->timer->lock);
 		list_add_tail(&timeri->active_list,
 			      &timeri->master->slave_active_head);
+		spin_unlock(&timeri->timer->lock);
+	}
 	spin_unlock_irqrestore(&slave_active_lock, flags);
 	return 1; /* delayed start */
 }
@@ -489,6 +497,8 @@ static int _snd_timer_stop(struct snd_ti
 		if (!keep_flag) {
 			spin_lock_irqsave(&slave_active_lock, flags);
 			timeri->flags &= ~SNDRV_TIMER_IFLG_RUNNING;
+			list_del_init(&timeri->ack_list);
+			list_del_init(&timeri->active_list);
 			spin_unlock_irqrestore(&slave_active_lock, flags);
 		}
 		goto __end;


Patches currently in stable-queue which might be from tiwai@suse.de are

queue-4.3/alsa-hrtimer-fix-stall-by-hrtimer_cancel.patch
queue-4.3/alsa-hda-fix-white-noise-on-dell-latitude-e5550.patch
queue-4.3/alsa-hda-fix-the-headset-mic-detection-problem-for-a-dell-laptop.patch
queue-4.3/alsa-timer-harden-slave-timer-list-handling.patch
queue-4.3/alsa-hda-fix-headphone-mic-input-on-a-few-dell-alc293-machines.patch
queue-4.3/alsa-timer-fix-double-unlink-of-active_list.patch
queue-4.3/alsa-hda-add-fixup-for-acer-aspire-one-cloudbook-14.patch
queue-4.3/alsa-control-avoid-kernel-warnings-from-tlv-ioctl-with-numid-0.patch
queue-4.3/alsa-hda-flush-the-pending-probe-work-at-remove.patch
queue-4.3/alsa-hda-fixup-inverted-internal-mic-for-lenovo-e50-80.patch
queue-4.3/alsa-usb-audio-add-sample-rate-inquiry-quirk-for-audioquest-dragonfly.patch
queue-4.3/alsa-hda-realtek-dell-xps-one-alc3260-speaker-no-sound-after-resume-back.patch
queue-4.3/alsa-hda-apply-hp-headphone-fixups-more-generically.patch
queue-4.3/alsa-hda-set-codec-to-d3-at-reboot-shutdown-on-thinkpads.patch
queue-4.3/alsa-hda-realtek-fix-silent-headphone-output-on-macpro-4-1-v2.patch
queue-4.3/alsa-rme96-fix-unexpected-volume-reset-after-rate-changes.patch
queue-4.3/alsa-fireworks-bebob-oxfw-dice-enable-to-make-as-built-in.patch
queue-4.3/alsa-hda-set-skl-hda-controller-power-at-freeze-and-thaw.patch
queue-4.3/alsa-hda-add-inverted-dmic-for-packard-bell-dots.patch
queue-4.3/alsa-usb-add-native-dsd-support-for-oppo-ha-1.patch
queue-4.3/alsa-hda-add-intel-lewisburg-device-ids-audio.patch
queue-4.3/alsa-hda-add-keycode-map-for-alc-input-device.patch
queue-4.3/alsa-hda-add-a-fixup-for-thinkpad-x1-carbon-2nd.patch
queue-4.3/alsa-seq-fix-race-at-timer-setup-and-close.patch
queue-4.3/alsa-hda-skip-eld-notification-during-system-suspend.patch
queue-4.3/alsa-pcm-fix-snd_pcm_hw_params-struct-copy-in-compat-mode.patch
queue-4.3/alsa-hda-add-mic-mute-hotkey-quirk-for-lenovo-thinkcentre-aio.patch
queue-4.3/alsa-seq-fix-snd_seq_call_port_info_ioctl-in-compat-mode.patch
queue-4.3/alsa-hda-disable-64bit-address-for-creative-hda-controllers.patch
queue-4.3/alsa-hda-fix-noise-on-dell-latitude-e6440.patch
queue-4.3/alsa-seq-fix-missing-null-check-at-remove_events-ioctl.patch
queue-4.3/alsa-hda-ca0132-quirk-for-alienware-17-2015.patch
queue-4.3/alsa-usb-audio-fix-mixer-ctl-regression-of-native-instrument-devices.patch
queue-4.3/alsa-usb-audio-add-a-more-accurate-volume-quirk-for-audioquest-dragonfly.patch
queue-4.3/alsa-hda-fix-headphone-noise-after-dell-xps-13-resume-back-from-s3.patch
queue-4.3/alsa-hda-fix-noise-problems-on-thinkpad-t440s.patch
queue-4.3/alsa-hda-fix-lost-4k-bdl-boundary-workaround.patch
queue-4.3/alsa-timer-handle-disconnection-more-safely.patch
queue-4.3/alsa-hda-fix-bass-pin-fixup-for-asus-n550jx.patch
queue-4.3/alsa-timer-fix-race-among-timer-ioctls.patch
queue-4.3/alsa-hda-apply-pin-fixup-for-hp-probook-6550b.patch
queue-4.3/alsa-hda-fixing-speaker-noise-on-the-two-latest-thinkpad-models.patch
queue-4.3/alsa-hda-add-fixup-for-dell-latitidue-e6540.patch
queue-4.3/alsa-usb-audio-avoid-calling-usb_autopm_put_interface-at-disconnect.patch
queue-4.3/alsa-hda-apply-click-noise-workaround-for-thinkpads-generically.patch
queue-4.3/alsa-hda-fix-noise-on-gigabyte-z170x-mobo.patch