From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Takashi Iwai <tiwai@suse.de>
Subject: [PATCH 3.18 05/32] ALSA: rawmidi: Avoid racy info ioctl via ctl device
Date: Mon,  1 Jan 2018 15:22:12 +0100
Message-ID: <20180101140013.812385392@linuxfoundation.org>
In-Reply-To: <20180101140012.582300879@linuxfoundation.org>

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <tiwai@suse.de>

commit c1cfd9025cc394fd137a01159d74335c5ac978ce upstream.

The rawmidi also allows obtaining the information via ioctl of ctl
API.  It means that user can issue an ioctl to the rawmidi device even
when it's being removed as long as the control device is present.
Although the code has some protection via the global register_mutex,
its range is limited to the search of the corresponding rawmidi
object, and the mutex is already unlocked at accessing the rawmidi
object.  This may lead to a use-after-free.

For avoiding it, this patch widens the application of register_mutex
to the whole snd_rawmidi_info_select() function.  We have another
mutex per rawmidi object, but this operation isn't very hot path, so
it shouldn't matter from the performance POV.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/core/rawmidi.c |   15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

--- a/sound/core/rawmidi.c
+++ b/sound/core/rawmidi.c
@@ -589,15 +589,14 @@ static int snd_rawmidi_info_user(struct
 	return 0;
 }
 
-int snd_rawmidi_info_select(struct snd_card *card, struct snd_rawmidi_info *info)
+static int __snd_rawmidi_info_select(struct snd_card *card,
+				     struct snd_rawmidi_info *info)
 {
 	struct snd_rawmidi *rmidi;
 	struct snd_rawmidi_str *pstr;
 	struct snd_rawmidi_substream *substream;
 
-	mutex_lock(&register_mutex);
 	rmidi = snd_rawmidi_search(card, info->device);
-	mutex_unlock(&register_mutex);
 	if (!rmidi)
 		return -ENXIO;
 	if (info->stream < 0 || info->stream > 1)
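
Review bot: __snd_rawmidi_info_select() no longer takes register_mutex around snd_rawmidi_search(), so it is only safe when the caller already holds that mutex, and nothing at the definition says so. A lockdep_assert_held(&register_mutex) as the first statement of the helper, or at least a one-line comment above it stating the locking requirement, would keep a later direct caller from silently reintroducing the unlocked lookup that this patch removes.
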
@@ -613,6 +612,16 @@ int snd_rawmidi_info_select(struct snd_c
 	}
 	return -ENXIO;
 }
+
+int snd_rawmidi_info_select(struct snd_card *card, struct snd_rawmidi_info *info)
+{
+	int ret;
+
+	mutex_lock(&register_mutex);
+	ret = __snd_rawmidi_info_select(card, info);
+	mutex_unlock(&register_mutex);
+	return ret;
+}
 EXPORT_SYMBOL(snd_rawmidi_info_select);
 
 static int snd_rawmidi_info_select_user(struct snd_card *card,
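
Review bot: The exported snd_rawmidi_info_select() now holds register_mutex for the entire call instead of only around the search, so any caller that reaches it with register_mutex already held will deadlock on the mutex_lock() in the new wrapper. Since the symbol is exported, it is worth confirming that no in-tree caller does so and adding a short comment above the wrapper noting that it takes register_mutex itself and must not be called with that mutex held.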
