From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Google-Smtp-Source: AH8x225C/LrPk3Ce0EU2IZNKGo7+cTU0cmy91Gyr+h4BZj9b4KN0JiCBh/PYBbzl9j2fbjvInmVs ARC-Seal: i=1; a=rsa-sha256; t=1516610899; cv=none; d=google.com; s=arc-20160816; b=ygUZJnpFUEbP6yqHeq/YryyhzbZA9d2uIYcSm55ctR7o0SbwdLP7Jg3q9XF4Hz35Yy nPHXavoXpyLecQZUd0aPVP0Ee61Xgoekhjnz3H2MqIpONquSjPT8+oY+7M3vFGyGA9VG tAktcI0nRieOILWaxRa8sgZe9C3AYhWJppyYGcdz5wk635azv9HTxu36EOOcsKu1hqMb mC8fzEnqXY3fhyODgePXjImsakZQeYrswhKqH5K9kIFKWhOdNFy3PNd4c5bEh7vBsMzR s8X8L5g3h7Utx/xNJIouQLS3+HNlddyCEAf2A3FGXoesE5PCMN1gCXbviHqmYHmYtfSY cCGQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=mime-version:user-agent:references:in-reply-to:message-id:date :subject:cc:to:from:arc-authentication-results; bh=U5xj0y+P3s4f8QnlLwEE0bCaGicp+xIyVz/qVCbiW7c=; b=C3bI/rsxrNDTWZXtd76/JqzjYX1u7IeXJb+J+G12xvkR7JHBG3pfav+S8Mz9HBirpI w/JCAglHbCrvliQ2wk8VK2hmR1LCigJEQwqRCxWkKjbribrAxwm07izby/2NajzXwFwB Q5CN4BHKO2FFcaOlr/72Qkc477ysPqfM8U83dYTCGqNtz4as37/tlE34wqLEbIstd5Ic 1A0Rs3aV1Q7VM2Dwh5JnD7x7lQpjQLWVHcD8VCksDvlS41EtU0fFDofALos+8ZXh9eb8 o1t5k1jsSj20fsWM6933F4CtinK3PSks9mkQTspdHegi/6f8jysJF24k8N4QDfZPqgY4 b9vw== ARC-Authentication-Results: i=1; mx.google.com; spf=softfail (google.com: domain of transitioning gregkh@linuxfoundation.org does not designate 90.92.71.90 as permitted sender) smtp.mailfrom=gregkh@linuxfoundation.org Authentication-Results: mx.google.com; spf=softfail (google.com: domain of transitioning gregkh@linuxfoundation.org does not designate 90.92.71.90 as permitted sender) smtp.mailfrom=gregkh@linuxfoundation.org From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Luo Quan , Kees Cook , Takashi Iwai Subject: [PATCH 4.9 04/47] ALSA: seq: Make ioctls race-free Date: Mon, 22 Jan 2018 09:45:15 +0100 Message-Id: <20180122083925.927569451@linuxfoundation.org> X-Mailer: git-send-email 2.16.0 In-Reply-To: <20180122083925.568134913@linuxfoundation.org> References: <20180122083925.568134913@linuxfoundation.org> User-Agent: quilt/0.65 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 X-getmail-retrieved-from-mailbox: INBOX X-GMAIL-LABELS: =?utf-8?b?IlxcU2VudCI=?= X-GMAIL-THRID: =?utf-8?q?1590281790627813025?= X-GMAIL-MSGID: =?utf-8?q?1590281790627813025?= X-Mailing-List: linux-kernel@vger.kernel.org List-ID: 4.9-stable review patch. If anyone has any objections, please let me know. ------------------ From: Takashi Iwai commit b3defb791b26ea0683a93a4f49c77ec45ec96f10 upstream. The ALSA sequencer ioctls have no protection against racy calls while the concurrent operations may lead to interfere with each other. As reported recently, for example, the concurrent calls of setting client pool with a combination of write calls may lead to either the unkillable dead-lock or UAF. As a slightly big hammer solution, this patch introduces the mutex to make each ioctl exclusive. Although this may reduce performance via parallel ioctl calls, usually it's not demanded for sequencer usages, hence it should be negligible. Reported-by: Luo Quan Reviewed-by: Kees Cook Reviewed-by: Greg Kroah-Hartman Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman --- sound/core/seq/seq_clientmgr.c | 3 +++ sound/core/seq/seq_clientmgr.h | 1 + 2 files changed, 4 insertions(+) --- a/sound/core/seq/seq_clientmgr.c +++ b/sound/core/seq/seq_clientmgr.c @@ -221,6 +221,7 @@ static struct snd_seq_client *seq_create rwlock_init(&client->ports_lock); mutex_init(&client->ports_mutex); INIT_LIST_HEAD(&client->ports_list_head); + mutex_init(&client->ioctl_mutex); /* find free slot in the client table */ spin_lock_irqsave(&clients_lock, flags); @@ -2127,7 +2128,9 @@ static long snd_seq_ioctl(struct file *f return -EFAULT; } + mutex_lock(&client->ioctl_mutex); err = handler->func(client, &buf); + mutex_unlock(&client->ioctl_mutex); if (err >= 0) { /* Some commands includes a bug in 'dir' field. */ if (handler->cmd == SNDRV_SEQ_IOCTL_SET_QUEUE_CLIENT || --- a/sound/core/seq/seq_clientmgr.h +++ b/sound/core/seq/seq_clientmgr.h @@ -61,6 +61,7 @@ struct snd_seq_client { struct list_head ports_list_head; rwlock_t ports_lock; struct mutex ports_mutex; + struct mutex ioctl_mutex; int convert32; /* convert 32->64bit */ /* output pool */