From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: "Greg Kroah-Hartman" <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, 范龙飞 <long7573@126.com>,
"Nicolai Stange" <nstange@suse.de>,
"Takashi Iwai" <tiwai@suse.de>
Subject: [PATCH 4.9 35/86] ALSA: seq: More protection for concurrent write and ioctl races
Date: Fri, 16 Mar 2018 16:22:58 +0100 [thread overview]
Message-ID: <20180316152319.756408781@linuxfoundation.org> (raw)
In-Reply-To: <20180316152317.167709497@linuxfoundation.org>
4.9-stable review patch. If anyone has any objections, please let me know.
------------------
From: Takashi Iwai <tiwai@suse.de>
commit 7bd80091567789f1c0cb70eb4737aac8bcd2b6b9 upstream.
This patch is an attempt for further hardening against races between
the concurrent write and ioctls. The previous fix d15d662e89fc
("ALSA: seq: Fix racy pool initializations") covered the race of the
pool initialization at writer and the pool resize ioctl by the
client->ioctl_mutex (CVE-2018-1000004). However, basically this mutex
should be applied more widely to the whole write operation for
avoiding the unexpected pool operations by another thread.
The only change outside snd_seq_write() is the additional mutex
argument to helper functions, so that we can unlock / relock the given
mutex temporarily during schedule() call for blocking write.
Fixes: d15d662e89fc ("ALSA: seq: Fix racy pool initializations")
Reported-by: 范龙飞 <long7573@126.com>
Reported-by: Nicolai Stange <nstange@suse.de>
Reviewed-and-tested-by: Nicolai Stange <nstange@suse.de>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/core/seq/seq_clientmgr.c | 18 +++++++++++-------
sound/core/seq/seq_fifo.c | 2 +-
sound/core/seq/seq_memory.c | 14 ++++++++++----
sound/core/seq/seq_memory.h | 3 ++-
4 files changed, 24 insertions(+), 13 deletions(-)
--- a/sound/core/seq/seq_clientmgr.c
+++ b/sound/core/seq/seq_clientmgr.c
@@ -906,7 +906,8 @@ int snd_seq_dispatch_event(struct snd_se
static int snd_seq_client_enqueue_event(struct snd_seq_client *client,
struct snd_seq_event *event,
struct file *file, int blocking,
- int atomic, int hop)
+ int atomic, int hop,
+ struct mutex *mutexp)
{
struct snd_seq_event_cell *cell;
int err;
@@ -944,7 +945,8 @@ static int snd_seq_client_enqueue_event(
return -ENXIO; /* queue is not allocated */
/* allocate an event cell */
- err = snd_seq_event_dup(client->pool, event, &cell, !blocking || atomic, file);
+ err = snd_seq_event_dup(client->pool, event, &cell, !blocking || atomic,
+ file, mutexp);
if (err < 0)
return err;
@@ -1013,12 +1015,11 @@ static ssize_t snd_seq_write(struct file
return -ENXIO;
/* allocate the pool now if the pool is not allocated yet */
+ mutex_lock(&client->ioctl_mutex);
if (client->pool->size > 0 && !snd_seq_write_pool_allocated(client)) {
- mutex_lock(&client->ioctl_mutex);
err = snd_seq_pool_init(client->pool);
- mutex_unlock(&client->ioctl_mutex);
if (err < 0)
- return -ENOMEM;
+ goto out;
}
/* only process whole events */
@@ -1069,7 +1070,7 @@ static ssize_t snd_seq_write(struct file
/* ok, enqueue it */
err = snd_seq_client_enqueue_event(client, &event, file,
!(file->f_flags & O_NONBLOCK),
- 0, 0);
+ 0, 0, &client->ioctl_mutex);
if (err < 0)
break;
@@ -1080,6 +1081,8 @@ static ssize_t snd_seq_write(struct file
written += len;
}
+ out:
+ mutex_unlock(&client->ioctl_mutex);
return written ? written : err;
}
@@ -2262,7 +2265,8 @@ static int kernel_client_enqueue(int cli
if (! cptr->accept_output)
result = -EPERM;
else /* send it */
- result = snd_seq_client_enqueue_event(cptr, ev, file, blocking, atomic, hop);
+ result = snd_seq_client_enqueue_event(cptr, ev, file, blocking,
+ atomic, hop, NULL);
snd_seq_client_unlock(cptr);
return result;
--- a/sound/core/seq/seq_fifo.c
+++ b/sound/core/seq/seq_fifo.c
@@ -123,7 +123,7 @@ int snd_seq_fifo_event_in(struct snd_seq
return -EINVAL;
snd_use_lock_use(&f->use_lock);
- err = snd_seq_event_dup(f->pool, event, &cell, 1, NULL); /* always non-blocking */
+ err = snd_seq_event_dup(f->pool, event, &cell, 1, NULL, NULL); /* always non-blocking */
if (err < 0) {
if ((err == -ENOMEM) || (err == -EAGAIN))
atomic_inc(&f->overflow);
--- a/sound/core/seq/seq_memory.c
+++ b/sound/core/seq/seq_memory.c
@@ -221,7 +221,8 @@ void snd_seq_cell_free(struct snd_seq_ev
*/
static int snd_seq_cell_alloc(struct snd_seq_pool *pool,
struct snd_seq_event_cell **cellp,
- int nonblock, struct file *file)
+ int nonblock, struct file *file,
+ struct mutex *mutexp)
{
struct snd_seq_event_cell *cell;
unsigned long flags;
@@ -245,7 +246,11 @@ static int snd_seq_cell_alloc(struct snd
set_current_state(TASK_INTERRUPTIBLE);
add_wait_queue(&pool->output_sleep, &wait);
spin_unlock_irq(&pool->lock);
+ if (mutexp)
+ mutex_unlock(mutexp);
schedule();
+ if (mutexp)
+ mutex_lock(mutexp);
spin_lock_irq(&pool->lock);
remove_wait_queue(&pool->output_sleep, &wait);
/* interrupted? */
@@ -288,7 +293,7 @@ __error:
*/
int snd_seq_event_dup(struct snd_seq_pool *pool, struct snd_seq_event *event,
struct snd_seq_event_cell **cellp, int nonblock,
- struct file *file)
+ struct file *file, struct mutex *mutexp)
{
int ncells, err;
unsigned int extlen;
@@ -305,7 +310,7 @@ int snd_seq_event_dup(struct snd_seq_poo
if (ncells >= pool->total_elements)
return -ENOMEM;
- err = snd_seq_cell_alloc(pool, &cell, nonblock, file);
+ err = snd_seq_cell_alloc(pool, &cell, nonblock, file, mutexp);
if (err < 0)
return err;
@@ -331,7 +336,8 @@ int snd_seq_event_dup(struct snd_seq_poo
int size = sizeof(struct snd_seq_event);
if (len < size)
size = len;
- err = snd_seq_cell_alloc(pool, &tmp, nonblock, file);
+ err = snd_seq_cell_alloc(pool, &tmp, nonblock, file,
+ mutexp);
if (err < 0)
goto __error;
if (cell->event.data.ext.ptr == NULL)
--- a/sound/core/seq/seq_memory.h
+++ b/sound/core/seq/seq_memory.h
@@ -66,7 +66,8 @@ struct snd_seq_pool {
void snd_seq_cell_free(struct snd_seq_event_cell *cell);
int snd_seq_event_dup(struct snd_seq_pool *pool, struct snd_seq_event *event,
- struct snd_seq_event_cell **cellp, int nonblock, struct file *file);
+ struct snd_seq_event_cell **cellp, int nonblock,
+ struct file *file, struct mutex *mutexp);
/* return number of unused (free) cells */
static inline int snd_seq_unused_cells(struct snd_seq_pool *pool)
next prev parent reply other threads:[~2018-03-16 15:22 UTC|newest]
Thread overview: 97+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-03-16 15:22 [PATCH 4.9 00/86] 4.9.88-stable review Greg Kroah-Hartman
2018-03-16 15:22 ` [PATCH 4.9 01/86] RDMA/ucma: Limit possible option size Greg Kroah-Hartman
2018-03-16 15:22 ` [PATCH 4.9 02/86] RDMA/ucma: Check that user doesnt overflow QP state Greg Kroah-Hartman
2018-03-16 15:22 ` [PATCH 4.9 03/86] RDMA/mlx5: Fix integer overflow while resizing CQ Greg Kroah-Hartman
2018-03-16 15:22 ` [PATCH 4.9 04/86] drm/i915: Try EDID bitbanging on HDMI after failed read Greg Kroah-Hartman
2018-03-16 15:22 ` [PATCH 4.9 05/86] scsi: qla2xxx: Fix NULL pointer crash due to active timer for ABTS Greg Kroah-Hartman
2018-03-16 15:22 ` [PATCH 4.9 06/86] drm/i915: Always call to intel_display_set_init_power() in resume_early Greg Kroah-Hartman
2018-03-16 15:22 ` [PATCH 4.9 07/86] workqueue: Allow retrieval of current tasks work struct Greg Kroah-Hartman
2018-03-16 15:22 ` [PATCH 4.9 08/86] drm: Allow determining if current task is output poll worker Greg Kroah-Hartman
2018-03-16 15:22 ` [PATCH 4.9 09/86] drm/nouveau: Fix deadlock on runtime suspend Greg Kroah-Hartman
2018-03-16 15:22 ` [PATCH 4.9 10/86] drm/radeon: " Greg Kroah-Hartman
2018-03-16 15:22 ` [PATCH 4.9 11/86] drm/amdgpu: " Greg Kroah-Hartman
2018-03-16 15:22 ` [PATCH 4.9 12/86] drm/amdgpu: Notify sbios device ready before send request Greg Kroah-Hartman
2018-03-16 15:22 ` [PATCH 4.9 13/86] drm/radeon: fix KV harvesting Greg Kroah-Hartman
2018-03-16 15:22 ` [PATCH 4.9 14/86] drm/amdgpu: " Greg Kroah-Hartman
2018-03-16 15:22 ` [PATCH 4.9 15/86] drm/amdgpu:Correct max uvd handles Greg Kroah-Hartman
2018-03-16 15:22 ` [PATCH 4.9 16/86] drm/amdgpu:Always save uvd vcpu_bo in VM Mode Greg Kroah-Hartman
2018-03-16 15:22 ` [PATCH 4.9 17/86] MIPS: BMIPS: Do not mask IPIs during suspend Greg Kroah-Hartman
2018-03-16 15:22 ` [PATCH 4.9 18/86] MIPS: ath25: Check for kzalloc allocation failure Greg Kroah-Hartman
2018-03-16 15:22 ` [PATCH 4.9 19/86] MIPS: OCTEON: irq: Check for null return on kzalloc allocation Greg Kroah-Hartman
2018-03-16 15:22 ` [PATCH 4.9 20/86] Input: matrix_keypad - fix race when disabling interrupts Greg Kroah-Hartman
2018-03-16 15:22 ` [PATCH 4.9 21/86] loop: Fix lost writes caused by missing flag Greg Kroah-Hartman
2018-03-16 15:22 ` [PATCH 4.9 22/86] virtio_ring: fix num_free handling in error case Greg Kroah-Hartman
2018-03-16 15:22 ` [PATCH 4.9 23/86] KVM: s390: fix memory overwrites when not using SCA entries Greg Kroah-Hartman
2018-03-16 15:22 ` [PATCH 4.9 24/86] kbuild: Handle builtin dtb file names containing hyphens Greg Kroah-Hartman
2018-03-16 15:22 ` [PATCH 4.9 25/86] IB/mlx5: Fix incorrect size of klms in the memory region Greg Kroah-Hartman
2018-03-16 15:22 ` [PATCH 4.9 26/86] bcache: fix crashes in duplicate cache device register Greg Kroah-Hartman
2018-03-16 15:22 ` [PATCH 4.9 27/86] bcache: dont attach backing with duplicate UUID Greg Kroah-Hartman
2018-03-16 15:22 ` [PATCH 4.9 28/86] x86/MCE: Serialize sysfs changes Greg Kroah-Hartman
2018-03-16 15:22 ` [PATCH 4.9 29/86] perf tools: Fix trigger class trigger_on() Greg Kroah-Hartman
2018-03-16 15:22 ` [PATCH 4.9 30/86] x86/spectre_v2: Dont check microcode versions when running under hypervisors Greg Kroah-Hartman
2018-03-16 15:22 ` [PATCH 4.9 31/86] ALSA: hda/realtek: Limit mic boost on T480 Greg Kroah-Hartman
2018-03-16 15:22 ` [PATCH 4.9 32/86] ALSA: hda/realtek - Fix dock line-out volume on Dell Precision 7520 Greg Kroah-Hartman
2018-03-16 15:22 ` [PATCH 4.9 33/86] ALSA: hda/realtek - Make dock sound work on ThinkPad L570 Greg Kroah-Hartman
2018-03-16 15:22 ` [PATCH 4.9 34/86] ALSA: seq: Dont allow resizing pool in use Greg Kroah-Hartman
2018-03-16 15:22 ` Greg Kroah-Hartman [this message]
2018-03-16 15:22 ` [PATCH 4.9 36/86] ALSA: hda: add dock and led support for HP EliteBook 820 G3 Greg Kroah-Hartman
2018-03-16 15:23 ` [PATCH 4.9 37/86] ALSA: hda: add dock and led support for HP ProBook 640 G2 Greg Kroah-Hartman
2018-03-16 15:23 ` [PATCH 4.9 38/86] nospec: Kill array_index_nospec_mask_check() Greg Kroah-Hartman
2018-03-16 15:23 ` [PATCH 4.9 39/86] nospec: Include <asm/barrier.h> dependency Greg Kroah-Hartman
2018-03-16 15:23 ` [PATCH 4.9 40/86] Revert "x86/retpoline: Simplify vmexit_fill_RSB()" Greg Kroah-Hartman
2018-03-16 15:23 ` [PATCH 4.9 41/86] x86/speculation: Use IBRS if available before calling into firmware Greg Kroah-Hartman
2018-03-16 15:23 ` [PATCH 4.9 42/86] x86/retpoline: Support retpoline builds with Clang Greg Kroah-Hartman
2018-03-16 15:23 ` [PATCH 4.9 43/86] x86/speculation, objtool: Annotate indirect calls/jumps for objtool Greg Kroah-Hartman
2018-03-16 15:23 ` [PATCH 4.9 44/86] x86/boot, objtool: Annotate indirect jump in secondary_startup_64() Greg Kroah-Hartman
2018-03-16 15:23 ` [PATCH 4.9 45/86] x86/speculation: Move firmware_restrict_branch_speculation_*() from C to CPP Greg Kroah-Hartman
2018-03-16 15:23 ` [PATCH 4.9 46/86] x86/paravirt, objtool: Annotate indirect calls Greg Kroah-Hartman
2018-03-16 15:23 ` [PATCH 4.9 47/86] watchdog: hpwdt: SMBIOS check Greg Kroah-Hartman
2018-03-16 15:23 ` [PATCH 4.9 48/86] watchdog: hpwdt: Check source of NMI Greg Kroah-Hartman
2018-03-16 15:23 ` [PATCH 4.9 49/86] watchdog: hpwdt: fix unused variable warning Greg Kroah-Hartman
2018-03-16 15:23 ` [PATCH 4.9 50/86] watchdog: hpwdt: Remove legacy NMI sourcing Greg Kroah-Hartman
2018-03-16 15:23 ` [PATCH 4.9 51/86] ARM: omap2: hide omap3_save_secure_ram on non-OMAP3 builds Greg Kroah-Hartman
2018-03-16 15:23 ` [PATCH 4.9 52/86] Input: tca8418_keypad - remove double read of key event register Greg Kroah-Hartman
2018-03-16 15:23 ` [PATCH 4.9 53/86] [media] tc358743: fix register i2c_rd/wr function fix Greg Kroah-Hartman
2018-03-16 15:23 ` [PATCH 4.9 54/86] netfilter: add back stackpointer size checks Greg Kroah-Hartman
2018-03-16 15:23 ` [PATCH 4.9 55/86] netfilter: x_tables: fix missing timer initialization in xt_LED Greg Kroah-Hartman
2018-03-16 15:23 ` [PATCH 4.9 56/86] netfilter: nat: cope with negative port range Greg Kroah-Hartman
2018-03-16 15:23 ` [PATCH 4.9 57/86] netfilter: IDLETIMER: be syzkaller friendly Greg Kroah-Hartman
2018-03-16 15:23 ` [PATCH 4.9 58/86] netfilter: ebtables: CONFIG_COMPAT: dont trust userland offsets Greg Kroah-Hartman
2018-03-16 15:23 ` [PATCH 4.9 59/86] netfilter: bridge: ebt_among: add missing match size checks Greg Kroah-Hartman
2018-03-16 15:23 ` [PATCH 4.9 60/86] netfilter: ipv6: fix use-after-free Write in nf_nat_ipv6_manip_pkt Greg Kroah-Hartman
2018-03-16 15:23 ` [PATCH 4.9 61/86] netfilter: x_tables: pass xt_counters struct instead of packet counter Greg Kroah-Hartman
2018-03-16 15:23 ` [PATCH 4.9 62/86] netfilter: x_tables: pass xt_counters struct to counter allocator Greg Kroah-Hartman
2018-03-16 15:23 ` [PATCH 4.9 63/86] netfilter: x_tables: pack percpu counter allocations Greg Kroah-Hartman
2018-03-16 15:23 ` [PATCH 4.9 64/86] ext4: inplace xattr block update fails to deduplicate blocks Greg Kroah-Hartman
2018-03-16 15:23 ` [PATCH 4.9 65/86] ubi: Fix race condition between ubi volume creation and udev Greg Kroah-Hartman
2018-03-16 15:23 ` [PATCH 4.9 66/86] scsi: qla2xxx: Replace fcport alloc with qla2x00_alloc_fcport Greg Kroah-Hartman
2018-03-16 15:23 ` [PATCH 4.9 67/86] NFS: Fix an incorrect type in struct nfs_direct_req Greg Kroah-Hartman
2018-03-16 15:23 ` [PATCH 4.9 68/86] NFS: Fix unstable write completion Greg Kroah-Hartman
2018-03-16 15:23 ` [PATCH 4.9 69/86] x86/module: Detect and skip invalid relocations Greg Kroah-Hartman
2018-03-16 15:23 ` [PATCH 4.9 70/86] x86: Treat R_X86_64_PLT32 as R_X86_64_PC32 Greg Kroah-Hartman
2018-03-16 15:23 ` [PATCH 4.9 71/86] ASoC: sgtl5000: Fix suspend/resume Greg Kroah-Hartman
2018-03-16 15:23 ` [PATCH 4.9 72/86] ASoC: rt5651: Fix regcache sync errors on resume Greg Kroah-Hartman
2018-03-16 15:23 ` [PATCH 4.9 73/86] serial: sh-sci: prevent lockup on full TTY buffers Greg Kroah-Hartman
2018-03-16 15:23 ` [PATCH 4.9 74/86] tty/serial: atmel: add new version check for usart Greg Kroah-Hartman
2018-03-16 15:23 ` [PATCH 4.9 75/86] uas: fix comparison for error code Greg Kroah-Hartman
2018-03-16 15:23 ` [PATCH 4.9 76/86] staging: comedi: fix comedi_nsamples_left Greg Kroah-Hartman
2018-03-16 15:23 ` [PATCH 4.9 77/86] staging: android: ashmem: Fix lockdep issue during llseek Greg Kroah-Hartman
2018-03-16 15:23 ` [PATCH 4.9 78/86] USB: storage: Add JMicron bridge 152d:2567 to unusual_devs.h Greg Kroah-Hartman
2018-03-16 15:23 ` [PATCH 4.9 79/86] usbip: vudc: fix null pointer dereference on udc->lock Greg Kroah-Hartman
2018-03-16 15:23 ` [PATCH 4.9 80/86] usb: quirks: add control message delay for 1b1c:1b20 Greg Kroah-Hartman
2018-03-16 15:23 ` [PATCH 4.9 81/86] usb: usbmon: Read text within supplied buffer size Greg Kroah-Hartman
2018-03-16 15:23 ` [PATCH 4.9 82/86] usb: gadget: f_fs: Fix use-after-free in ffs_fs_kill_sb() Greg Kroah-Hartman
2018-03-16 15:23 ` [PATCH 4.9 83/86] serial: 8250_pci: Add Brainboxes UC-260 4 port serial device Greg Kroah-Hartman
2018-03-16 15:23 ` [PATCH 4.9 84/86] serial: core: mark port as initialized in autoconfig Greg Kroah-Hartman
2018-03-16 15:23 ` [PATCH 4.9 85/86] earlycon: add reg-offset to physical address before mapping Greg Kroah-Hartman
2018-03-16 15:23 ` [PATCH 4.9 86/86] PCI: dwc: Fix enumeration end when reaching root subordinate Greg Kroah-Hartman
2018-03-16 23:20 ` [PATCH 4.9 00/86] 4.9.88-stable review kernelci.org bot
2018-03-17 10:18 ` Naresh Kamboju
2018-03-18 10:27 ` Greg Kroah-Hartman
2018-03-20 23:49 ` Ben Hutchings
2018-03-21 13:32 ` Greg Kroah-Hartman
2018-03-21 17:50 ` Naresh Kamboju
2018-03-22 8:19 ` Greg Kroah-Hartman
2018-03-22 17:47 ` Naresh Kamboju
2018-03-17 14:41 ` Guenter Roeck
2018-03-18 10:27 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180316152319.756408781@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=long7573@126.com \
--cc=nstange@suse.de \
--cc=stable@vger.kernel.org \
--cc=tiwai@suse.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox