[PATCH AUTOSEL 6.1 15/15] ALSA: seq: oss: Fix racy open/close of MIDI devices

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Takashi Iwai <tiwai@suse.de>,
	"Gong, Sishuai" <sishuai@purdue.edu>,
	Sasha Levin <sashal@kernel.org>,
	perex@perex.cz, tiwai@suse.com, alsa-devel@alsa-project.org
Subject: [PATCH AUTOSEL 6.1 15/15] ALSA: seq: oss: Fix racy open/close of MIDI devices
Date: Mon, 26 Jun 2023 17:50:31 -0400	[thread overview]
Message-ID: <20230626215031.179159-15-sashal@kernel.org> (raw)
In-Reply-To: <20230626215031.179159-1-sashal@kernel.org>

From: Takashi Iwai <tiwai@suse.de>

[ Upstream commit 297224fc0922e7385573a30c29ffdabb67f27b7d ]

Although snd_seq_oss_midi_open() and snd_seq_oss_midi_close() can be
called concurrently from different code paths, we have no proper data
protection against races.  Introduce open_mutex to each seq_oss_midi
object for avoiding the races.

Reported-by: "Gong, Sishuai" <sishuai@purdue.edu>
Closes: https://lore.kernel.org/r/7DC9AF71-F481-4ABA-955F-76C535661E33@purdue.edu
Link: https://lore.kernel.org/r/20230612125533.27461-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 sound/core/seq/oss/seq_oss_midi.c | 35 +++++++++++++++++++------------
 1 file changed, 22 insertions(+), 13 deletions(-)

diff --git a/sound/core/seq/oss/seq_oss_midi.c b/sound/core/seq/oss/seq_oss_midi.c
index 07efb38f58ac1..f2940b29595f0 100644
--- a/sound/core/seq/oss/seq_oss_midi.c
+++ b/sound/core/seq/oss/seq_oss_midi.c
@@ -37,6 +37,7 @@ struct seq_oss_midi {
 	struct snd_midi_event *coder;	/* MIDI event coder */
 	struct seq_oss_devinfo *devinfo;	/* assigned OSSseq device */
 	snd_use_lock_t use_lock;
+	struct mutex open_mutex;
 };
 
 
@@ -172,6 +173,7 @@ snd_seq_oss_midi_check_new_port(struct snd_seq_port_info *pinfo)
 	mdev->flags = pinfo->capability;
 	mdev->opened = 0;
 	snd_use_lock_init(&mdev->use_lock);
+	mutex_init(&mdev->open_mutex);
 
 	/* copy and truncate the name of synth device */
 	strscpy(mdev->name, pinfo->name, sizeof(mdev->name));
@@ -322,15 +324,17 @@ snd_seq_oss_midi_open(struct seq_oss_devinfo *dp, int dev, int fmode)
 	int perm;
 	struct seq_oss_midi *mdev;
 	struct snd_seq_port_subscribe subs;
+	int err;
 
 	mdev = get_mididev(dp, dev);
 	if (!mdev)
 		return -ENODEV;
 
+	mutex_lock(&mdev->open_mutex);
 	/* already used? */
 	if (mdev->opened && mdev->devinfo != dp) {
-		snd_use_lock_free(&mdev->use_lock);
-		return -EBUSY;
+		err = -EBUSY;
+		goto unlock;
 	}
 
 	perm = 0;
@@ -340,14 +344,14 @@ snd_seq_oss_midi_open(struct seq_oss_devinfo *dp, int dev, int fmode)
 		perm |= PERM_READ;
 	perm &= mdev->flags;
 	if (perm == 0) {
-		snd_use_lock_free(&mdev->use_lock);
-		return -ENXIO;
+		err = -ENXIO;
+		goto unlock;
 	}
 
 	/* already opened? */
 	if ((mdev->opened & perm) == perm) {
-		snd_use_lock_free(&mdev->use_lock);
-		return 0;
+		err = 0;
+		goto unlock;
 	}
 
 	perm &= ~mdev->opened;
@@ -372,13 +376,17 @@ snd_seq_oss_midi_open(struct seq_oss_devinfo *dp, int dev, int fmode)
 	}
 
 	if (! mdev->opened) {
-		snd_use_lock_free(&mdev->use_lock);
-		return -ENXIO;
+		err = -ENXIO;
+		goto unlock;
 	}
 
 	mdev->devinfo = dp;
+	err = 0;
+
+ unlock:
+	mutex_unlock(&mdev->open_mutex);
 	snd_use_lock_free(&mdev->use_lock);
-	return 0;
+	return err;
 }
 
 /*
@@ -393,10 +401,9 @@ snd_seq_oss_midi_close(struct seq_oss_devinfo *dp, int dev)
 	mdev = get_mididev(dp, dev);
 	if (!mdev)
 		return -ENODEV;
-	if (! mdev->opened || mdev->devinfo != dp) {
-		snd_use_lock_free(&mdev->use_lock);
-		return 0;
-	}
+	mutex_lock(&mdev->open_mutex);
+	if (!mdev->opened || mdev->devinfo != dp)
+		goto unlock;
 
 	memset(&subs, 0, sizeof(subs));
 	if (mdev->opened & PERM_WRITE) {
@@ -415,6 +422,8 @@ snd_seq_oss_midi_close(struct seq_oss_devinfo *dp, int dev)
 	mdev->opened = 0;
 	mdev->devinfo = NULL;
 
+ unlock:
+	mutex_unlock(&mdev->open_mutex);
 	snd_use_lock_free(&mdev->use_lock);
 	return 0;
 }
-- 
2.39.2

next prev parent reply	other threads:[~2023-06-26 21:54 UTC|newest]

Thread overview: 17+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-06-26 21:50 [PATCH AUTOSEL 6.1 01/15] wifi: cfg80211: remove links only on AP Sasha Levin
2023-06-26 21:50 ` [PATCH AUTOSEL 6.1 02/15] wifi: mac80211: Use active_links instead of valid_links in Tx Sasha Levin
2023-06-26 21:50 ` [PATCH AUTOSEL 6.1 03/15] netlabel: fix shift wrapping bug in netlbl_catmap_setlong() Sasha Levin
2023-06-26 21:50 ` [PATCH AUTOSEL 6.1 04/15] bnx2x: fix page fault following EEH recovery Sasha Levin
2023-06-26 21:50 ` [PATCH AUTOSEL 6.1 05/15] smb/client: print "Unknown" instead of bogus link speed value Sasha Levin
2023-06-26 21:50 ` [PATCH AUTOSEL 6.1 06/15] cifs: fix sockaddr comparison in iface_cmp Sasha Levin
2023-07-11 20:49   ` Pavel Machek
2023-06-26 21:50 ` [PATCH AUTOSEL 6.1 07/15] cifs: fix max_credits implementation Sasha Levin
2023-06-26 21:50 ` [PATCH AUTOSEL 6.1 08/15] sctp: handle invalid error codes without calling BUG() Sasha Levin
2023-06-26 21:50 ` [PATCH AUTOSEL 6.1 09/15] cifs: add a warning when the in-flight count goes negative Sasha Levin
2023-06-26 21:50 ` [PATCH AUTOSEL 6.1 10/15] scsi: aacraid: Reply queue mapping to CPUs based on IRQ affinity Sasha Levin
2023-06-26 21:50 ` [PATCH AUTOSEL 6.1 11/15] scsi: storvsc: Always set no_report_opcodes Sasha Levin
2023-06-26 21:50 ` [PATCH AUTOSEL 6.1 12/15] scsi: lpfc: Fix incorrect big endian type assignment in bsg loopback path Sasha Levin
2023-06-26 21:50 ` [PATCH AUTOSEL 6.1 13/15] LoongArch: Let pmd_present() return true when splitting pmd Sasha Levin
2023-06-26 21:50 ` [PATCH AUTOSEL 6.1 14/15] LoongArch: Fix the write_fcsr() macro Sasha Levin
2023-06-26 21:50 ` Sasha Levin [this message]
  -- strict thread matches above, loose matches on Subject: below --
2023-08-29 13:32 [PATCH AUTOSEL 6.1 01/15] wifi: cfg80211: remove links only on AP Sasha Levin
2023-08-29 13:32 ` [PATCH AUTOSEL 6.1 15/15] ALSA: seq: oss: Fix racy open/close of MIDI devices Sasha Levin

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:07efb38f58ac dfblob:f2940b29595f )
 OR (
bs:"[PATCH AUTOSEL 6.1 15/15] ALSA: seq: oss: Fix racy open/close of MIDI devices" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20230626215031.179159-15-sashal@kernel.org \
    --to=sashal@kernel.org \
    --cc=alsa-devel@alsa-project.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=perex@perex.cz \
    --cc=sishuai@purdue.edu \
    --cc=stable@vger.kernel.org \
    --cc=tiwai@suse.com \
    --cc=tiwai@suse.de \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox