From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Lars-Peter Clausen <lars@metafoo.de>,
Jaroslav Kysela <perex@perex.cz>, Takashi Iwai <tiwai@suse.de>
Subject: [PATCH 3.10 50/52] ALSA: control: Dont access controls outside of protected regions
Date: Tue, 24 Jun 2014 11:51:05 -0400 [thread overview]
Message-ID: <20140624154716.461030124@linuxfoundation.org> (raw)
In-Reply-To: <20140624154713.428945460@linuxfoundation.org>
3.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lars-Peter Clausen <lars@metafoo.de>
commit fd9f26e4eca5d08a27d12c0933fceef76ed9663d upstream.
A control that is visible on the card->controls list can be freed at any time.
This means we must not access any of its memory while not holding the
controls_rw_lock. Otherwise we risk a use after free access.
Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
Acked-by: Jaroslav Kysela <perex@perex.cz>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/core/control.c | 15 ++++++++++-----
1 file changed, 10 insertions(+), 5 deletions(-)
--- a/sound/core/control.c
+++ b/sound/core/control.c
@@ -331,6 +331,7 @@ int snd_ctl_add(struct snd_card *card, s
{
struct snd_ctl_elem_id id;
unsigned int idx;
+ unsigned int count;
int err = -EINVAL;
if (! kcontrol)
@@ -359,8 +360,9 @@ int snd_ctl_add(struct snd_card *card, s
card->controls_count += kcontrol->count;
kcontrol->id.numid = card->last_numid + 1;
card->last_numid += kcontrol->count;
+ count = kcontrol->count;
up_write(&card->controls_rwsem);
- for (idx = 0; idx < kcontrol->count; idx++, id.index++, id.numid++)
+ for (idx = 0; idx < count; idx++, id.index++, id.numid++)
snd_ctl_notify(card, SNDRV_CTL_EVENT_MASK_ADD, &id);
return 0;
@@ -389,6 +391,7 @@ int snd_ctl_replace(struct snd_card *car
bool add_on_replace)
{
struct snd_ctl_elem_id id;
+ unsigned int count;
unsigned int idx;
struct snd_kcontrol *old;
int ret;
@@ -424,8 +427,9 @@ add:
card->controls_count += kcontrol->count;
kcontrol->id.numid = card->last_numid + 1;
card->last_numid += kcontrol->count;
+ count = kcontrol->count;
up_write(&card->controls_rwsem);
- for (idx = 0; idx < kcontrol->count; idx++, id.index++, id.numid++)
+ for (idx = 0; idx < count; idx++, id.index++, id.numid++)
snd_ctl_notify(card, SNDRV_CTL_EVENT_MASK_ADD, &id);
return 0;
@@ -898,9 +902,9 @@ static int snd_ctl_elem_write(struct snd
result = kctl->put(kctl, control);
}
if (result > 0) {
+ struct snd_ctl_elem_id id = control->id;
up_read(&card->controls_rwsem);
- snd_ctl_notify(card, SNDRV_CTL_EVENT_MASK_VALUE,
- &control->id);
+ snd_ctl_notify(card, SNDRV_CTL_EVENT_MASK_VALUE, &id);
return 0;
}
}
@@ -1334,8 +1338,9 @@ static int snd_ctl_tlv_ioctl(struct snd_
}
err = kctl->tlv.c(kctl, op_flag, tlv.length, _tlv->tlv);
if (err > 0) {
+ struct snd_ctl_elem_id id = kctl->id;
up_read(&card->controls_rwsem);
- snd_ctl_notify(card, SNDRV_CTL_EVENT_MASK_TLV, &kctl->id);
+ snd_ctl_notify(card, SNDRV_CTL_EVENT_MASK_TLV, &id);
return 0;
}
} else {
next prev parent reply other threads:[~2014-06-24 15:51 UTC|newest]
Thread overview: 58+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-06-24 15:50 [PATCH 3.10 00/52] 3.10.45-stable review Greg Kroah-Hartman
2014-06-24 15:50 ` [PATCH 3.10 01/52] rtc: rtc-at91rm9200: fix infinite wait for ACKUPD irq Greg Kroah-Hartman
2014-06-24 15:50 ` [PATCH 3.10 02/52] iscsi-target: Reject mutual authentication with reflected CHAP_C Greg Kroah-Hartman
2014-06-24 15:50 ` [PATCH 3.10 03/52] ima: introduce ima_kernel_read() Greg Kroah-Hartman
2014-06-24 15:50 ` [PATCH 3.10 04/52] evm: prohibit userspace writing security.evm HMAC value Greg Kroah-Hartman
2014-06-24 15:50 ` [PATCH 3.10 05/52] netlink: Rename netlink_capable netlink_allowed Greg Kroah-Hartman
2014-06-24 15:50 ` [PATCH 3.10 06/52] net: Move the permission check in sock_diag_put_filterinfo to packet_diag_dump Greg Kroah-Hartman
2014-06-24 15:50 ` [PATCH 3.10 07/52] net: Add variants of capable for use on on sockets Greg Kroah-Hartman
2014-06-24 15:50 ` [PATCH 3.10 08/52] net: Add variants of capable for use on netlink messages Greg Kroah-Hartman
2014-06-24 15:50 ` [PATCH 3.10 09/52] net: Use netlink_ns_capable to verify the permisions of " Greg Kroah-Hartman
2014-06-24 15:50 ` [PATCH 3.10 10/52] netlink: Only check file credentials for implicit destinations Greg Kroah-Hartman
2014-06-24 15:50 ` [PATCH 3.10 11/52] netlink: rate-limit leftover bytes warning and print process name Greg Kroah-Hartman
2014-06-24 15:50 ` [PATCH 3.10 12/52] net: tunnels - enable module autoloading Greg Kroah-Hartman
2014-06-24 15:50 ` [PATCH 3.10 13/52] net: fix inet_getid() and ipv6_select_ident() bugs Greg Kroah-Hartman
2014-06-24 15:50 ` [PATCH 3.10 14/52] team: fix mtu setting Greg Kroah-Hartman
2014-06-24 15:50 ` [PATCH 3.10 15/52] tcp: fix cwnd undo on DSACK in F-RTO Greg Kroah-Hartman
2014-06-24 15:50 ` [PATCH 3.10 16/52] net: filter: fix typo in sparc BPF JIT Greg Kroah-Hartman
2014-06-24 15:50 ` [PATCH 3.10 17/52] net: filter: fix sparc32 typo Greg Kroah-Hartman
2014-06-24 15:50 ` [PATCH 3.10 19/52] net: force a list_del() in unregister_netdevice_many() Greg Kroah-Hartman
2014-06-24 15:50 ` [PATCH 3.10 20/52] ipip, sit: fix ipv4_{update_pmtu,redirect} calls Greg Kroah-Hartman
2014-06-24 15:50 ` [PATCH 3.10 21/52] ipv4: fix a race in ip4_datagram_release_cb() Greg Kroah-Hartman
2014-06-24 15:50 ` [PATCH 3.10 22/52] sctp: Fix sk_ack_backlog wrap-around problem Greg Kroah-Hartman
2014-06-24 15:50 ` [PATCH 3.10 23/52] rtnetlink: fix userspace API breakage for iproute2 < v3.9.0 Greg Kroah-Hartman
2014-06-24 15:50 ` [PATCH 3.10 24/52] vxlan: use dev->needed_headroom instead of dev->hard_header_len Greg Kroah-Hartman
2014-06-24 15:50 ` [PATCH 3.10 25/52] net/mlx4_core: pass pci_device_id.driver_data to __mlx4_init_one during reset Greg Kroah-Hartman
2014-06-24 15:50 ` [PATCH 3.10 26/52] net/mlx4_core: Preserve pci_dev_data after __mlx4_remove_one() Greg Kroah-Hartman
2014-06-25 6:02 ` Or Gerlitz
2014-06-25 6:11 ` Wei Yang
2014-06-25 6:13 ` David Miller
2014-06-25 6:02 ` Or Gerlitz
2014-06-25 6:22 ` Or Gerlitz
2014-06-24 15:50 ` [PATCH 3.10 27/52] KVM: lapic: sync highest ISR to hardware apic on EOI Greg Kroah-Hartman
2014-06-24 15:50 ` [PATCH 3.10 28/52] ARM: at91: fix at91_sysirq_mask_rtc for sam9x5 SoCs Greg Kroah-Hartman
2014-06-24 15:50 ` [PATCH 3.10 29/52] MIPS: KVM: Allocate at least 16KB for exception handlers Greg Kroah-Hartman
2014-06-24 15:50 ` [PATCH 3.10 30/52] USB: cdc-acm: fix write and suspend race Greg Kroah-Hartman
2014-06-24 15:50 ` [PATCH 3.10 31/52] USB: cdc-acm: fix write and resume race Greg Kroah-Hartman
2014-06-24 15:50 ` [PATCH 3.10 32/52] USB: cdc-acm: fix broken runtime suspend Greg Kroah-Hartman
2014-06-24 15:50 ` [PATCH 3.10 33/52] USB: cdc-acm: fix runtime PM for control messages Greg Kroah-Hartman
2014-06-24 15:50 ` [PATCH 3.10 34/52] USB: cdc-acm: fix shutdown and suspend race Greg Kroah-Hartman
2014-06-24 15:50 ` [PATCH 3.10 35/52] USB: cdc-acm: fix I/O after failed open Greg Kroah-Hartman
2014-06-24 15:50 ` [PATCH 3.10 36/52] USB: cdc-acm: fix runtime PM imbalance at shutdown Greg Kroah-Hartman
2014-06-24 15:50 ` [PATCH 3.10 37/52] Drivers: hv: balloon: Ensure pressure reports are posted regularly Greg Kroah-Hartman
2014-06-24 15:50 ` [PATCH 3.10 38/52] ASoC: max98090: Fix reset at resume time Greg Kroah-Hartman
2014-06-24 15:50 ` [PATCH 3.10 39/52] iio:adc:max1363 incorrect resolutions for max11604, max11605, max11610 and max11611 Greg Kroah-Hartman
2014-06-24 15:50 ` [PATCH 3.10 40/52] staging: iio: tsl2x7x_core: fix proximity treshold Greg Kroah-Hartman
2014-06-24 15:50 ` [PATCH 3.10 41/52] iio: adc: at91: signedness bug in at91_adc_get_trigger_value_by_name() Greg Kroah-Hartman
2014-06-24 15:50 ` [PATCH 3.10 42/52] iio: Fix endianness issue in ak8975_read_axis() Greg Kroah-Hartman
2014-06-24 15:50 ` [PATCH 3.10 43/52] lzo: properly check for overruns Greg Kroah-Hartman
2014-06-24 15:50 ` [PATCH 3.10 44/52] nohz: Fix another inconsistency between CONFIG_NO_HZ=n and nohz=off Greg Kroah-Hartman
2014-06-24 15:51 ` [PATCH 3.10 45/52] ALSA: compress: Cancel the optimization of compiler and fix the size of struct for all platform Greg Kroah-Hartman
2014-06-24 15:51 ` [PATCH 3.10 46/52] ALSA: hda/realtek - Add support of ALC891 codec Greg Kroah-Hartman
2014-06-24 15:51 ` [PATCH 3.10 48/52] ALSA: control: Protect user controls against concurrent access Greg Kroah-Hartman
2014-06-24 15:51 ` [PATCH 3.10 49/52] ALSA: control: Fix replacing user controls Greg Kroah-Hartman
2014-06-24 15:51 ` Greg Kroah-Hartman [this message]
2014-06-24 15:51 ` [PATCH 3.10 51/52] ALSA: control: Handle numid overflow Greg Kroah-Hartman
2014-06-24 15:51 ` [PATCH 3.10 52/52] ALSA: control: Make sure that id->index does not overflow Greg Kroah-Hartman
2014-06-24 19:48 ` [PATCH 3.10 00/52] 3.10.45-stable review Shuah Khan
2014-06-24 23:27 ` Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20140624154716.461030124@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=lars@metafoo.de \
--cc=linux-kernel@vger.kernel.org \
--cc=perex@perex.cz \
--cc=stable@vger.kernel.org \
--cc=tiwai@suse.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).