From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Alexander Potapenko <glider@google.com>,
Takashi Iwai <tiwai@suse.de>
Subject: [PATCH 3.18 35/45] ALSA: timer: Fix missing queue indices reset at SNDRV_TIMER_IOCTL_SELECT
Date: Mon, 12 Jun 2017 17:26:45 +0200 [thread overview]
Message-ID: <20170612152555.266643877@linuxfoundation.org> (raw)
In-Reply-To: <20170612152553.118037974@linuxfoundation.org>
3.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Takashi Iwai <tiwai@suse.de>
commit ba3021b2c79b2fa9114f92790a99deb27a65b728 upstream.
snd_timer_user_tselect() reallocates the queue buffer dynamically, but
it forgot to reset its indices. Since the read may happen
concurrently with ioctl and snd_timer_user_tselect() allocates the
buffer via kmalloc(), this may lead to the leak of uninitialized
kernel-space data, as spotted via KMSAN:
BUG: KMSAN: use of unitialized memory in snd_timer_user_read+0x6c4/0xa10
CPU: 0 PID: 1037 Comm: probe Not tainted 4.11.0-rc5+ #2739
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:16
dump_stack+0x143/0x1b0 lib/dump_stack.c:52
kmsan_report+0x12a/0x180 mm/kmsan/kmsan.c:1007
kmsan_check_memory+0xc2/0x140 mm/kmsan/kmsan.c:1086
copy_to_user ./arch/x86/include/asm/uaccess.h:725
snd_timer_user_read+0x6c4/0xa10 sound/core/timer.c:2004
do_loop_readv_writev fs/read_write.c:716
__do_readv_writev+0x94c/0x1380 fs/read_write.c:864
do_readv_writev fs/read_write.c:894
vfs_readv fs/read_write.c:908
do_readv+0x52a/0x5d0 fs/read_write.c:934
SYSC_readv+0xb6/0xd0 fs/read_write.c:1021
SyS_readv+0x87/0xb0 fs/read_write.c:1018
This patch adds the missing reset of queue indices. Together with the
previous fix for the ioctl/read race, we cover the whole problem.
Reported-by: Alexander Potapenko <glider@google.com>
Tested-by: Alexander Potapenko <glider@google.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/core/timer.c | 1 +
1 file changed, 1 insertion(+)
--- a/sound/core/timer.c
+++ b/sound/core/timer.c
@@ -1620,6 +1620,7 @@ static int snd_timer_user_tselect(struct
if (err < 0)
goto __err;
+ tu->qhead = tu->qtail = tu->qused = 0;
kfree(tu->queue);
tu->queue = NULL;
kfree(tu->tqueue);
next prev parent reply other threads:[~2017-06-12 15:26 UTC|newest]
Thread overview: 46+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-06-12 15:26 [PATCH 3.18 00/45] 3.18.57-stable review Greg Kroah-Hartman
2017-06-12 15:26 ` [PATCH 3.18 01/45] bnx2x: Fix Multi-Cos Greg Kroah-Hartman
2017-06-12 15:26 ` [PATCH 3.18 02/45] ipv6: xfrm: Handle errors reported by xfrm6_find_1stfragopt() Greg Kroah-Hartman
2017-06-12 15:26 ` [PATCH 3.18 03/45] cxgb4: avoid enabling napi twice to the same queue Greg Kroah-Hartman
2017-06-12 15:26 ` [PATCH 3.18 04/45] tcp: disallow cwnd undo when switching congestion control Greg Kroah-Hartman
2017-06-12 15:26 ` [PATCH 3.18 05/45] ipv6: Fix leak in ipv6_gso_segment() Greg Kroah-Hartman
2017-06-12 15:26 ` [PATCH 3.18 06/45] net: ping: do not abuse udp_poll() Greg Kroah-Hartman
2017-06-12 15:26 ` [PATCH 3.18 07/45] net: ethoc: enable NAPI before poll may be scheduled Greg Kroah-Hartman
2017-06-12 15:26 ` [PATCH 3.18 08/45] serial: ifx6x60: fix use-after-free on module unload Greg Kroah-Hartman
2017-06-12 15:26 ` [PATCH 3.18 09/45] KEYS: fix dereferencing NULL payload with nonzero length Greg Kroah-Hartman
2017-06-12 15:26 ` [PATCH 3.18 10/45] KEYS: fix freeing uninitialized memory in key_update() Greg Kroah-Hartman
2017-06-12 15:26 ` [PATCH 3.18 11/45] crypto: gcm - wait for crypto op not signal safe Greg Kroah-Hartman
2017-06-12 15:26 ` [PATCH 3.18 12/45] nfsd4: fix null dereference on replay Greg Kroah-Hartman
2017-06-12 15:26 ` [PATCH 3.18 15/45] arm: KVM: Allow unaligned accesses at HYP Greg Kroah-Hartman
2017-06-12 15:26 ` [PATCH 3.18 16/45] dmaengine: ep93xx: Always start from BASE0 Greg Kroah-Hartman
2017-06-12 15:26 ` [PATCH 3.18 17/45] ext4: fix SEEK_HOLE Greg Kroah-Hartman
2017-06-12 15:26 ` [PATCH 3.18 18/45] ext4: keep existing extra fields when inode expands Greg Kroah-Hartman
2017-06-12 15:26 ` [PATCH 3.18 19/45] usb: gadget: f_mass_storage: Serialize wake and sleep execution Greg Kroah-Hartman
2017-06-12 15:26 ` [PATCH 3.18 20/45] usb: chipidea: udc: fix NULL pointer dereference if udc_start failed Greg Kroah-Hartman
2017-06-12 15:26 ` [PATCH 3.18 21/45] usb: chipidea: debug: check before accessing ci_role Greg Kroah-Hartman
2017-06-12 15:26 ` [PATCH 3.18 22/45] staging/lustre/lov: remove set_fs() call from lov_getstripe() Greg Kroah-Hartman
2017-06-12 15:26 ` [PATCH 3.18 23/45] iio: proximity: as3935: fix AS3935_INT mask Greg Kroah-Hartman
2017-06-12 15:26 ` [PATCH 3.18 24/45] drivers: char: random: add get_random_long() Greg Kroah-Hartman
2017-06-12 15:26 ` [PATCH 3.18 25/45] random: properly align get_random_int_hash Greg Kroah-Hartman
2017-06-12 15:26 ` [PATCH 3.18 26/45] stackprotector: Increase the per-task stack canarys random range from 32 bits to 64 bits on 64-bit platforms Greg Kroah-Hartman
2017-06-12 15:26 ` [PATCH 3.18 27/45] btrfs: use correct types for page indices in btrfs_page_exists_in_range Greg Kroah-Hartman
2017-06-12 15:26 ` [PATCH 3.18 28/45] btrfs: fix memory leak in update_space_info failure path Greg Kroah-Hartman
2017-06-12 15:26 ` [PATCH 3.18 29/45] scsi: qla2xxx: dont disable a not previously enabled PCI device Greg Kroah-Hartman
2017-06-12 15:26 ` [PATCH 3.18 30/45] powerpc/eeh: Avoid use after free in eeh_handle_special_event() Greg Kroah-Hartman
2017-06-12 15:26 ` [PATCH 3.18 31/45] powerpc/numa: Fix percpu allocations to be NUMA aware Greg Kroah-Hartman
2017-06-12 15:26 ` [PATCH 3.18 32/45] perf/core: Drop kernel samples even though :u is specified Greg Kroah-Hartman
2017-06-12 15:26 ` [PATCH 3.18 33/45] drm/vmwgfx: Handle vmalloc() failure in vmw_local_fifo_reserve() Greg Kroah-Hartman
2017-06-12 15:26 ` [PATCH 3.18 34/45] drm/vmwgfx: limit the number of mip levels in vmw_gb_surface_define_ioctl() Greg Kroah-Hartman
2017-06-12 15:26 ` Greg Kroah-Hartman [this message]
2017-06-12 15:26 ` [PATCH 3.18 36/45] ASoC: Fix use-after-free at card unregistration Greg Kroah-Hartman
2017-06-12 15:26 ` [PATCH 3.18 37/45] drivers: char: mem: Fix wraparound check to allow mappings up to the end Greg Kroah-Hartman
2017-06-12 15:26 ` [PATCH 3.18 38/45] serial: sh-sci: Fix panic when serial console and DMA are enabled Greg Kroah-Hartman
2017-06-12 15:26 ` [PATCH 3.18 39/45] arm64: hw_breakpoint: fix watchpoint matching for tagged pointers Greg Kroah-Hartman
2017-06-12 15:26 ` [PATCH 3.18 40/45] arm64: entry: improve data abort handling of " Greg Kroah-Hartman
2017-06-12 15:26 ` [PATCH 3.18 41/45] RDMA/qib,hfi1: Fix MR reference count leak on write with immediate Greg Kroah-Hartman
2017-06-12 15:26 ` [PATCH 3.18 42/45] tracing: Use strlcpy() instead of strcpy() in __trace_find_cmdline() Greg Kroah-Hartman
2017-06-12 15:26 ` [PATCH 3.18 43/45] usercopy: Adjust tests to deal with SMAP/PAN Greg Kroah-Hartman
2017-06-12 15:26 ` [PATCH 3.18 44/45] arm64: ensure extension of smp_store_release value Greg Kroah-Hartman
2017-06-12 15:26 ` [PATCH 3.18 45/45] mlx5: stop including <asm-generic/kmap_types.h> Greg Kroah-Hartman
2017-06-12 21:52 ` [PATCH 3.18 00/45] 3.18.57-stable review Guenter Roeck
2017-06-13 0:49 ` Shuah Khan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170612152555.266643877@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=glider@google.com \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=tiwai@suse.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).