From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Takashi Iwai <tiwai@suse.de>
Subject: [PATCH 4.9 07/21] ALSA: rawmidi: Avoid racy info ioctl via ctl device
Date: Wed, 27 Dec 2017 17:46:23 +0100
Message-ID: <20171227164600.446557381@linuxfoundation.org>
In-Reply-To: <20171227164559.973657621@linuxfoundation.org>
4.9-stable review patch. If anyone has any objections, please let me know.
------------------
From: Takashi Iwai <tiwai@suse.de>
commit c1cfd9025cc394fd137a01159d74335c5ac978ce upstream.
The rawmidi also allows obtaining the information via ioctl of ctl
API. It means that user can issue an ioctl to the rawmidi device even
when it's being removed as long as the control device is present.
Although the code has some protection via the global register_mutex,
its range is limited to the search of the corresponding rawmidi
object, and the mutex is already unlocked at accessing the rawmidi
object. This may lead to a use-after-free.

For avoiding it, this patch widens the application of register_mutex
to the whole snd_rawmidi_info_select() function. We have another
mutex per rawmidi object, but this operation isn't a very hot path, so
it shouldn't matter from the performance POV.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/core/rawmidi.c | 15 ++++++++++++---
1 file changed, 12 insertions(+), 3 deletions(-)
--- a/sound/core/rawmidi.c
+++ b/sound/core/rawmidi.c
@@ -579,15 +579,14 @@ static int snd_rawmidi_info_user(struct
return 0;
}
-int snd_rawmidi_info_select(struct snd_card *card, struct snd_rawmidi_info *info)
+static int __snd_rawmidi_info_select(struct snd_card *card,
+ struct snd_rawmidi_info *info)
{
struct snd_rawmidi *rmidi;
struct snd_rawmidi_str *pstr;
struct snd_rawmidi_substream *substream;
- mutex_lock(®ister_mutex);
rmidi = snd_rawmidi_search(card, info->device);
- mutex_unlock(®ister_mutex);
if (!rmidi)
return -ENXIO;
if (info->stream < 0 || info->stream > 1)
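Review bot: __snd_rawmidi_info_select() now carries an unstated locking precondition. With the mutex_lock()/mutex_unlock() pair around snd_rawmidi_search() removed, the helper is only safe when its caller already holds register_mutex, but nothing in the function says so. Since it is static and sits right next to the exported wrapper, a later direct call from elsewhere in rawmidi.c would silently bring back the unlocked access to rmidi. A one-line comment above the definition ("caller must hold register_mutex") or a lockdep_assert_held() on register_mutex as the first statement would make the requirement checkable.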
@@ -603,6 +602,16 @@ int snd_rawmidi_info_select(struct snd_c
}
return -ENXIO;
}
+
+int snd_rawmidi_info_select(struct snd_card *card, struct snd_rawmidi_info *info)
+{
+ int ret;
+
+ mutex_lock(®ister_mutex);
+ ret = __snd_rawmidi_info_select(card, info);
+ mutex_unlock(®ister_mutex);
+ return ret;
+}
EXPORT_SYMBOL(snd_rawmidi_info_select);
static int snd_rawmidi_info_select_user(struct snd_card *card,
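Review bot: the exported snd_rawmidi_info_select() now takes register_mutex around the whole lookup, so any caller that already holds register_mutex when it reaches this function will deadlock on itself. Because the symbol is exported, it would help to add a short comment above the wrapper stating that it acquires register_mutex and must not be called with it held. Separately, the use-after-free is only closed if the removal path drops the rawmidi object from the list under the same mutex before freeing it; that side is not part of this diff, so a sentence in the changelog or a comment pointing at where that happens would let a reader confirm the two sides pair up.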