From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Jaroslav Kysela <perex@perex.cz>, Takashi Iwai <tiwai@suse.de>,
Ovidiu Panait <ovidiu.panait@windriver.com>
Subject: [PATCH 4.19 11/15] ALSA: pcm: Fix races among concurrent prealloc proc writes
Date: Fri, 13 May 2022 16:23:33 +0200 [thread overview]
Message-ID: <20220513142228.230689107@linuxfoundation.org> (raw)
In-Reply-To: <20220513142227.897535454@linuxfoundation.org>
From: Takashi Iwai <tiwai@suse.de>
commit 69534c48ba8ce552ce383b3dfdb271ffe51820c3 upstream.
We have no protection against concurrent PCM buffer preallocation
changes via proc files, and it may potentially lead to UAF or some
weird problem. This patch applies the PCM open_mutex to the proc
write operation for avoiding the racy proc writes and the PCM stream
open (and further operations).
Cc: <stable@vger.kernel.org>
Reviewed-by: Jaroslav Kysela <perex@perex.cz>
Link: https://lore.kernel.org/r/20220322170720.3529-5-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
[OP: backport to 4.19: adjusted context]
Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/core/pcm_memory.c | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
--- a/sound/core/pcm_memory.c
+++ b/sound/core/pcm_memory.c
@@ -160,19 +160,20 @@ static void snd_pcm_lib_preallocate_proc
size_t size;
struct snd_dma_buffer new_dmab;
+ mutex_lock(&substream->pcm->open_mutex);
if (substream->runtime) {
buffer->error = -EBUSY;
- return;
+ goto unlock;
}
if (!snd_info_get_line(buffer, line, sizeof(line))) {
snd_info_get_str(str, line, sizeof(str));
size = simple_strtoul(str, NULL, 10) * 1024;
if ((size != 0 && size < 8192) || size > substream->dma_max) {
buffer->error = -EINVAL;
- return;
+ goto unlock;
}
if (substream->dma_buffer.bytes == size)
- return;
+ goto unlock;
memset(&new_dmab, 0, sizeof(new_dmab));
new_dmab.dev = substream->dma_buffer.dev;
if (size > 0) {
@@ -180,7 +181,7 @@ static void snd_pcm_lib_preallocate_proc
substream->dma_buffer.dev.dev,
size, &new_dmab) < 0) {
buffer->error = -ENOMEM;
- return;
+ goto unlock;
}
substream->buffer_bytes_max = size;
} else {
@@ -192,6 +193,8 @@ static void snd_pcm_lib_preallocate_proc
} else {
buffer->error = -EINVAL;
}
+ unlock:
+ mutex_unlock(&substream->pcm->open_mutex);
}
static inline void preallocate_info_init(struct snd_pcm_substream *substream)
next prev parent reply other threads:[~2022-05-13 14:27 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-05-13 14:23 [PATCH 4.19 00/15] 4.19.243-rc1 review Greg Kroah-Hartman
2022-05-13 14:23 ` [PATCH 4.19 01/15] MIPS: Use address-of operator on section symbols Greg Kroah-Hartman
2022-05-13 14:23 ` [PATCH 4.19 02/15] block: drbd: drbd_nl: Make conversion to enum drbd_ret_code explicit Greg Kroah-Hartman
2022-05-13 14:23 ` [PATCH 4.19 03/15] drm/amd/display/dc/gpio/gpio_service: Pass around correct dce_{version, environment} types Greg Kroah-Hartman
2022-05-13 14:23 ` Greg Kroah-Hartman
2022-05-13 14:23 ` Greg Kroah-Hartman
2022-05-13 14:23 ` [PATCH 4.19 04/15] nfp: bpf: silence bitwise vs. logical OR warning Greg Kroah-Hartman
2022-05-13 14:23 ` [PATCH 4.19 05/15] can: grcan: grcan_probe(): fix broken system id check for errata workaround needs Greg Kroah-Hartman
2022-05-13 14:23 ` [PATCH 4.19 06/15] can: grcan: only use the NAPI poll budget for RX Greg Kroah-Hartman
2022-05-13 14:23 ` [PATCH 4.19 07/15] Bluetooth: Fix the creation of hdev->name Greg Kroah-Hartman
2022-05-13 14:23 ` [PATCH 4.19 08/15] ALSA: pcm: Fix races among concurrent hw_params and hw_free calls Greg Kroah-Hartman
2022-05-13 14:23 ` [PATCH 4.19 09/15] ALSA: pcm: Fix races among concurrent read/write and buffer changes Greg Kroah-Hartman
2022-05-13 14:23 ` [PATCH 4.19 10/15] ALSA: pcm: Fix races among concurrent prepare and hw_params/hw_free calls Greg Kroah-Hartman
2022-05-13 14:23 ` Greg Kroah-Hartman [this message]
2022-05-13 14:23 ` [PATCH 4.19 12/15] ALSA: pcm: Fix potential AB/BA lock with buffer_mutex and mmap_lock Greg Kroah-Hartman
2022-05-13 14:23 ` [PATCH 4.19 13/15] mm: hugetlb: fix missing cache flush in copy_huge_page_from_user() Greg Kroah-Hartman
2022-05-13 14:23 ` [PATCH 4.19 14/15] mm: userfaultfd: fix missing cache flush in mcopy_atomic_pte() and __mcopy_atomic() Greg Kroah-Hartman
2022-05-13 14:23 ` [PATCH 4.19 15/15] VFS: Fix memory leak caused by concurrently mounting fs with subtype Greg Kroah-Hartman
2022-05-13 16:40 ` [PATCH 4.19 00/15] 4.19.243-rc1 review Jon Hunter
2022-05-13 18:45 ` Pavel Machek
2022-05-13 20:39 ` Shuah Khan
2022-05-14 6:19 ` Samuel Zou
2022-05-14 14:28 ` Sudip Mukherjee
2022-05-14 14:53 ` Guenter Roeck
2022-05-14 15:06 ` Naresh Kamboju
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220513142228.230689107@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=ovidiu.panait@windriver.com \
--cc=perex@perex.cz \
--cc=stable@vger.kernel.org \
--cc=tiwai@suse.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.