From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org,
syzbot+dc09047bce3820621ba2@syzkaller.appspotmail.com,
Takashi Iwai <tiwai@suse.de>
Subject: [PATCH 4.9 30/50] ALSA: control: Fix race between adding and removing a user element
Date: Tue, 4 Dec 2018 11:50:25 +0100 [thread overview]
Message-ID: <20181204103716.022225236@linuxfoundation.org> (raw)
In-Reply-To: <20181204103714.485546262@linuxfoundation.org>
4.9-stable review patch. If anyone has any objections, please let me know.
------------------
From: Takashi Iwai <tiwai@suse.de>
commit e1a7bfe3807974e66f971f2589d4e0197ec0fced upstream.
The procedure for adding a user control element has some window opened
for race against the concurrent removal of a user element. This was
caught by syzkaller, hitting a KASAN use-after-free error.
This patch addresses the bug by wrapping the whole procedure to add a
user control element with the card->controls_rwsem, instead of only
around the increment of card->user_ctl_count.
This required a slight code refactoring, too. The function
snd_ctl_add() is split to two parts: a core function to add the
control element and a part calling it. The former is called from the
function for adding a user control element inside the controls_rwsem.
One change to be noted is that snd_ctl_notify() for adding a control
element gets called inside the controls_rwsem as well while it was
called outside the rwsem. But this should be OK, as snd_ctl_notify()
takes another (finer) rwlock instead of rwsem, and the call of
snd_ctl_notify() inside rwsem is already done in another code path.
Reported-by: syzbot+dc09047bce3820621ba2@syzkaller.appspotmail.com
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/core/control.c | 80 ++++++++++++++++++++++++++++-----------------------
1 file changed, 45 insertions(+), 35 deletions(-)
--- a/sound/core/control.c
+++ b/sound/core/control.c
@@ -346,6 +346,40 @@ static int snd_ctl_find_hole(struct snd_
return 0;
}
+/* add a new kcontrol object; call with card->controls_rwsem locked */
+static int __snd_ctl_add(struct snd_card *card, struct snd_kcontrol *kcontrol)
+{
+ struct snd_ctl_elem_id id;
+ unsigned int idx;
+ unsigned int count;
+
+ id = kcontrol->id;
+ if (id.index > UINT_MAX - kcontrol->count)
+ return -EINVAL;
+
+ if (snd_ctl_find_id(card, &id)) {
+ dev_err(card->dev,
+ "control %i:%i:%i:%s:%i is already present\n",
+ id.iface, id.device, id.subdevice, id.name, id.index);
+ return -EBUSY;
+ }
+
+ if (snd_ctl_find_hole(card, kcontrol->count) < 0)
+ return -ENOMEM;
+
+ list_add_tail(&kcontrol->list, &card->controls);
+ card->controls_count += kcontrol->count;
+ kcontrol->id.numid = card->last_numid + 1;
+ card->last_numid += kcontrol->count;
+
+ id = kcontrol->id;
+ count = kcontrol->count;
+ for (idx = 0; idx < count; idx++, id.index++, id.numid++)
+ snd_ctl_notify(card, SNDRV_CTL_EVENT_MASK_ADD, &id);
+
+ return 0;
+}
+
/**
* snd_ctl_add - add the control instance to the card
* @card: the card instance
@@ -362,45 +396,18 @@ static int snd_ctl_find_hole(struct snd_
*/
int snd_ctl_add(struct snd_card *card, struct snd_kcontrol *kcontrol)
{
- struct snd_ctl_elem_id id;
- unsigned int idx;
- unsigned int count;
int err = -EINVAL;
if (! kcontrol)
return err;
if (snd_BUG_ON(!card || !kcontrol->info))
goto error;
- id = kcontrol->id;
- if (id.index > UINT_MAX - kcontrol->count)
- goto error;
down_write(&card->controls_rwsem);
- if (snd_ctl_find_id(card, &id)) {
- up_write(&card->controls_rwsem);
- dev_err(card->dev, "control %i:%i:%i:%s:%i is already present\n",
- id.iface,
- id.device,
- id.subdevice,
- id.name,
- id.index);
- err = -EBUSY;
- goto error;
- }
- if (snd_ctl_find_hole(card, kcontrol->count) < 0) {
- up_write(&card->controls_rwsem);
- err = -ENOMEM;
- goto error;
- }
- list_add_tail(&kcontrol->list, &card->controls);
- card->controls_count += kcontrol->count;
- kcontrol->id.numid = card->last_numid + 1;
- card->last_numid += kcontrol->count;
- id = kcontrol->id;
- count = kcontrol->count;
+ err = __snd_ctl_add(card, kcontrol);
up_write(&card->controls_rwsem);
- for (idx = 0; idx < count; idx++, id.index++, id.numid++)
- snd_ctl_notify(card, SNDRV_CTL_EVENT_MASK_ADD, &id);
+ if (err < 0)
+ goto error;
return 0;
error:
@@ -1354,9 +1361,12 @@ static int snd_ctl_elem_add(struct snd_c
kctl->tlv.c = snd_ctl_elem_user_tlv;
/* This function manage to free the instance on failure. */
- err = snd_ctl_add(card, kctl);
- if (err < 0)
- return err;
+ down_write(&card->controls_rwsem);
+ err = __snd_ctl_add(card, kctl);
+ if (err < 0) {
+ snd_ctl_free_one(kctl);
+ goto unlock;
+ }
offset = snd_ctl_get_ioff(kctl, &info->id);
snd_ctl_build_ioff(&info->id, kctl, offset);
/*
@@ -1367,10 +1377,10 @@ static int snd_ctl_elem_add(struct snd_c
* which locks the element.
*/
- down_write(&card->controls_rwsem);
card->user_ctl_count++;
- up_write(&card->controls_rwsem);
+ unlock:
+ up_write(&card->controls_rwsem);
return 0;
}
next prev parent reply other threads:[~2018-12-04 11:08 UTC|newest]
Thread overview: 56+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-12-04 10:49 [PATCH 4.9 00/50] 4.9.143-stable review Greg Kroah-Hartman
2018-12-04 10:49 ` [PATCH 4.9 01/50] mm/huge_memory: rename freeze_page() to unmap_page() Greg Kroah-Hartman
2018-12-04 10:49 ` [PATCH 4.9 02/50] mm/huge_memory.c: reorder operations in __split_huge_page_tail() Greg Kroah-Hartman
2018-12-04 10:49 ` [PATCH 4.9 03/50] mm/huge_memory: splitting set mapping+index before unfreeze Greg Kroah-Hartman
2018-12-04 10:49 ` [PATCH 4.9 04/50] mm/huge_memory: fix lockdep complaint on 32-bit i_size_read() Greg Kroah-Hartman
2018-12-04 10:50 ` [PATCH 4.9 05/50] mm/khugepaged: collapse_shmem() stop if punched or truncated Greg Kroah-Hartman
2018-12-04 10:50 ` [PATCH 4.9 06/50] shmem: shmem_charge: verify max_block is not exceeded before inode update Greg Kroah-Hartman
2018-12-04 10:50 ` [PATCH 4.9 07/50] shmem: introduce shmem_inode_acct_block Greg Kroah-Hartman
2018-12-04 10:50 ` [PATCH 4.9 08/50] mm/khugepaged: fix crashes due to misaccounted holes Greg Kroah-Hartman
2018-12-04 10:50 ` [PATCH 4.9 09/50] mm/khugepaged: collapse_shmem() remember to clear holes Greg Kroah-Hartman
2018-12-04 10:50 ` [PATCH 4.9 10/50] mm/khugepaged: minor reorderings in collapse_shmem() Greg Kroah-Hartman
2018-12-04 10:50 ` [PATCH 4.9 11/50] mm/khugepaged: collapse_shmem() without freezing new_page Greg Kroah-Hartman
2018-12-04 10:50 ` [PATCH 4.9 12/50] mm/khugepaged: collapse_shmem() do not crash on Compound Greg Kroah-Hartman
2018-12-04 10:50 ` [PATCH 4.9 13/50] media: em28xx: Fix use-after-free when disconnecting Greg Kroah-Hartman
2018-12-04 10:50 ` [PATCH 4.9 14/50] Revert "wlcore: Add missing PM call for wlcore_cmd_wait_for_event_or_timeout()" Greg Kroah-Hartman
2018-12-04 10:50 ` [PATCH 4.9 15/50] net: skb_scrub_packet(): Scrub offload_fwd_mark Greg Kroah-Hartman
2018-12-04 10:50 ` [PATCH 4.9 16/50] rapidio/rionet: do not free skb before reading its length Greg Kroah-Hartman
2018-12-04 10:50 ` [PATCH 4.9 17/50] s390/qeth: fix length check in SNMP processing Greg Kroah-Hartman
2018-12-04 10:50 ` [PATCH 4.9 18/50] usbnet: ipheth: fix potential recvmsg bug and recvmsg bug 2 Greg Kroah-Hartman
2018-12-04 10:50 ` [PATCH 4.9 19/50] kvm: mmu: Fix race in emulated page table writes Greg Kroah-Hartman
2018-12-04 10:50 ` [PATCH 4.9 20/50] kvm: svm: Ensure an IBPB on all affected CPUs when freeing a vmcb Greg Kroah-Hartman
2018-12-04 10:50 ` [PATCH 4.9 21/50] KVM: X86: Fix scan ioapic use-before-initialization Greg Kroah-Hartman
2018-12-04 10:50 ` [PATCH 4.9 22/50] xtensa: enable coprocessors that are being flushed Greg Kroah-Hartman
2018-12-04 10:50 ` [PATCH 4.9 23/50] xtensa: fix coprocessor context offset definitions Greg Kroah-Hartman
2018-12-04 10:50 ` [PATCH 4.9 24/50] Btrfs: ensure path name is null terminated at btrfs_control_ioctl Greg Kroah-Hartman
2018-12-04 10:50 ` [PATCH 4.9 25/50] perf/x86/intel: Move branch tracing setup to the Intel-specific source file Greg Kroah-Hartman
2018-12-04 10:50 ` [PATCH 4.9 26/50] perf/x86/intel: Add generic branch tracing check to intel_pmu_has_bts() Greg Kroah-Hartman
2018-12-04 10:50 ` [PATCH 4.9 27/50] fs: fix lost error code in dio_complete Greg Kroah-Hartman
2018-12-04 10:50 ` [PATCH 4.9 28/50] ALSA: wss: Fix invalid snd_free_pages() at error path Greg Kroah-Hartman
2018-12-04 10:50 ` [PATCH 4.9 29/50] ALSA: ac97: Fix incorrect bit shift at AC97-SPSA control write Greg Kroah-Hartman
2018-12-04 10:50 ` Greg Kroah-Hartman [this message]
2018-12-04 10:50 ` [PATCH 4.9 31/50] ALSA: sparc: Fix invalid snd_free_pages() at error path Greg Kroah-Hartman
2018-12-04 10:50 ` [PATCH 4.9 32/50] ext2: fix potential use after free Greg Kroah-Hartman
2018-12-04 10:50 ` [PATCH 4.9 33/50] dmaengine: at_hdmac: fix memory leak in at_dma_xlate() Greg Kroah-Hartman
2018-12-04 10:50 ` [PATCH 4.9 34/50] dmaengine: at_hdmac: fix module unloading Greg Kroah-Hartman
2018-12-04 10:50 ` [PATCH 4.9 35/50] btrfs: release metadata before running delayed refs Greg Kroah-Hartman
2018-12-04 10:50 ` [PATCH 4.9 36/50] USB: usb-storage: Add new IDs to ums-realtek Greg Kroah-Hartman
2018-12-04 10:50 ` [PATCH 4.9 37/50] usb: core: quirks: add RESET_RESUME quirk for Cherry G230 Stream series Greg Kroah-Hartman
2018-12-04 10:50 ` [PATCH 4.9 38/50] Revert "usb: dwc3: gadget: skip Set/Clear Halt when invalid" Greg Kroah-Hartman
2018-12-04 10:50 ` [PATCH 4.9 39/50] iio:st_magn: Fix enable device after trigger Greg Kroah-Hartman
2018-12-04 10:50 ` [PATCH 4.9 40/50] mm: use swp_offset as key in shmem_replace_page() Greg Kroah-Hartman
2018-12-04 10:50 ` [PATCH 4.9 41/50] Drivers: hv: vmbus: check the creation_status in vmbus_establish_gpadl() Greg Kroah-Hartman
2018-12-04 10:50 ` [PATCH 4.9 42/50] misc: mic/scif: fix copy-paste error in scif_create_remote_lookup Greg Kroah-Hartman
2018-12-04 10:50 ` [PATCH 4.9 43/50] efi/libstub: arm: support building with clang Greg Kroah-Hartman
2018-12-04 10:50 ` [PATCH 4.9 44/50] ARM: 8766/1: drop no-thumb-interwork in EABI mode Greg Kroah-Hartman
2018-12-04 10:50 ` [PATCH 4.9 45/50] ARM: 8767/1: add support for building ARM kernel with clang Greg Kroah-Hartman
2018-12-04 10:50 ` [PATCH 4.9 46/50] bus: arm-cci: remove unnecessary unreachable() Greg Kroah-Hartman
2018-12-04 10:50 ` [PATCH 4.9 47/50] ARM: trusted_foundations: do not use naked function Greg Kroah-Hartman
2018-12-04 10:50 ` [PATCH 4.9 48/50] workqueue: avoid clang warning Greg Kroah-Hartman
2018-12-04 10:50 ` [PATCH 4.9 49/50] efi/libstub: Make file I/O chunking x86-specific Greg Kroah-Hartman
2018-12-04 10:50 ` [PATCH 4.9 50/50] kbuild: Set KBUILD_CFLAGS before incl. arch Makefile Greg Kroah-Hartman
2018-12-04 15:52 ` [PATCH 4.9 00/50] 4.9.143-stable review kernelci.org bot
2018-12-04 21:40 ` Guenter Roeck
2018-12-05 5:12 ` Naresh Kamboju
2018-12-05 9:30 ` Jon Hunter
2018-12-05 23:54 ` shuah
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20181204103716.022225236@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=syzbot+dc09047bce3820621ba2@syzkaller.appspotmail.com \
--cc=tiwai@suse.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).