From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Luo Quan, Kees Cook, Takashi Iwai
Subject: [PATCH 4.14 18/89] ALSA: seq: Make ioctls race-free
Date: Mon, 22 Jan 2018 09:44:58 +0100
Message-Id: <20180122083956.527692250@linuxfoundation.org>
In-Reply-To: <20180122083954.683903493@linuxfoundation.org>
References: <20180122083954.683903493@linuxfoundation.org>

4.14-stable review patch. If anyone has any objections, please let me know.

------------------

From: Takashi Iwai

commit b3defb791b26ea0683a93a4f49c77ec45ec96f10 upstream.

The ALSA sequencer ioctls have no protection against racy calls while the concurrent operations may lead to interfere with each other. As reported recently, for example, the concurrent calls of setting client pool with a combination of write calls may lead to either the unkillable dead-lock or UAF.

As a slightly big hammer solution, this patch introduces the mutex to make each ioctl exclusive. Although this may reduce performance via parallel ioctl calls, usually it's not demanded for sequencer usages, hence it should be negligible.

Reported-by: Luo Quan
Reviewed-by: Kees Cook
Reviewed-by: Greg Kroah-Hartman
Signed-off-by: Takashi Iwai
Signed-off-by: Greg Kroah-Hartman
---
 sound/core/seq/seq_clientmgr.c | 3 +++
 sound/core/seq/seq_clientmgr.h | 1 +
 2 files changed, 4 insertions(+)

--- a/sound/core/seq/seq_clientmgr.c +++ b/sound/core/seq/seq_clientmgr.c @@ -221,6 +221,7 @@ static struct snd_seq_client *seq_create rwlock_init(&client->ports_lock); mutex_init(&client->ports_mutex); INIT_LIST_HEAD(&client->ports_list_head); + mutex_init(&client->ioctl_mutex); /* find free slot in the client table */ spin_lock_irqsave(&clients_lock, flags); @@ -2126,7 +2127,9 @@ static long snd_seq_ioctl(struct file *f return -EFAULT; } + mutex_lock(&client->ioctl_mutex); err = handler->func(client, &buf); + mutex_unlock(&client->ioctl_mutex); if (err >= 0) { /* Some commands includes a bug in 'dir' field. */ if (handler->cmd == SNDRV_SEQ_IOCTL_SET_QUEUE_CLIENT || --- a/sound/core/seq/seq_clientmgr.h +++ b/sound/core/seq/seq_clientmgr.h @@ -61,6 +61,7 @@ struct snd_seq_client { struct list_head ports_list_head; rwlock_t ports_lock; struct mutex ports_mutex; + struct mutex ioctl_mutex; int convert32; /* convert 32->64bit */ /* output pool */
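
Review bot: In the snd_seq_ioctl hunk (@@ -2126,7 +2127,9 @@), ioctl_mutex is held only around `err = handler->func(client, &buf);`, so it serializes ioctls on one client against each other but not against the write calls that the commit message names as the other half of the reported race. No hunk in this patch takes the mutex in a write path. Either say in the commit message which existing lock covers write against a concurrent pool change, or extend the locking to that path. Because the reported symptom includes an unkillable deadlock, mutex_lock_killable() is also worth considering at this call site, so that a caller queued behind a handler that blocks can still be ended by a fatal signal.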
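
Review bot: The field added to struct snd_seq_client in seq_clientmgr.h (@@ -61,6 +61,7 @@) has no comment saying what it protects, while convert32 on the next line carries one. Suggest documenting the scope, for example `struct mutex ioctl_mutex; /* serializes ioctl handlers of this client */`, so it is not confused with ports_mutex directly above it and later callers know which paths are expected to hold it.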