From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Luo Quan, Kees Cook, Takashi Iwai
Subject: [PATCH 4.9 04/47] ALSA: seq: Make ioctls race-free
Date: Mon, 22 Jan 2018 09:45:15 +0100
Message-Id: <20180122083925.927569451@linuxfoundation.org>
In-Reply-To: <20180122083925.568134913@linuxfoundation.org>

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Takashi Iwai

commit b3defb791b26ea0683a93a4f49c77ec45ec96f10 upstream.

The ALSA sequencer ioctls have no protection against racy calls while the concurrent operations may lead to interfere with each other. As reported recently, for example, the concurrent calls of setting client pool with a combination of write calls may lead to either the unkillable dead-lock or UAF.

As a slightly big hammer solution, this patch introduces the mutex to make each ioctl exclusive. Although this may reduce performance via parallel ioctl calls, usually it's not demanded for sequencer usages, hence it should be negligible.

Reported-by: Luo Quan
Reviewed-by: Kees Cook
Reviewed-by: Greg Kroah-Hartman
Signed-off-by: Takashi Iwai
Signed-off-by: Greg Kroah-Hartman
---
 sound/core/seq/seq_clientmgr.c | 3 +++
 sound/core/seq/seq_clientmgr.h | 1 +
 2 files changed, 4 insertions(+)

--- a/sound/core/seq/seq_clientmgr.c +++ b/sound/core/seq/seq_clientmgr.c @@ -221,6 +221,7 @@ static struct snd_seq_client *seq_create rwlock_init(&client->ports_lock); mutex_init(&client->ports_mutex); INIT_LIST_HEAD(&client->ports_list_head); + mutex_init(&client->ioctl_mutex); /* find free slot in the client table */ spin_lock_irqsave(&clients_lock, flags); @@ -2127,7 +2128,9 @@ static long snd_seq_ioctl(struct file *f return -EFAULT; } + mutex_lock(&client->ioctl_mutex); err = handler->func(client, &buf); + mutex_unlock(&client->ioctl_mutex); if (err >= 0) { /* Some commands includes a bug in 'dir' field. */ if (handler->cmd == SNDRV_SEQ_IOCTL_SET_QUEUE_CLIENT || --- a/sound/core/seq/seq_clientmgr.h +++ b/sound/core/seq/seq_clientmgr.h @@ -61,6 +61,7 @@ struct snd_seq_client { struct list_head ports_list_head; rwlock_t ports_lock; struct mutex ports_mutex; + struct mutex ioctl_mutex; int convert32; /* convert 32->64bit */ /* output pool */
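
Review bot: the lock taken around `handler->func(client, &buf)` in the snd_seq_ioctl() hunk serializes an ioctl only against other ioctls on the same client, while the commit message describes the reported race as pool setting combined with write calls. Nothing in this diff takes `ioctl_mutex` on the write path, so please confirm that ioctl-versus-write is handled elsewhere or state in the changelog that it is left for a follow-up. Also note that `mutex_lock()` is uninterruptible: if any handler can sleep for long while holding the lock, a second ioctl on that client waits unkillably, which is the symptom this patch is meant to remove. A short comment above the lock saying which handlers are expected to block would help whoever backports this.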
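
Review bot: the new `struct mutex ioctl_mutex;` member in struct snd_seq_client (seq_clientmgr.h hunk) has no comment saying what it protects, unlike the neighbouring `convert32` field. Since it sits directly after `ports_mutex`, a one-line comment such as "serializes ioctl handlers for this client" would make the scope clear. It should also make clear that the lock is per client, so handlers that touch state shared between clients are not covered by it.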