Received: by 10.223.176.5 with SMTP id f5csp2837117wra; Mon, 5 Feb 2018 10:41:15 -0800 (PST) X-Google-Smtp-Source: AH8x226y+Q2z9Gjkxz8SuynyciYCvD94Hgihwz7wb9yLJSc+gKUgzzIPa41Ai9vLzLZC6uUYQlNP X-Received: by 2002:a17:902:9343:: with SMTP id g3-v6mr45450002plp.319.1517856075159; Mon, 05 Feb 2018 10:41:15 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1517856075; cv=none; d=google.com; s=arc-20160816; b=jNxN43zYBl+9OU/Ed2DKXmpcy4QV8AzzvpS5NpOtgoO0LY0SA8qBqZMW+qfyWtgpDP 3PnWh1KFXruarkZ0oiJwMUrzQiERos50hUoJTdgVAS88hK3kxpuRlbw8G+HHjyejsgR/ MF1Oq+uyHgrPdV1l02SyvudbSjDpzLDJSawyWIE9DsTT39FRWM1jahGh118PFj6DAZL1 +2ocUERh2ARAftlAkGRG4cIMDHEZj1rYUXyJPrsDsiN/AvVPdhlCuhigaUyDqxiMg6Mp PG+R+viVN3Fau0ZOCfRR362OzNUjoJ0LWXxauIyns/A256SItJWvp1PvqG3Kw+aBTYnA 00/A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:user-agent:references :in-reply-to:message-id:date:subject:cc:to:from :arc-authentication-results; bh=1rMCqWie0ZtnSd3HzOA+KjQO3mcvZBFeDd8Vmv8ACys=; b=hLlpX/QRo4xcgp5895w8JFmmzQHyUX+EN8x6BR3Fzgv7lKKZoxMkfk/pfQX2kl0FpO cM1tWaWgQTzO3ztqIxOuh7z4CtlbXEL2K359BsKNShvNscYH4TcY7i0g0xdPAE28FziU 0nqvPDeq/BK+KEZa2kEo33Rl/XHT2vn0sAKsXPXJKZtKNJedw9ElddKAh+r6BWdp7KMf 63SXYnf7nFGi24v3kxaIAz0/g2XgLQZvrrlFN9mB8c8N1+LeOoA+8RyGphtW9xhkgJGB wh09Dwv52Quobz7E2d+1Dk0k7BHpxXqHZFWK+OkfqTSnwTijbdqzWK0c1mj66ReTy4C7 xvJA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id j3-v6si840438plk.506.2018.02.05.10.41.00; Mon, 05 Feb 2018 10:41:15 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753963AbeBESjF (ORCPT + 99 others); Mon, 5 Feb 2018 13:39:05 -0500 Received: from mail.linuxfoundation.org ([140.211.169.12]:54332 "EHLO mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753729AbeBES0r (ORCPT ); Mon, 5 Feb 2018 13:26:47 -0500 Received: from localhost (unknown [104.132.1.108]) by mail.linuxfoundation.org (Postfix) with ESMTPSA id C7337E8E; Mon, 5 Feb 2018 18:26:34 +0000 (UTC) From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Luo Quan , Kees Cook , Takashi Iwai , Ben Hutchings Subject: [PATCH 3.18 06/36] ALSA: seq: Make ioctls race-free Date: Mon, 5 Feb 2018 10:23:34 -0800 Message-Id: <20180205182352.043115245@linuxfoundation.org> X-Mailer: git-send-email 2.16.1 In-Reply-To: <20180205182351.774761393@linuxfoundation.org> References: <20180205182351.774761393@linuxfoundation.org> User-Agent: quilt/0.65 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 3.18-stable review patch. If anyone has any objections, please let me know. ------------------ From: Takashi Iwai commit b3defb791b26ea0683a93a4f49c77ec45ec96f10 upstream. The ALSA sequencer ioctls have no protection against racy calls while the concurrent operations may lead to interfere with each other. As reported recently, for example, the concurrent calls of setting client pool with a combination of write calls may lead to either the unkillable dead-lock or UAF. As a slightly big hammer solution, this patch introduces the mutex to make each ioctl exclusive. Although this may reduce performance via parallel ioctl calls, usually it's not demanded for sequencer usages, hence it should be negligible. Reported-by: Luo Quan Reviewed-by: Kees Cook Reviewed-by: Greg Kroah-Hartman Signed-off-by: Takashi Iwai [bwh: Backported to 4.4: ioctl dispatch is done from snd_seq_do_ioctl(); take the mutex and add ret variable there.] Signed-off-by: Ben Hutchings Signed-off-by: Greg Kroah-Hartman --- sound/core/seq/seq_clientmgr.c | 10 ++++++++-- sound/core/seq/seq_clientmgr.h | 1 + 2 files changed, 9 insertions(+), 2 deletions(-) --- a/sound/core/seq/seq_clientmgr.c +++ b/sound/core/seq/seq_clientmgr.c @@ -236,6 +236,7 @@ static struct snd_seq_client *seq_create rwlock_init(&client->ports_lock); mutex_init(&client->ports_mutex); INIT_LIST_HEAD(&client->ports_list_head); + mutex_init(&client->ioctl_mutex); /* find free slot in the client table */ spin_lock_irqsave(&clients_lock, flags); @@ -2200,6 +2201,7 @@ static int snd_seq_do_ioctl(struct snd_s void __user *arg) { struct seq_ioctl_table *p; + int ret; switch (cmd) { case SNDRV_SEQ_IOCTL_PVERSION: @@ -2213,8 +2215,12 @@ static int snd_seq_do_ioctl(struct snd_s if (! arg) return -EFAULT; for (p = ioctl_tables; p->cmd; p++) { - if (p->cmd == cmd) - return p->func(client, arg); + if (p->cmd == cmd) { + mutex_lock(&client->ioctl_mutex); + ret = p->func(client, arg); + mutex_unlock(&client->ioctl_mutex); + return ret; + } } pr_debug("ALSA: seq unknown ioctl() 0x%x (type='%c', number=0x%02x)\n", cmd, _IOC_TYPE(cmd), _IOC_NR(cmd)); --- a/sound/core/seq/seq_clientmgr.h +++ b/sound/core/seq/seq_clientmgr.h @@ -59,6 +59,7 @@ struct snd_seq_client { struct list_head ports_list_head; rwlock_t ports_lock; struct mutex ports_mutex; + struct mutex ioctl_mutex; int convert32; /* convert 32->64bit */ /* output pool */