Received: by 10.223.185.116 with SMTP id b49csp817164wrg; Sat, 10 Feb 2018 21:03:03 -0800 (PST) X-Google-Smtp-Source: AH8x2257PvHmZG4sP+Rk7j/WI5KSDWMI3xDnYL41IOwFR40N+PSvwA8Iw8dUszY8g8OCFDVAFzwj X-Received: by 10.98.162.25 with SMTP id m25mr7391137pff.136.1518325383082; Sat, 10 Feb 2018 21:03:03 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1518325383; cv=none; d=google.com; s=arc-20160816; b=LR53VW0cAN0rhIqmOYSh6ssS1SDYQE2dYf7HfzkeZE1sJhKwsHBaCX2PadKvz/xUf7 PM+dFnvuDNeeZW/T/35LDKA/2HE5OJA4VA8bEz9TcZpKR1l5p2neWTANbOp97T9JgKgO VLYzWFsDAdfJ8/XI+GCu5XVD1oRZ2jxVyKrsNZ7sjBLYxfyjgZNDb3VAIW9FZFxWseNx yT2hXMLe/gAcG13Tv0kyeyNK45OFy6Qk4US2CXQZEMtBYnBEPi0jI3AtcHdX4Cdg9+S8 HUVuaLxsHfJsI/ULCrTOfJ3cyyfG3j7opOxB4Lmrvk2+7SU/451qZgY6kq1lqkPisRdo ZKTA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:in-reply-to:subject:message-id:date:cc:to :from:mime-version:content-transfer-encoding:content-disposition :arc-authentication-results; bh=PYYdXhr7+ju1Z8tP74DwCtpkWj1WtxVC4xT8V9hq5Ag=; b=zL0p4kRJPnzckwCH7PEoUNeXCdVwyo092SShababAcJVrkLbIB8burf6wwRIZHoGDp l7nE7ERZx4EyKsv8XtzKGQoat6JrTR2OLHYFDPKy/AlwVx/JmVnA/nhY1VIAspTeP/Xu GgXkcd1cNAJSP5pQUjwBv1j5L2/Xp2MOanxpvTUONkJg2mJWR16109SBP6y0C5PrsmPA E6AQ0bmVpFychlfadn8fc/FoLgHOvWZ/2E0LQhu3CS8S66bXz5R3rYhnHo/7Wd+JFXA3 OqyHFcC/CD1JEcGVgFcAcBW0bC/tt9K19U7pNPKCciuSEXbT+A7eWvSZ46vEriQ7foEt SrXA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id m16si532984pgn.290.2018.02.10.21.02.49; Sat, 10 Feb 2018 21:03:03 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753740AbeBKFCQ (ORCPT + 99 others); Sun, 11 Feb 2018 00:02:16 -0500 Received: from shadbolt.e.decadent.org.uk ([88.96.1.126]:41443 "EHLO shadbolt.e.decadent.org.uk" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752745AbeBKEdq (ORCPT ); Sat, 10 Feb 2018 23:33:46 -0500 Received: from [2a02:8011:400e:2:6f00:88c8:c921:d332] (helo=deadeye) by shadbolt.decadent.org.uk with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.84_2) (envelope-from ) id 1ekjKc-0002hJ-Uc; Sun, 11 Feb 2018 04:33:39 +0000 Received: from ben by deadeye with local (Exim 4.90) (envelope-from ) id 1ekjKY-0004Wz-Qg; Sun, 11 Feb 2018 04:33:34 +0000 Content-Type: text/plain; charset="UTF-8" Content-Disposition: inline Content-Transfer-Encoding: 8bit MIME-Version: 1.0 From: Ben Hutchings To: linux-kernel@vger.kernel.org, stable@vger.kernel.org CC: akpm@linux-foundation.org, "Takashi Iwai" , "Luo Quan" , "Greg Kroah-Hartman" , "Kees Cook" Date: Sun, 11 Feb 2018 04:20:06 +0000 Message-ID: X-Mailer: LinuxStableQueue (scripts by bwh) Subject: [PATCH 3.2 69/79] ALSA: seq: Make ioctls race-free In-Reply-To: X-SA-Exim-Connect-IP: 2a02:8011:400e:2:6f00:88c8:c921:d332 X-SA-Exim-Mail-From: ben@decadent.org.uk X-SA-Exim-Scanned: No (on shadbolt.decadent.org.uk); SAEximRunCond expanded to false Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 3.2.99-rc1 review patch. If anyone has any objections, please let me know. ------------------ From: Takashi Iwai commit b3defb791b26ea0683a93a4f49c77ec45ec96f10 upstream. The ALSA sequencer ioctls have no protection against racy calls while the concurrent operations may lead to interfere with each other. As reported recently, for example, the concurrent calls of setting client pool with a combination of write calls may lead to either the unkillable dead-lock or UAF. As a slightly big hammer solution, this patch introduces the mutex to make each ioctl exclusive. Although this may reduce performance via parallel ioctl calls, usually it's not demanded for sequencer usages, hence it should be negligible. Reported-by: Luo Quan Reviewed-by: Kees Cook Reviewed-by: Greg Kroah-Hartman Signed-off-by: Takashi Iwai [bwh: Backported to 3.2: ioctl dispatch is done from snd_seq_do_ioctl(); take the mutex and add ret variable there.] Signed-off-by: Ben Hutchings --- sound/core/seq/seq_clientmgr.c | 10 ++++++++-- sound/core/seq/seq_clientmgr.h | 1 + 2 files changed, 9 insertions(+), 2 deletions(-) --- a/sound/core/seq/seq_clientmgr.c +++ b/sound/core/seq/seq_clientmgr.c @@ -236,6 +236,7 @@ static struct snd_seq_client *seq_create rwlock_init(&client->ports_lock); mutex_init(&client->ports_mutex); INIT_LIST_HEAD(&client->ports_list_head); + mutex_init(&client->ioctl_mutex); /* find free slot in the client table */ spin_lock_irqsave(&clients_lock, flags); @@ -2188,6 +2189,7 @@ static int snd_seq_do_ioctl(struct snd_s void __user *arg) { struct seq_ioctl_table *p; + int ret; switch (cmd) { case SNDRV_SEQ_IOCTL_PVERSION: @@ -2201,8 +2203,12 @@ static int snd_seq_do_ioctl(struct snd_s if (! arg) return -EFAULT; for (p = ioctl_tables; p->cmd; p++) { - if (p->cmd == cmd) - return p->func(client, arg); + if (p->cmd == cmd) { + mutex_lock(&client->ioctl_mutex); + ret = p->func(client, arg); + mutex_unlock(&client->ioctl_mutex); + return ret; + } } snd_printd("seq unknown ioctl() 0x%x (type='%c', number=0x%02x)\n", cmd, _IOC_TYPE(cmd), _IOC_NR(cmd)); --- a/sound/core/seq/seq_clientmgr.h +++ b/sound/core/seq/seq_clientmgr.h @@ -59,6 +59,7 @@ struct snd_seq_client { struct list_head ports_list_head; rwlock_t ports_lock; struct mutex ports_mutex; + struct mutex ioctl_mutex; int convert32; /* convert 32->64bit */ /* output pool */