Received: by 10.213.65.68 with SMTP id h4csp892990imn; Tue, 27 Mar 2018 10:42:52 -0700 (PDT) X-Google-Smtp-Source: AIpwx4/CNkS0mKOn9dm1Bh0hB+VCDRKN4N615wCa9haTwOoYyG4YNUWCFIzRJ+SePglK+Bp6XiKq X-Received: by 10.98.201.194 with SMTP id l63mr221111pfk.126.1522172572842; Tue, 27 Mar 2018 10:42:52 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1522172572; cv=none; d=google.com; s=arc-20160816; b=RvjUNdOtEn7ELoug3enbu3BpqNjI+gy1l0UqUQmHHnvZlBkcGfc/SdNKsdnsr9TI0q fuK5S4qjkHw5yQsEaKCfS8iad+YvUm7uKzxnl1T51ZE6GkL2cduEqGq/HhGVvUpB8f5U agN+V5I8zCm0z/ETIqYE9CZK76LU9ncI3ZKTYu1n4KeT3zaNjdHNe2EFhLyC5rhPGBq6 GpxTXDwHmwwy58GeZSwiOrRUHjR2G1tchZafGmEFXEzRxMAWnPk+QihNzeKWMx22WSkG RLRHeGuAcncBdX0c3zgWxGpoMV6BPHFRhF8lkg2guAID0xxKBA+Du/EFZCwr59VsPrTd tilQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:user-agent:references :in-reply-to:message-id:date:subject:cc:to:from :arc-authentication-results; bh=tiSASD9YwCKeGyAvcqIQjHQktuU89nhfC7EvnjpGIic=; b=DiHj1rHQ+iRAKzGhOn+6fsz1UncD77HNtTOufbIMbEa9c40ANNxiqytjPqWRFrSex2 MK9byc/jgoZzB4A+5PvQ7VCF1XSw+7WVRwqbDjINWbAjetV+75Wq61EpKMLPw4zxgJr/ 4Ppx9G7hH1of4eCwIOhvnv6U9bq06yT3WII92NA3+uGfRbqxFfpWiTcAdrBclP+9B9+6 BnT6rJvE15HTJWd91UW5XZKZjc4QtfM7evyZlwIy20JnD627s78GoH3/H+5jTJSZaFAE NF6Eb9qjcRicK+O4b5kbOgYfV2henU+cNrm80FRY2QRi6USMObkm9tJivJmhUOXcfKQ6 zfng== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id l69si1232558pfk.180.2018.03.27.10.42.38; Tue, 27 Mar 2018 10:42:52 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752658AbeC0Rlh (ORCPT + 99 others); Tue, 27 Mar 2018 13:41:37 -0400 Received: from mail.linuxfoundation.org ([140.211.169.12]:44098 "EHLO mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1754086AbeC0Qdy (ORCPT ); Tue, 27 Mar 2018 12:33:54 -0400 Received: from localhost (LFbn-1-12247-202.w90-92.abo.wanadoo.fr [90.92.61.202]) by mail.linuxfoundation.org (Postfix) with ESMTPSA id 0185011E6; Tue, 27 Mar 2018 16:33:53 +0000 (UTC) From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Takashi Iwai Subject: [PATCH 4.14 011/101] ALSA: aloop: Fix access to not-yet-ready substream via cable Date: Tue, 27 Mar 2018 18:26:43 +0200 Message-Id: <20180327162750.693836162@linuxfoundation.org> X-Mailer: git-send-email 2.16.3 In-Reply-To: <20180327162749.993880276@linuxfoundation.org> References: <20180327162749.993880276@linuxfoundation.org> User-Agent: quilt/0.65 X-stable: review MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 4.14-stable review patch. If anyone has any objections, please let me know. ------------------ From: Takashi Iwai commit 8e6b1a72a75bb5067ccb6b56d8ca4aa3a300a64e upstream. In loopback_open() and loopback_close(), we assign and release the substream object to the corresponding cable in a racy way. It's neither locked nor done in the right position. The open callback assigns the substream before its preparation finishes, hence the other side of the cable may pick it up, which may lead to the invalid memory access. This patch addresses these: move the assignment to the end of the open callback, and wrap with cable->lock for avoiding concurrent accesses. Cc: Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman --- sound/drivers/aloop.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) --- a/sound/drivers/aloop.c +++ b/sound/drivers/aloop.c @@ -666,7 +666,9 @@ static void free_cable(struct snd_pcm_su return; if (cable->streams[!substream->stream]) { /* other stream is still alive */ + spin_lock_irq(&cable->lock); cable->streams[substream->stream] = NULL; + spin_unlock_irq(&cable->lock); } else { /* free the cable */ loopback->cables[substream->number][dev] = NULL; @@ -706,7 +708,6 @@ static int loopback_open(struct snd_pcm_ loopback->cables[substream->number][dev] = cable; } dpcm->cable = cable; - cable->streams[substream->stream] = dpcm; snd_pcm_hw_constraint_integer(runtime, SNDRV_PCM_HW_PARAM_PERIODS); @@ -738,6 +739,11 @@ static int loopback_open(struct snd_pcm_ runtime->hw = loopback_pcm_hardware; else runtime->hw = cable->hw; + + spin_lock_irq(&cable->lock); + cable->streams[substream->stream] = dpcm; + spin_unlock_irq(&cable->lock); + unlock: if (err < 0) { free_cable(substream);