Received: by 10.213.65.68 with SMTP id h4csp907375imn; Tue, 27 Mar 2018 10:59:05 -0700 (PDT) X-Google-Smtp-Source: AIpwx49gAAtk4dd3E0inIaRriumUvT099vgNbl5dLk54hVyZyHtmGH+juwnAr8m5bz8ZznUEniru X-Received: by 10.101.98.134 with SMTP id f6mr212602pgv.308.1522173545206; Tue, 27 Mar 2018 10:59:05 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1522173545; cv=none; d=google.com; s=arc-20160816; b=djABUXK/d0khis3voUGmDTalSj9O20UDS1c6iij7ZXkDd1jH4ycBGoGSlPmWJtkdEs OavuRYi8HYG8BHwDEYabBTqkQ+xpX+XNVZ8jLP5N3SQKTJk08KrT48qIV6mP7LZ4KTZS bUCO/fYm7jHCnAIKih1XYx3r7mIrolcnxktWVvPRRj7DXde3OLZDG4BgdIUaQeJIkvAx ksQQlw1rdu+2+7mKURtqsBbsBSG9uv9ZoYZ9BlzfQKnNqZRPpg3OLMsLRnOLMlFvDj5L /V+QVkhYv/CL59EGzsp7Zr0cXh+lYWbR3Y+CDsfVUp3UcyPOxqTZdIGzA+4nG6WtvyQg YIIQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:user-agent:references :in-reply-to:message-id:date:subject:cc:to:from :arc-authentication-results; bh=kaC452xOs6uenpIY8TrgcZaqvMNpi0CPrAZEZcTzMEw=; b=qQcF/b+Y7ABTWP4KI49p83SrAQAviD8vq7LCGtDHolEf5HrxGT3NRMKVBEvT8/jBU9 HdIw6cWzKVEPO/ysyIROK+K8YLXPxOX2pWAz40EGciJLfCRDc7UScy0z+Dek9yIhnjlW o0GjVhmXhAiI/afqAp/a8zj1F8N9mhXuA288zeLuX7INwLEyvC1IbV/PMbZHjdgyunzC VKpu0WsQCDbygOJ8PLfKWF2rcRQvWOFkMXDcLbINSStyUyf1QvVgyrUTLswGc23vNPPV 7U0RuJEAq4bAs80nCFNiGwiMT2PObjsaPkiYNCD6oK684TMss6QfCD7AhvMIcE1hezsl pFGA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id f5-v6si1492877plr.243.2018.03.27.10.58.50; Tue, 27 Mar 2018 10:59:05 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753220AbeC0Qa7 (ORCPT + 99 others); Tue, 27 Mar 2018 12:30:59 -0400 Received: from mail.linuxfoundation.org ([140.211.169.12]:42736 "EHLO mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752125AbeC0Qa5 (ORCPT ); Tue, 27 Mar 2018 12:30:57 -0400 Received: from localhost (LFbn-1-12247-202.w90-92.abo.wanadoo.fr [90.92.61.202]) by mail.linuxfoundation.org (Postfix) with ESMTPSA id BD5F7CF9; Tue, 27 Mar 2018 16:30:56 +0000 (UTC) From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Takashi Iwai Subject: [PATCH 4.9 05/67] ALSA: aloop: Fix access to not-yet-ready substream via cable Date: Tue, 27 Mar 2018 18:26:57 +0200 Message-Id: <20180327162726.967824204@linuxfoundation.org> X-Mailer: git-send-email 2.16.3 In-Reply-To: <20180327162726.702411083@linuxfoundation.org> References: <20180327162726.702411083@linuxfoundation.org> User-Agent: quilt/0.65 X-stable: review MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 4.9-stable review patch. If anyone has any objections, please let me know. ------------------ From: Takashi Iwai commit 8e6b1a72a75bb5067ccb6b56d8ca4aa3a300a64e upstream. In loopback_open() and loopback_close(), we assign and release the substream object to the corresponding cable in a racy way. It's neither locked nor done in the right position. The open callback assigns the substream before its preparation finishes, hence the other side of the cable may pick it up, which may lead to the invalid memory access. This patch addresses these: move the assignment to the end of the open callback, and wrap with cable->lock for avoiding concurrent accesses. Cc: Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman --- sound/drivers/aloop.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) --- a/sound/drivers/aloop.c +++ b/sound/drivers/aloop.c @@ -666,7 +666,9 @@ static void free_cable(struct snd_pcm_su return; if (cable->streams[!substream->stream]) { /* other stream is still alive */ + spin_lock_irq(&cable->lock); cable->streams[substream->stream] = NULL; + spin_unlock_irq(&cable->lock); } else { /* free the cable */ loopback->cables[substream->number][dev] = NULL; @@ -706,7 +708,6 @@ static int loopback_open(struct snd_pcm_ loopback->cables[substream->number][dev] = cable; } dpcm->cable = cable; - cable->streams[substream->stream] = dpcm; snd_pcm_hw_constraint_integer(runtime, SNDRV_PCM_HW_PARAM_PERIODS); @@ -738,6 +739,11 @@ static int loopback_open(struct snd_pcm_ runtime->hw = loopback_pcm_hardware; else runtime->hw = cable->hw; + + spin_lock_irq(&cable->lock); + cable->streams[substream->stream] = dpcm; + spin_unlock_irq(&cable->lock); + unlock: if (err < 0) { free_cable(substream);