Received: by 10.213.65.68 with SMTP id h4csp919550imn; Tue, 27 Mar 2018 11:12:04 -0700 (PDT) X-Google-Smtp-Source: AIpwx48Dj19rXlMgkna2jXdDTpmXuw63F5Pp4vM/FMQE5xS5nVhOkux+S6ge0mH29GC94dlPD2ZK X-Received: by 2002:a17:902:12e:: with SMTP id 43-v6mr332288plb.77.1522174324187; Tue, 27 Mar 2018 11:12:04 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1522174324; cv=none; d=google.com; s=arc-20160816; b=YvfAQ4e802XczUTrjTLXduU9MoibXKtgoT1mDlcG5OR9IaZBFS07CBYzPmPZXRXAim bxGlaxJ2Q6qksv64U9bf2JMVwPpj518KKKvESuf7z7FcIz559szd8bEWlbAaJjyGzXrv Lgw5VDuPEUj2KNKgLWrhE21hIFiOI+wZ4jZAkQWrJ2Ii3DXXOpfFQ/MwEGSb+I1EOmgn Iskns+d76+0w3KpHQ0l04PfrMjHiRLMAL3W8IL+WyjYy9/V4SkGIOQ6w7zs4sSKlnBjr R3Gt+oh2urubMb+AAasaIG7I6PZMQaKELWdtxdjt6ghDxYt+f/1/W5Qq8XtzuAeCTCLQ NF4Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:user-agent:references :in-reply-to:message-id:date:subject:cc:to:from :arc-authentication-results; bh=We67RUxvKeYtVwUyhXJEXtVWV4ZwTTcbNV23oQU0Q6A=; b=dKqVqGlkxNkVhy8vOdgM0Wvjm0mn6AVdiqoNiFk53xV5cxW27sDnjNjo/IocBnRPv0 fniknyP0PfaqnoptrW0Uo3S1/Psf9+au41u7cPTlhmVR0kDgZmkgtW4lCDA5Cg9phSAE HU1/pMRhodrTbzdTAZY7nrlyRDykXiolWXi+EpIq5CYEqXqzhsVJLg736KEfBzfdMrkK EuU2VL+jciLJPAcH8AccuPiDUhzGsUbDAHiek0GCLbfcL+yZsVm/ttMbU6WwtyWnsLVm Bcn/KYOJSG/YWANnBp3LF6JkwTS/41236oXGM+cchRa39jOLigVhxEnbxqnRsixL6sb8 +T9Q== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id t10-v6si1643284plh.231.2018.03.27.11.11.50; Tue, 27 Mar 2018 11:12:04 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752314AbeC0Q2w (ORCPT + 99 others); Tue, 27 Mar 2018 12:28:52 -0400 Received: from mail.linuxfoundation.org ([140.211.169.12]:40978 "EHLO mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752252AbeC0Q2t (ORCPT ); Tue, 27 Mar 2018 12:28:49 -0400 Received: from localhost (LFbn-1-12247-202.w90-92.abo.wanadoo.fr [90.92.61.202]) by mail.linuxfoundation.org (Postfix) with ESMTPSA id 104D61022; Tue, 27 Mar 2018 16:28:48 +0000 (UTC) From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Takashi Iwai Subject: [PATCH 4.4 05/43] ALSA: aloop: Fix access to not-yet-ready substream via cable Date: Tue, 27 Mar 2018 18:27:09 +0200 Message-Id: <20180327162716.690254924@linuxfoundation.org> X-Mailer: git-send-email 2.16.3 In-Reply-To: <20180327162716.407986916@linuxfoundation.org> References: <20180327162716.407986916@linuxfoundation.org> User-Agent: quilt/0.65 X-stable: review MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 4.4-stable review patch. If anyone has any objections, please let me know. ------------------ From: Takashi Iwai commit 8e6b1a72a75bb5067ccb6b56d8ca4aa3a300a64e upstream. In loopback_open() and loopback_close(), we assign and release the substream object to the corresponding cable in a racy way. It's neither locked nor done in the right position. The open callback assigns the substream before its preparation finishes, hence the other side of the cable may pick it up, which may lead to the invalid memory access. This patch addresses these: move the assignment to the end of the open callback, and wrap with cable->lock for avoiding concurrent accesses. Cc: Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman --- sound/drivers/aloop.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) --- a/sound/drivers/aloop.c +++ b/sound/drivers/aloop.c @@ -666,7 +666,9 @@ static void free_cable(struct snd_pcm_su return; if (cable->streams[!substream->stream]) { /* other stream is still alive */ + spin_lock_irq(&cable->lock); cable->streams[substream->stream] = NULL; + spin_unlock_irq(&cable->lock); } else { /* free the cable */ loopback->cables[substream->number][dev] = NULL; @@ -706,7 +708,6 @@ static int loopback_open(struct snd_pcm_ loopback->cables[substream->number][dev] = cable; } dpcm->cable = cable; - cable->streams[substream->stream] = dpcm; snd_pcm_hw_constraint_integer(runtime, SNDRV_PCM_HW_PARAM_PERIODS); @@ -738,6 +739,11 @@ static int loopback_open(struct snd_pcm_ runtime->hw = loopback_pcm_hardware; else runtime->hw = cable->hw; + + spin_lock_irq(&cable->lock); + cable->streams[substream->stream] = dpcm; + spin_unlock_irq(&cable->lock); + unlock: if (err < 0) { free_cable(substream);