Received: by 10.213.65.68 with SMTP id h4csp769538imn;
        Fri, 6 Apr 2018 08:35:47 -0700 (PDT)
X-Google-Smtp-Source: AIpwx48z8FjmM3jgTdfdf3gZR8CE5APIp/qIZ74hvKhQaVPFx3Ap+wvOheLetp4ynIsJpQhJPmfV
X-Received: by 2002:a17:902:d882:: with SMTP id b2-v6mr18171275plz.197.1523028947487;
        Fri, 06 Apr 2018 08:35:47 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1523028947; cv=none;
        d=google.com; s=arc-20160816;
        b=UT6n05hBk6f58h12+XcsjF2hnneWTwsNVDAHguHyB1KHNEndwM/GzIzI5zlBZdweQq
         ev4YXdlMxkAaNQCXgAFx332e/E/JQxvWOZVkJYIiwu12x+UXhG0ipbI0nJUP5Wf8mpzP
         IdVCfClWqtzK/wuy4m2t+3ATotl7P4JjB0rkl/v12UIRH9RNCo2E3QK0ZCBGgKRLo8mY
         DdSjPZkFc8gFmqVsNpSwvxhULgn1D3DDauUCrvSEc1vl+SOW8J6bWz+9yB9NS4IlhpnS
         u3a51BUBuvU4bD45pYel7xXFRkpVewsu+wfBht+s1VE+jvHxy2a02TnIPgfQnPy65DHy
         Wi2A==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:mime-version:user-agent:references
         :in-reply-to:message-id:date:subject:cc:to:from
         :arc-authentication-results;
        bh=xclvzu+614zQuYz/sR+cO0c5oA4M5xlRIy4ph92NZ5w=;
        b=T/bL+JtpoJuxbWWT0yIUy0KLL9anENyMkz8tE19Q774e2Sufwveb/2so1Zxb+kmNIf
         Y3lNR5nhyqBN+kgAgNeDjfFnPI1bUD2xp4OYt4dtM1IYQ4ial+vBrDPNeuwSDLDbQAfF
         fevzgQdUFc06FweUdZG1sTBaE0pfrUziQvntiUBykz7E+cHJieQBc7Oc4Ka5U670iDEA
         Pqley2h5OVNJHlYd5LPAXBxU9bJG7T2AmwhS6hQU0AQEXrAoE7ILA6OaPSvW+JPCkSK9
         uv7uezqq2oLNHLQBCywk5aFDAKD99fdGXT9CGJEUnpHToynrF1eU9NM6jsV/bnr0qreI
         +Q5w==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id d2-v6si8258262plh.121.2018.04.06.08.35.33;
        Fri, 06 Apr 2018 08:35:47 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1753355AbeDFNZV (ORCPT <rfc822;brice.berna@gmail.com>
        + 99 others); Fri, 6 Apr 2018 09:25:21 -0400
Received: from mail.linuxfoundation.org ([140.211.169.12]:54002 "EHLO
        mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1753326AbeDFNZP (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 6 Apr 2018 09:25:15 -0400
Received: from localhost (LFbn-1-12247-202.w90-92.abo.wanadoo.fr [90.92.61.202])
        by mail.linuxfoundation.org (Postfix) with ESMTPSA id 01E29DC5;
        Fri,  6 Apr 2018 13:25:14 +0000 (UTC)
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org, Takashi Iwai <tiwai@suse.de>
Subject: [PATCH 3.18 03/93] ALSA: aloop: Fix access to not-yet-ready substream via cable
Date:   Fri,  6 Apr 2018 15:22:32 +0200
Message-Id: <20180406084225.112487482@linuxfoundation.org>
X-Mailer: git-send-email 2.17.0
In-Reply-To: <20180406084224.918716300@linuxfoundation.org>
References: <20180406084224.918716300@linuxfoundation.org>
User-Agent: quilt/0.65
X-stable: review
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <tiwai@suse.de>

commit 8e6b1a72a75bb5067ccb6b56d8ca4aa3a300a64e upstream.

In loopback_open() and loopback_close(), we assign and release the
substream object to the corresponding cable in a racy way.  It's
neither locked nor done in the right position.  The open callback
assigns the substream before its preparation finishes, hence the other
side of the cable may pick it up, which may lead to the invalid memory
access.

This patch addresses these: move the assignment to the end of the open
callback, and wrap with cable->lock for avoiding concurrent accesses.

Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/drivers/aloop.c |    8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

--- a/sound/drivers/aloop.c
+++ b/sound/drivers/aloop.c
@@ -667,7 +667,9 @@ static void free_cable(struct snd_pcm_su
 		return;
 	if (cable->streams[!substream->stream]) {
 		/* other stream is still alive */
+		spin_lock_irq(&cable->lock);
 		cable->streams[substream->stream] = NULL;
+		spin_unlock_irq(&cable->lock);
 	} else {
 		/* free the cable */
 		loopback->cables[substream->number][dev] = NULL;
@@ -707,7 +709,6 @@ static int loopback_open(struct snd_pcm_
 		loopback->cables[substream->number][dev] = cable;
 	}
 	dpcm->cable = cable;
-	cable->streams[substream->stream] = dpcm;
 
 	snd_pcm_hw_constraint_integer(runtime, SNDRV_PCM_HW_PARAM_PERIODS);
 
@@ -739,6 +740,11 @@ static int loopback_open(struct snd_pcm_
 		runtime->hw = loopback_pcm_hardware;
 	else
 		runtime->hw = cable->hw;
+
+	spin_lock_irq(&cable->lock);
+	cable->streams[substream->stream] = dpcm;
+	spin_unlock_irq(&cable->lock);
+
  unlock:
 	if (err < 0) {
 		free_cable(substream);