Received: by 2002:ac0:a594:0:0:0:0:0 with SMTP id m20-v6csp4002451imm;
        Mon, 14 May 2018 00:47:15 -0700 (PDT)
X-Google-Smtp-Source: AB8JxZoFHXjxbomEDt4i12tUzMtMou7RNTqAG4NhwkBVBvhvSmIotDDs7HYSpqVuWf71mmWx2pYI
X-Received: by 2002:a62:d717:: with SMTP id b23-v6mr9257464pfh.5.1526284035733;
        Mon, 14 May 2018 00:47:15 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1526284035; cv=none;
        d=google.com; s=arc-20160816;
        b=nEc1esSAw+CbOoX5/Zpp7hUYunq9//6hhgOuXYyZTE+21+SjG3ncwBLeT3ndy6MS8+
         awLfkrf+ACwFL0itxyNHMvDQ1DRdzFFK9Yj0FXTNgzh7m3i8/WeojReO5BF76AaQ8G3Y
         7Lt2mYoyKYOTKpWl84V1J9FrlhOXwJown6XOgRkximCxDGEQ1yjzpQNAHtNtUuS6UsFP
         Nwy4TqUW6GQxmRCJqBmTAEApFFRqpgMMoBjPhvDkmpBizLBjWt4cVo4c1Hh4Ycyd6j94
         RnFA9De+nt1HPL19w+eENaoYB0KSLytyCptZLv9kd+gdg0SAbDxnKFCt2rNP8HSL+LHA
         BVjg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:mime-version:user-agent:references
         :in-reply-to:message-id:date:subject:cc:to:from:dkim-signature
         :arc-authentication-results;
        bh=t0TzgKFqlEIlfS5hnqAGhXHNJ+bBGReGXy5MOHpE7N0=;
        b=y5/oly/tpytU0BXYeRVA1QmSapKcY986DHIMKIEmGAJkrg3K0N5jfqvky4wsK1cE8H
         FiKGT+Ye501dDwuZZHL/IIXrDq/tzXNwVUZ6Hxqw5njNS5pRwq1LB2UvyzNCvbKENgaH
         GYoSr6HnY1phJdXhXrX2LRcwYrLSGffM57a99U5ITh9XowE2jzCjHzY0ebtT+V55Cg8P
         XI77GZZLdSQQ4F+gMxpRzcWLj2Nluhz3uZumZViTs8fDAmoQygO7c9sjC3UjYcQqKlD8
         RRekmY2ywKtxQkiK/F4T/UCLeFgQQwu7Ps+D1h90bb7gnrSHAp7UBWEdih59RYJr38x7
         Fmig==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=wtxOrIEs;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id d4-v6si8743677plr.373.2018.05.14.00.47.01;
        Mon, 14 May 2018 00:47:15 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=wtxOrIEs;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1752430AbeENGvS (ORCPT <rfc822;yuankui.zhao@gmail.com>
        + 99 others); Mon, 14 May 2018 02:51:18 -0400
Received: from mail.kernel.org ([198.145.29.99]:57908 "EHLO mail.kernel.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1752022AbeENGvO (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 14 May 2018 02:51:14 -0400
Received: from localhost (LFbn-1-12247-202.w90-92.abo.wanadoo.fr [90.92.61.202])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by mail.kernel.org (Postfix) with ESMTPSA id A842421738;
        Mon, 14 May 2018 06:51:13 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
        s=default; t=1526280674;
        bh=UAxTa4rIWCPjgr2pNqoqvL01WkCzZQ1R22rezeApY34=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=wtxOrIEsW8GdRhiEzTeUpXo2TGDdKXSHiXBVN8zkQYvz/BThrF5+39opVsMyMq4dc
         Hsq1tIT3zbDtsvNyM8+IWkDpgHoVEU1SL5rFxi8YnNl9QDojUHZLDq/0dycXIbWhVD
         GeLLM3NIwmwqo8qZN9iJKj3fjacflWn8mj3rqbWY=
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org, DaeRyong Jeong <threeearcat@gmail.com>,
        Takashi Iwai <tiwai@suse.de>
Subject: [PATCH 4.4 15/56] ALSA: aloop: Add missing cable lock to ctl API callbacks
Date:   Mon, 14 May 2018 08:48:20 +0200
Message-Id: <20180514064756.523645687@linuxfoundation.org>
X-Mailer: git-send-email 2.17.0
In-Reply-To: <20180514064754.853201981@linuxfoundation.org>
References: <20180514064754.853201981@linuxfoundation.org>
User-Agent: quilt/0.65
X-stable: review
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <tiwai@suse.de>

commit 76b3421b39bd610546931fc923edcf90c18fa395 upstream.

Some control API callbacks in aloop driver are too lazy to take the
loopback->cable_lock and it results in possible races of cable access
while it's being freed.  It eventually lead to a UAF, as reported by
fuzzer recently.

This patch covers such control API callbacks and add the proper mutex
locks.

Reported-by: DaeRyong Jeong <threeearcat@gmail.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/drivers/aloop.c |   17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)

--- a/sound/drivers/aloop.c
+++ b/sound/drivers/aloop.c
@@ -832,9 +832,11 @@ static int loopback_rate_shift_get(struc
 {
 	struct loopback *loopback = snd_kcontrol_chip(kcontrol);
 	
+	mutex_lock(&loopback->cable_lock);
 	ucontrol->value.integer.value[0] =
 		loopback->setup[kcontrol->id.subdevice]
 			       [kcontrol->id.device].rate_shift;
+	mutex_unlock(&loopback->cable_lock);
 	return 0;
 }
 
@@ -866,9 +868,11 @@ static int loopback_notify_get(struct sn
 {
 	struct loopback *loopback = snd_kcontrol_chip(kcontrol);
 	
+	mutex_lock(&loopback->cable_lock);
 	ucontrol->value.integer.value[0] =
 		loopback->setup[kcontrol->id.subdevice]
 			       [kcontrol->id.device].notify;
+	mutex_unlock(&loopback->cable_lock);
 	return 0;
 }
 
@@ -880,12 +884,14 @@ static int loopback_notify_put(struct sn
 	int change = 0;
 
 	val = ucontrol->value.integer.value[0] ? 1 : 0;
+	mutex_lock(&loopback->cable_lock);
 	if (val != loopback->setup[kcontrol->id.subdevice]
 				[kcontrol->id.device].notify) {
 		loopback->setup[kcontrol->id.subdevice]
 			[kcontrol->id.device].notify = val;
 		change = 1;
 	}
+	mutex_unlock(&loopback->cable_lock);
 	return change;
 }
 
@@ -893,15 +899,18 @@ static int loopback_active_get(struct sn
 			       struct snd_ctl_elem_value *ucontrol)
 {
 	struct loopback *loopback = snd_kcontrol_chip(kcontrol);
-	struct loopback_cable *cable = loopback->cables
-			[kcontrol->id.subdevice][kcontrol->id.device ^ 1];
+	struct loopback_cable *cable;
+
 	unsigned int val = 0;
 
+	mutex_lock(&loopback->cable_lock);
+	cable = loopback->cables[kcontrol->id.subdevice][kcontrol->id.device ^ 1];
 	if (cable != NULL) {
 		unsigned int running = cable->running ^ cable->pause;
 
 		val = (running & (1 << SNDRV_PCM_STREAM_PLAYBACK)) ? 1 : 0;
 	}
+	mutex_unlock(&loopback->cable_lock);
 	ucontrol->value.integer.value[0] = val;
 	return 0;
 }
@@ -944,9 +953,11 @@ static int loopback_rate_get(struct snd_
 {
 	struct loopback *loopback = snd_kcontrol_chip(kcontrol);
 	
+	mutex_lock(&loopback->cable_lock);
 	ucontrol->value.integer.value[0] =
 		loopback->setup[kcontrol->id.subdevice]
 			       [kcontrol->id.device].rate;
+	mutex_unlock(&loopback->cable_lock);
 	return 0;
 }
 
@@ -966,9 +977,11 @@ static int loopback_channels_get(struct
 {
 	struct loopback *loopback = snd_kcontrol_chip(kcontrol);
 	
+	mutex_lock(&loopback->cable_lock);
 	ucontrol->value.integer.value[0] =
 		loopback->setup[kcontrol->id.subdevice]
 			       [kcontrol->id.device].channels;
+	mutex_unlock(&loopback->cable_lock);
 	return 0;
 }