From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, DaeRyong Jeong, Takashi Iwai
Subject: [PATCH 4.4 13/56] ALSA: seq: Fix races at MIDI encoding in snd_virmidi_output_trigger()
Date: Mon, 14 May 2018 08:48:18 +0200
Message-Id: <20180514064756.323603786@linuxfoundation.org>
In-Reply-To: <20180514064754.853201981@linuxfoundation.org>
References: <20180514064754.853201981@linuxfoundation.org>

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Takashi Iwai

commit 8f22e52528cc372b218b5f100457469615c733ce upstream.

The sequencer virmidi code has an open race at its output trigger
callback: namely, virmidi keeps only one event packet for processing
while it doesn't protect for concurrent output trigger calls.

snd_virmidi_output_trigger() tries to process the previously
unfinished event before starting encoding the given MIDI stream, but
this is done without any lock.  Meanwhile, if another rawmidi stream
starts the output trigger, this proceeds further, and overwrites the
event package that is being processed in another thread.  This
eventually corrupts and may lead to an invalid memory access if the
event type is like SYSEX.

The fix is just to move the spinlock to cover both the pending event
and the new stream.

The bug was spotted by a new fuzzer, RaceFuzzer.

BugLink: http://lkml.kernel.org/r/20180426045223.GA15307@dragonet.kaist.ac.kr
Reported-by: DaeRyong Jeong
Cc:
Signed-off-by: Takashi Iwai
Signed-off-by: Greg Kroah-Hartman

---
 sound/core/seq/seq_virmidi.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/sound/core/seq/seq_virmidi.c
+++ b/sound/core/seq/seq_virmidi.c
@@ -174,12 +174,12 @@ static void snd_virmidi_output_trigger(s } return; } + spin_lock_irqsave(&substream->runtime->lock, flags); if (vmidi->event.type != SNDRV_SEQ_EVENT_NONE) { if (snd_seq_kernel_client_dispatch(vmidi->client, &vmidi->event, in_atomic(), 0) < 0) - return; + goto out; vmidi->event.type = SNDRV_SEQ_EVENT_NONE; } - spin_lock_irqsave(&substream->runtime->lock, flags); while (1) { count = __snd_rawmidi_transmit_peek(substream, buf, sizeof(buf)); if (count <= 0)
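Review bot: the new `goto out;` in the pending-event branch relies on an `out:` label that lies outside this hunk; because `spin_lock_irqsave(&substream->runtime->lock, flags);` now precedes that branch, the label must release the lock with `spin_unlock_irqrestore(&substream->runtime->lock, flags);`, otherwise a failed dispatch returns with the runtime lock held and interrupts disabled, so the hunk (or its trailing context) should show that label. A second point: `snd_seq_kernel_client_dispatch(vmidi->client, &vmidi->event, in_atomic(), 0)` now always runs under a spinlock with interrupts off, yet its atomic flag is still `in_atomic()`, which reflects that context only when preempt-count accounting is enabled; passing a constant atomic flag would make the non-blocking dispatch path independent of the preemption configuration, and the commit message should state that the dispatch moved into the locked region.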
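The race the commit message describes, as an added user-space model that is not part of this patch or of the kernel: two "streams" (threads) share one pending-event slot, and the `lock_pending` flag selects whether the pending-event check runs before the lock (pre-patch ordering) or under it (patched ordering). All names (`struct vmidi`, `output_trigger`, `run_model`, the checksum used to detect a clobbered event) are invented for the model.

```c
/* Added model (not kernel code) of the race in snd_virmidi_output_trigger():
 * two streams share one pending-event slot. lock_pending = 0 checks the slot
 * before taking the lock (pre-patch); lock_pending = 1 locks first (patched). */
#include <pthread.h>
#include <stdint.h>
#include <string.h>
#define EVENT_NONE  0
#define EVENT_SYSEX 1
#define ROUNDS      20000
struct event { int type; uint8_t data[32]; uint32_t sum; };
struct vmidi { pthread_mutex_t lock; struct event pending; long dispatched, corrupt; };
struct worker_arg { struct vmidi *vm; uint8_t stream_byte; int lock_pending; };
static uint32_t checksum(const uint8_t *d, size_t n) { uint32_t s = 0; while (n--) s = s * 31 + *d++; return s; }
/* Stand-in for snd_seq_kernel_client_dispatch(): fails if the event was clobbered. */
static int dispatch(struct vmidi *vm, const struct event *ev) {
    if (checksum(ev->data, sizeof ev->data) != ev->sum) { vm->corrupt++; return -1; }
    vm->dispatched++; return 0;
}
static void output_trigger(struct vmidi *vm, uint8_t stream_byte, int lock_pending) {
    if (lock_pending) pthread_mutex_lock(&vm->lock);
    /* Process the previously unfinished event before encoding this stream. */
    if (vm->pending.type != EVENT_NONE) {
        if (dispatch(vm, &vm->pending) < 0) {
            if (!lock_pending) return;  /* pre-patch: bare return, lock not held */
            goto out;                   /* patched: must release the lock */
        }
        vm->pending.type = EVENT_NONE;
    }
    if (!lock_pending) pthread_mutex_lock(&vm->lock);
    /* Encode this stream into the single shared slot, overwriting it. */
    memset(vm->pending.data, stream_byte, sizeof vm->pending.data);
    vm->pending.sum = checksum(vm->pending.data, sizeof vm->pending.data);
    vm->pending.type = EVENT_SYSEX;
out:
    pthread_mutex_unlock(&vm->lock);
}
static void *worker(void *p) {
    struct worker_arg *a = p;
    for (int i = 0; i < ROUNDS; i++) output_trigger(a->vm, a->stream_byte, a->lock_pending);
    return NULL;
}
/* Two concurrent streams; returns clean dispatches, or -1 if any event was corrupted. */
long run_model(int lock_pending) {
    struct vmidi vm = { PTHREAD_MUTEX_INITIALIZER }; pthread_t t[2];
    struct worker_arg a[2] = { { &vm, 0x11, lock_pending }, { &vm, 0x22, lock_pending } };
    for (int i = 0; i < 2; i++) pthread_create(&t[i], NULL, worker, &a[i]);
    for (int i = 0; i < 2; i++) pthread_join(t[i], NULL);
    return vm.corrupt ? -1 : vm.dispatched;
}
```

`run_model(0)` reproduces the pre-patch ordering and typically returns -1 because the unlocked dispatch reads a slot the other thread is overwriting; `run_model(1)` models the patched ordering and always yields exactly one clean dispatch per trigger after the first.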