From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, syzbot+1dac3a4f6bc9c1c675d4@syzkaller.appspotmail.com, Takashi Iwai Subject: [PATCH 4.4 12/56] ALSA: pcm: Check PCM state at xfern compat ioctl Date: Mon, 14 May 2018 08:48:17 +0200 Message-Id: <20180514064756.256536571@linuxfoundation.org> X-Mailer: git-send-email 2.17.0 In-Reply-To: <20180514064754.853201981@linuxfoundation.org> References: <20180514064754.853201981@linuxfoundation.org> User-Agent: quilt/0.65 X-stable: review MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 4.4-stable review patch. If anyone has any objections, please let me know. ------------------ From: Takashi Iwai commit f13876e2c33a657a71bcbb10f767c0951b165020 upstream. Since snd_pcm_ioctl_xfern_compat() has no PCM state check, it may go further and hit the sanity check pcm_sanity_check() when the ioctl is called right after open. It may eventually spew a kernel warning, as triggered by syzbot, depending on kconfig. The lack of PCM state check there was just an oversight. Although it's no real crash, the spurious kernel warning is annoying, so let's add the proper check. Reported-by: syzbot+1dac3a4f6bc9c1c675d4@syzkaller.appspotmail.com Cc: Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman --- sound/core/pcm_compat.c | 2 ++ 1 file changed, 2 insertions(+) --- a/sound/core/pcm_compat.c +++ b/sound/core/pcm_compat.c @@ -426,6 +426,8 @@ static int snd_pcm_ioctl_xfern_compat(st return -ENOTTY; if (substream->stream != dir) return -EINVAL; + if (substream->runtime->status->state == SNDRV_PCM_STATE_OPEN) + return -EBADFD; if ((ch = substream->runtime->channels) > 128) return -EINVAL;
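Review bot: the added test of substream->runtime->status->state against SNDRV_PCM_STATE_OPEN in snd_pcm_ioctl_xfern_compat() has no comment, and nothing in the hunk shows a lock held around the read, so it should be documented as a point-in-time guard. A one-line comment above it saying that the stream has not been configured yet in the OPEN state, and that the early return keeps the call from reaching pcm_sanity_check(), would record the intent the commit message gives. Placing the test before the `substream->runtime->channels > 128` check is the right order, since the channel count is only meaningful once the stream has left the OPEN state. It is also worth confirming that -EBADFD is the same error the non-compat transfer ioctl returns for a stream in this state, so 32-bit and native callers see identical behaviour.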