From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, syzbot+1dac3a4f6bc9c1c675d4@syzkaller.appspotmail.com, Takashi Iwai
Subject: [PATCH 3.18 04/23] ALSA: pcm: Check PCM state at xfern compat ioctl
Date: Mon, 14 May 2018 08:48:33 +0200

3.18-stable review patch. If anyone has any objections, please let me know.

------------------

From: Takashi Iwai

commit f13876e2c33a657a71bcbb10f767c0951b165020 upstream.

Since snd_pcm_ioctl_xfern_compat() has no PCM state check, it may go further and hit the sanity check pcm_sanity_check() when the ioctl is called right after open. It may eventually spew a kernel warning, as triggered by syzbot, depending on kconfig.

The lack of PCM state check there was just an oversight. Although it's no real crash, the spurious kernel warning is annoying, so let's add the proper check.

Reported-by: syzbot+1dac3a4f6bc9c1c675d4@syzkaller.appspotmail.com
Cc:
Signed-off-by: Takashi Iwai
Signed-off-by: Greg Kroah-Hartman
---
 sound/core/pcm_compat.c | 2 ++
 1 file changed, 2 insertions(+)

--- a/sound/core/pcm_compat.c +++ b/sound/core/pcm_compat.c @@ -333,6 +333,8 @@ static int snd_pcm_ioctl_xfern_compat(st return -ENOTTY; if (substream->stream != dir) return -EINVAL; + if (substream->runtime->status->state == SNDRV_PCM_STATE_OPEN) + return -EBADFD; if ((ch = substream->runtime->channels) > 128) return -EINVAL;
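
Review bot: The added test in the sound/core/pcm_compat.c hunk reads substream->runtime->status->state, so it depends on substream->runtime already having been validated; the condition guarding the `return -ENOTTY;` just above it lies outside the visible context, so confirm that it is the NULL-runtime check in the 3.18 tree this backport targets. The placement before the `substream->runtime->channels` read is right, since the channel count is only set up once the stream has left SNDRV_PCM_STATE_OPEN, and a one-line comment saying so would keep the two checks from being reordered later. Nothing in the visible lines takes a lock around the state read, so treat it as an early-out that suppresses the warning described in the commit message, not as a guarantee that the state stays unchanged for the rest of the function.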