Received: by 2002:ac0:a594:0:0:0:0:0 with SMTP id m20-v6csp4011494imm;
        Mon, 14 May 2018 00:57:51 -0700 (PDT)
X-Google-Smtp-Source: AB8JxZofuEOBik6lKrQauRHFlLruFSAdRUAVilZMH96mRRQy8NlK/CLU/cQatcTRsFTFdJzp6PbP
X-Received: by 2002:a17:902:b189:: with SMTP id s9-v6mr8834009plr.352.1526284671825;
        Mon, 14 May 2018 00:57:51 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1526284671; cv=none;
        d=google.com; s=arc-20160816;
        b=GRa23OODKjbNgb3lqlHLLB9gFQC1T7Jkb77J1xDihmRmfFN2kgvw51VSRHFC60ABKb
         SlWvjjikXDEg+7wnbgyMl69Lw5gfXD0QBk4CAc9/4e3/ml9FPyHULpzT4Zm5UKkaWFix
         LYFdluIjsE0P3+EaqDYGHMnOoBDGmiQYIzOuYNy2diXSy2WOZ2yyBKgFPLv5hbqrAd/x
         KhgxYFLf0pprAnyO9ZS8SCHy/fxleC/HqJu5NlElMKYZbGoZo3tbLsJr5r5KuzovvXgc
         BgOHkVezhdauEv0QXUbyRGygrljMGa/hRMOQZHxW0h7unNLH4Bl3/gHhYmoanNhZn0j2
         P6Yw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:mime-version:user-agent:references
         :in-reply-to:message-id:date:subject:cc:to:from:dkim-signature
         :arc-authentication-results;
        bh=xtWtOhR0eUDV43i04v7MfcgfR0TkyI7MZVWaablVXoY=;
        b=bvOhLvilEBjphnOF2P4ytWwPOOeUZPLLl1ukptOdGe00Pfp0mMa5Y+S2cayHXf81ec
         xwWo6uOb0Cyx+Q5xSYGwLU+4cGHKFJba+DxRNSiE6ieluIZb2lcHxsQRMeGZJq0l+JpA
         pobmkpYadgwNjmEUwQ9UHMtEbnAXqsNmYZQtUdXufj2h/b37iTAD7VXsRyb2li0UMVuv
         NR3ZATgorqQ3bxPv2yD+MPYSig1JJiVvu4DbxKtU5Fuqh1GV2yO+6a5qdm4yU0vn32u2
         7KoUfsTII08Abi8d703Mdz92xcQ+28O0ptaE2S4CYdDiuGm+dGaaHFzH3LA1JWZJlDpQ
         XFOA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=sNdrfFKo;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id o78-v6si9078127pfa.54.2018.05.14.00.57.37;
        Mon, 14 May 2018 00:57:51 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=sNdrfFKo;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1752172AbeENGuO (ORCPT <rfc822;yuankui.zhao@gmail.com>
        + 99 others); Mon, 14 May 2018 02:50:14 -0400
Received: from mail.kernel.org ([198.145.29.99]:56924 "EHLO mail.kernel.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1752138AbeENGuM (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 14 May 2018 02:50:12 -0400
Received: from localhost (LFbn-1-12247-202.w90-92.abo.wanadoo.fr [90.92.61.202])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by mail.kernel.org (Postfix) with ESMTPSA id 472EB21723;
        Mon, 14 May 2018 06:50:11 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
        s=default; t=1526280611;
        bh=iRdy6+ehFuNy5El/TJHyvm74cmiuy+Q+7wshjmUpe90=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=sNdrfFKo/hT446bD/O+t2Xr8HNfyoKH2NFY7W6r/vefufip1bYZ5+PrmdHDA+fdqV
         Phf1m6vmpHqUFgh8Iv+3Q+I+9W38mZ2BRgCh0avQmfSGFjY2OUP2z2QkT8sIDokGBS
         dq+66O2Fzr5cgEA+6HrK24a5hFCP7rIq8anq0IU8=
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org, DaeRyong Jeong <threeearcat@gmail.com>,
        Takashi Iwai <tiwai@suse.de>
Subject: [PATCH 3.18 07/23] ALSA: aloop: Add missing cable lock to ctl API callbacks
Date:   Mon, 14 May 2018 08:48:36 +0200
Message-Id: <20180514064704.364237172@linuxfoundation.org>
X-Mailer: git-send-email 2.17.0
In-Reply-To: <20180514064704.046463679@linuxfoundation.org>
References: <20180514064704.046463679@linuxfoundation.org>
User-Agent: quilt/0.65
X-stable: review
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <tiwai@suse.de>

commit 76b3421b39bd610546931fc923edcf90c18fa395 upstream.

Some control API callbacks in aloop driver are too lazy to take the
loopback->cable_lock and it results in possible races of cable access
while it's being freed.  It eventually lead to a UAF, as reported by
fuzzer recently.

This patch covers such control API callbacks and add the proper mutex
locks.

Reported-by: DaeRyong Jeong <threeearcat@gmail.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/drivers/aloop.c |   17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)

--- a/sound/drivers/aloop.c
+++ b/sound/drivers/aloop.c
@@ -833,9 +833,11 @@ static int loopback_rate_shift_get(struc
 {
 	struct loopback *loopback = snd_kcontrol_chip(kcontrol);
 	
+	mutex_lock(&loopback->cable_lock);
 	ucontrol->value.integer.value[0] =
 		loopback->setup[kcontrol->id.subdevice]
 			       [kcontrol->id.device].rate_shift;
+	mutex_unlock(&loopback->cable_lock);
 	return 0;
 }
 
@@ -867,9 +869,11 @@ static int loopback_notify_get(struct sn
 {
 	struct loopback *loopback = snd_kcontrol_chip(kcontrol);
 	
+	mutex_lock(&loopback->cable_lock);
 	ucontrol->value.integer.value[0] =
 		loopback->setup[kcontrol->id.subdevice]
 			       [kcontrol->id.device].notify;
+	mutex_unlock(&loopback->cable_lock);
 	return 0;
 }
 
@@ -881,12 +885,14 @@ static int loopback_notify_put(struct sn
 	int change = 0;
 
 	val = ucontrol->value.integer.value[0] ? 1 : 0;
+	mutex_lock(&loopback->cable_lock);
 	if (val != loopback->setup[kcontrol->id.subdevice]
 				[kcontrol->id.device].notify) {
 		loopback->setup[kcontrol->id.subdevice]
 			[kcontrol->id.device].notify = val;
 		change = 1;
 	}
+	mutex_unlock(&loopback->cable_lock);
 	return change;
 }
 
@@ -894,15 +900,18 @@ static int loopback_active_get(struct sn
 			       struct snd_ctl_elem_value *ucontrol)
 {
 	struct loopback *loopback = snd_kcontrol_chip(kcontrol);
-	struct loopback_cable *cable = loopback->cables
-			[kcontrol->id.subdevice][kcontrol->id.device ^ 1];
+	struct loopback_cable *cable;
+
 	unsigned int val = 0;
 
+	mutex_lock(&loopback->cable_lock);
+	cable = loopback->cables[kcontrol->id.subdevice][kcontrol->id.device ^ 1];
 	if (cable != NULL) {
 		unsigned int running = cable->running ^ cable->pause;
 
 		val = (running & (1 << SNDRV_PCM_STREAM_PLAYBACK)) ? 1 : 0;
 	}
+	mutex_unlock(&loopback->cable_lock);
 	ucontrol->value.integer.value[0] = val;
 	return 0;
 }
@@ -945,9 +954,11 @@ static int loopback_rate_get(struct snd_
 {
 	struct loopback *loopback = snd_kcontrol_chip(kcontrol);
 	
+	mutex_lock(&loopback->cable_lock);
 	ucontrol->value.integer.value[0] =
 		loopback->setup[kcontrol->id.subdevice]
 			       [kcontrol->id.device].rate;
+	mutex_unlock(&loopback->cable_lock);
 	return 0;
 }
 
@@ -967,9 +978,11 @@ static int loopback_channels_get(struct
 {
 	struct loopback *loopback = snd_kcontrol_chip(kcontrol);
 	
+	mutex_lock(&loopback->cable_lock);
 	ucontrol->value.integer.value[0] =
 		loopback->setup[kcontrol->id.subdevice]
 			       [kcontrol->id.device].channels;
+	mutex_unlock(&loopback->cable_lock);
 	return 0;
 }