From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, DaeRyong Jeong, Takashi Iwai
Subject: [PATCH 3.18 05/23] ALSA: seq: Fix races at MIDI encoding in snd_virmidi_output_trigger()
Date: Mon, 14 May 2018 08:48:34 +0200
Message-Id: <20180514064704.287680554@linuxfoundation.org>
In-Reply-To: <20180514064704.046463679@linuxfoundation.org>
References: <20180514064704.046463679@linuxfoundation.org>

3.18-stable review patch. If anyone has any objections, please let me know.

------------------

From: Takashi Iwai

commit 8f22e52528cc372b218b5f100457469615c733ce upstream.

The sequencer virmidi code has an open race at its output trigger
callback: namely, virmidi keeps only one event packet for processing
while it doesn't protect for concurrent output trigger calls.

snd_virmidi_output_trigger() tries to process the previously
unfinished event before starting encoding the given MIDI stream, but
this is done without any lock. Meanwhile, if another rawmidi stream
starts the output trigger, this proceeds further, and overwrites the
event package that is being processed in another thread. This
eventually corrupts and may lead to the invalid memory access if the
event type is like SYSEX.

The fix is just to move the spinlock to cover both the pending event
and the new stream.

The bug was spotted by a new fuzzer, RaceFuzzer.

BugLink: http://lkml.kernel.org/r/20180426045223.GA15307@dragonet.kaist.ac.kr
Reported-by: DaeRyong Jeong
Cc:
Signed-off-by: Takashi Iwai
Signed-off-by: Greg Kroah-Hartman
---
 sound/core/seq/seq_virmidi.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/sound/core/seq/seq_virmidi.c +++ b/sound/core/seq/seq_virmidi.c
@@ -174,12 +174,12 @@ static void snd_virmidi_output_trigger(s } return; } + spin_lock_irqsave(&substream->runtime->lock, flags); if (vmidi->event.type != SNDRV_SEQ_EVENT_NONE) { if (snd_seq_kernel_client_dispatch(vmidi->client, &vmidi->event, in_atomic(), 0) < 0) - return; + goto out; vmidi->event.type = SNDRV_SEQ_EVENT_NONE; } - spin_lock_irqsave(&substream->runtime->lock, flags); while (1) { count = __snd_rawmidi_transmit_peek(substream, buf, sizeof(buf)); if (count <= 0)
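
Review bot: The pending-event call to snd_seq_kernel_client_dispatch() still passes in_atomic() as its atomic argument, although after this change it always runs inside spin_lock_irqsave(&substream->runtime->lock, flags) with interrupts disabled. in_atomic() does not account for held spinlocks on kernels built without preempt counting, so it can report 0 here; passing a constant true would state the context explicitly and keep the dispatch path from taking a sleeping branch under the lock. Separately, the new "goto out" relies on a label outside the visible context, so it is worth confirming when backporting to 3.18 that "out:" lands on the spin_unlock_irqrestore() for the same lock and flags, since the early error exit now happens with the lock held where the old "return" did not.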