From: Ben Hutchings
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
CC: akpm@linux-foundation.org, "Takashi Iwai"
Date: Thu, 07 Jun 2018 15:05:21 +0100
Subject: [PATCH 3.16 388/410] ALSA: aloop: Fix access to not-yet-ready substream via cable

3.16.57-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Takashi Iwai

commit 8e6b1a72a75bb5067ccb6b56d8ca4aa3a300a64e upstream.

In loopback_open() and loopback_close(), we assign and release the
substream object to the corresponding cable in a racy way. It's
neither locked nor done in the right position. The open callback
assigns the substream before its preparation finishes, hence the other
side of the cable may pick it up, which may lead to the invalid memory
access.

This patch addresses these: move the assignment to the end of the open
callback, and wrap with cable->lock for avoiding concurrent accesses.

Signed-off-by: Takashi Iwai
Signed-off-by: Ben Hutchings
---
 sound/drivers/aloop.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

--- a/sound/drivers/aloop.c +++ b/sound/drivers/aloop.c @@ -667,7 +667,9 @@ static void free_cable(struct snd_pcm_su return; if (cable->streams[!substream->stream]) { /* other stream is still alive */ + spin_lock_irq(&cable->lock); cable->streams[substream->stream] = NULL; + spin_unlock_irq(&cable->lock); } else { /* free the cable */ loopback->cables[substream->number][dev] = NULL;
@@ -707,7 +709,6 @@ static int loopback_open(struct snd_pcm_ loopback->cables[substream->number][dev] = cable; } dpcm->cable = cable; - cable->streams[substream->stream] = dpcm; snd_pcm_hw_constraint_integer(runtime, SNDRV_PCM_HW_PARAM_PERIODS); @@ -739,6 +740,11 @@ static int loopback_open(struct snd_pcm_ runtime->hw = loopback_pcm_hardware; else runtime->hw = cable->hw; + + spin_lock_irq(&cable->lock); + cable->streams[substream->stream] = dpcm; + spin_unlock_irq(&cable->lock); + unlock: if (err < 0) { free_cable(substream);
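
Review bot: In the free_cable() hunk (@@ -667,7 +667,9 @@), only the store `cable->streams[substream->stream] = NULL;` is taken under cable->lock, while the test `if (cable->streams[!substream->stream])` directly above it still reads the peer slot without the lock. Since the open path now publishes its slot under the same lock, that unlocked test can in principle observe a stale value and pick the wrong branch (clear the slot versus free the cable). Consider moving the test inside the locked region as well, or say in the commit message which outer lock already serializes open and close so the unlocked read is known to be safe.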
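
Review bot: In the last loopback_open() hunk (@@ -739,6 +740,11 @@), the store `cable->streams[substream->stream] = dpcm;` now sits directly above the `unlock:` label with nothing in the code saying why it has to be last. The fix depends on this being the final step of setup, so a one-line comment there (for example, that dpcm must be fully prepared before it becomes visible to the other side of the cable) would keep later changes from adding initialization after the publish. Separately, spin_lock_irq()/spin_unlock_irq() re-enable interrupts unconditionally on unlock; that is correct only if this path always runs with interrupts enabled, which is worth confirming or stating, otherwise the irqsave/irqrestore variants are the safer choice.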