From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, syzbot+52f83f0ea8df16932f7f@syzkaller.appspotmail.com, Takashi Iwai
Subject: [PATCH 4.4 004/107] ALSA: rawmidi: Change resized buffers atomically
Date: Mon, 23 Jul 2018 14:40:58 +0200
Message-Id: <20180723122413.163448388@linuxfoundation.org>
In-Reply-To: <20180723122413.003644357@linuxfoundation.org>
References: <20180723122413.003644357@linuxfoundation.org>

4.4-stable review patch. If anyone has any objections, please let me know.

------------------

From: Takashi Iwai

commit 39675f7a7c7e7702f7d5341f1e0d01db746543a0 upstream.

The SNDRV_RAWMIDI_IOCTL_PARAMS ioctl may resize the buffers and the
current code is racy. For example, the sequencer client may write to
buffer while it is being resized.

As a simple workaround, let's switch to the resized buffer inside the
stream runtime lock.

Reported-by: syzbot+52f83f0ea8df16932f7f@syzkaller.appspotmail.com
Cc:
Signed-off-by: Takashi Iwai
Signed-off-by: Greg Kroah-Hartman
---
 sound/core/rawmidi.c | 20 ++++++++++++++------
 1 file changed, 14 insertions(+), 6 deletions(-)

--- a/sound/core/rawmidi.c +++ b/sound/core/rawmidi.c @@ -635,7 +635,7 @@ static int snd_rawmidi_info_select_user( int snd_rawmidi_output_params(struct snd_rawmidi_substream *substream, struct snd_rawmidi_params * params) { - char *newbuf; + char *newbuf, *oldbuf; struct snd_rawmidi_runtime *runtime = substream->runtime; if (substream->append && substream->use_count > 1) @@ -648,13 +648,17 @@ int snd_rawmidi_output_params(struct snd return -EINVAL; } if (params->buffer_size != runtime->buffer_size) { - newbuf = krealloc(runtime->buffer, params->buffer_size, - GFP_KERNEL); + newbuf = kmalloc(params->buffer_size, GFP_KERNEL); if (!newbuf) return -ENOMEM; + spin_lock_irq(&runtime->lock); + oldbuf = runtime->buffer; runtime->buffer = newbuf; runtime->buffer_size = params->buffer_size; runtime->avail = runtime->buffer_size; + runtime->appl_ptr = runtime->hw_ptr = 0; + spin_unlock_irq(&runtime->lock); + kfree(oldbuf); } runtime->avail_min = params->avail_min; substream->active_sensing = !params->no_active_sensing; @@ -665,7 +669,7 @@ EXPORT_SYMBOL(snd_rawmidi_output_params) int snd_rawmidi_input_params(struct snd_rawmidi_substream *substream, struct snd_rawmidi_params * params) { - char *newbuf; + char *newbuf, *oldbuf; struct snd_rawmidi_runtime *runtime = substream->runtime; snd_rawmidi_drain_input(substream); 
@@ -676,12 +680,16 @@ int snd_rawmidi_input_params(struct snd_ return -EINVAL; } if (params->buffer_size != runtime->buffer_size) { - newbuf = krealloc(runtime->buffer, params->buffer_size, - GFP_KERNEL); + newbuf = kmalloc(params->buffer_size, GFP_KERNEL); if (!newbuf) return -ENOMEM; + spin_lock_irq(&runtime->lock); + oldbuf = runtime->buffer; runtime->buffer = newbuf; runtime->buffer_size = params->buffer_size; + runtime->appl_ptr = runtime->hw_ptr = 0; + spin_unlock_irq(&runtime->lock); + kfree(oldbuf); } runtime->avail_min = params->avail_min; return 0;
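
Review bot: in the snd_rawmidi_output_params() hunk (@@ -648,13 +648,17 @@), kfree(oldbuf) runs immediately after spin_unlock_irq(&runtime->lock), which is safe only if no reader or writer can still hold a pointer into the old runtime->buffer after it has dropped runtime->lock, for instance around a copy to or from user space. Nothing in these lines shows that, so please confirm that every access to runtime->buffer stays inside the lock, or refuse the resize while a transfer is in flight. The same concern applies to the matching kfree(oldbuf) in the input hunk. Separately, replacing krealloc() with kmalloc() and resetting appl_ptr and hw_ptr discards any bytes still queued for output, and the changelog should say so.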
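
Review bot: in the snd_rawmidi_input_params() hunk (@@ -676,12 +680,16 @@), the locked section resets appl_ptr and hw_ptr but never sets runtime->avail, whereas the output path assigns avail right next to the pointer reset. The input path presumably relies on snd_rawmidi_drain_input(substream), but that call sits before the lock is taken, so input arriving between the drain and spin_lock_irq() would leave avail out of step with the reset pointers. Because newbuf comes from kmalloc() and is uninitialized, a stale non-zero avail could also let a read return bytes that were never received. Suggest setting runtime->avail = 0 inside the locked section and allocating the new buffer with kzalloc().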