From: Ben Hutchings
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
CC: akpm@linux-foundation.org, syzbot+52f83f0ea8df16932f7f@syzkaller.appspotmail.com, "Takashi Iwai"
Date: Sat, 22 Sep 2018 01:15:42 +0100
Subject: [PATCH 3.16 42/63] ALSA: rawmidi: Change resized buffers atomically

3.16.58-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Takashi Iwai

commit 39675f7a7c7e7702f7d5341f1e0d01db746543a0 upstream.

The SNDRV_RAWMIDI_IOCTL_PARAMS ioctl may resize the buffers and the
current code is racy.  For example, the sequencer client may write to
the buffer while it is being resized.

As a simple workaround, let's switch to the resized buffer inside the
stream runtime lock.

Reported-by: syzbot+52f83f0ea8df16932f7f@syzkaller.appspotmail.com
Signed-off-by: Takashi Iwai
Signed-off-by: Ben Hutchings
---
 sound/core/rawmidi.c | 20 ++++++++++++++------
 1 file changed, 14 insertions(+), 6 deletions(-)

--- a/sound/core/rawmidi.c +++ b/sound/core/rawmidi.c @@ -645,7 +645,7 @@ static int snd_rawmidi_info_select_user( int snd_rawmidi_output_params(struct snd_rawmidi_substream *substream, struct snd_rawmidi_params * params) { - char *newbuf; + char *newbuf, *oldbuf; struct snd_rawmidi_runtime *runtime = substream->runtime; if (substream->append && substream->use_count > 1)
@@ -658,13 +658,17 @@ int snd_rawmidi_output_params(struct snd return -EINVAL; } if (params->buffer_size != runtime->buffer_size) { - newbuf = krealloc(runtime->buffer, params->buffer_size, - GFP_KERNEL); + newbuf = kmalloc(params->buffer_size, GFP_KERNEL); if (!newbuf) return -ENOMEM; + spin_lock_irq(&runtime->lock); + oldbuf = runtime->buffer; runtime->buffer = newbuf; runtime->buffer_size = params->buffer_size; runtime->avail = runtime->buffer_size; + runtime->appl_ptr = runtime->hw_ptr = 0; + spin_unlock_irq(&runtime->lock); + kfree(oldbuf); } runtime->avail_min = params->avail_min; substream->active_sensing = !params->no_active_sensing; @@ -675,7 +679,7 @@ EXPORT_SYMBOL(snd_rawmidi_output_params) int snd_rawmidi_input_params(struct snd_rawmidi_substream *substream, struct snd_rawmidi_params * params) { - char *newbuf; + char *newbuf, *oldbuf; struct snd_rawmidi_runtime *runtime = substream->runtime; snd_rawmidi_drain_input(substream); @@ -686,12 +690,16 @@ int snd_rawmidi_input_params(struct snd_ return -EINVAL; } if (params->buffer_size != runtime->buffer_size) { - newbuf = krealloc(runtime->buffer, params->buffer_size, - GFP_KERNEL); + newbuf = kmalloc(params->buffer_size, GFP_KERNEL); if (!newbuf) return -ENOMEM; + spin_lock_irq(&runtime->lock); + oldbuf = runtime->buffer; runtime->buffer = newbuf; runtime->buffer_size = params->buffer_size; + runtime->appl_ptr = runtime->hw_ptr = 0; + spin_unlock_irq(&runtime->lock); + kfree(oldbuf); } runtime->avail_min = params->avail_min; return 0;
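Review bot: The added `runtime->appl_ptr = runtime->hw_ptr = 0;` in the snd_rawmidi_output_params hunk (@@ -658,13 +658,17 @@) is a behavioural change the commit message does not spell out and should. The old code kept the contents via krealloc() and left both pointers untouched, so a shrink could leave appl_ptr or hw_ptr at an offset beyond the new buffer_size; the new code allocates a fresh buffer with kmalloc() and zeroes the pointers, which fixes that but also discards whatever output was still queued in the old buffer. A sentence noting that pending output is dropped on resize would save the next reader from wondering whether the data loss was intended. The ordering itself is right: newbuf is only published after the -ENOMEM check, so an allocation failure leaves runtime->buffer and buffer_size consistent, and kfree(oldbuf) sits after spin_unlock_irq() rather than inside the IRQ-disabled critical section; keep both if this is revised.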
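Review bot: In the snd_rawmidi_input_params hunk (@@ -686,12 +690,16 @@) the pointers are reset under the lock but runtime->avail is not touched, unlike the output hunk, which sets `runtime->avail = runtime->buffer_size;`. The only thing clearing avail here is the snd_rawmidi_drain_input(substream) call in the context above, which runs before the lock is taken; if any input can land between that drain and the spin_lock_irq() (the very window this patch is closing), avail can be non-zero while hw_ptr is 0 and the new kmalloc() buffer is uninitialised, so a subsequent read would hand stale kernel memory to userspace. Either add `runtime->avail = 0;` next to the pointer reset inside the critical section, or document why avail is guaranteed to be zero at that point.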
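The resize race described in the commit message, shown on a userspace model. This is an added example and not kernel code: the `struct ring`, the `ring_*` functions and the C11 `atomic_bool` spinlock standing in for `runtime->lock` are all assumptions made here. `ring_resize_unsafe` mirrors the old krealloc() scheme (block replaced in place, indices kept, no lock); `ring_resize_safe` mirrors the patched scheme (allocate, swap and reset the indices under the lock, free the old block after unlocking). The scenario helper fills a 64-slot ring, shrinks it to 32 and reports whether the indices are still inside the buffer afterwards, which is the invariant the pointer reset in the patch restores.

```c
/* Added example, not kernel code: userspace model of a rawmidi-style ring
 * buffer and the two resize strategies discussed in the patch.  The names
 * (struct ring, ring_*) and the atomic_bool spinlock are assumptions. */
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>

struct ring {
    atomic_bool locked;  /* stands in for runtime->lock */
    char *buffer;
    size_t buffer_size;
    size_t appl_ptr;     /* next slot the application writes */
    size_t hw_ptr;       /* next slot the "hardware" side consumes */
    size_t avail;        /* free slots */
};

static void ring_lock(struct ring *r)
{
    while (atomic_exchange_explicit(&r->locked, true, memory_order_acquire))
        ;
}

static void ring_unlock(struct ring *r)
{
    atomic_store_explicit(&r->locked, false, memory_order_release);
}

int ring_init(struct ring *r, size_t size)
{
    r->buffer = malloc(size);
    if (!r->buffer)
        return -1;
    atomic_init(&r->locked, false);
    r->buffer_size = size;
    r->appl_ptr = r->hw_ptr = 0;
    r->avail = size;
    return 0;
}

void ring_destroy(struct ring *r)
{
    free(r->buffer);
    r->buffer = NULL;
}

/* Producer path, modelled on the kernel write path: runs under the lock
 * and indexes the buffer directly with appl_ptr. */
size_t ring_write(struct ring *r, const char *data, size_t len)
{
    size_t n = 0;

    ring_lock(r);
    while (n < len && r->avail > 0) {
        r->buffer[r->appl_ptr] = data[n++];
        r->appl_ptr = (r->appl_ptr + 1) % r->buffer_size;
        r->avail--;
    }
    ring_unlock(r);
    return n;
}

/* Old scheme (krealloc): the block may move or shrink while a writer is
 * still using it, and the indices are left alone, so after a shrink
 * appl_ptr can sit beyond the new end and the next write goes out of bounds. */
int ring_resize_unsafe(struct ring *r, size_t new_size)
{
    char *newbuf = realloc(r->buffer, new_size);

    if (!newbuf)
        return -1;
    r->buffer = newbuf;
    r->buffer_size = new_size;
    r->avail = new_size;
    return 0;
}

/* New scheme: allocate first, publish the new buffer and reset the indices
 * inside the lock, free the old block only after unlocking. */
int ring_resize_safe(struct ring *r, size_t new_size)
{
    char *newbuf = malloc(new_size);
    char *oldbuf;

    if (!newbuf)
        return -1;
    ring_lock(r);
    oldbuf = r->buffer;
    r->buffer = newbuf;
    r->buffer_size = new_size;
    r->avail = new_size;
    r->appl_ptr = r->hw_ptr = 0;
    ring_unlock(r);
    free(oldbuf);
    return 0;
}

/* Invariant every writer relies on: both indices lie inside the buffer. */
bool ring_indices_in_bounds(const struct ring *r)
{
    return r->appl_ptr < r->buffer_size && r->hw_ptr < r->buffer_size;
}

/* Scenario: fill 50 of 64 slots, shrink to 32, report whether the indices
 * are still valid afterwards (constructed input, no real MIDI data). */
bool shrink_keeps_indices_valid(bool use_safe_resize)
{
    struct ring r;
    char data[50];
    bool ok;

    for (size_t i = 0; i < sizeof data; i++)
        data[i] = (char)i;
    if (ring_init(&r, 64))
        return false;
    ring_write(&r, data, sizeof data);
    if (use_safe_resize ? ring_resize_safe(&r, 32) : ring_resize_unsafe(&r, 32)) {
        ring_destroy(&r);
        return false;
    }
    ok = ring_indices_in_bounds(&r);
    ring_destroy(&r);
    return ok;
}
```

`shrink_keeps_indices_valid(false)` returns false because the stale `appl_ptr` (50) now points past a 32-slot buffer; the same scenario with the safe resize returns true. The model deliberately does not perform the out-of-bounds write after the unsafe shrink, since that would be undefined behaviour in userspace rather than a demonstration.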