Received: by 2002:a25:4158:0:0:0:0:0 with SMTP id o85csp849232yba; Wed, 24 Apr 2019 10:34:56 -0700 (PDT) X-Google-Smtp-Source: APXvYqy3bBwS0W7qivY0LUWoXnb1SU0BqWojAgUP8B7zF0NWcZf3A8vwr5xFglWi9YUoQiUHDF/0 X-Received: by 2002:a17:902:4165:: with SMTP id e92mr34178020pld.10.1556127296149; Wed, 24 Apr 2019 10:34:56 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1556127296; cv=none; d=google.com; s=arc-20160816; b=YXQW+uMpYkOumrlWhyHMjcEQ9kQl2Ij9XeZd8DQQFIly/5g21Bo2OJd5lInRqCsz4Z jPa970+XP4Ynjktd95+EZQn7esY8ZJ3C+VVabKAfFE/PrB2CQtcdM49Eg5KeSFSH2Cc6 fgsulR1LIPXjy352GFIy++6l+c4XaUAqDIVt3FTbf/MCp7MBCEZD2KTxm7i0NNyQcSFQ 33CSOntqa3yilocGwS5o4UgAkVzqwKSJ0yLwFaO2CcnVcaLW47P1tr9Qf+Et9jyezJQ5 cyHDSuJ4Zu0LbeJAcXdZ19jZUaMDfPsK4KHByLqfT8w/hBevBQDvHYjz1qoayt2JnnX+ NNLQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=6qWb9+9uFMgYS1H5GTKOnsacNG0DAZC09GgA3pK3H+c=; b=ypvTT0VrmDQNRWU5uCLV1SlmG5Nh1e9G+ULIf83bptA/aDUF+65h0WihUAiLtz8fOr f8BHKvW57iFJcnHX/n4GImz6CbSlA8mhzM66bDU61h4rsvI8LdbBoxVIFXCRUeEaxRsp ouu3aQdYtZbCBSH8AJr4luC/Q+ki2nnyDvA0gxG6hcQvpLSkvq9xTur593+IZrLrBfcv oOX+151EFn1rCWbWA5Sp1GboK25Awt7YUcDyKXus4xsPBo4A1yHz5fFY0IhPC/vsWez1 voqSCHOSPsxqeFwJsIqgvVh2msMb/Ni8k3IQYl0TmLo0A+QHHH82b1tuTlu3PJ1FsyN9 0Ctg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=bQktRK8P; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id m21si17668642pgv.453.2019.04.24.10.34.40; Wed, 24 Apr 2019 10:34:56 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=bQktRK8P; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2390048AbfDXRdI (ORCPT + 99 others); Wed, 24 Apr 2019 13:33:08 -0400 Received: from mail.kernel.org ([198.145.29.99]:59978 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2391231AbfDXRdG (ORCPT ); Wed, 24 Apr 2019 13:33:06 -0400 Received: from localhost (62-193-50-229.as16211.net [62.193.50.229]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id E15C421906; Wed, 24 Apr 2019 17:33:04 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1556127185; bh=Z6PeYcYC9ZRi6YMHrIEHW26rZfHvdXYkip5E8n3YpPM=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=bQktRK8PTNSxNZCjUl8b+qD/nwtqRYuC91mCeoL1ujnsIVCef5URIL1/A65MSspFZ eaktUIBWiJM+2Pwt53UF8/xwjg/cyQrutuU81MkX6y/VRiPhGFmNG3xQ7NM7C72gNI zehPsdCEB7m3yGNEKN5cC7QdPtf5KqTfDdTWaOf0= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, syzbot+48df349490c36f9f54ab@syzkaller.appspotmail.com, Takashi Iwai Subject: [PATCH 4.19 92/96] ALSA: info: Fix racy addition/deletion of nodes Date: Wed, 24 Apr 2019 19:10:37 +0200 Message-Id: <20190424170926.040661163@linuxfoundation.org> X-Mailer: git-send-email 2.21.0 In-Reply-To: <20190424170919.829037226@linuxfoundation.org> References: <20190424170919.829037226@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Takashi Iwai commit 8c2f870890fd28e023b0fcf49dcee333f2c8bad7 upstream. The ALSA proc helper manages the child nodes in a linked list, but its addition and deletion is done without any lock. This leads to a corruption if they are operated concurrently. Usually this isn't a problem because the proc entries are added sequentially in the driver probe procedure itself. But the card registrations are done often asynchronously, and the crash could be actually reproduced with syzkaller. This patch papers over it by protecting the link addition and deletion with the parent's mutex. There is "access" mutex that is used for the file access, and this can be reused for this purpose as well. Reported-by: syzbot+48df349490c36f9f54ab@syzkaller.appspotmail.com Cc: Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman --- sound/core/info.c | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) --- a/sound/core/info.c +++ b/sound/core/info.c @@ -722,8 +722,11 @@ snd_info_create_entry(const char *name, INIT_LIST_HEAD(&entry->children); INIT_LIST_HEAD(&entry->list); entry->parent = parent; - if (parent) + if (parent) { + mutex_lock(&parent->access); list_add_tail(&entry->list, &parent->children); + mutex_unlock(&parent->access); + } return entry; } @@ -805,7 +808,12 @@ void snd_info_free_entry(struct snd_info list_for_each_entry_safe(p, n, &entry->children, list) snd_info_free_entry(p); - list_del(&entry->list); + p = entry->parent; + if (p) { + mutex_lock(&p->access); + list_del(&entry->list); + mutex_unlock(&p->access); + } kfree(entry->name); if (entry->private_free) entry->private_free(entry);