From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, syzbot+48df349490c36f9f54ab@syzkaller.appspotmail.com, Takashi Iwai
Subject: [PATCH 4.14 64/70] ALSA: info: Fix racy addition/deletion of nodes
Date: Wed, 24 Apr 2019 19:10:24 +0200
Message-Id: <20190424170918.853432386@linuxfoundation.org>
In-Reply-To: <20190424170906.751869122@linuxfoundation.org>
References: <20190424170906.751869122@linuxfoundation.org>

From: Takashi Iwai

commit 8c2f870890fd28e023b0fcf49dcee333f2c8bad7 upstream.

The ALSA proc helper manages the child nodes in a linked list, but its addition and deletion is done without any lock. This leads to a corruption if they are operated concurrently. Usually this isn't a problem because the proc entries are added sequentially in the driver probe procedure itself. But the card registrations are done often asynchronously, and the crash could be actually reproduced with syzkaller.

This patch papers over it by protecting the link addition and deletion with the parent's mutex. There is "access" mutex that is used for the file access, and this can be reused for this purpose as well.

Reported-by: syzbot+48df349490c36f9f54ab@syzkaller.appspotmail.com
Cc:
Signed-off-by: Takashi Iwai
Signed-off-by: Greg Kroah-Hartman
---
 sound/core/info.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

--- a/sound/core/info.c +++ b/sound/core/info.c @@ -722,8 +722,11 @@ snd_info_create_entry(const char *name, INIT_LIST_HEAD(&entry->children); INIT_LIST_HEAD(&entry->list); entry->parent = parent; - if (parent) + if (parent) { + mutex_lock(&parent->access); list_add_tail(&entry->list, &parent->children); + mutex_unlock(&parent->access); + } return entry; } 
@@ -805,7 +808,12 @@ void snd_info_free_entry(struct snd_info list_for_each_entry_safe(p, n, &entry->children, list) snd_info_free_entry(p); - list_del(&entry->list); + p = entry->parent; + if (p) { + mutex_lock(&p->access); + list_del(&entry->list); + mutex_unlock(&p->access); + } kfree(entry->name); if (entry->private_free) entry->private_free(entry);
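
Review bot: In the snd_info_create_entry() hunk, nothing records that parent->access now protects parent->children in addition to the file access the commit message describes. A short comment at the mutex_lock(&parent->access) site, or at the declaration of the access field, stating that it also serializes additions to and removals from the children list would keep later code that touches the list from skipping the lock. Because the same mutex is shared with file access, it is also worth noting there that entry creation can now wait behind whoever holds the parent's access mutex.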
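
Review bot: In the snd_info_free_entry() hunk, the list_for_each_entry_safe(p, n, &entry->children, list) walk at the top still runs without entry->access held, while each recursive call takes that same mutex only around its own list_del(). A concurrent snd_info_create_entry() that adds a child under the entry being freed can therefore still change the list during the walk, and taking the lock around the loop as written would deadlock against the recursive call. Either detach the children under the lock before freeing them, or add a comment that callers must guarantee no child is created under an entry while it is being freed. Separately, p is the loop cursor and is then reassigned to entry->parent; a dedicated variable for the parent would read more clearly. Since list_del(&entry->list) is now skipped when entry->parent is NULL, a one-line comment confirming that parentless entries are never linked through entry->list would document that this change in behaviour is intended.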