From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, syzbot+48df349490c36f9f54ab@syzkaller.appspotmail.com, Takashi Iwai
Subject: [PATCH 5.0 114/115] ALSA: info: Fix racy addition/deletion of nodes
Date: Wed, 24 Apr 2019 19:10:50 +0200
Message-Id: <20190424170931.320177910@linuxfoundation.org>
In-Reply-To: <20190424170924.797924502@linuxfoundation.org>
References: <20190424170924.797924502@linuxfoundation.org>

From: Takashi Iwai

commit 8c2f870890fd28e023b0fcf49dcee333f2c8bad7 upstream.

The ALSA proc helper manages the child nodes in a linked list, but its addition and deletion is done without any lock. This leads to a corruption if they are operated concurrently.

Usually this isn't a problem because the proc entries are added sequentially in the driver probe procedure itself. But the card registrations are done often asynchronously, and the crash could be actually reproduced with syzkaller.

This patch papers over it by protecting the link addition and deletion with the parent's mutex. There is "access" mutex that is used for the file access, and this can be reused for this purpose as well.

Reported-by: syzbot+48df349490c36f9f54ab@syzkaller.appspotmail.com
Cc:
Signed-off-by: Takashi Iwai
Signed-off-by: Greg Kroah-Hartman
---
 sound/core/info.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

--- a/sound/core/info.c
+++ b/sound/core/info.c
@@ -722,8 +722,11 @@ snd_info_create_entry(const char *name, INIT_LIST_HEAD(&entry->children); INIT_LIST_HEAD(&entry->list); entry->parent = parent; - if (parent) + if (parent) { + mutex_lock(&parent->access); list_add_tail(&entry->list, &parent->children); + mutex_unlock(&parent->access); + } return entry; } @@ -805,7 +808,12 @@ void snd_info_free_entry(struct snd_info list_for_each_entry_safe(p, n, &entry->children, list) snd_info_free_entry(p); - list_del(&entry->list); + p = entry->parent; + if (p) { + mutex_lock(&p->access); + list_del(&entry->list); + mutex_unlock(&p->access); + } kfree(entry->name); if (entry->private_free) entry->private_free(entry);
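Review bot: In the first hunk (snd_info_create_entry), the new mutex_lock(&parent->access) around list_add_tail() gives the access mutex a second role that its name does not suggest: per the commit message it is the file-access lock, and from here on it also serializes changes to parent->children. A short comment at this lock site, or at the field, saying that access also protects the children list would keep a later caller from adding to or walking the list without it. Also note that entry->parent is assigned before the lock is taken; that is fine only if nothing can reach the new entry until it is on the list, which is worth stating if it is the intended invariant.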
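Review bot: In the second hunk (snd_info_free_entry), the list_for_each_entry_safe() walk over entry->children in the context lines still runs without entry->access, so only the list_del() of each child is serialized against a concurrent list_add_tail() from snd_info_create_entry(); the iterator's saved next pointer is not. Holding entry->access across the loop would deadlock, because each recursive call takes p->access on that same entry, so either document that no child may be added to an entry once it is being freed, or detach the children under the lock once and free them afterwards. Separately, reusing the loop cursor p for entry->parent obscures which object's lock is held; a dedicated local such as parent would read better.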