From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, syzbot+1a54a94bd32716796edd@syzkaller.appspotmail.com, syzbot+9d2abfef257f3e2d4713@syzkaller.appspotmail.com, Hillf Danton, Takashi Iwai
Subject: [PATCH 5.8 11/38] ALSA: seq: oss: Serialize ioctls
Date: Mon, 10 Aug 2020 17:19:01 +0200
Message-Id: <20200810151804.447913452@linuxfoundation.org>
X-Mailer: git-send-email 2.28.0
In-Reply-To: <20200810151803.920113428@linuxfoundation.org>
References: <20200810151803.920113428@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

From: Takashi Iwai

commit 80982c7e834e5d4e325b6ce33757012ecafdf0bb upstream.

Some ioctls via OSS sequencer API may race and lead to UAF when the port create and delete are performed concurrently, as spotted by a couple of syzkaller cases. This patch is an attempt to address it by serializing the ioctls with the existing register_mutex.

Basically OSS sequencer API is an obsoleted interface and was designed without much consideration of the concurrency. There are very few applications with it, and the concurrent performance isn't asked, hence this "big hammer" approach should be good enough.

Reported-by: syzbot+1a54a94bd32716796edd@syzkaller.appspotmail.com
Reported-by: syzbot+9d2abfef257f3e2d4713@syzkaller.appspotmail.com
Suggested-by: Hillf Danton
Cc:
Link: https://lore.kernel.org/r/20200804185815.2453-1-tiwai@suse.de
Signed-off-by: Takashi Iwai
Signed-off-by: Greg Kroah-Hartman

--- sound/core/seq/oss/seq_oss.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) --- a/sound/core/seq/oss/seq_oss.c +++ b/sound/core/seq/oss/seq_oss.c
@@ -168,10 +168,16 @@ static long odev_ioctl(struct file *file, unsigned int cmd, unsigned long arg) { struct seq_oss_devinfo *dp; + long rc; + dp = file->private_data; if (snd_BUG_ON(!dp)) return -ENXIO; - return snd_seq_oss_ioctl(dp, cmd, arg); + + mutex_lock(®ister_mutex); + rc = snd_seq_oss_ioctl(dp, cmd, arg); + mutex_unlock(®ister_mutex); + return rc; } #ifdef CONFIG_COMPAT
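
Review bot: The mutex_lock() added in odev_ioctl needs a comment saying what register_mutex now protects, because the lock that the commit message calls "existing" takes on a second role here (serializing every OSS sequencer ioctl against port create and delete) and nothing in the code records that. Kernel mutexes are not recursive, so any path reached from snd_seq_oss_ioctl() that takes register_mutex itself would now deadlock. The comment should state that handlers below this call run with register_mutex held and must not acquire it. The changelog should also confirm that no ioctl handler does so today. Since the lock is taken with the uninterruptible mutex_lock(), an ioctl that sleeps for long inside snd_seq_oss_ioctl() will stall every other caller waiting on register_mutex with no way to signal them out. The commit message accepts the serialization cost, but it is worth saying whether any handler can block indefinitely. Finally, the trailing context shows a CONFIG_COMPAT section immediately after this function. Please confirm the compat ioctl entry point goes through odev_ioctl rather than calling snd_seq_oss_ioctl() directly, otherwise that path stays unserialized.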