From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, syzbot+ddc1260a83ed1cbf6fb5@syzkaller.appspotmail.com, Takashi Iwai
Subject: [PATCH 5.10 045/131] ALSA: seq: Fix race of snd_seq_timer_open()
Date: Mon, 14 Jun 2021 12:26:46 +0200
Message-Id: <20210614102654.554684925@linuxfoundation.org>
X-Mailer: git-send-email 2.32.0
In-Reply-To: <20210614102652.964395392@linuxfoundation.org>
References: <20210614102652.964395392@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

From: Takashi Iwai

commit 83e197a8414c0ba545e7e3916ce05f836f349273 upstream.

The timer instance per queue is exclusive, and snd_seq_timer_open() should have managed the concurrent accesses. It looks as if it's checking the already existing timer instance at the beginning, but it's not right, because there is no protection, hence any later concurrent call of snd_seq_timer_open() may override the timer instance easily. This may result in UAF, as the leftover timer instance can keep running while the queue itself gets closed, as spotted by syzkaller recently.

For avoiding the race, add a proper check at the assignment of tmr->timeri again, and return -EBUSY if it's been already registered.

Reported-by: syzbot+ddc1260a83ed1cbf6fb5@syzkaller.appspotmail.com
Cc:
Link: https://lore.kernel.org/r/000000000000dce34f05c42f110c@google.com
Link: https://lore.kernel.org/r/20210610152059.24633-1-tiwai@suse.de
Signed-off-by: Takashi Iwai
Signed-off-by: Greg Kroah-Hartman
---
 sound/core/seq/seq_timer.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

--- a/sound/core/seq/seq_timer.c
+++ b/sound/core/seq/seq_timer.c
@@ -297,8 +297,16 @@ int snd_seq_timer_open(struct snd_seq_qu return err; } spin_lock_irq(&tmr->lock); - tmr->timeri = t; + if (tmr->timeri) + err = -EBUSY; + else + tmr->timeri = t; spin_unlock_irq(&tmr->lock); + if (err < 0) { + snd_timer_close(t); + snd_timer_instance_free(t); + return err; + } return 0; }
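Review bot: the new `if (err < 0)` test after `spin_unlock_irq(&tmr->lock)` only works because `err` still holds the non-negative result of the earlier `snd_timer_open()` call when the locked section is reached (the `return err;` in the leading context returns on every failure before this point), so the -EBUSY path silently depends on a value assigned further up the function; setting `err = 0;` explicitly before `spin_lock_irq(&tmr->lock);`, or using a dedicated local for the busy result, would make the intent clear and keep a later refactor of the open path from turning this into a spurious close/free of a valid instance. The close-then-free ordering on the busy path is correct here, since `snd_timer_open()` has already succeeded for `t` by the time the check runs, and the check under the lock (rather than the unlocked one at the top of the function that the commit message describes) is the one that actually closes the race.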