From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Jaroslav Kysela, Takashi Iwai
Subject: [PATCH 5.17 14/39] ALSA: pcm: Fix races among concurrent prealloc proc writes
Date: Fri, 25 Mar 2022 16:14:29 +0100
Message-Id: <20220325150420.652238669@linuxfoundation.org>
In-Reply-To: <20220325150420.245733653@linuxfoundation.org>
References: <20220325150420.245733653@linuxfoundation.org>

From: Takashi Iwai

commit 69534c48ba8ce552ce383b3dfdb271ffe51820c3 upstream.

We have no protection against concurrent PCM buffer preallocation
changes via proc files, and it may potentially lead to UAF or some
weird problem.

This patch applies the PCM open_mutex to the proc write operation for
avoiding the racy proc writes and the PCM stream open (and further
operations).

Cc:
Reviewed-by: Jaroslav Kysela
Link: https://lore.kernel.org/r/20220322170720.3529-5-tiwai@suse.de
Signed-off-by: Takashi Iwai
Signed-off-by: Greg Kroah-Hartman
---
 sound/core/pcm_memory.c | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

--- a/sound/core/pcm_memory.c +++ b/sound/core/pcm_memory.c
@@ -163,19 +163,20 @@ static void snd_pcm_lib_preallocate_proc size_t size; struct snd_dma_buffer new_dmab; + mutex_lock(&substream->pcm->open_mutex); if (substream->runtime) { buffer->error = -EBUSY; - return; + goto unlock; } if (!snd_info_get_line(buffer, line, sizeof(line))) { snd_info_get_str(str, line, sizeof(str)); size = simple_strtoul(str, NULL, 10) * 1024; if ((size != 0 && size < 8192) || size > substream->dma_max) { buffer->error = -EINVAL; - return; + goto unlock; } if (substream->dma_buffer.bytes == size) - return; + goto unlock; memset(&new_dmab, 0, sizeof(new_dmab)); new_dmab.dev = substream->dma_buffer.dev; if (size > 0) { @@ -189,7 +190,7 @@ static void snd_pcm_lib_preallocate_proc substream->pcm->card->number, substream->pcm->device, substream->stream ? 'c' : 'p', substream->number, substream->pcm->name, size); - return; + goto unlock; } substream->buffer_bytes_max = size; } else { @@ -201,6 +202,8 @@ static void snd_pcm_lib_preallocate_proc } else { buffer->error = -EINVAL; } + unlock: + mutex_unlock(&substream->pcm->open_mutex); } static inline void preallocate_info_init(struct snd_pcm_substream *substream)
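Review bot: in the first hunk (@@ -163,19 +163,20), the `if (substream->runtime)` test placed right after `mutex_lock(&substream->pcm->open_mutex);` only closes the race if every path that sets `substream->runtime` or replaces `substream->dma_buffer` holds the same mutex, and nothing in the visible lines documents that. A one-line comment above the `mutex_lock()` stating what `open_mutex` protects in this function would keep a later refactor from moving the check back outside the lock. Separately, in the unchanged context, `size = simple_strtoul(str, NULL, 10) * 1024;` can wrap before the range check against `substream->dma_max`; the wrapped value is still bounded by that check, but an out-of-range input is silently mapped to a different size instead of being rejected with -EINVAL.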
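Review bot: in the last hunk (@@ -201,6 +202,8), the single `unlock:` exit is correct only if no bare `return;` survives in the lines between the hunks that the diff does not show; the four `return;` lines converted to `goto unlock;` match the 4 deletions in the diffstat, so please confirm against the full function that none remains, since a missed one would leave `open_mutex` held and block every later open of the PCM. The lock is also held from function entry to the label, so everything under the `if (size > 0)` branch runs with opens blocked; a note in the commit message or a comment that this serialization is intended would help.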