From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Jaroslav Kysela, Takashi Iwai
Subject: [PATCH 5.15 16/37] ALSA: pcm: Fix races among concurrent prealloc proc writes
Date: Fri, 25 Mar 2022 16:14:17 +0100
Message-Id: <20220325150420.398181124@linuxfoundation.org>
In-Reply-To: <20220325150419.931802116@linuxfoundation.org>
References: <20220325150419.931802116@linuxfoundation.org>

From: Takashi Iwai

commit 69534c48ba8ce552ce383b3dfdb271ffe51820c3 upstream.

We have no protection against concurrent PCM buffer preallocation
changes via proc files, and it may potentially lead to UAF or some
weird problem. This patch applies the PCM open_mutex to the proc
write operation for avoiding the racy proc writes and the PCM stream
open (and further operations).

Cc:
Reviewed-by: Jaroslav Kysela
Link: https://lore.kernel.org/r/20220322170720.3529-5-tiwai@suse.de
Signed-off-by: Takashi Iwai
Signed-off-by: Greg Kroah-Hartman
---
 sound/core/pcm_memory.c | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

--- a/sound/core/pcm_memory.c +++ b/sound/core/pcm_memory.c
@@ -158,19 +158,20 @@ static void snd_pcm_lib_preallocate_proc size_t size; struct snd_dma_buffer new_dmab; + mutex_lock(&substream->pcm->open_mutex); if (substream->runtime) { buffer->error = -EBUSY; - return; + goto unlock; } if (!snd_info_get_line(buffer, line, sizeof(line))) { snd_info_get_str(str, line, sizeof(str)); size = simple_strtoul(str, NULL, 10) * 1024; if ((size != 0 && size < 8192) || size > substream->dma_max) { buffer->error = -EINVAL; - return; + goto unlock; } if (substream->dma_buffer.bytes == size) - return; + goto unlock; memset(&new_dmab, 0, sizeof(new_dmab)); new_dmab.dev = substream->dma_buffer.dev; if (size > 0) { @@ -183,7 +184,7 @@ static void snd_pcm_lib_preallocate_proc substream->pcm->card->number, substream->pcm->device, substream->stream ? 'c' : 'p', substream->number, substream->pcm->name, size); - return; + goto unlock; } substream->buffer_bytes_max = size; } else { @@ -195,6 +196,8 @@ static void snd_pcm_lib_preallocate_proc } else { buffer->error = -EINVAL; } + unlock: + mutex_unlock(&substream->pcm->open_mutex); } static inline void preallocate_info_init(struct snd_pcm_substream *substream)
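
Review bot: In the first hunk (@@ -158,19), the new mutex_lock(&substream->pcm->open_mutex) carries no comment saying what it serialises, and the changelog only says "UAF or some weird problem". As placed, the lock covers the substream->runtime check and everything after it, including the new_dmab setup under "if (size > 0)", so that work runs with open_mutex held and PCM opens on this device wait behind a proc write. Suggest a one-line comment above the lock stating that it keeps the runtime check and the dma_buffer replacement atomic against PCM open, and a changelog sentence naming which object the use-after-free concerns.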
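
Review bot: In the last hunk (@@ -195,6), mutex_unlock() at the "unlock:" label is the only release, so any bare "return" left in the lines between the hunks, which this diff does not show, would exit with open_mutex held. The diffstat (4 deletions) matches the four visible return-to-goto conversions; confirm against the full function that none remain. mutex_lock() is also not recursive, so check that nothing reaches this proc write handler with open_mutex already taken.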