From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Greg Kroah-Hartman, Jaroslav Kysela, Takashi Iwai, Ovidiu Panait
Subject: [PATCH 5.4 45/52] ALSA: pcm: Fix races among concurrent prealloc proc writes
Date: Tue, 10 May 2022 15:08:14 +0200
Message-Id: <20220510130731.171954555@linuxfoundation.org>
In-Reply-To: <20220510130729.852544477@linuxfoundation.org>
References: <20220510130729.852544477@linuxfoundation.org>

From: Takashi Iwai

commit 69534c48ba8ce552ce383b3dfdb271ffe51820c3 upstream.

We have no protection against concurrent PCM buffer preallocation
changes via proc files, and it may potentially lead to UAF or some
weird problem. This patch applies the PCM open_mutex to the proc
write operation for avoiding the racy proc writes and the PCM stream
open (and further operations).

Cc:
Reviewed-by: Jaroslav Kysela
Link: https://lore.kernel.org/r/20220322170720.3529-5-tiwai@suse.de
Signed-off-by: Takashi Iwai
[OP: backport to 5.4: adjusted context]
Signed-off-by: Ovidiu Panait
Signed-off-by: Greg Kroah-Hartman
---
 sound/core/pcm_memory.c | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

--- a/sound/core/pcm_memory.c +++ b/sound/core/pcm_memory.c
@@ -133,19 +133,20 @@ static void snd_pcm_lib_preallocate_proc size_t size; struct snd_dma_buffer new_dmab; + mutex_lock(&substream->pcm->open_mutex); if (substream->runtime) { buffer->error = -EBUSY; - return; + goto unlock; } if (!snd_info_get_line(buffer, line, sizeof(line))) { snd_info_get_str(str, line, sizeof(str)); size = simple_strtoul(str, NULL, 10) * 1024; if ((size != 0 && size < 8192) || size > substream->dma_max) { buffer->error = -EINVAL; - return; + goto unlock; } if (substream->dma_buffer.bytes == size) - return; + goto unlock; memset(&new_dmab, 0, sizeof(new_dmab)); new_dmab.dev = substream->dma_buffer.dev; if (size > 0) { @@ -153,7 +154,7 @@ static void snd_pcm_lib_preallocate_proc substream->dma_buffer.dev.dev, size, &new_dmab) < 0) { buffer->error = -ENOMEM; - return; + goto unlock; } substream->buffer_bytes_max = size; } else { @@ -165,6 +166,8 @@ static void snd_pcm_lib_preallocate_proc } else { buffer->error = -EINVAL; } + unlock: + mutex_unlock(&substream->pcm->open_mutex); } static inline void preallocate_info_init(struct snd_pcm_substream *substream)
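
Review bot: The `if (substream->runtime)` check at the top of the first hunk (@@ -133,19 +133,20 @@) is only race-free if every path that sets or clears `substream->runtime` also holds `pcm->open_mutex`, and nothing in the visible lines documents that. Since this is a backport with adjusted context, confirm that this holds in the 5.4 open and release paths, and add a short comment above `mutex_lock(&substream->pcm->open_mutex);` saying the mutex serializes the runtime check and the `substream->dma_buffer` replacement against stream open and other proc writers.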
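
Review bot: The `unlock:` label in the last hunk (@@ -165,6 +166,8 @@) releases `open_mutex` only for paths that reach it, and about five lines of the function between the second and third hunks are not shown in this diff. The four `return;` statements converted to `goto unlock;` are all that is visible; check that the unshown lines contain no remaining `return`, since one would leave the mutex held and block every later open of this PCM.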