From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Greg Kroah-Hartman, Jaroslav Kysela, Takashi Iwai, Ovidiu Panait
Subject: [PATCH 4.14 12/14] ALSA: pcm: Fix races among concurrent prealloc proc writes
Date: Fri, 13 May 2022 16:23:28 +0200
Message-Id: <20220513142227.746603027@linuxfoundation.org>
In-Reply-To: <20220513142227.381154244@linuxfoundation.org>
References: <20220513142227.381154244@linuxfoundation.org>

From: Takashi Iwai

commit 69534c48ba8ce552ce383b3dfdb271ffe51820c3 upstream.

We have no protection against concurrent PCM buffer preallocation
changes via proc files, and it may potentially lead to UAF or some
weird problem.  This patch applies the PCM open_mutex to the proc
write operation for avoiding the racy proc writes and the PCM stream
open (and further operations).

Cc:
Reviewed-by: Jaroslav Kysela
Link: https://lore.kernel.org/r/20220322170720.3529-5-tiwai@suse.de
Signed-off-by: Takashi Iwai
[OP: backport to 4.14: adjusted context]
Signed-off-by: Ovidiu Panait
Signed-off-by: Greg Kroah-Hartman --- sound/core/pcm_memory.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) --- a/sound/core/pcm_memory.c +++ b/sound/core/pcm_memory.c @@ -160,19 +160,20 @@ static void snd_pcm_lib_preallocate_proc size_t size; struct snd_dma_buffer new_dmab; + mutex_lock(&substream->pcm->open_mutex); if (substream->runtime) { buffer->error = -EBUSY; - return; + goto unlock; } if (!snd_info_get_line(buffer, line, sizeof(line))) { snd_info_get_str(str, line, sizeof(str)); size = simple_strtoul(str, NULL, 10) * 1024; if ((size != 0 && size < 8192) || size > substream->dma_max) { buffer->error = -EINVAL; - return; + goto unlock; } if (substream->dma_buffer.bytes == size) - return; + goto unlock; memset(&new_dmab, 0, sizeof(new_dmab)); new_dmab.dev = substream->dma_buffer.dev; if (size > 0) { @@ -180,7 +181,7 @@ static void snd_pcm_lib_preallocate_proc substream->dma_buffer.dev.dev, size, &new_dmab) < 0) { buffer->error = -ENOMEM; - return; + goto unlock; } substream->buffer_bytes_max = size; } else { @@ -192,6 +193,8 @@ static void snd_pcm_lib_preallocate_proc } else { buffer->error = -EINVAL; } + unlock: + mutex_unlock(&substream->pcm->open_mutex); } static inline void preallocate_info_init(struct snd_pcm_substream *substream)
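
Review bot: The `mutex_lock(&substream->pcm->open_mutex);` added at the top of the first hunk (@@ -160,19 +160,20) has no comment saying what it serialises. The `substream->runtime` check that follows is only race-free if the open path sets `runtime` under the same mutex, which the commit message states but the code does not. A one-line comment above the lock naming both the concurrent proc writes and the PCM stream open would keep a later refactor from dropping or narrowing it.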
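
Review bot: In the second hunk (@@ -180,7 +181,7) the allocation whose failure sets `buffer->error = -ENOMEM` now runs with `open_mutex` held, so a slow preallocation delays any PCM stream open that waits on the same mutex. That is a reasonable cost for a proc write, but the changelog should say that holding the mutex across the allocation is intended, since the alternative of allocating first and locking only around the buffer swap would leave the `substream->runtime` check racy again.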
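
Review bot: The `unlock:` label added in the last hunk (@@ -192,6 +193,8) is the only exit that calls `mutex_unlock(&substream->pcm->open_mutex)`, so any `return` left in the lines between the hunks would leave the function with the mutex held. The four `return;` to `goto unlock;` conversions match the diffstat's 4 deletions, but because this is a backport with adjusted context, the 4.14 function body outside the visible hunks should be checked for a remaining early return before this is applied.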