From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Greg Kroah-Hartman, Jaroslav Kysela, Takashi Iwai, Ovidiu Panait
Subject: [PATCH 4.19 11/15] ALSA: pcm: Fix races among concurrent prealloc proc writes
Date: Fri, 13 May 2022 16:23:33 +0200
Message-Id: <20220513142228.230689107@linuxfoundation.org>

From: Takashi Iwai

commit 69534c48ba8ce552ce383b3dfdb271ffe51820c3 upstream.

We have no protection against concurrent PCM buffer preallocation
changes via proc files, and it may potentially lead to UAF or some
weird problem.  This patch applies the PCM open_mutex to the proc
write operation for avoiding the racy proc writes and the PCM stream
open (and further operations).

Cc:
Reviewed-by: Jaroslav Kysela
Link: https://lore.kernel.org/r/20220322170720.3529-5-tiwai@suse.de
Signed-off-by: Takashi Iwai
[OP: backport to 4.19: adjusted context]
Signed-off-by: Ovidiu Panait
Signed-off-by: Greg Kroah-Hartman
---
 sound/core/pcm_memory.c | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

--- a/sound/core/pcm_memory.c
+++ b/sound/core/pcm_memory.c @@ -160,19 +160,20 @@ static void snd_pcm_lib_preallocate_proc size_t size; struct snd_dma_buffer new_dmab; + mutex_lock(&substream->pcm->open_mutex); if (substream->runtime) { buffer->error = -EBUSY; - return; + goto unlock; } if (!snd_info_get_line(buffer, line, sizeof(line))) { snd_info_get_str(str, line, sizeof(str)); size = simple_strtoul(str, NULL, 10) * 1024; if ((size != 0 && size < 8192) || size > substream->dma_max) { buffer->error = -EINVAL; - return; + goto unlock; } if (substream->dma_buffer.bytes == size) - return; + goto unlock; memset(&new_dmab, 0, sizeof(new_dmab)); new_dmab.dev = substream->dma_buffer.dev; if (size > 0) { @@ -180,7 +181,7 @@ static void snd_pcm_lib_preallocate_proc substream->dma_buffer.dev.dev, size, &new_dmab) < 0) { buffer->error = -ENOMEM; - return; + goto unlock; } substream->buffer_bytes_max = size; } else { @@ -192,6 +193,8 @@ static void snd_pcm_lib_preallocate_proc } else { buffer->error = -EINVAL; } + unlock: + mutex_unlock(&substream->pcm->open_mutex); } static inline void preallocate_info_init(struct snd_pcm_substream *substream)
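
Review bot: In the first hunk (@@ -160,19 +160,20 @@), the new `mutex_lock(&substream->pcm->open_mutex);` makes the `if (substream->runtime)` check race-free only if the open path sets `substream->runtime` under the same `open_mutex`, and nothing in this diff shows that. A one-line comment above the lock naming what it serializes against (stream open and other proc writers, per the commit message) would make that dependency explicit for anyone touching either side later.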
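
Review bot: In the second hunk (@@ -180,7 +181,7 @@), the allocation whose failure path becomes `goto unlock` (the call ending in `size, &new_dmab) < 0`) now runs with `open_mutex` held. The size is bounded by `substream->dma_max` from the check in the previous hunk, but a slow allocation will still block opens on this PCM until it returns. That trade-off is reasonable for a proc write, but it is worth stating in the commit message so it is a documented choice.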
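
Review bot: In the third hunk (@@ -192,6 +193,8 @@), the `unlock:` label is reached by fall-through from the success path and from the `buffer->error = -EINVAL;` branch, but the lines between this hunk and the previous one are not shown, and any `return` left there would exit with `open_mutex` held. The diffstat's 4 deletions match the four `return;` lines converted in the visible hunks, so please confirm against the 4.19 source that the function has no other early exit after the backport's context adjustment.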