Date: Thu, 21 Sep 2023 15:29:27 +0200
Message-ID: <87il83zmbs.wl-tiwai@suse.de>
From: Takashi Iwai
To: Ma Ke
Cc: perex@perex.cz, tiwai@suse.com, Liam.Howlett@Oracle.com, rppt@kernel.org, mgorman@techsingularity.net, mhocko@suse.com, surenb@google.com, alsa-devel@alsa-project.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH v2] ALSA: pcm: oss: Fix race at SNDCTL_DSP_SETTRIGGER
In-Reply-To: <20230921064258.3582115-1-make_ruc2021@163.com>
References: <20230921064258.3582115-1-make_ruc2021@163.com>

On Thu, 21 Sep 2023 08:42:58 +0200, Ma Ke wrote:
> 
> There is a small race window at snd_pcm_oss_set_trigger() that is
> called from OSS PCM SNDCTL_DSP_SETTRIGGER ioctl; namely the function
> calls snd_pcm_oss_make_ready() at first, then takes the params_lock
> mutex for the rest. When the stream is set up again by another thread
> between them, it leads to inconsistency, and may result in unexpected
> results such as NULL dereference of OSS buffer as a fuzzer spotted
> recently.
> The fix is simply to cover snd_pcm_oss_make_ready() call into the same
> params_lock mutex with snd_pcm_oss_make_ready_locked() variant.
> 
> Signed-off-by: Ma Ke
> ---
>  sound/core/oss/pcm_oss.c | 18 ++++++++----------
>  1 file changed, 8 insertions(+), 10 deletions(-)
> 
> diff --git a/sound/core/oss/pcm_oss.c b/sound/core/oss/pcm_oss.c
> index 728c211142d1..f6340a2fe52b 100644
> --- a/sound/core/oss/pcm_oss.c
> +++ b/sound/core/oss/pcm_oss.c
> @@ -2083,21 +2083,15 @@ static int snd_pcm_oss_set_trigger(struct snd_pcm_oss_file *pcm_oss_file, int tr
>  	psubstream = pcm_oss_file->streams[SNDRV_PCM_STREAM_PLAYBACK];
>  	csubstream = pcm_oss_file->streams[SNDRV_PCM_STREAM_CAPTURE];
>  
> -	if (psubstream) {
> -		err = snd_pcm_oss_make_ready(psubstream);
> -		if (err < 0)
> -			return err;
> -	}
> -	if (csubstream) {
> -		err = snd_pcm_oss_make_ready(csubstream);
> -		if (err < 0)
> -			return err;
> -	}
>  	if (psubstream) {
>  		runtime = psubstream->runtime;
>  		cmd = 0;
>  		if (mutex_lock_interruptible(&runtime->oss.params_lock))
>  			return -ERESTARTSYS;
> +		err = snd_pcm_oss_make_ready_locked(psubstream);
> +		if (err < 0)
> +			mutex_unlock(&runtime->oss.params_lock);
> +			return err;

This breaks totally; you missed braces...
(Ditto for another place).


Takashi

>  		if (trigger & PCM_ENABLE_OUTPUT) {
>  			if (runtime->oss.trigger)
>  				goto _skip1;
> @@ -2128,6 +2122,10 @@ static int snd_pcm_oss_set_trigger(struct snd_pcm_oss_file *pcm_oss_file, int tr
>  		cmd = 0;
>  		if (mutex_lock_interruptible(&runtime->oss.params_lock))
>  			return -ERESTARTSYS;
> +		err = snd_pcm_oss_make_ready_locked(csubstream);
> +		if (err < 0)
> +			mutex_unlock(&runtime->oss.params_lock);
> +			return err;
>  		if (trigger & PCM_ENABLE_INPUT) {
>  			if (runtime->oss.trigger)
>  				goto _skip2;
> -- 
> 2.37.2
> 
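Review bot: in the @@ -2083,21 +2083,15 @@ hunk the `if (err < 0)` after the new `snd_pcm_oss_make_ready_locked(psubstream)` call has no braces, so only `mutex_unlock(&runtime->oss.params_lock);` is conditional and `return err;` executes on every path: when make_ready succeeds the ioctl returns 0 with `runtime->oss.params_lock` still held and never reaches the `if (trigger & PCM_ENABLE_OUTPUT)` handling below. Wrap both statements: `if (err < 0) {` / `mutex_unlock(&runtime->oss.params_lock);` / `return err;` / `}`. Kernel coding style requires the braces for a multi-statement body anyway, and the indentation as posted hides the bug (gcc's -Wmisleading-indentation, part of -Wall, would flag exactly this).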
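Review bot: the @@ -2128,6 +2122,10 @@ hunk repeats the same missing braces on the capture side, so on success `set_trigger` returns 0 holding `csubstream->runtime->oss.params_lock` and skips the `PCM_ENABLE_INPUT` handling; add the braces around `mutex_unlock(...)` and `return err;` here too. Note also that with the playback hunk returning unconditionally, this capture path is never reached whenever a playback substream exists, so testing a duplex OSS file would not exercise it. Moving the capture `make_ready` under its own lock after the playback block completes (rather than readying both streams up front, as the removed code did) looks intended, since each substream has its own `params_lock`; a sentence in the commit message saying so would help.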
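As an added illustration (not code from this thread, from Ma Ke's patch or from the kernel), the following C model reproduces the two behaviours under discussion: the make-ready-then-lock window described in the commit message, and what the brace-less `if (err < 0)` in the v2 hunks actually does. `struct oss_runtime`, the counter-based stand-in for the mutex, `make_ready_locked()`, `drop_buffer()` and the `set_trigger_*` functions are assumed names that mirror only the shape of the quoted hunks.

```c
/*
 * Model of the locking in snd_pcm_oss_set_trigger() as discussed in this
 * thread. Added illustration, not kernel code: struct oss_runtime, the
 * int-counter "mutex", make_ready_locked() and the set_trigger_* functions
 * are assumptions that mirror the shape of the quoted hunks, nothing more.
 */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

struct oss_runtime {
	int params_lock;       /* 0 = free, >0 = held; stands in for the mutex */
	char *buffer;          /* OSS buffer, NULL until the stream is made ready */
	int trigger;           /* state the ioctl is supposed to update */
	int make_ready_fails;  /* test knob: make make_ready_locked() fail */
};

static char fake_buffer[16];

static void lock(struct oss_runtime *rt)   { rt->params_lock++; }
static void unlock(struct oss_runtime *rt) { rt->params_lock--; }

/* Stand-in for snd_pcm_oss_make_ready_locked(): caller holds params_lock. */
static int make_ready_locked(struct oss_runtime *rt)
{
	if (rt->make_ready_fails)
		return -EINVAL;
	if (!rt->buffer)
		rt->buffer = fake_buffer;
	return 0;
}

/* Another thread tearing the stream down and dropping its buffer. */
void drop_buffer(struct oss_runtime *rt) { rt->buffer = NULL; }

/* Pre-patch shape: make ready first, take params_lock afterwards. `intruder`
 * models another thread re-setting up the stream inside that window. */
int set_trigger_prepatch(struct oss_runtime *rt, int trigger,
			 void (*intruder)(struct oss_runtime *))
{
	int err = make_ready_locked(rt);	/* called without the lock here */
	if (err < 0)
		return err;
	if (intruder)
		intruder(rt);			/* the race window */
	lock(rt);
	if (!rt->buffer) {			/* the kernel would dereference NULL */
		unlock(rt);
		return -EFAULT;
	}
	rt->buffer[0] = 1;
	rt->trigger = trigger;
	unlock(rt);
	return 0;
}

/* The v2 hunk as posted: no braces, so only the unlock is conditional and
 * `return err` runs unconditionally. On success that returns 0 with
 * params_lock still held and the trigger never applied. */
int set_trigger_as_posted(struct oss_runtime *rt, int trigger)
{
	int err;

	lock(rt);
	err = make_ready_locked(rt);
	if (err < 0)
		unlock(rt);
		return err;	/* not inside the if, whatever the indentation says */
	rt->buffer[0] = 1;	/* unreachable */
	rt->trigger = trigger;
	unlock(rt);
	return 0;
}

/* The same hunk with the braces the review asks for. */
int set_trigger_fixed(struct oss_runtime *rt, int trigger)
{
	int err;

	lock(rt);
	err = make_ready_locked(rt);
	if (err < 0) {
		unlock(rt);
		return err;
	}
	rt->buffer[0] = 1;
	rt->trigger = trigger;
	unlock(rt);
	return 0;
}

int main(void)
{
	struct oss_runtime a = {0}, b = {0}, c = {0};
	int ra = set_trigger_prepatch(&a, 1, drop_buffer);
	int rb = set_trigger_as_posted(&b, 1);
	int rc = set_trigger_fixed(&c, 1);

	printf("pre-patch, intruder in window: ret=%d\n", ra);
	printf("as posted: ret=%d lock_held=%d trigger=%d\n", rb, b.params_lock, b.trigger);
	printf("fixed:     ret=%d lock_held=%d trigger=%d\n", rc, c.params_lock, c.trigger);
	return 0;
}
```

The model is single-threaded on purpose: the `intruder` hook stands in for the other thread, and it can only be slotted in where the pre-patch code really does drop the lock between the two steps. In the fixed shape there is no such slot, which is the whole point of `snd_pcm_oss_make_ready_locked()`; the braces are what keep the fix from turning into a lock leak.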