Date: Fri, 06 Oct 2023 10:35:56 +0200
Message-ID: <87zg0ww3kj.wl-tiwai@suse.de>
From: Takashi Iwai
To: Ma Ke
Cc: perex@perex.cz, tiwai@suse.com, mhocko@suse.com, mgorman@techsingularity.net, 42.hyeyoo@gmail.com, surenb@google.com, alsa-devel@alsa-project.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH v3] ALSA: pcm: oss: Fix race at SNDCTL_DSP_SETTRIGGER
In-Reply-To: <20230921135837.3590897-1-make_ruc2021@163.com>
References: <20230921135837.3590897-1-make_ruc2021@163.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, 21 Sep 2023 15:58:37 +0200,
Ma Ke wrote:
>
> There is a small race window at snd_pcm_oss_set_trigger() that is
> called from the OSS PCM SNDCTL_DSP_SETTRIGGER ioctl; namely, the function
> calls snd_pcm_oss_make_ready() at first, then takes the params_lock
> mutex for the rest. When the stream is set up again by another thread
> between them, it leads to inconsistency, and may result in unexpected
> results such as a NULL dereference of the OSS buffer, as a fuzzer spotted
> recently.
> The fix is simply to cover the snd_pcm_oss_make_ready() call under the same
> params_lock mutex, using the snd_pcm_oss_make_ready_locked() variant.

Sorry for the late response, as I've been (still) off since last week.

The code change itself looks OK, but unlike the change (with an almost
identical changelog) in commit 8423f0b6d513, this won't hit a serious
problem like a NULL dereference.
The code path merely sets the runtime->oss.trigger and start_threshold
flags, then issues the ioctl outside the lock. Unless you really hit a
problem with a fuzzer, the changelog is misleading and should be rewritten.

thanks,

Takashi

>
> Signed-off-by: Ma Ke
> ---
> sound/core/oss/pcm_oss.c | 20 ++++++++++----------
> 1 file changed, 10 insertions(+), 10 deletions(-)
>
> diff --git a/sound/core/oss/pcm_oss.c b/sound/core/oss/pcm_oss.c
> index 728c211142d1..fd9d23c3684b 100644
> --- a/sound/core/oss/pcm_oss.c
> +++ b/sound/core/oss/pcm_oss.c
> @@ -2083,21 +2083,16 @@ static int snd_pcm_oss_set_trigger(struct snd_pcm_oss_file *pcm_oss_file, int tr
> psubstream = pcm_oss_file->streams[SNDRV_PCM_STREAM_PLAYBACK];
> csubstream = pcm_oss_file->streams[SNDRV_PCM_STREAM_CAPTURE];
>
> - if (psubstream) {
> - err = snd_pcm_oss_make_ready(psubstream);
> - if (err < 0)
> - return err;
> - }
> - if (csubstream) {
> - err = snd_pcm_oss_make_ready(csubstream);
> - if (err < 0)
> - return err;
> - }
> if (psubstream) {
> runtime = psubstream->runtime;
> cmd = 0;
> if (mutex_lock_interruptible(&runtime->oss.params_lock))
> return -ERESTARTSYS;
> + err = snd_pcm_oss_make_ready_locked(psubstream);
> + if (err < 0) {
> + mutex_unlock(&runtime->oss.params_lock);
> + return err;
> + }
> if (trigger & PCM_ENABLE_OUTPUT) {
> if (runtime->oss.trigger)
> goto _skip1;
> @@ -2128,6 +2123,11 @@ static int snd_pcm_oss_set_trigger(struct snd_pcm_oss_file *pcm_oss_file, int tr
> cmd = 0;
> if (mutex_lock_interruptible(&runtime->oss.params_lock))
> return -ERESTARTSYS;
> + err = snd_pcm_oss_make_ready_locked(csubstream);
> + if (err < 0) {
> + mutex_unlock(&runtime->oss.params_lock);
> + return err;
> + }
> if (trigger & PCM_ENABLE_INPUT) {
> if (runtime->oss.trigger)
> goto _skip2;
> --
> 2.37.2
>
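Review bot: in the first hunk (playback, @@ -2083,21 +2083,16 @@) the new error path after snd_pcm_oss_make_ready_locked() correctly pairs mutex_unlock(&runtime->oss.params_lock) with the mutex_lock_interruptible() taken three lines earlier, and the removed block is exactly the pre-lock make_ready() pair the changelog names as the window. What the hunk leaves implicit is that snd_pcm_oss_make_ready_locked() is an already existing helper that expects params_lock to be held; the diffstat shows only this file with 10 insertions and none of them define it. The commit message should say it reuses the existing _locked variant rather than sounding as if it introduces one.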
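Review bot: the second hunk (capture, @@ -2128,6 +2123,11 @@) changes ordering, not only locking. Before the patch both snd_pcm_oss_make_ready() calls completed before either trigger was touched, so a capture setup failure returned without modifying playback state; after the patch the playback block above has already run to completion, and a failure here returns after the playback trigger may already have been issued. If that is acceptable because the two streams are handled independently, say so in the changelog; otherwise the combined fail-before-any-side-effect behaviour needs to be kept. The mutex_unlock() on the error path itself is correct and mirrors the playback hunk.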
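The window the changelog describes, as an added user-space model that is not the ALSA code and comes from neither the patch author nor the reviewer. The names oss_stream, oss_reparametrize, set_trigger_racy and set_trigger_fixed are invented for the illustration; the mutex is a plain flag with lockdep-style assertions, and the competing thread is an explicit callback so the interleaving is deterministic rather than scheduler-dependent. It contrasts the pre-patch shape (make ready, drop the lock, re-take it, act) with the post-patch shape (make ready and act under one acquisition).

```c
/* Added example, not ALSA code: model of "prepare outside the lock, act
 * under it" versus "prepare and act under one acquisition".  All names
 * are invented; the lock is a flag checked like lockdep_assert_held(). */
#include <assert.h>
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

struct oss_stream {
    bool lock_held;     /* models runtime->oss.params_lock */
    char *buffer;       /* intermediate OSS buffer, NULL until set up */
    bool prepared;      /* true once the stream has been made ready */
    int trigger;
};

static void params_lock(struct oss_stream *s)   { assert(!s->lock_held); s->lock_held = true; }
static void params_unlock(struct oss_stream *s) { assert(s->lock_held);  s->lock_held = false; }

/* The other thread: re-parameterizes the stream, which drops the old buffer. */
static void oss_reparametrize(struct oss_stream *s)
{
    params_lock(s);
    free(s->buffer);
    s->buffer = NULL;
    s->prepared = false;
    params_unlock(s);
}

/* Caller must hold params_lock (the _locked convention used in the patch). */
static int oss_make_ready_locked(struct oss_stream *s)
{
    assert(s->lock_held);
    if (s->prepared)
        return 0;
    if (!s->buffer && !(s->buffer = calloc(1, 4096)))
        return -ENOMEM;
    s->prepared = true;
    return 0;
}

/* Unlocked wrapper: whatever it established can be undone once it returns. */
static int oss_make_ready(struct oss_stream *s)
{
    params_lock(s);
    int err = oss_make_ready_locked(s);
    params_unlock(s);
    return err;
}

/* The real driver would dereference the buffer here; the model reports
 * stale state as -EINVAL instead of touching a NULL pointer. */
static int oss_apply_trigger_locked(struct oss_stream *s, int trigger)
{
    assert(s->lock_held);
    if (!s->prepared || !s->buffer)
        return -EINVAL;
    s->buffer[0] = (char)trigger;
    s->trigger = trigger;
    return 0;
}

/* Pre-patch shape: readiness established, lock dropped, lock re-taken.
 * 'interleave' stands for the other thread running in that gap. */
static int set_trigger_racy(struct oss_stream *s, int trigger,
                            void (*interleave)(struct oss_stream *))
{
    int err = oss_make_ready(s);
    if (err < 0)
        return err;
    if (interleave)
        interleave(s);      /* params_lock is not held here */
    params_lock(s);
    err = oss_apply_trigger_locked(s, trigger);
    params_unlock(s);
    return err;
}

/* Post-patch shape: make_ready and trigger share one lock acquisition, so
 * anything the other thread did beforehand is observed and repaired. */
static int set_trigger_fixed(struct oss_stream *s, int trigger,
                             void (*interleave)(struct oss_stream *))
{
    if (interleave)
        interleave(s);      /* can only run before we take the lock */
    params_lock(s);
    int err = oss_make_ready_locked(s);
    if (err < 0) {
        params_unlock(s);
        return err;
    }
    err = oss_apply_trigger_locked(s, trigger);
    params_unlock(s);
    return err;
}

/* Returns the applied trigger value on success, or the negative error. */
static int run_demo(bool use_fixed, bool contended)
{
    struct oss_stream s = { false, NULL, false, 0 };
    void (*other)(struct oss_stream *) = contended ? oss_reparametrize : NULL;
    int err = use_fixed ? set_trigger_fixed(&s, 1, other)
                        : set_trigger_racy(&s, 1, other);
    free(s.buffer);
    return err < 0 ? err : s.trigger;
}

int main(void)
{
    printf("racy, uncontended: %d\n", run_demo(false, false));
    printf("racy, contended:   %d\n", run_demo(false, true));
    printf("fixed, contended:  %d\n", run_demo(true, true));
    return 0;
}
```

The uncontended racy run succeeds, which is why the window is easy to miss in testing; with the re-parameterization interleaved it fails, while the single-acquisition version re-establishes readiness under the same lock and succeeds. The assert() calls in the _locked helpers are the user-space stand-in for lockdep_assert_held() and would catch a caller that invokes them without the lock.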