From patchwork Tue May 9 14:42:42 2017
X-Patchwork-Submitter: Amit Pundir
X-Patchwork-Id: 98931
From: Amit Pundir
To: Greg KH
Cc: stable@vger.kernel.org, Takashi Iwai
Subject: [PATCH for-3.18 18/24] ALSA: timer: Fix race among timer ioctls
Date: Tue, 9 May 2017 20:12:42 +0530
Message-Id: <1494340968-17152-19-git-send-email-amit.pundir@linaro.org>
In-Reply-To: <1494340968-17152-1-git-send-email-amit.pundir@linaro.org>
References: <1494340968-17152-1-git-send-email-amit.pundir@linaro.org>

From: Takashi Iwai

commit af368027a49a751d6ff4ee9e3f9961f35bb4fede upstream.

ALSA timer ioctls have an open race and this may lead to a
use-after-free of timer instance object. A simplistic fix is to make
each ioctl exclusive. We have already tread_sem for controlling the
tread, and extend this as a global mutex to be applied to each ioctl.

The downside is, of course, the worse concurrency. But these ioctls
aren't to be parallel accessible, in anyway, so it should be fine to
serialize there.

Reported-by: Dmitry Vyukov
Tested-by: Dmitry Vyukov
Cc:
Signed-off-by: Takashi Iwai
Signed-off-by: Amit Pundir
---
 sound/core/timer.c | 32 +++++++++++++++++++-------------
 1 file changed, 19 insertions(+), 13 deletions(-)

-- 
2.7.4

diff --git a/sound/core/timer.c b/sound/core/timer.c index c9da76e05b3f..fa4ded0c2230 100644 --- a/sound/core/timer.c +++ b/sound/core/timer.c 
@@ -77,7 +77,7 @@ struct snd_timer_user { struct timespec tstamp; /* trigger tstamp */ wait_queue_head_t qchange_sleep; struct fasync_struct *fasync; - struct mutex tread_sem; + struct mutex ioctl_lock; }; /* list of timers */ @@ -1342,7 +1342,7 @@ static int snd_timer_user_open(struct inode *inode, struct file *file) return -ENOMEM; spin_lock_init(&tu->qlock); init_waitqueue_head(&tu->qchange_sleep); - mutex_init(&tu->tread_sem); + mutex_init(&tu->ioctl_lock); tu->ticks = 1; tu->queue_size = 128; tu->queue = kmalloc(tu->queue_size * sizeof(struct snd_timer_read), @@ -1362,8 +1362,10 @@ static int snd_timer_user_release(struct inode *inode, struct file *file) if (file->private_data) { tu = file->private_data; file->private_data = NULL; + mutex_lock(&tu->ioctl_lock); if (tu->timeri) snd_timer_close(tu->timeri); + mutex_unlock(&tu->ioctl_lock); kfree(tu->queue); kfree(tu->tqueue); kfree(tu); @@ -1601,7 +1603,6 @@ static int snd_timer_user_tselect(struct file *file, int err = 0; tu = file->private_data; - mutex_lock(&tu->tread_sem); if (tu->timeri) { snd_timer_close(tu->timeri); tu->timeri = NULL; @@ -1645,7 +1646,6 @@ static int snd_timer_user_tselect(struct file *file, } __err: - mutex_unlock(&tu->tread_sem); return err; } @@ -1861,7 +1861,7 @@ enum { SNDRV_TIMER_IOCTL_PAUSE_OLD = _IO('T', 0x23), }; -static long snd_timer_user_ioctl(struct file *file, unsigned int cmd, +static long __snd_timer_user_ioctl(struct file *file, unsigned int cmd, unsigned long arg) { struct snd_timer_user *tu; @@ -1878,17 +1878,11 @@ static long snd_timer_user_ioctl(struct file *file, unsigned int cmd, { int xarg; - mutex_lock(&tu->tread_sem); - if (tu->timeri) { /* too late */ - mutex_unlock(&tu->tread_sem); + if (tu->timeri) /* too late */ return -EBUSY; - } - if (get_user(xarg, p)) { - mutex_unlock(&tu->tread_sem); + if (get_user(xarg, p)) return -EFAULT; - } tu->tread = xarg ? 1 : 0; - mutex_unlock(&tu->tread_sem); return 0; } case SNDRV_TIMER_IOCTL_GINFO: 
@@ -1921,6 +1915,18 @@ static long snd_timer_user_ioctl(struct file *file, unsigned int cmd, return -ENOTTY; } +static long snd_timer_user_ioctl(struct file *file, unsigned int cmd, + unsigned long arg) +{ + struct snd_timer_user *tu = file->private_data; + long ret; + + mutex_lock(&tu->ioctl_lock); + ret = __snd_timer_user_ioctl(file, cmd, arg); + mutex_unlock(&tu->ioctl_lock); + return ret; +} + static int snd_timer_user_fasync(int fd, struct file * file, int on) { struct snd_timer_user *tu;
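
Review bot: the renamed member in struct snd_timer_user (hunk at -77) carries no comment saying what ioctl_lock now covers. The old name tread_sem described its narrow scope; after this patch the mutex guards every ioctl and the snd_timer_close() call in release, so a short comment on the member stating that scope would keep later changes from treating it as a tread-only lock.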
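
Review bot: in snd_timer_user_release (hunk at -1362) the new mutex_lock/mutex_unlock pair covers only snd_timer_close(tu->timeri), while kfree(tu->queue), kfree(tu->tqueue) and kfree(tu) run after the unlock, and the mutex lives inside the tu object being freed. That is safe only because release runs once the last reference to the file is gone, so no ioctl can still hold or be waiting on ioctl_lock; a one-line comment saying so would make the ordering reviewable without that background.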
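
Review bot: snd_timer_user_tselect (hunks at -1601 and -1645) no longer takes any lock itself and is correct only when its caller already holds tu->ioctl_lock, but nothing in the function states that. Add a comment to that effect, or a lockdep_assert_held(&tu->ioctl_lock) at the top, so that a future direct caller does not bring back an unlocked snd_timer_close(tu->timeri).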
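
Review bot: the new snd_timer_user_ioctl wrapper (hunk at +1915) and the release path are the only places this patch takes ioctl_lock, so any other entry point that reaches tu->timeri or the tread setting stays unserialized against the ioctls. Worth confirming before merging that the compat ioctl handler and the read and poll paths either go through this wrapper or do not touch state the ioctls change; any that do need the same mutex_lock(&tu->ioctl_lock) and mutex_unlock(&tu->ioctl_lock) pair.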