Commit 623e5c8a authored by Takashi Iwai's avatar Takashi Iwai Committed by Greg Kroah-Hartman

ALSA: seq: Make ioctls race-free

commit b3defb79 upstream.

The ALSA sequencer ioctls have no protection against racy calls while
the concurrent operations may lead to interfere with each other.  As
reported recently, for example, the concurrent calls of setting client
pool with a combination of write calls may lead to either the
unkillable dead-lock or UAF.

As a slightly big hammer solution, this patch introduces the mutex to
make each ioctl exclusive.  Although this may reduce performance via
parallel ioctl calls, usually it's not demanded for sequencer usages,
hence it should be negligible.
Reported-by: default avatarLuo Quan <a4651386@163.com>
Reviewed-by: default avatarKees Cook <keescook@chromium.org>
Reviewed-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
[bwh: Backported to 4.4: ioctl dispatch is done from snd_seq_do_ioctl();
 take the mutex and add ret variable there.]
Signed-off-by: default avatarBen Hutchings <ben.hutchings@codethink.co.uk>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
parent 145ebf95
...@@ -236,6 +236,7 @@ static struct snd_seq_client *seq_create_client1(int client_index, int poolsize) ...@@ -236,6 +236,7 @@ static struct snd_seq_client *seq_create_client1(int client_index, int poolsize)
rwlock_init(&client->ports_lock); rwlock_init(&client->ports_lock);
mutex_init(&client->ports_mutex); mutex_init(&client->ports_mutex);
INIT_LIST_HEAD(&client->ports_list_head); INIT_LIST_HEAD(&client->ports_list_head);
mutex_init(&client->ioctl_mutex);
/* find free slot in the client table */ /* find free slot in the client table */
spin_lock_irqsave(&clients_lock, flags); spin_lock_irqsave(&clients_lock, flags);
...@@ -2195,6 +2196,7 @@ static int snd_seq_do_ioctl(struct snd_seq_client *client, unsigned int cmd, ...@@ -2195,6 +2196,7 @@ static int snd_seq_do_ioctl(struct snd_seq_client *client, unsigned int cmd,
void __user *arg) void __user *arg)
{ {
struct seq_ioctl_table *p; struct seq_ioctl_table *p;
int ret;
switch (cmd) { switch (cmd) {
case SNDRV_SEQ_IOCTL_PVERSION: case SNDRV_SEQ_IOCTL_PVERSION:
...@@ -2208,8 +2210,12 @@ static int snd_seq_do_ioctl(struct snd_seq_client *client, unsigned int cmd, ...@@ -2208,8 +2210,12 @@ static int snd_seq_do_ioctl(struct snd_seq_client *client, unsigned int cmd,
if (! arg) if (! arg)
return -EFAULT; return -EFAULT;
for (p = ioctl_tables; p->cmd; p++) { for (p = ioctl_tables; p->cmd; p++) {
if (p->cmd == cmd) if (p->cmd == cmd) {
return p->func(client, arg); mutex_lock(&client->ioctl_mutex);
ret = p->func(client, arg);
mutex_unlock(&client->ioctl_mutex);
return ret;
}
} }
pr_debug("ALSA: seq unknown ioctl() 0x%x (type='%c', number=0x%02x)\n", pr_debug("ALSA: seq unknown ioctl() 0x%x (type='%c', number=0x%02x)\n",
cmd, _IOC_TYPE(cmd), _IOC_NR(cmd)); cmd, _IOC_TYPE(cmd), _IOC_NR(cmd));
......
...@@ -59,6 +59,7 @@ struct snd_seq_client { ...@@ -59,6 +59,7 @@ struct snd_seq_client {
struct list_head ports_list_head; struct list_head ports_list_head;
rwlock_t ports_lock; rwlock_t ports_lock;
struct mutex ports_mutex; struct mutex ports_mutex;
struct mutex ioctl_mutex;
int convert32; /* convert 32->64bit */ int convert32; /* convert 32->64bit */
/* output pool */ /* output pool */
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment