diff options
| author | Takashi Iwai <tiwai@suse.de> | 2018-01-09 17:11:03 -0500 |
|---|---|---|
| committer | Takashi Iwai <tiwai@suse.de> | 2018-01-11 08:37:51 -0500 |
| commit | b3defb791b26ea0683a93a4f49c77ec45ec96f10 (patch) | |
| tree | c9539c590735a52b90dac37d859d0e49c83d6f5e | |
| parent | 23b19b7b50fe1867da8d431eea9cd3e4b6328c2c (diff) | |
ALSA: seq: Make ioctls race-free
The ALSA sequencer ioctls have no protection against racy calls while
the concurrent operations may lead to interfere with each other. As
reported recently, for example, the concurrent calls of setting client
pool with a combination of write calls may lead to either the
unkillable dead-lock or UAF.
As a slightly big hammer solution, this patch introduces the mutex to
make each ioctl exclusive. Although this may reduce performance via
parallel ioctl calls, usually it's not demanded for sequencer usages,
hence it should be negligible.
Reported-by: Luo Quan <a4651386@163.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
| -rw-r--r-- | sound/core/seq/seq_clientmgr.c | 3 | ||||
| -rw-r--r-- | sound/core/seq/seq_clientmgr.h | 1 |
2 files changed, 4 insertions, 0 deletions
diff --git a/sound/core/seq/seq_clientmgr.c b/sound/core/seq/seq_clientmgr.c index 6e22eea72654..d01913404581 100644 --- a/sound/core/seq/seq_clientmgr.c +++ b/sound/core/seq/seq_clientmgr.c | |||
| @@ -221,6 +221,7 @@ static struct snd_seq_client *seq_create_client1(int client_index, int poolsize) | |||
| 221 | rwlock_init(&client->ports_lock); | 221 | rwlock_init(&client->ports_lock); |
| 222 | mutex_init(&client->ports_mutex); | 222 | mutex_init(&client->ports_mutex); |
| 223 | INIT_LIST_HEAD(&client->ports_list_head); | 223 | INIT_LIST_HEAD(&client->ports_list_head); |
| 224 | mutex_init(&client->ioctl_mutex); | ||
| 224 | 225 | ||
| 225 | /* find free slot in the client table */ | 226 | /* find free slot in the client table */ |
| 226 | spin_lock_irqsave(&clients_lock, flags); | 227 | spin_lock_irqsave(&clients_lock, flags); |
| @@ -2130,7 +2131,9 @@ static long snd_seq_ioctl(struct file *file, unsigned int cmd, | |||
| 2130 | return -EFAULT; | 2131 | return -EFAULT; |
| 2131 | } | 2132 | } |
| 2132 | 2133 | ||
| 2134 | mutex_lock(&client->ioctl_mutex); | ||
| 2133 | err = handler->func(client, &buf); | 2135 | err = handler->func(client, &buf); |
| 2136 | mutex_unlock(&client->ioctl_mutex); | ||
| 2134 | if (err >= 0) { | 2137 | if (err >= 0) { |
| 2135 | /* Some commands includes a bug in 'dir' field. */ | 2138 | /* Some commands includes a bug in 'dir' field. */ |
| 2136 | if (handler->cmd == SNDRV_SEQ_IOCTL_SET_QUEUE_CLIENT || | 2139 | if (handler->cmd == SNDRV_SEQ_IOCTL_SET_QUEUE_CLIENT || |
diff --git a/sound/core/seq/seq_clientmgr.h b/sound/core/seq/seq_clientmgr.h index c6614254ef8a..0611e1e0ed5b 100644 --- a/sound/core/seq/seq_clientmgr.h +++ b/sound/core/seq/seq_clientmgr.h | |||
| @@ -61,6 +61,7 @@ struct snd_seq_client { | |||
| 61 | struct list_head ports_list_head; | 61 | struct list_head ports_list_head; |
| 62 | rwlock_t ports_lock; | 62 | rwlock_t ports_lock; |
| 63 | struct mutex ports_mutex; | 63 | struct mutex ports_mutex; |
| 64 | struct mutex ioctl_mutex; | ||
| 64 | int convert32; /* convert 32->64bit */ | 65 | int convert32; /* convert 32->64bit */ |
| 65 | 66 | ||
| 66 | /* output pool */ | 67 | /* output pool */ |