This is a note to let you know that I've just added the patch titled
ALSA: mixer: oss: Fix racy access to slots
to the 4.4-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
alsa-mixer-oss-fix-racy-access-to-slots.patch
and it can be found in the queue-4.4 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.
>From 411cef6adfb38a5bb6bd9af3941b28198e7fb680 Mon Sep 17 00:00:00 2001
From: Takashi Iwai <tiwai@xxxxxxx>
Date: Wed, 20 Oct 2021 18:48:46 +0200
Subject: ALSA: mixer: oss: Fix racy access to slots
From: Takashi Iwai <tiwai@xxxxxxx>
commit 411cef6adfb38a5bb6bd9af3941b28198e7fb680 upstream.
The OSS mixer can reassign the mapping slots dynamically via proc
file. Although the addition and deletion of those slots are protected
by mixer->reg_mutex, the access to slots aren't, hence this may cause
UAF when the slots in use are deleted concurrently.
This patch applies the mixer->reg_mutex in all appropriate code paths
(i.e. the ioctl functions) that may access slots.
Reported-by: syzbot+9988f17cf72a1045a189@xxxxxxxxxxxxxxxxxxxxxxxxx
Reviewed-by: Jaroslav Kysela <perex@xxxxxxxx>
Cc: <stable@xxxxxxxxxxxxxxx>
Link: https://lore.kernel.org/r/00000000000036adc005ceca9175@xxxxxxxxxx
Link: https://lore.kernel.org/r/20211020164846.922-1-tiwai@xxxxxxx
Signed-off-by: Takashi Iwai <tiwai@xxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
sound/core/oss/mixer_oss.c | 43 +++++++++++++++++++++++++++++++++----------
1 file changed, 33 insertions(+), 10 deletions(-)
--- a/sound/core/oss/mixer_oss.c
+++ b/sound/core/oss/mixer_oss.c
@@ -144,11 +144,13 @@ static int snd_mixer_oss_devmask(struct
if (mixer == NULL)
return -EIO;
+ mutex_lock(&mixer->reg_mutex);
for (chn = 0; chn < 31; chn++) {
pslot = &mixer->slots[chn];
if (pslot->put_volume || pslot->put_recsrc)
result |= 1 << chn;
}
+ mutex_unlock(&mixer->reg_mutex);
return result;
}
@@ -160,11 +162,13 @@ static int snd_mixer_oss_stereodevs(stru
if (mixer == NULL)
return -EIO;
+ mutex_lock(&mixer->reg_mutex);
for (chn = 0; chn < 31; chn++) {
pslot = &mixer->slots[chn];
if (pslot->put_volume && pslot->stereo)
result |= 1 << chn;
}
+ mutex_unlock(&mixer->reg_mutex);
return result;
}
@@ -175,6 +179,7 @@ static int snd_mixer_oss_recmask(struct
if (mixer == NULL)
return -EIO;
+ mutex_lock(&mixer->reg_mutex);
if (mixer->put_recsrc && mixer->get_recsrc) { /* exclusive */
result = mixer->mask_recsrc;
} else {
@@ -186,6 +191,7 @@ static int snd_mixer_oss_recmask(struct
result |= 1 << chn;
}
}
+ mutex_unlock(&mixer->reg_mutex);
return result;
}
@@ -196,11 +202,12 @@ static int snd_mixer_oss_get_recsrc(stru
if (mixer == NULL)
return -EIO;
+ mutex_lock(&mixer->reg_mutex);
if (mixer->put_recsrc && mixer->get_recsrc) { /* exclusive */
- int err;
unsigned int index;
- if ((err = mixer->get_recsrc(fmixer, &index)) < 0)
- return err;
+ result = mixer->get_recsrc(fmixer, &index);
+ if (result < 0)
+ goto unlock;
result = 1 << index;
} else {
struct snd_mixer_oss_slot *pslot;
@@ -215,7 +222,10 @@ static int snd_mixer_oss_get_recsrc(stru
}
}
}
- return mixer->oss_recsrc = result;
+ mixer->oss_recsrc = result;
+ unlock:
+ mutex_unlock(&mixer->reg_mutex);
+ return result;
}
static int snd_mixer_oss_set_recsrc(struct snd_mixer_oss_file *fmixer, int recsrc)
@@ -228,6 +238,7 @@ static int snd_mixer_oss_set_recsrc(stru
if (mixer == NULL)
return -EIO;
+ mutex_lock(&mixer->reg_mutex);
if (mixer->get_recsrc && mixer->put_recsrc) { /* exclusive input */
if (recsrc & ~mixer->oss_recsrc)
recsrc &= ~mixer->oss_recsrc;
@@ -253,6 +264,7 @@ static int snd_mixer_oss_set_recsrc(stru
}
}
}
+ mutex_unlock(&mixer->reg_mutex);
return result;
}
@@ -264,6 +276,7 @@ static int snd_mixer_oss_get_volume(stru
if (mixer == NULL || slot > 30)
return -EIO;
+ mutex_lock(&mixer->reg_mutex);
pslot = &mixer->slots[slot];
left = pslot->volume[0];
right = pslot->volume[1];
@@ -271,15 +284,21 @@ static int snd_mixer_oss_get_volume(stru
result = pslot->get_volume(fmixer, pslot, &left, &right);
if (!pslot->stereo)
right = left;
- if (snd_BUG_ON(left < 0 || left > 100))
- return -EIO;
- if (snd_BUG_ON(right < 0 || right > 100))
- return -EIO;
+ if (snd_BUG_ON(left < 0 || left > 100)) {
+ result = -EIO;
+ goto unlock;
+ }
+ if (snd_BUG_ON(right < 0 || right > 100)) {
+ result = -EIO;
+ goto unlock;
+ }
if (result >= 0) {
pslot->volume[0] = left;
pslot->volume[1] = right;
result = (left & 0xff) | ((right & 0xff) << 8);
}
+ unlock:
+ mutex_unlock(&mixer->reg_mutex);
return result;
}
@@ -292,6 +311,7 @@ static int snd_mixer_oss_set_volume(stru
if (mixer == NULL || slot > 30)
return -EIO;
+ mutex_lock(&mixer->reg_mutex);
pslot = &mixer->slots[slot];
if (left > 100)
left = 100;
@@ -302,10 +322,13 @@ static int snd_mixer_oss_set_volume(stru
if (pslot->put_volume)
result = pslot->put_volume(fmixer, pslot, left, right);
if (result < 0)
- return result;
+ goto unlock;
pslot->volume[0] = left;
pslot->volume[1] = right;
- return (left & 0xff) | ((right & 0xff) << 8);
+ result = (left & 0xff) | ((right & 0xff) << 8);
+ unlock:
+ mutex_lock(&mixer->reg_mutex);
+ return result;
}
static int snd_mixer_oss_ioctl1(struct snd_mixer_oss_file *fmixer, unsigned int cmd, unsigned long arg)
Patches currently in stable-queue which might be from tiwai@xxxxxxx are
queue-4.4/input-i8042-add-quirk-for-fujitsu-lifebook-t725.patch
queue-4.4/alsa-ua101-fix-division-by-zero-at-probe.patch
queue-4.4/alsa-mixer-fix-deadlock-in-snd_mixer_oss_set_volume.patch
queue-4.4/alsa-line6-fix-control-and-interrupt-message-timeouts.patch
queue-4.4/alsa-timer-unconditionally-unlink-slave-instances-too.patch
queue-4.4/alsa-synth-missing-check-for-possible-null-after-the-call-to-kstrdup.patch
queue-4.4/alsa-mixer-oss-fix-racy-access-to-slots.patch
queue-4.4/alsa-timer-fix-use-after-free-problem.patch
queue-4.4/alsa-6fire-fix-control-and-bulk-message-timeouts.patch
