From: Takashi Iwai <tiwai@xxxxxxx> commit 69534c48ba8ce552ce383b3dfdb271ffe51820c3 upstream. We have no protection against concurrent PCM buffer preallocation changes via proc files, and it may potentially lead to UAF or some weird problem. This patch applies the PCM open_mutex to the proc write operation for avoiding the racy proc writes and the PCM stream open (and further operations). Cc: <stable@xxxxxxxxxxxxxxx> Reviewed-by: Jaroslav Kysela <perex@xxxxxxxx> Link: https://lore.kernel.org/r/20220322170720.3529-5-tiwai@xxxxxxx Signed-off-by: Takashi Iwai <tiwai@xxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- sound/core/pcm_memory.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) --- a/sound/core/pcm_memory.c +++ b/sound/core/pcm_memory.c @@ -164,19 +164,20 @@ static void snd_pcm_lib_preallocate_proc size_t size; struct snd_dma_buffer new_dmab; + mutex_lock(&substream->pcm->open_mutex); if (substream->runtime) { buffer->error = -EBUSY; - return; + goto unlock; } if (!snd_info_get_line(buffer, line, sizeof(line))) { snd_info_get_str(str, line, sizeof(str)); size = simple_strtoul(str, NULL, 10) * 1024; if ((size != 0 && size < 8192) || size > substream->dma_max) { buffer->error = -EINVAL; - return; + goto unlock; } if (substream->dma_buffer.bytes == size) - return; + goto unlock; memset(&new_dmab, 0, sizeof(new_dmab)); new_dmab.dev = substream->dma_buffer.dev; if (size > 0) { @@ -185,7 +186,7 @@ static void snd_pcm_lib_preallocate_proc substream->dma_buffer.dev.dev, size, &new_dmab) < 0) { buffer->error = -ENOMEM; - return; + goto unlock; } substream->buffer_bytes_max = size; } else { @@ -197,6 +198,8 @@ static void snd_pcm_lib_preallocate_proc } else { buffer->error = -EINVAL; } + unlock: + mutex_unlock(&substream->pcm->open_mutex); } static inline void preallocate_info_init(struct snd_pcm_substream *substream) Patches currently in stable-queue which might be from tiwai@xxxxxxx are queue-5.10/alsa-pcm-fix-races-among-concurrent-prepare-and-hw_params-hw_free-calls.patch queue-5.10/alsa-hda-realtek-add-quirk-for-clevo-np70pnj.patch queue-5.10/alsa-hda-realtek-add-quirk-for-asus-ga402.patch queue-5.10/alsa-cmipci-restore-aux-vol-on-suspend-resume.patch queue-5.10/alsa-pcm-fix-races-among-concurrent-prealloc-proc-writes.patch queue-5.10/asoc-sti-fix-deadlock-via-snd_pcm_stop_xrun-call.patch queue-5.10/alsa-usb-audio-add-mute-tlv-for-playback-volumes-on-rode-nt-usb.patch queue-5.10/alsa-oss-fix-pcm-oss-buffer-allocation-overflow.patch queue-5.10/alsa-pci-fix-reading-of-swapped-values-from-pcmreg-in-ac97-codec.patch queue-5.10/alsa-usb-audio-add-mapping-for-new-corsair-virtuoso-se.patch queue-5.10/alsa-hda-realtek-add-quirk-for-clevo-np50pnj.patch queue-5.10/alsa-pcm-fix-races-among-concurrent-hw_params-and-hw_free-calls.patch queue-5.10/alsa-pcm-add-stream-lock-during-pcm-reset-ioctl-operations.patch queue-5.10/alsa-pcm-fix-races-among-concurrent-read-write-and-buffer-changes.patch queue-5.10/alsa-hda-realtek-fix-headset-mic-problem-for-a-hp-machine-with-alc671.patch
