git.proxmox.com Git - mirror_ubuntu-bionic-kernel.git/commit

author	Takashi Iwai <tiwai@suse.de>
	Thu, 22 Nov 2018 13:36:17 +0000 (14:36 +0100)
committer	Sultan Alsawaf <sultan.alsawaf@canonical.com>
	Wed, 24 Jul 2019 15:44:58 +0000 (09:44 -0600)
commit	5d0f5489033505616896a01ca144b6ae08f8c098
tree	8e98c35b52b87d82005e230d85c47d256a4938c5	tree
parent	6991bdc622824d43d4be245ff466e1fe3b830527	commit \| diff

ALSA: control: Fix race between adding and removing a user element

BugLink: https://bugs.launchpad.net/bugs/1836968
commit e1a7bfe3807974e66f971f2589d4e0197ec0fced upstream.

The procedure for adding a user control element has some window opened
for race against the concurrent removal of a user element.  This was
caught by syzkaller, hitting a KASAN use-after-free error.

This patch addresses the bug by wrapping the whole procedure to add a
user control element with the card->controls_rwsem, instead of only
around the increment of card->user_ctl_count.

This required a slight code refactoring, too.  The function
snd_ctl_add() is split to two parts: a core function to add the
control element and a part calling it.  The former is called from the
function for adding a user control element inside the controls_rwsem.

One change to be noted is that snd_ctl_notify() for adding a control
element gets called inside the controls_rwsem as well while it was
called outside the rwsem.  But this should be OK, as snd_ctl_notify()
takes another (finer) rwlock instead of rwsem, and the call of
snd_ctl_notify() inside rwsem is already done in another code path.

Reported-by: syzbot+dc09047bce3820621ba2@syzkaller.appspotmail.com
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
Signed-off-by: Khalid Elmously <khalid.elmously@canonical.com>