git.proxmox.com Git - mirror_ubuntu-jammy-kernel.git/commit

author	Takashi Iwai <tiwai@suse.de>
	Tue, 22 Mar 2022 17:07:17 +0000 (18:07 +0100)
committer	Stefan Bader <stefan.bader@canonical.com>
	Fri, 20 May 2022 12:37:09 +0000 (14:37 +0200)
commit	c1ce6064c2159edb72194e516679d14dad403441
tree	04c0ed7462fd217dc12f1bd133eea7a360c03c5b	tree
parent	b0f78bbf4000ee4115518e85c9189faf43579b02	commit \| diff

ALSA: pcm: Fix races among concurrent hw_params and hw_free calls

BugLink: https://bugs.launchpad.net/bugs/1969106
commit 92ee3c60ec9fe64404dc035e7c41277d74aa26cb upstream.

Currently we have neither proper check nor protection against the
concurrent calls of PCM hw_params and hw_free ioctls, which may result
in a UAF. Since the existing PCM stream lock can't be used for
protecting the whole ioctl operations, we need a new mutex to protect
those racy calls.

This patch introduced a new mutex, runtime->buffer_mutex, and applies
it to both hw_params and hw_free ioctl code paths. Along with it, the
both functions are slightly modified (the mmap_count check is moved
into the state-check block) for code simplicity.

Reported-by: Hu Jiahui <kirin.say@gmail.com>
Cc: <stable@vger.kernel.org>
Reviewed-by: Jaroslav Kysela <perex@perex.cz>
Link: https://lore.kernel.org/r/20220322170720.3529-2-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 33061d0fba51d2bf70a2ef9645f703c33fe8e438)
Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com>

include/sound/pcm.h		diff \| blob \| blame \| history
sound/core/pcm.c		diff \| blob \| blame \| history
sound/core/pcm_native.c		diff \| blob \| blame \| history