ALSA: pcm: Fix races among concurrent read/write and buffer changes

stable inclusion from linux-4.19.243 commit b3830197aa7413c65767cf5a1aa8775c83f0dbf7 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I50WAS CVE: CVE-2022-1048 -------------------------------- commit dca947d4 upstream. In the current PCM design, the read/write syscalls (as well as the equivalent ioctls) are allowed before the PCM stream is running, that is, at PCM PREPARED state. Meanwhile, we also allow to re-issue hw_params and hw_free ioctl calls at the PREPARED state that may change or free the buffers, too. The problem is that there is no protection against those mix-ups. This patch applies the previously introduced runtime->buffer_mutex to the read/write operations so that the concurrent hw_params or hw_free call can no longer interfere during the operation. The mutex is unlocked before scheduling, so we don't take it too long. Cc: <stable@vger.kernel.org> Reviewed-by: N Jaroslav Kysela <perex@perex.cz> Link: https://lore.kernel.org/r/20220322170720.3529-3-tiwai@suse.deSigned-off-by: N Takashi Iwai <tiwai@suse.de> Signed-off-by: N Ovidiu Panait <ovidiu.panait@windriver.com> Signed-off-by: N Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: N Rui Xiang <rui.xiang@huawei.com> Reviewed-by: N zhangxiaoxu <zhangxiaoxu5@huawei.com> Reviewed-by: N Xiu Jianfeng <xiujianfeng@huawei.com> Signed-off-by: N Yongqiang Liu <liuyongqiang13@huawei.com>

ALSA: pcm: Fix races among concurrent read/write and buffer changes
stable inclusion from linux-4.19.243 commit b3830197aa7413c65767cf5a1aa8775c83f0dbf7 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I50WAS CVE: CVE-2022-1048 -------------------------------- commit dca947d4 upstream. In the current PCM design, the read/write syscalls (as well as the equivalent ioctls) are allowed before the PCM stream is running, that is, at PCM PREPARED state. Meanwhile, we also allow to re-issue hw_params and hw_free ioctl calls at the PREPARED state that may change or free the buffers, too. The problem is that there is no protection against those mix-ups. This patch applies the previously introduced runtime->buffer_mutex to the read/write operations so that the concurrent hw_params or hw_free call can no longer interfere during the operation. The mutex is unlocked before scheduling, so we don't take it too long. Cc: <stable@vger.kernel.org> Reviewed-by: N Jaroslav Kysela <perex@perex.cz> Link: https://lore.kernel.org/r/20220322170720.3529-3-tiwai@suse.deSigned-off-by: N Takashi Iwai <tiwai@suse.de> Signed-off-by: N Ovidiu Panait <ovidiu.panait@windriver.com> Signed-off-by: N Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: N Rui Xiang <rui.xiang@huawei.com> Reviewed-by: N zhangxiaoxu <zhangxiaoxu5@huawei.com> Reviewed-by: N Xiu Jianfeng <xiujianfeng@huawei.com> Signed-off-by: N Yongqiang Liu <liuyongqiang13@huawei.com>
9fdc9668 · Takashi Iwai · Yongqiang Liu · 450bee2d · 9fdc9668
隐藏空白更改
内联并排

Showing with 4 addition and 0 deletion

sound/core/pcm_lib.c sound/core/pcm_lib.c +4 -0

未找到文件。
--- a/sound/core/pcm_lib.c
+++ b/sound/core/pcm_lib.c
@@ -1875,9 +1875,11 @@ static int wait_for_avail(struct snd_pcm_substream *substream,
 		if (avail >= runtime->twake)
 			break;
 		snd_pcm_stream_unlock_irq(substream);
+		mutex_unlock(&runtime->buffer_mutex);
 		tout = schedule_timeout(wait_time);
+		mutex_lock(&runtime->buffer_mutex);
 		snd_pcm_stream_lock_irq(substream);
 		set_current_state(TASK_INTERRUPTIBLE);
 		switch (runtime->status->state) {
@@ -2171,6 +2173,7 @@ snd_pcm_sframes_t __snd_pcm_lib_xfer(struct snd_pcm_substream *substream,
 	nonblock = !!(substream->f_flags & O_NONBLOCK);
+	mutex_lock(&runtime->buffer_mutex);
 	snd_pcm_stream_lock_irq(substream);
 	err = pcm_accessible_state(runtime);
 	if (err < 0)
@@ -2253,6 +2256,7 @@ snd_pcm_sframes_t __snd_pcm_lib_xfer(struct snd_pcm_substream *substream,
 	if (xfer > 0 && err >= 0)
 		snd_pcm_update_state(substream, runtime);
 	snd_pcm_stream_unlock_irq(substream);
+	mutex_unlock(&runtime->buffer_mutex);
 	return xfer > 0 ? (snd_pcm_sframes_t)xfer : err;
 }
 EXPORT_SYMBOL(__snd_pcm_lib_xfer);