releases/5.0.10/alsa-info-fix-racy-addition-deletion-of-nodes.patch

   1 From 8c2f870890fd28e023b0fcf49dcee333f2c8bad7 Mon Sep 17 00:00:00 2001
   2 From: Takashi Iwai <tiwai@suse.de>
   3 Date: Tue, 16 Apr 2019 15:25:00 +0200
   4 Subject: ALSA: info: Fix racy addition/deletion of nodes
   5
   6 From: Takashi Iwai <tiwai@suse.de>
   7
   8 commit 8c2f870890fd28e023b0fcf49dcee333f2c8bad7 upstream.
   9
  10 The ALSA proc helper manages the child nodes in a linked list, but its
  11 addition and deletion is done without any lock.  This leads to a
  12 corruption if they are operated concurrently.  Usually this isn't a
  13 problem because the proc entries are added sequentially in the driver
  14 probe procedure itself.  But the card registrations are done often
  15 asynchronously, and the crash could be actually reproduced with
  16 syzkaller.
  17
  18 This patch papers over it by protecting the link addition and deletion
  19 with the parent's mutex.  There is "access" mutex that is used for the
  20 file access, and this can be reused for this purpose as well.
  21
  22 Reported-by: syzbot+48df349490c36f9f54ab@syzkaller.appspotmail.com
  23 Cc: <stable@vger.kernel.org>
  24 Signed-off-by: Takashi Iwai <tiwai@suse.de>
  25 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  26
  27 ---
  28  sound/core/info.c |   12 ++++++++++--
  29  1 file changed, 10 insertions(+), 2 deletions(-)
  30
  31 --- a/sound/core/info.c
  32 +++ b/sound/core/info.c
  33 @@ -722,8 +722,11 @@ snd_info_create_entry(const char *name,
  34         INIT_LIST_HEAD(&entry->children);
  35         INIT_LIST_HEAD(&entry->list);
  36         entry->parent = parent;
  37 -       if (parent)
  38 +       if (parent) {
  39 +               mutex_lock(&parent->access);
  40                 list_add_tail(&entry->list, &parent->children);
  41 +               mutex_unlock(&parent->access);
  42 +       }
  43         return entry;
  44  }
  45
  46 @@ -805,7 +808,12 @@ void snd_info_free_entry(struct snd_info
  47         list_for_each_entry_safe(p, n, &entry->children, list)
  48                 snd_info_free_entry(p);
  49
  50 -       list_del(&entry->list);
  51 +       p = entry->parent;
  52 +       if (p) {
  53 +               mutex_lock(&p->access);
  54 +               list_del(&entry->list);
  55 +               mutex_unlock(&p->access);
  56 +       }
  57         kfree(entry->name);
  58         if (entry->private_free)
  59                 entry->private_free(entry);