--- /dev/null
+From 7c32ae35fbf9cffb7aa3736f44dec10c944ca18e Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Fri, 12 Apr 2019 11:37:19 +0200
+Subject: ALSA: seq: Cover unsubscribe_port() in list_mutex
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 7c32ae35fbf9cffb7aa3736f44dec10c944ca18e upstream.
+
+The call of unsubscribe_port() which manages the group count and
+module refcount from delete_and_unsubscribe_port() looks racy; it's
+not covered by the group list lock, and it's likely a cause of the
+reported unbalance at port deletion. Let's move the call inside the
+group list_mutex to plug the hole.
+
+Reported-by: syzbot+e4c8abb920efa77bace9@syzkaller.appspotmail.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/core/seq/seq_ports.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/core/seq/seq_ports.c
++++ b/sound/core/seq/seq_ports.c
+@@ -550,10 +550,10 @@ static void delete_and_unsubscribe_port(
+ list_del_init(list);
+ grp->exclusive = 0;
+ write_unlock_irq(&grp->list_lock);
+- up_write(&grp->list_mutex);
+
+ if (!empty)
+ unsubscribe_port(client, port, grp, &subs->info, ack);
++ up_write(&grp->list_mutex);
+ }
+
+ /* connect two ports */
+++ /dev/null
-From 84680168bc86ac3e20854bcdf42343148cf5c292 Mon Sep 17 00:00:00 2001
-From: Takashi Iwai <tiwai@suse.de>
-Date: Tue, 9 Apr 2019 17:35:22 +0200
-Subject: ALSA: seq: Protect in-kernel ioctl calls with mutex
-
-[ Upstream commit feb689025fbb6f0aa6297d3ddf97de945ea4ad32 ]
-
-ALSA OSS sequencer calls the ioctl function indirectly via
-snd_seq_kernel_client_ctl(). While we already applied the protection
-against races between the normal ioctls and writes via the client's
-ioctl_mutex, this code path was left untouched. And this seems to be
-the cause of still remaining some rare UAF as spontaneously triggered
-by syzkaller.
-
-For the sake of robustness, wrap the ioctl_mutex also for the call via
-snd_seq_kernel_client_ctl(), too.
-
-Reported-by: syzbot+e4c8abb920efa77bace9@syzkaller.appspotmail.com
-Signed-off-by: Takashi Iwai <tiwai@suse.de>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- sound/core/seq/seq_clientmgr.c | 9 +++++++--
- 1 file changed, 7 insertions(+), 2 deletions(-)
-
-diff --git a/sound/core/seq/seq_clientmgr.c b/sound/core/seq/seq_clientmgr.c
-index b55cb96d1fed..40ae8f67efde 100644
---- a/sound/core/seq/seq_clientmgr.c
-+++ b/sound/core/seq/seq_clientmgr.c
-@@ -2343,14 +2343,19 @@ int snd_seq_kernel_client_ctl(int clientid, unsigned int cmd, void *arg)
- {
- const struct ioctl_handler *handler;
- struct snd_seq_client *client;
-+ int err;
-
- client = clientptr(clientid);
- if (client == NULL)
- return -ENXIO;
-
- for (handler = ioctl_handlers; handler->cmd > 0; ++handler) {
-- if (handler->cmd == cmd)
-- return handler->func(client, arg);
-+ if (handler->cmd == cmd) {
-+ mutex_lock(&client->ioctl_mutex);
-+ err = handler->func(client, arg);
-+ mutex_unlock(&client->ioctl_mutex);
-+ return err;
-+ }
- }
-
- pr_debug("ALSA: seq unknown ioctl() 0x%x (type='%c', number=0x%02x)\n",
---
-2.20.1
-
arm-dts-imx6qdl-specify-imx6qdl_clk_ipg-as-ipg-clock.patch
pci-rpadlpar-fix-leaked-device_node-references-in-ad.patch
drm-amd-display-use-plane-color_space-for-dpp-if-spe.patch
-alsa-seq-protect-in-kernel-ioctl-calls-with-mutex.patch
arm-omap2-pm33xx-core-do-not-turn-off-cefuse-as-ppa-.patch
platform-x86-intel_pmc_ipc-adding-error-handling.patch
power-supply-max14656-fix-potential-use-before-alloc.patch
ovl-check-the-capability-before-cred-overridden.patch
ovl-support-stacked-seek_hole-seek_data.patch
drm-vc4-fix-fb-references-in-async-update.patch
+alsa-seq-cover-unsubscribe_port-in-list_mutex.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
