| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 19 Feb 2018 16:46:29 +0100
From: Takashi Iwai <tiwai@...e.de>
To: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Cc: Andres Bertens <abertensu@...oo.com>, linux-kernel@...r.kernel.org,
stable@...r.kernel.org, ben@...adent.org.uk
Subject: Re: Linux 3.16.54: suspend stops working.
On Mon, 19 Feb 2018 16:36:03 +0100,
Andres Bertens wrote:
>
> Hi,
>
> Yes sir, supend works with the attached patch!
>
> As for using some sequencer audio stuff, I have enabled
> CONFIG_SND_SEQUENCER and some others *SEQ* as modules in my kernel
> config. Nothing else to my knowledge.
Good to hear!
Greg, could you revert the previous one and apply the new one instead?
Below is with a more description explaining the difference.
Or if you prefer an incremental patch instead of revert and re-apply,
let me know. I'll cook it.
thanks,
Takashi
-- 8< --
From: Takashi Iwai <tiwai@...e.de>
Subject: [PATCH] ALSA: seq: Make ioctls race-free (revised)
commit b3defb791b26ea0683a93a4f49c77ec45ec96f10 upstream.
The ALSA sequencer ioctls have no protection against racy calls while
the concurrent operations may lead to interfere with each other. As
reported recently, for example, the concurrent calls of setting client
pool with a combination of write calls may lead to either the
unkillable dead-lock or UAF.
As a slightly big hammer solution, this patch introduces the mutex to
make each ioctl exclusive. Although this may reduce performance via
parallel ioctl calls, usually it's not demanded for sequencer usages,
hence it should be negligible.
[ NOTE: this is the revised backport of the commit b3defb791b26.
We had another backport (e.g. 623e5c8ae32b in 4.4.115), but it
applies the new mutex also to the code paths via faked
kernel-to-kernel ioctls, and it seems leading to a deadlock, as
reported recently as a regression. This revised patch takes the
mutex only in the code path invoked by user-space, just like the
original fix patch does -- tiwai ]
Reported-by: Luo Quan <a4651386@....com>
Reviewed-by: Kees Cook <keescook@...omium.org>
Reviewed-by: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Cc: <stable@...r.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@...e.de>
---
sound/core/seq/seq_clientmgr.c | 7 ++++++-
sound/core/seq/seq_clientmgr.h | 1 +
2 files changed, 7 insertions(+), 1 deletion(-)
--- a/sound/core/seq/seq_clientmgr.c
+++ b/sound/core/seq/seq_clientmgr.c
@@ -236,6 +236,7 @@ static struct snd_seq_client *seq_create
rwlock_init(&client->ports_lock);
mutex_init(&client->ports_mutex);
INIT_LIST_HEAD(&client->ports_list_head);
+ mutex_init(&client->ioctl_mutex);
/* find free slot in the client table */
spin_lock_irqsave(&clients_lock, flags);
@@ -2220,11 +2221,15 @@ static int snd_seq_do_ioctl(struct snd_s
static long snd_seq_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
{
struct snd_seq_client *client = file->private_data;
+ long ret;
if (snd_BUG_ON(!client))
return -ENXIO;
- return snd_seq_do_ioctl(client, cmd, (void __user *) arg);
+ mutex_lock(&client->ioctl_mutex);
+ ret = snd_seq_do_ioctl(client, cmd, (void __user *) arg);
+ mutex_unlock(&client->ioctl_mutex);
+ return ret;
}
#ifdef CONFIG_COMPAT
--- a/sound/core/seq/seq_clientmgr.h
+++ b/sound/core/seq/seq_clientmgr.h
@@ -59,6 +59,7 @@ struct snd_seq_client {
struct list_head ports_list_head;
rwlock_t ports_lock;
struct mutex ports_mutex;
+ struct mutex ioctl_mutex;
int convert32; /* convert 32->64bit */
/* output pool */
Powered by blists - more mailing lists