renegade-project/linux-next
2
0
Fork 0
mirror of https://github.com/edk2-porting/linux-next.git synced 2025-01-11 15:14:03 +08:00
Code
c1f6e3c818
linux-next/sound
History
Takashi Iwai c1f6e3c818 ALSA: rawmidi: Fix racy buffer resize under concurrent accesses 
The rawmidi core allows user to resize the runtime buffer via ioctl,
and this may lead to UAF when performed during concurrent reads or
writes: the read/write functions unlock the runtime lock temporarily
during copying form/to user-space, and that's the race window.

This patch fixes the hole by introducing a reference counter for the
runtime buffer read/write access and returns -EBUSY error when the
resize is performed concurrently against read/write.

Note that the ref count field is a simple integer instead of
refcount_t here, since the all contexts accessing the buffer is
basically protected with a spinlock, hence we need no expensive atomic
ops.  Also, note that this busy check is needed only against read /
write functions, and not in receive/transmit callbacks; the race can
happen only at the spinlock hole mentioned in the above, while the
whole function is protected for receive / transmit callbacks.

Reported-by: butt3rflyh4ck <butterflyhuangxx@gmail.com>
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/CAFcO6XMWpUVK_yzzCpp8_XP7+=oUpQvuBeCbMffEDkpe8jWrfg@mail.gmail.com
Link: https://lore.kernel.org/r/s5heerw3r5z.wl-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2020-05-07 22:29:14 +02:00
..
ac97 ALSA: ac97: Constify snd_ac97_bus_ops definitions 2020-01-03 09:24:11 +01:00
aoa ALSA: aoa: More constifications 2020-01-05 16:14:27 +01:00
arm ASoC: arm: use asoc_rtd_to_cpu() / asoc_rtd_to_codec() macro for DAI pointer 2020-03-27 14:44:56 +00:00
atmel ALSA: atmel: Constify snd_ac97_bus_ops definitions 2020-01-03 09:24:12 +01:00
core ALSA: rawmidi: Fix racy buffer resize under concurrent accesses 2020-05-07 22:29:14 +02:00
drivers ALSA: dummy: Use standard macros for fixing PCM format cast 2020-02-10 08:27:31 +01:00
firewire ALSA: firewire-lib: fix 'function sizeof not defined' error of tracepoints format 2020-05-03 09:24:44 +02:00
hda ALSA: hda: Allow setting preallocation again for x86 2020-04-13 22:22:28 +02:00
i2c ALSA: i2c: Constify snd_kcontrol_new items 2020-01-03 09:24:24 +01:00
isa ALSA: opti9xx: shut up gcc-10 range warning 2020-04-30 08:11:42 +02:00
mips ALSA: sgio2audio: Remove usage of dropped hw_params/hw_free functions 2020-03-06 12:06:41 +01:00
oss compat_ioctl: remove translation for sound ioctls 2019-10-23 17:23:45 +02:00
parisc sound updates for 5.6-rc1 2020-01-28 16:26:57 -08:00
pci ALSA: hda/realtek - Fix S3 pop noise on Dell Wyse 2020-05-03 21:00:29 +02:00
pcmcia ALSA: pdaudiocf: More constification 2020-01-05 16:15:13 +01:00
ppc ALSA: ppc: keywest: convert to use i2c_new_client_device() 2020-03-27 09:33:01 +01:00
sh ALSA: sh: Fix compile warning wrt const 2020-01-05 16:15:14 +01:00
soc ASoC: wm8960: Fix wrong clock after suspend & resume 2020-04-21 15:43:22 +01:00
sparc ALSA: sparc: More constifications 2020-01-05 16:14:56 +01:00
spi ALSA: spi: More constification 2020-01-05 16:15:13 +01:00
synth ALSA: emux: More constifications 2020-01-05 16:14:46 +01:00
usb ALSA: usb-audio: add mapping for ASRock TRX40 Creator 2020-05-04 08:23:57 +02:00
x86 sound updates for 5.6-rc1 2020-01-28 16:26:57 -08:00
xen ALSA: xen: Drop superfluous ioctl PCM ops 2019-12-11 07:25:35 +01:00
ac97_bus.c ALSA: ac97: Treat snd_ac97_bus_ops as const 2020-01-03 09:24:08 +01:00
Kconfig
last.c
Makefile
sound_core.c sound: fix a memory leak bug 2019-08-08 08:18:32 +02:00