On Mon, 19 Feb 2018 16:36:03 +0100,
Andres Bertens wrote:
> Hi,
> Yes sir, supend works with the attached patch!
> As for using some sequencer audio stuff, I have enabled
> CONFIG_SND_SEQUENCER and some others *SEQ* as modules in my kernel
> config. Nothing else to my knowledge.

Good to hear!

Greg, could you revert the previous one and apply the new one instead?
Below is with a more description explaining the difference.

Or if you prefer an incremental patch instead of revert and re-apply,
let me know.  I'll cook it.



-- 8< --
From: Takashi Iwai <ti...@suse.de>
Subject: [PATCH] ALSA: seq: Make ioctls race-free (revised)

commit b3defb791b26ea0683a93a4f49c77ec45ec96f10 upstream.

The ALSA sequencer ioctls have no protection against racy calls while
the concurrent operations may lead to interfere with each other.  As
reported recently, for example, the concurrent calls of setting client
pool with a combination of write calls may lead to either the
unkillable dead-lock or UAF.

As a slightly big hammer solution, this patch introduces the mutex to
make each ioctl exclusive.  Although this may reduce performance via
parallel ioctl calls, usually it's not demanded for sequencer usages,
hence it should be negligible.

[ NOTE: this is the revised backport of the commit b3defb791b26.
  We had another backport (e.g. 623e5c8ae32b in 4.4.115), but it
  applies the new mutex also to the code paths via faked
  kernel-to-kernel ioctls, and it seems leading to a deadlock, as
  reported recently as a regression.  This revised patch takes the
  mutex only in the code path invoked by user-space, just like the
  original fix patch does -- tiwai ]

Reported-by: Luo Quan <a4651...@163.com>
Reviewed-by: Kees Cook <keesc...@chromium.org>
Reviewed-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>
Cc: <sta...@vger.kernel.org>
Signed-off-by: Takashi Iwai <ti...@suse.de>

 sound/core/seq/seq_clientmgr.c |    7 ++++++-
 sound/core/seq/seq_clientmgr.h |    1 +
 2 files changed, 7 insertions(+), 1 deletion(-)

--- a/sound/core/seq/seq_clientmgr.c
+++ b/sound/core/seq/seq_clientmgr.c
@@ -236,6 +236,7 @@ static struct snd_seq_client *seq_create
+       mutex_init(&client->ioctl_mutex);
        /* find free slot in the client table */
        spin_lock_irqsave(&clients_lock, flags);
@@ -2220,11 +2221,15 @@ static int snd_seq_do_ioctl(struct snd_s
 static long snd_seq_ioctl(struct file *file, unsigned int cmd, unsigned long 
        struct snd_seq_client *client = file->private_data;
+       long ret;
        if (snd_BUG_ON(!client))
                return -ENXIO;
-       return snd_seq_do_ioctl(client, cmd, (void __user *) arg);
+       mutex_lock(&client->ioctl_mutex);
+       ret = snd_seq_do_ioctl(client, cmd, (void __user *) arg);
+       mutex_unlock(&client->ioctl_mutex);
+       return ret;
--- a/sound/core/seq/seq_clientmgr.h
+++ b/sound/core/seq/seq_clientmgr.h
@@ -59,6 +59,7 @@ struct snd_seq_client {
        struct list_head ports_list_head;
        rwlock_t ports_lock;
        struct mutex ports_mutex;
+       struct mutex ioctl_mutex;
        int convert32;          /* convert 32->64bit */
        /* output pool */

Reply via email to