diff options
| author | Takashi Iwai <[email protected]> | 2022-03-22 18:07:17 +0100 |
|---|---|---|
| committer | Takashi Iwai <[email protected]> | 2022-03-22 20:56:07 +0100 |
| commit | 92ee3c60ec9fe64404dc035e7c41277d74aa26cb (patch) | |
| tree | 495dbd456ef721512b0113483cc62e34879e6d6c /include | |
| parent | 646b907e1559f006c79a752ee3eebe220ceb983d (diff) | |
ALSA: pcm: Fix races among concurrent hw_params and hw_free calls
Currently we have neither proper check nor protection against the
concurrent calls of PCM hw_params and hw_free ioctls, which may result
in a UAF. Since the existing PCM stream lock can't be used for
protecting the whole ioctl operations, we need a new mutex to protect
those racy calls.
This patch introduced a new mutex, runtime->buffer_mutex, and applies
it to both hw_params and hw_free ioctl code paths. Along with it, the
both functions are slightly modified (the mmap_count check is moved
into the state-check block) for code simplicity.
Reported-by: Hu Jiahui <[email protected]>
Cc: <[email protected]>
Reviewed-by: Jaroslav Kysela <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Takashi Iwai <[email protected]>
Diffstat (limited to 'include')
| -rw-r--r-- | include/sound/pcm.h | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/include/sound/pcm.h b/include/sound/pcm.h index 36da42cd0774..314f2779cab5 100644 --- a/include/sound/pcm.h +++ b/include/sound/pcm.h @@ -401,6 +401,7 @@ struct snd_pcm_runtime { wait_queue_head_t tsleep; /* transfer sleep */ struct fasync_struct *fasync; bool stop_operating; /* sync_stop will be called */ + struct mutex buffer_mutex; /* protect for buffer changes */ /* -- private section -- */ void *private_data; |