<feed xmlns='http://www.w3.org/2005/Atom'>
<title>kernel/linux.git/sound/core/control.c, branch v6.6.131</title>
<subtitle>Linux kernel stable tree (mirror)</subtitle>
<id>https://git.radix-linux.su/kernel/linux.git/atom?h=v6.6.131</id>
<link rel='self' href='https://git.radix-linux.su/kernel/linux.git/atom?h=v6.6.131'/>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/'/>
<updated>2024-09-12T09:11:28+00:00</updated>
<entry>
<title>ALSA: control: Apply sanity check of input values for user elements</title>
<updated>2024-09-12T09:11:28+00:00</updated>
<author>
<name>Takashi Iwai</name>
<email>tiwai@suse.de</email>
</author>
<published>2024-06-16T07:34:44+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=4a67c7c03830b730f538b5ad114a44a08c7b272e'/>
<id>urn:sha1:4a67c7c03830b730f538b5ad114a44a08c7b272e</id>
<content type='text'>
[ Upstream commit 50ed081284fe2bfd1f25e8b92f4f6a4990e73c0a ]

Although we already have a mechanism for sanity checks of input values
for control writes, it's not applied unless the kconfig
CONFIG_SND_CTL_INPUT_VALIDATION is set, for performance reasons.
Nevertheless, it still makes sense to apply the same check for user
elements despite its cost, as that's the only way to filter out the
invalid values; the user controls are handled solely in ALSA core
code, and there is no corresponding driver, after all.

This patch adds the same input value validation for user control
elements at its put callback.  The kselftest will be happier with this
change, as the incorrect values will be bailed out now with errors.

For other normal controls, the check is applied still only when
CONFIG_SND_CTL_INPUT_VALIDATION is set.

Reported-by: Paul Menzel &lt;pmenzel@molgen.mpg.de&gt;
Closes: https://lore.kernel.org/r/1d44be36-9bb9-4d82-8953-5ae2a4f09405@molgen.mpg.de
Reviewed-by: Jaroslav Kysela &lt;perex@perex.cz&gt;
Reviewed-by: Mark Brown &lt;broonie@kernel.org&gt;
Reviewed-by: Takashi Sakamoto &lt;o-takashi@sakamocchi.jp&gt;
Signed-off-by: Takashi Iwai &lt;tiwai@suse.de&gt;
Link: https://lore.kernel.org/20240616073454.16512-4-tiwai@suse.de
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</content>
</entry>
<entry>
<title>ALSA: control: Don't embed ctl_dev</title>
<updated>2023-08-17T07:23:30+00:00</updated>
<author>
<name>Takashi Iwai</name>
<email>tiwai@suse.de</email>
</author>
<published>2023-08-16T16:02:45+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=6a66b01de48855d92450904ccfafda9d692efbb9'/>
<id>urn:sha1:6a66b01de48855d92450904ccfafda9d692efbb9</id>
<content type='text'>
Embedding the ctl_dev in the snd_card object may result in UAF when
the delayed kobj release is used; at the delayed kobj release, it
still accesses the struct device itself while the card memory (that
embeds the struct device) may be already gone.

As a workaround, detach the struct device from the card object by
allocating via the new snd_device_alloc() helper.  The rest are just
replacing ctl_dev access to the pointer.

This is based on the fix Curtis posted initially.  In this patch, the
changes are split and use the new helper function instead.

Link: https://lore.kernel.org/r/20230801171928.1460120-1-cujomalainey@chromium.org
Reviewed-by: Jaroslav Kysela &lt;perex@perex.cz&gt;
Signed-off-by: Curtis Malainey &lt;cujomalainey@chromium.org&gt;
Tested-by: Curtis Malainey &lt;cujomalainey@chromium.org&gt;
Link: https://lore.kernel.org/r/20230816160252.23396-3-tiwai@suse.de
Signed-off-by: Takashi Iwai &lt;tiwai@suse.de&gt;
</content>
</entry>
<entry>
<title>ALSA: control: Take lock in snd_ctl_find_id() and snd_ctl_find_numid()</title>
<updated>2023-07-20T08:03:00+00:00</updated>
<author>
<name>Takashi Iwai</name>
<email>tiwai@suse.de</email>
</author>
<published>2023-07-18T14:13:03+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=9c2cc5652e4390bd4492433d96ad4caa785b09de'/>
<id>urn:sha1:9c2cc5652e4390bd4492433d96ad4caa785b09de</id>
<content type='text'>
Now all needed callers have been replaced with *_locked() versions,
let's turn on the locking in snd_ctl_find_id() and
snd_ctl_find_numid().

This patch also adds the lockdep assertions for debugging, too.

Link: https://lore.kernel.org/r/20230718141304.1032-11-tiwai@suse.de
Signed-off-by: Takashi Iwai &lt;tiwai@suse.de&gt;
</content>
</entry>
<entry>
<title>ALSA: control: Introduce unlocked version for snd_ctl_find_*() helpers</title>
<updated>2023-07-20T08:03:00+00:00</updated>
<author>
<name>Takashi Iwai</name>
<email>tiwai@suse.de</email>
</author>
<published>2023-07-18T14:13:02+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=b1e055f67611daf098e27e8731386eeb5257bde3'/>
<id>urn:sha1:b1e055f67611daf098e27e8731386eeb5257bde3</id>
<content type='text'>
For reducing the unnecessary use of controls_rwsem in the drivers,
this patch adds a new variant for snd_ctl_find_*() helpers:
snd_ctl_find_id_locked() and snd_ctl_find_numid_locked() look for a
kctl element inside the card-&gt;controls_rwsem -- that is, doing the
very same as what snd_ctl_find_id() and snd_ctl_find_numid() did until
now.  snd_ctl_find_id() and snd_ctl_find_numid() remain the same,
i.e. still unlocked version, but they will be switched to locked
version once after all callers are replaced.

The patch also replaces the calls of snd_ctl_find_id() and
snd_ctl_find_numid() in a few places; all of those are places where we
know that the functions are called properly with controls_rwsem held.
All others are without rwsem (although they should have been).

After this patch, we'll turn on the locking in snd_ctl_find_id() and
snd_ctl_find_numid() to be more race-free.

Link: https://lore.kernel.org/r/20230718141304.1032-10-tiwai@suse.de
Signed-off-by: Takashi Iwai &lt;tiwai@suse.de&gt;
</content>
</entry>
<entry>
<title>ALSA: control: Make snd_ctl_find_id() argument const</title>
<updated>2023-07-20T08:02:59+00:00</updated>
<author>
<name>Takashi Iwai</name>
<email>tiwai@suse.de</email>
</author>
<published>2023-07-18T14:13:01+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=6723670a483501497dc339ae37676525245a913a'/>
<id>urn:sha1:6723670a483501497dc339ae37676525245a913a</id>
<content type='text'>
The id object passed to snd_ctl_find_id() is only read, and we can
mark it with const gracefully.

Link: https://lore.kernel.org/r/20230718141304.1032-9-tiwai@suse.de
Signed-off-by: Takashi Iwai &lt;tiwai@suse.de&gt;
</content>
</entry>
<entry>
<title>ALSA: control: Add lockdep warning to internal functions</title>
<updated>2023-07-20T08:01:40+00:00</updated>
<author>
<name>Takashi Iwai</name>
<email>tiwai@suse.de</email>
</author>
<published>2023-07-18T14:12:58+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=8320ba0ce534dea603b7ba22f484ee39ef2ce746'/>
<id>urn:sha1:8320ba0ce534dea603b7ba22f484ee39ef2ce746</id>
<content type='text'>
To assure the proper locking, add the lockdep check to
__snd_ctl_remove(), __snd_ctl_add_replace() and other internal
functions to handle user controls.

Link: https://lore.kernel.org/r/20230718141304.1032-6-tiwai@suse.de
Signed-off-by: Takashi Iwai &lt;tiwai@suse.de&gt;
</content>
</entry>
<entry>
<title>ALSA: control: Take controls_rwsem lock in snd_ctl_remove()</title>
<updated>2023-07-20T08:01:27+00:00</updated>
<author>
<name>Takashi Iwai</name>
<email>tiwai@suse.de</email>
</author>
<published>2023-07-18T14:12:57+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=192c4cccd015f52c94d0420eb5d7305a1ca28998'/>
<id>urn:sha1:192c4cccd015f52c94d0420eb5d7305a1ca28998</id>
<content type='text'>
So far, snd_ctl_remove() requires its caller to take
card-&gt;controls_rwsem manually before the call for avoiding possible
races.  However, many callers don't care and miss the locking.

Basically it's cumbersome and error-prone to enforce it to each
caller.  Moreover, card-&gt;controls_rwsem is a field that should be used
only by internal or proper helpers, and it's not to be touched at
random external places.

This patch is an attempt to make those calls more consistent: now
snd_ctl_remove() takes the card-&gt;controls_rwsem internally, just like
other API functions for kctls.  Since a few callers already take the
controls_rwsem locks, the patch removes those locks at the same time,
too.

Link: https://lore.kernel.org/r/20230718141304.1032-5-tiwai@suse.de
Signed-off-by: Takashi Iwai &lt;tiwai@suse.de&gt;
</content>
</entry>
<entry>
<title>ALSA: control: Take card-&gt;controls_rwsem in snd_ctl_rename()</title>
<updated>2023-07-20T08:00:02+00:00</updated>
<author>
<name>Takashi Iwai</name>
<email>tiwai@suse.de</email>
</author>
<published>2023-07-18T14:12:54+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=d4e99962d16ce60ac9ecf995489dc60d7854f1bd'/>
<id>urn:sha1:d4e99962d16ce60ac9ecf995489dc60d7854f1bd</id>
<content type='text'>
snd_ctl_rename() expects that card-&gt;controls_rwsem is held in the
caller side for avoiding possible races, but actually no one really
did that.  It's likely because this operation is done usually only at
the device initialization where no race can happen.  But, it's still
safer to take a lock, so we just take the lock inside snd_ctl_rename()
like most of other API functions do.

Link: https://lore.kernel.org/r/20230718141304.1032-2-tiwai@suse.de
Signed-off-by: Takashi Iwai &lt;tiwai@suse.de&gt;
</content>
</entry>
<entry>
<title>ALSA: control: Keep the previous numid at snd_ctl_rename_id()</title>
<updated>2023-06-06T12:34:30+00:00</updated>
<author>
<name>Takashi Iwai</name>
<email>tiwai@suse.de</email>
</author>
<published>2023-06-06T09:40:35+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=306f3f78a5ff578bdfd97c658a862cb2c2419fb6'/>
<id>urn:sha1:306f3f78a5ff578bdfd97c658a862cb2c2419fb6</id>
<content type='text'>
We don't need to change the numid at each time snd_ctl_rename_id() is
called, as the control element size itself doesn't change.  Let's keep
the previous numid value.

Along with it, add a note about calling this function only in the
card init phase.

Reviewed-by: Jaroslav Kysela &lt;perex@perex.cz&gt;
Link: https://lore.kernel.org/r/20230606094035.14808-1-tiwai@suse.de
Signed-off-by: Takashi Iwai &lt;tiwai@suse.de&gt;
</content>
</entry>
<entry>
<title>ALSA: pcm: Move rwsem lock inside snd_ctl_elem_read to prevent UAF</title>
<updated>2023-01-13T13:15:26+00:00</updated>
<author>
<name>Clement Lecigne</name>
<email>clecigne@google.com</email>
</author>
<published>2023-01-13T12:07:45+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=56b88b50565cd8b946a2d00b0c83927b7ebb055e'/>
<id>urn:sha1:56b88b50565cd8b946a2d00b0c83927b7ebb055e</id>
<content type='text'>
Takes rwsem lock inside snd_ctl_elem_read instead of snd_ctl_elem_read_user
like it was done for write in commit 1fa4445f9adf1 ("ALSA: control - introduce
snd_ctl_notify_one() helper"). Doing it this way, we are also fixing the following
locking issue happening in the compat path which can be easily triggered and
turned into a use-after-free.

64-bits:
snd_ctl_ioctl
  snd_ctl_elem_read_user
    [takes controls_rwsem]
    snd_ctl_elem_read [lock properly held, all good]
    [drops controls_rwsem]

32-bits:
snd_ctl_ioctl_compat
  snd_ctl_elem_write_read_compat
    ctl_elem_write_read
      snd_ctl_elem_read [missing lock, not good]

CVE-2023-0266 was assigned for this issue.

Cc: stable@kernel.org # 5.13+
Signed-off-by: Clement Lecigne &lt;clecigne@google.com&gt;
Reviewed-by: Jaroslav Kysela &lt;perex@perex.cz&gt;
Link: https://lore.kernel.org/r/20230113120745.25464-1-tiwai@suse.de
Signed-off-by: Takashi Iwai &lt;tiwai@suse.de&gt;
</content>
</entry>
</feed>
