summaryrefslogtreecommitdiff
path: root/sound/core
diff options
context:
space:
mode:
authorTakashi Iwai <tiwai@suse.de>2019-04-09 18:35:22 +0300
committerTakashi Iwai <tiwai@suse.de>2019-04-09 19:54:12 +0300
commitfeb689025fbb6f0aa6297d3ddf97de945ea4ad32 (patch)
tree47404a3ee86fa26298233e346c5a05341e6f4088 /sound/core
parentf823b8a75527dca0b93cf577bbabbe47fd79b2a8 (diff)
downloadlinux-feb689025fbb6f0aa6297d3ddf97de945ea4ad32.tar.xz
ALSA: seq: Protect in-kernel ioctl calls with mutex
ALSA OSS sequencer calls the ioctl function indirectly via snd_seq_kernel_client_ctl(). While we already applied the protection against races between the normal ioctls and writes via the client's ioctl_mutex, this code path was left untouched. And this seems to be the cause of still remaining some rare UAF as spontaneously triggered by syzkaller. For the sake of robustness, wrap the ioctl_mutex also for the call via snd_seq_kernel_client_ctl(), too. Reported-by: syzbot+e4c8abb920efa77bace9@syzkaller.appspotmail.com Signed-off-by: Takashi Iwai <tiwai@suse.de>
Diffstat (limited to 'sound/core')
-rw-r--r--sound/core/seq/seq_clientmgr.c9
1 files changed, 7 insertions, 2 deletions
diff --git a/sound/core/seq/seq_clientmgr.c b/sound/core/seq/seq_clientmgr.c
index 933bde3843d9..976404691261 100644
--- a/sound/core/seq/seq_clientmgr.c
+++ b/sound/core/seq/seq_clientmgr.c
@@ -2340,14 +2340,19 @@ int snd_seq_kernel_client_ctl(int clientid, unsigned int cmd, void *arg)
{
const struct ioctl_handler *handler;
struct snd_seq_client *client;
+ int err;
client = clientptr(clientid);
if (client == NULL)
return -ENXIO;
for (handler = ioctl_handlers; handler->cmd > 0; ++handler) {
- if (handler->cmd == cmd)
- return handler->func(client, arg);
+ if (handler->cmd == cmd) {
+ mutex_lock(&client->ioctl_mutex);
+ err = handler->func(client, arg);
+ mutex_unlock(&client->ioctl_mutex);
+ return err;
+ }
}
pr_debug("ALSA: seq unknown ioctl() 0x%x (type='%c', number=0x%02x)\n",