mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
synced 2024-09-22 10:31:08 +00:00
c1f6e3c818
The rawmidi core allows user to resize the runtime buffer via ioctl, and this may lead to UAF when performed during concurrent reads or writes: the read/write functions unlock the runtime lock temporarily during copying from/to user-space, and that's the race window.

This patch fixes the hole by introducing a reference counter for the runtime buffer read/write access and returns -EBUSY error when the resize is performed concurrently against read/write.

Note that the ref count field is a simple integer instead of refcount_t here, since all contexts accessing the buffer are basically protected with a spinlock, hence we need no expensive atomic ops. Also, note that this busy check is needed only against read / write functions, and not in receive/transmit callbacks; the race can happen only at the spinlock hole mentioned in the above, while the whole function is protected for receive / transmit callbacks.

Reported-by: butt3rflyh4ck <butterflyhuangxx@gmail.com>
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/CAFcO6XMWpUVK_yzzCpp8_XP7+=oUpQvuBeCbMffEDkpe8jWrfg@mail.gmail.com
Link: https://lore.kernel.org/r/s5heerw3r5z.wl-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>

||
---|---|---|
oss | ||
seq | ||
compress_offload.c | ||
control.c | ||
control_compat.c | ||
ctljack.c | ||
device.c | ||
hrtimer.c | ||
hwdep.c | ||
hwdep_compat.c | ||
info.c | ||
info_oss.c | ||
init.c | ||
isadma.c | ||
jack.c | ||
Kconfig | ||
Makefile | ||
memalloc.c | ||
memory.c | ||
misc.c | ||
pcm.c | ||
pcm_compat.c | ||
pcm_dmaengine.c | ||
pcm_drm_eld.c | ||
pcm_iec958.c | ||
pcm_lib.c | ||
pcm_local.h | ||
pcm_memory.c | ||
pcm_misc.c | ||
pcm_native.c | ||
pcm_param_trace.h | ||
pcm_timer.c | ||
pcm_trace.h | ||
rawmidi.c | ||
rawmidi_compat.c | ||
seq_device.c | ||
sgbuf.c | ||
sound.c | ||
sound_oss.c | ||
timer.c | ||
timer_compat.c | ||
vmaster.c |