linux/include
Takashi Iwai c1f6e3c818 ALSA: rawmidi: Fix racy buffer resize under concurrent accesses
The rawmidi core allows user to resize the runtime buffer via ioctl,
and this may lead to UAF when performed during concurrent reads or
writes: the read/write functions unlock the runtime lock temporarily
during copying form/to user-space, and that's the race window.

This patch fixes the hole by introducing a reference counter for the
runtime buffer read/write access and returns -EBUSY error when the
resize is performed concurrently against read/write.

Note that the ref count field is a simple integer instead of
refcount_t here, since the all contexts accessing the buffer is
basically protected with a spinlock, hence we need no expensive atomic
ops.  Also, note that this busy check is needed only against read /
write functions, and not in receive/transmit callbacks; the race can
happen only at the spinlock hole mentioned in the above, while the
whole function is protected for receive / transmit callbacks.

Reported-by: butt3rflyh4ck <butterflyhuangxx@gmail.com>
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/CAFcO6XMWpUVK_yzzCpp8_XP7+=oUpQvuBeCbMffEDkpe8jWrfg@mail.gmail.com
Link: https://lore.kernel.org/r/s5heerw3r5z.wl-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2020-05-07 22:29:14 +02:00
..
acpi ACPI fixes for 5.6-rc4 2020-02-28 09:02:18 -08:00
asm-generic Microblaze patches for 5.6-rc1 2020-02-04 11:58:07 +00:00
clocksource clocksource/drivers/hyper-v: Untangle stimers and timesync from clocksources 2020-01-16 19:09:02 +01:00
crypto crypto: x86/curve25519 - support assemblers with no adx support 2020-03-05 18:28:09 +11:00
drm drm/dp_mst: Use full_pbn instead of available_pbn for bandwidth checks 2020-03-12 19:07:24 -04:00
dt-bindings Merge branch 'asoc-5.7' into asoc-next 2020-03-27 17:29:20 +00:00
keys
kunit
kvm
linux ASoC: Updates for v5.7 2020-03-30 13:43:00 +02:00
math-emu
media
misc
net fib: add missing attribute validation for tun_id 2020-03-03 13:28:48 -08:00
pcmcia
ras
rdma RDMA/core: Make the entire API tree static 2020-01-30 16:28:52 -04:00
scsi scsi: Revert "target: iscsi: Wait for all commands to finish before freeing a session" 2020-02-14 17:13:54 -05:00
soc net: mscc: ocelot: properly account for VLAN header length when setting MRU 2020-03-09 18:58:17 -07:00
sound ALSA: rawmidi: Fix racy buffer resize under concurrent accesses 2020-05-07 22:29:14 +02:00
target
trace ARM: SoC-related driver updates 2020-02-08 14:04:19 -08:00
uapi Revert "ALSA: uapi: Drop asound.h inclusion from asoc.h" 2020-03-31 11:01:12 +02:00
vdso
video
xen xen/xenbus: fix locking 2020-03-05 09:42:23 -06:00