linux/sound/core
Takashi Iwai e1a7bfe380 ALSA: control: Fix race between adding and removing a user element
The procedure for adding a user control element has some window opened
for race against the concurrent removal of a user element.  This was
caught by syzkaller, hitting a KASAN use-after-free error.

This patch addresses the bug by wrapping the whole procedure to add a
user control element with the card->controls_rwsem, instead of only
around the increment of card->user_ctl_count.

This required a slight code refactoring, too.  The function
snd_ctl_add() is split to two parts: a core function to add the
control element and a part calling it.  The former is called from the
function for adding a user control element inside the controls_rwsem.

One change to be noted is that snd_ctl_notify() for adding a control
element gets called inside the controls_rwsem as well while it was
called outside the rwsem.  But this should be OK, as snd_ctl_notify()
takes another (finer) rwlock instead of rwsem, and the call of
snd_ctl_notify() inside rwsem is already done in another code path.

Reported-by: syzbot+dc09047bce3820621ba2@syzkaller.appspotmail.com
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2018-11-24 19:57:51 +01:00
..
oss ALSA: oss: Use kvzalloc() for local buffer allocations 2018-11-09 14:12:04 +01:00
seq ALSA: seq: oss: Use the standard fall-through annotation 2018-10-12 09:31:29 +02:00
compress_offload.c ALSA: compress: Remove empty init and exit 2018-08-03 16:11:23 +02:00
control_compat.c ALSA: control: fix a redundant-copy issue 2018-05-13 09:27:57 +02:00
control.c ALSA: control: Fix race between adding and removing a user element 2018-11-24 19:57:51 +01:00
ctljack.c ALSA: declare snd_kcontrol_new structures as const 2017-05-30 10:29:25 +02:00
device.c ALSA: core: Assure control device to be registered at last 2018-05-17 08:21:23 +02:00
hrtimer.c Merge branch 'for-next' into for-linus 2017-11-13 15:43:13 +01:00
hwdep_compat.c
hwdep.c Merge branch 'work.misc' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2018-01-31 09:25:20 -08:00
info_oss.c ALSA: core: Follow standard EXPORT_SYMBOL() declarations 2017-06-16 16:19:16 +02:00
info.c sound: Use octal not symbolic permissions 2018-05-28 11:27:20 +02:00
init.c sound: Use octal not symbolic permissions 2018-05-28 11:27:20 +02:00
isadma.c ALSA: core: Follow standard EXPORT_SYMBOL() declarations 2017-06-16 16:19:16 +02:00
jack.c ALSA: fix kernel-doc build warning 2017-10-30 08:10:07 +01:00
Kconfig docs: Fix some broken references 2018-06-15 18:10:01 -03:00
Makefile License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
memalloc.c ALSA: memalloc: Add fall-through annotation 2018-10-12 09:31:23 +02:00
memory.c ALSA: core: Follow standard EXPORT_SYMBOL() declarations 2017-06-16 16:19:16 +02:00
misc.c ALSA: core: Follow standard EXPORT_SYMBOL() declarations 2017-06-16 16:19:16 +02:00
pcm_compat.c treewide: kmalloc() -> kmalloc_array() 2018-06-12 16:19:22 -07:00
pcm_dmaengine.c ASoC: dmaengine_pcm: Add support for packed transfers 2016-04-27 17:34:11 +01:00
pcm_drm_eld.c ALSA: pcm: use helper function to refer parameter as read-only 2017-05-17 07:24:39 +02:00
pcm_iec958.c ALSA: pcm: Allow 32 bit sample format in IEC958 channel status helper 2016-04-06 14:33:38 -07:00
pcm_lib.c ALSA: pcm: Update hardware pointer before start capture 2018-09-10 09:06:55 +02:00
pcm_local.h ALSA: pcm: trace XRUN event at injection, too 2018-07-04 15:34:57 +02:00
pcm_memory.c sound: Use octal not symbolic permissions 2018-05-28 11:27:20 +02:00
pcm_misc.c ALSA: pcm: add SNDRV_PCM_FORMAT_{S,U}20 2017-11-29 09:26:33 +01:00
pcm_native.c ALSA: pcm: Use snd_pcm_stop_xrun() for xrun injection 2018-07-04 15:34:59 +02:00
pcm_param_trace.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
pcm_timer.c ALSA: pcm: include pcm_local.h and remove some extraneous tabs 2017-05-30 18:04:47 +02:00
pcm_trace.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
pcm.c ALSA: pcm: Use snd_pcm_stop_xrun() for xrun injection 2018-07-04 15:34:59 +02:00
rawmidi_compat.c ALSA: rawmidi: Fix missing input substream checks in compat ioctls 2018-04-19 18:16:15 +02:00
rawmidi.c ALSA: rawmidi: A lightweight function to discard pending bytes 2018-10-04 20:13:17 +02:00
seq_device.c ALSA: seq: Cancel pending autoload work at unbinding device 2017-09-12 12:41:20 +02:00
sgbuf.c ALSA: memalloc: Add non-cached buffer type 2018-08-28 13:56:47 +02:00
sound_oss.c ALSA: core: Follow standard EXPORT_SYMBOL() declarations 2017-06-16 16:19:16 +02:00
sound.c ALSA: core: Follow standard EXPORT_SYMBOL() declarations 2017-06-16 16:19:16 +02:00
timer_compat.c ALSA: timer: Remove kernel warning at compat ioctl error paths 2017-11-21 16:36:11 +01:00
timer.c ALSA: timer: catch invalid timer object creation 2018-07-22 10:42:41 +02:00
vmaster.c - Introduce arithmetic overflow test helper functions (Rasmus) 2018-06-06 17:27:14 -07:00