On Thu, Jun 13, 2019 at 11:02:54AM +0200, Takashi Iwai wrote:
On Thu, 13 Jun 2019 10:33:44 +0200, Greg Kroah-Hartman wrote:
[ Upstream commit feb689025fbb6f0aa6297d3ddf97de945ea4ad32 ]
ALSA OSS sequencer calls the ioctl function indirectly via snd_seq_kernel_client_ctl(). While we already applied the protection against races between the normal ioctls and writes via the client's ioctl_mutex, this code path was left untouched. And this seems to be the cause of still remaining some rare UAF as spontaneously triggered by syzkaller.
For the sake of robustness, wrap the ioctl_mutex also for the call via snd_seq_kernel_client_ctl(), too.
Reported-by: syzbot+e4c8abb920efa77bace9@syzkaller.appspotmail.com Signed-off-by: Takashi Iwai tiwai@suse.de Signed-off-by: Sasha Levin sashal@kernel.org
This commit is reverted later by commit f0654ba94e33. So please drop this. The proper fix is done later by commit 7c32ae35fbf9 ("ALSA: seq: Cover unsubscribe_port() in list_mutex")
Ditto for 4.19.y and 5.1.y.
Now dropped everywhere, and I added 7c32ae35fbf9 ("ALSA: seq: Cover unsubscribe_port() in list_mutex") everywhere instead.
thanks,
greg k-h