linux-toradex.git/sound/core/control.c, branch v6.6 Linux kernel for Apalis and Colibri modules ALSA: control: Don't embed ctl_dev 2023-08-17T07:23:30+00:00 Takashi Iwai tiwai@suse.de 2023-08-16T16:02:45+00:00 6a66b01de48855d92450904ccfafda9d692efbb9 Embedding the ctl_dev in the snd_card object may result in UAF when the delayed kobj release is used; at the delayed kobj release, it still accesses the struct device itself while the card memory (that embeds the struct device) may be already gone. As a workaround, detach the struct device from the card object by allocating via the new snd_device_alloc() helper. The rest are just replacing ctl_dev access to the pointer. This is based on the fix Curtis posted initially. In this patch, the changes are split and use the new helper function instead. Link: https://lore.kernel.org/r/20230801171928.1460120-1-cujomalainey@chromium.org Reviewed-by: Jaroslav Kysela <perex@perex.cz> Signed-off-by: Curtis Malainey <cujomalainey@chromium.org> Tested-by: Curtis Malainey <cujomalainey@chromium.org> Link: https://lore.kernel.org/r/20230816160252.23396-3-tiwai@suse.de Signed-off-by: Takashi Iwai <tiwai@suse.de> 
Embedding the ctl_dev in the snd_card object may result in UAF when
the delayed kobj release is used; at the delayed kobj release, it
still accesses the struct device itself while the card memory (that
embeds the struct device) may be already gone.

As a workaround, detach the struct device from the card object by
allocating via the new snd_device_alloc() helper.  The rest are just
replacing ctl_dev access to the pointer.

This is based on the fix Curtis posted initially.  In this patch, the
changes are split and use the new helper function instead.

Link: https://lore.kernel.org/r/20230801171928.1460120-1-cujomalainey@chromium.org
Reviewed-by: Jaroslav Kysela <perex@perex.cz>
Signed-off-by: Curtis Malainey <cujomalainey@chromium.org>
Tested-by: Curtis Malainey <cujomalainey@chromium.org>
Link: https://lore.kernel.org/r/20230816160252.23396-3-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
ALSA: control: Take lock in snd_ctl_find_id() and snd_ctl_find_numid() 2023-07-20T08:03:00+00:00 Takashi Iwai tiwai@suse.de 2023-07-18T14:13:03+00:00 9c2cc5652e4390bd4492433d96ad4caa785b09de Now all needed callers have been replaced with *_locked() versions, let's turn on the locking in snd_ctl_find_id() and snd_ctl_find_numid(). This patch also adds the lockdep assertions for debugging, too. Link: https://lore.kernel.org/r/20230718141304.1032-11-tiwai@suse.de Signed-off-by: Takashi Iwai <tiwai@suse.de> 
Now all needed callers have been replaced with *_locked() versions,
let's turn on the locking in snd_ctl_find_id() and
snd_ctl_find_numid().

This patch also adds the lockdep assertions for debugging, too.

Link: https://lore.kernel.org/r/20230718141304.1032-11-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
ALSA: control: Introduce unlocked version for snd_ctl_find_*() helpers 2023-07-20T08:03:00+00:00 Takashi Iwai tiwai@suse.de 2023-07-18T14:13:02+00:00 b1e055f67611daf098e27e8731386eeb5257bde3 For reducing the unnecessary use of controls_rwsem in the drivers, this patch adds a new variant for snd_ctl_find_*() helpers: snd_ctl_find_id_locked() and snd_ctl_find_numid_locked() look for a kctl element inside the card->controls_rwsem -- that is, doing the very same as what snd_ctl_find_id() and snd_ctl_find_numid() did until now. snd_ctl_find_id() and snd_ctl_find_numid() remain same, i.e. still unlocked version, but they will be switched to locked version once after all callers are replaced. The patch also replaces the calls of snd_ctl_find_id() and snd_ctl_find_numid() in a few places; all of those are places where we know that the functions are called properly with controls_rwsem held. All others are without rwsem (although they should have been). After this patch, we'll turn on the locking in snd_ctl_find_id() and snd_ctl_find_numid() to be more race-free. Link: https://lore.kernel.org/r/20230718141304.1032-10-tiwai@suse.de Signed-off-by: Takashi Iwai <tiwai@suse.de> 
For reducing the unnecessary use of controls_rwsem in the drivers,
this patch adds a new variant for snd_ctl_find_*() helpers:
snd_ctl_find_id_locked() and snd_ctl_find_numid_locked() look for a
kctl element inside the card->controls_rwsem -- that is, doing the
very same as what snd_ctl_find_id() and snd_ctl_find_numid() did until
now.  snd_ctl_find_id() and snd_ctl_find_numid() remain same,
i.e. still unlocked version, but they will be switched to locked
version once after all callers are replaced.

The patch also replaces the calls of snd_ctl_find_id() and
snd_ctl_find_numid() in a few places; all of those are places where we
know that the functions are called properly with controls_rwsem held.
All others are without rwsem (although they should have been).

After this patch, we'll turn on the locking in snd_ctl_find_id() and
snd_ctl_find_numid() to be more race-free.

Link: https://lore.kernel.org/r/20230718141304.1032-10-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
ALSA: control: Make snd_ctl_find_id() argument const 2023-07-20T08:02:59+00:00 Takashi Iwai tiwai@suse.de 2023-07-18T14:13:01+00:00 6723670a483501497dc339ae37676525245a913a The id object passed to snd_ctl_find_id() is only read, and we can mark it with const gracefully. Link: https://lore.kernel.org/r/20230718141304.1032-9-tiwai@suse.de Signed-off-by: Takashi Iwai <tiwai@suse.de> 
The id object passed to snd_ctl_find_id() is only read, and we can
mark it with const gracefully.

Link: https://lore.kernel.org/r/20230718141304.1032-9-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
ALSA: control: Add lockdep warning to internal functions 2023-07-20T08:01:40+00:00 Takashi Iwai tiwai@suse.de 2023-07-18T14:12:58+00:00 8320ba0ce534dea603b7ba22f484ee39ef2ce746 To assure the proper locking, add the lockdep check to __snd_ctl_remove(), __snd_ctl_add_replace() and other internal functions to handle user controls. Link: https://lore.kernel.org/r/20230718141304.1032-6-tiwai@suse.de Signed-off-by: Takashi Iwai <tiwai@suse.de> 
To assure the proper locking, add the lockdep check to
__snd_ctl_remove(), __snd_ctl_add_replace() and other internal
functions to handle user controls.

Link: https://lore.kernel.org/r/20230718141304.1032-6-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
ALSA: control: Take controls_rwsem lock in snd_ctl_remove() 2023-07-20T08:01:27+00:00 Takashi Iwai tiwai@suse.de 2023-07-18T14:12:57+00:00 192c4cccd015f52c94d0420eb5d7305a1ca28998 So far, snd_ctl_remove() requires its caller to take card->controls_rwsem manually before the call for avoiding possible races. However, many callers don't care and miss the locking. Basically it's cumbersome and error-prone to enforce it to each caller. Moreover, card->controls_rwsem is a field that should be used only by internal or proper helpers, and it's not to be touched at random external places. This patch is an attempt to make those calls more consistent: now snd_ctl_remove() takes the card->controls_rwsem internally, just like other API functions for kctls. Since a few callers already take the controls_rwsem locks, the patch removes those locks at the same time, too. Link: https://lore.kernel.org/r/20230718141304.1032-5-tiwai@suse.de Signed-off-by: Takashi Iwai <tiwai@suse.de> 
So far, snd_ctl_remove() requires its caller to take
card->controls_rwsem manually before the call for avoiding possible
races.  However, many callers don't care and miss the locking.

Basically it's cumbersome and error-prone to enforce it to each
caller.  Moreover, card->controls_rwsem is a field that should be used
only by internal or proper helpers, and it's not to be touched at
random external places.

This patch is an attempt to make those calls more consistent: now
snd_ctl_remove() takes the card->controls_rwsem internally, just like
other API functions for kctls.  Since a few callers already take the
controls_rwsem locks, the patch removes those locks at the same time,
too.

Link: https://lore.kernel.org/r/20230718141304.1032-5-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
ALSA: control: Take card->controls_rwsem in snd_ctl_rename() 2023-07-20T08:00:02+00:00 Takashi Iwai tiwai@suse.de 2023-07-18T14:12:54+00:00 d4e99962d16ce60ac9ecf995489dc60d7854f1bd snd_ctl_rename() expects that card->controls_rwsem is held in the caller side for avoiding possible races, but actually no one really did that. It's likely because this operation is done usually only at the device initialization where no race can happen. But, it's still safer to take a lock, so we just take the lock inside snd_ctl_rename() like most of other API functions do. Link: https://lore.kernel.org/r/20230718141304.1032-2-tiwai@suse.de Signed-off-by: Takashi Iwai <tiwai@suse.de> 
snd_ctl_rename() expects that card->controls_rwsem is held in the
caller side for avoiding possible races, but actually no one really
did that.  It's likely because this operation is done usually only at
the device initialization where no race can happen.  But, it's still
safer to take a lock, so we just take the lock inside snd_ctl_rename()
like most of other API functions do.

Link: https://lore.kernel.org/r/20230718141304.1032-2-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
ALSA: control: Keep the previous numid at snd_ctl_rename_id() 2023-06-06T12:34:30+00:00 Takashi Iwai tiwai@suse.de 2023-06-06T09:40:35+00:00 306f3f78a5ff578bdfd97c658a862cb2c2419fb6 We don't need to change the numid at each time snd_ctl_rename_id() is called, as the control element size itself doesn't change. Let's keep the previous numid value. Along with it, add a note about calling this function only in the card init phase. Reviewed-by: Jaroslav Kysela <perex@perex.cz> Link: https://lore.kernel.org/r/20230606094035.14808-1-tiwai@suse.de Signed-off-by: Takashi Iwai <tiwai@suse.de> 
We don't need to change the numid at each time snd_ctl_rename_id() is
called, as the control element size itself doesn't change.  Let's keep
the previous numid value.

Along with it, add a note about calling this function only in the
card init phase.

Reviewed-by: Jaroslav Kysela <perex@perex.cz>
Link: https://lore.kernel.org/r/20230606094035.14808-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
ALSA: pcm: Move rwsem lock inside snd_ctl_elem_read to prevent UAF 2023-01-13T13:15:26+00:00 Clement Lecigne clecigne@google.com 2023-01-13T12:07:45+00:00 56b88b50565cd8b946a2d00b0c83927b7ebb055e Takes rwsem lock inside snd_ctl_elem_read instead of snd_ctl_elem_read_user like it was done for write in commit 1fa4445f9adf1 ("ALSA: control - introduce snd_ctl_notify_one() helper"). Doing this way we are also fixing the following locking issue happening in the compat path which can be easily triggered and turned into an use-after-free. 64-bits: snd_ctl_ioctl snd_ctl_elem_read_user [takes controls_rwsem] snd_ctl_elem_read [lock properly held, all good] [drops controls_rwsem] 32-bits: snd_ctl_ioctl_compat snd_ctl_elem_write_read_compat ctl_elem_write_read snd_ctl_elem_read [missing lock, not good] CVE-2023-0266 was assigned for this issue. Cc: stable@kernel.org # 5.13+ Signed-off-by: Clement Lecigne <clecigne@google.com> Reviewed-by: Jaroslav Kysela <perex@perex.cz> Link: https://lore.kernel.org/r/20230113120745.25464-1-tiwai@suse.de Signed-off-by: Takashi Iwai <tiwai@suse.de> 
Takes rwsem lock inside snd_ctl_elem_read instead of snd_ctl_elem_read_user
like it was done for write in commit 1fa4445f9adf1 ("ALSA: control - introduce
snd_ctl_notify_one() helper"). Doing this way we are also fixing the following
locking issue happening in the compat path which can be easily triggered and
turned into an use-after-free.

64-bits:
snd_ctl_ioctl
  snd_ctl_elem_read_user
    [takes controls_rwsem]
    snd_ctl_elem_read [lock properly held, all good]
    [drops controls_rwsem]

32-bits:
snd_ctl_ioctl_compat
  snd_ctl_elem_write_read_compat
    ctl_elem_write_read
      snd_ctl_elem_read [missing lock, not good]

CVE-2023-0266 was assigned for this issue.

Cc: stable@kernel.org # 5.13+
Signed-off-by: Clement Lecigne <clecigne@google.com>
Reviewed-by: Jaroslav Kysela <perex@perex.cz>
Link: https://lore.kernel.org/r/20230113120745.25464-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
ALSA: control: add snd_ctl_rename() 2022-10-21T06:17:08+00:00 Maciej S. Szmigiero maciej.szmigiero@oracle.com 2022-10-20T20:46:21+00:00 966f015fe4329199cc49084ee2886cfb626b34d3 Add a snd_ctl_rename() function that takes care of updating the control hash entries for callers that already have the relevant struct snd_kcontrol at hand and hold the control write lock (or simply haven't registered the card yet). Fixes: c27e1efb61c5 ("ALSA: control: Use xarray for faster lookups") Cc: stable@vger.kernel.org Signed-off-by: Maciej S. Szmigiero <maciej.szmigiero@oracle.com> Link: https://lore.kernel.org/r/4170b71117ea81357a4f7eb8410f7cde20836c70.1666296963.git.maciej.szmigiero@oracle.com Signed-off-by: Takashi Iwai <tiwai@suse.de> 
Add a snd_ctl_rename() function that takes care of updating the control
hash entries for callers that already have the relevant struct snd_kcontrol
at hand and hold the control write lock (or simply haven't registered the
card yet).

Fixes: c27e1efb61c5 ("ALSA: control: Use xarray for faster lookups")
Cc: stable@vger.kernel.org
Signed-off-by: Maciej S. Szmigiero <maciej.szmigiero@oracle.com>
Link: https://lore.kernel.org/r/4170b71117ea81357a4f7eb8410f7cde20836c70.1666296963.git.maciej.szmigiero@oracle.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>