CVE-2022-49272
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
26/02/2025
Last modified:
26/02/2025
Description
In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
ALSA: pcm: Fix potential AB/BA lock with buffer_mutex and mmap_lock<br />
<br />
syzbot caught a potential deadlock between the PCM<br />
runtime->buffer_mutex and the mm->mmap_lock. It was brought by the<br />
recent fix to cover the racy read/write and other ioctls, and in that<br />
commit, I overlooked a (hopefully only) corner case that may take the<br />
revert lock, namely, the OSS mmap. The OSS mmap operation<br />
exceptionally allows to re-configure the parameters inside the OSS<br />
mmap syscall, where mm->mmap_mutex is already held. Meanwhile, the<br />
copy_from/to_user calls at read/write operations also take the<br />
mm->mmap_lock internally, hence it may lead to a AB/BA deadlock.<br />
<br />
A similar problem was already seen in the past and we fixed it with a<br />
refcount (in commit b248371628aa). The former fix covered only the<br />
call paths with OSS read/write and OSS ioctls, while we need to cover<br />
the concurrent access via both ALSA and OSS APIs now.<br />
<br />
This patch addresses the problem above by replacing the buffer_mutex<br />
lock in the read/write operations with a refcount similar as we&#39;ve<br />
used for OSS. The new field, runtime->buffer_accessing, keeps the<br />
number of concurrent read/write operations. Unlike the former<br />
buffer_mutex protection, this protects only around the<br />
copy_from/to_user() calls; the other codes are basically protected by<br />
the PCM stream lock. The refcount can be a negative, meaning blocked<br />
by the ioctls. If a negative value is seen, the read/write aborts<br />
with -EBUSY. In the ioctl side, OTOH, they check this refcount, too,<br />
and set to a negative value for blocking unless it&#39;s already being<br />
accessed.
Impact
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/40f4cffbe13a51faf136faf5f9ef6847782cd595
- https://git.kernel.org/stable/c/7777744e92a0b30e3e0cce2758d911837011ebd9
- https://git.kernel.org/stable/c/7e9133607e1501c94881be35e118d8f84d96dcb4
- https://git.kernel.org/stable/c/9017201e8d8c6d1472273361389ed431188584a0
- https://git.kernel.org/stable/c/9661bf674d6a82b76e4ae424438a8ce1e3ed855d
- https://git.kernel.org/stable/c/abedf0d08c79d76da0d6fa0d5dbbc98871dcbc2e
- https://git.kernel.org/stable/c/bc55cfd5718c7c23e5524582e9fa70b4d10f2433
- https://git.kernel.org/stable/c/be9813ad2fc8f0885f5ce6925af0d993ce5da4e5