CVE-2022-49272
Vulnerability Summary
Timeline
Description
In the Linux kernel, the following vulnerability has been resolved: ALSA: pcm: Fix potential AB/BA lock with buffer_mutex and mmap_lock syzbot caught a potential deadlock between the PCM runtime->buffer_mutex and the mm->mmap_lock. It was brought by the recent fix to cover the racy read/write and other ioctls, and in that commit, I overlooked a (hopefully only) corner case that may take the revert lock, namely, the OSS mmap. The OSS mmap operation exceptionally allows to re-configure the parameters inside the OSS mmap syscall, where mm->mmap_mutex is already held. Meanwhile, the copy_from/to_user calls at read/write operations also take the mm->mmap_lock internally, hence it may lead to a AB/BA deadlock. A similar problem was already seen in the past and we fixed it with a refcount (in commit b248371628aa). The former fix covered only the call paths with OSS read/write and OSS ioctls, while we need to cover the concurrent access via both ALSA and OSS APIs now. This patch addresses the problem above by replacing the buffer_mutex lock in the read/write operations with a refcount similar as we've used for OSS. The new field, runtime->buffer_accessing, keeps the number of concurrent read/write operations. Unlike the former buffer_mutex protection, this protects only around the copy_from/to_user() calls; the other codes are basically protected by the PCM stream lock. The refcount can be a negative, meaning blocked by the ioctls. If a negative value is seen, the read/write aborts with -EBUSY. In the ioctl side, OTOH, they check this refcount, too, and set to a negative value for blocking unless it's already being accessed.
CVSS Metrics
- v3.1•MEDIUM•Score: 5.5CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
EPSS Trends
Current EPSS score: 0.01%• Percentile: 2%
Techniques & Countermeasures
- CWE-667•Improper Locking
The product does not properly acquire or release a lock on a resource, leading to unexpected resource state changes and behaviors.
Affected Systems
- linux•linux
≥ 73867cb2bc7dfa7fbd219e53a0b68d253d8fda09, < 7e9133607e1501c94881be35e118d8f84d96dcb4 | ≥ b3830197aa7413c65767cf5a1aa8775c83f0dbf7, < 40f4cffbe13a51faf136faf5f9ef6847782cd595 | ≥ 08d1807f097a63ea00a7067dad89c1c81cb2115e, < 9661bf674d6a82b76e4ae424438a8ce1e3ed855d | ≥ 8527c8f052fb42091c6569cb928e472376a4a889, < 9017201e8d8c6d1472273361389ed431188584a0 | ≥ 47711ff10c7e126702cfa725f6d86ef529d15a5f, < 7777744e92a0b30e3e0cce2758d911837011ebd9 | ≥ 4d1b0ace2d56dc27cc4921eda7fae57f77f03eb5, < abedf0d08c79d76da0d6fa0d5dbbc98871dcbc2e | ≥ dd2f8c684da3e226e5ec7a81c89ff5fd4a957a03, < be9813ad2fc8f0885f5ce6925af0d993ce5da4e5 | ≥ dca947d4d26dbf925a64a6cfb2ddbc035e831a3d, < bc55cfd5718c7c23e5524582e9fa70b4d10f2433 | ≥ 5.10.109, < 5.10.110 | ≥ 5.15.32, < 5.15.33 | ≥ 5.16.18, < 5.16.19 | ≥ 5.17.1, < 5.17.2
- linux•linux_kernel
5.10.109 | 5.15.32 | 5.16.18 | 5.17.1
References (8)
- https://git.kernel.org/stable/c/7e9133607e1501c94881be35e118d8f84d96dcb4
- https://git.kernel.org/stable/c/40f4cffbe13a51faf136faf5f9ef6847782cd595
- https://git.kernel.org/stable/c/9661bf674d6a82b76e4ae424438a8ce1e3ed855d
- https://git.kernel.org/stable/c/9017201e8d8c6d1472273361389ed431188584a0
- https://git.kernel.org/stable/c/7777744e92a0b30e3e0cce2758d911837011ebd9
- https://git.kernel.org/stable/c/abedf0d08c79d76da0d6fa0d5dbbc98871dcbc2e
- https://git.kernel.org/stable/c/be9813ad2fc8f0885f5ce6925af0d993ce5da4e5
- https://git.kernel.org/stable/c/bc55cfd5718c7c23e5524582e9fa70b4d10f2433