ALSA: seq: Fix racy access for queue timer in proc read

commit 60adcfde92fa40fcb2dbf7cc52f9b096e0cd109a upstream.

snd_seq_info_timer_read() reads the information of the timer assigned
for each queue, but it's done in a racy way which may lead to UAF as
spotted by syzkaller.

This patch applies the missing q->timer_mutex lock while accessing the
timer object as well as a slight code change to adapt the standard
coding style.

Reported-by: syzbot+2b2ef983f973e5c40943@syzkaller.appspotmail.com
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20200115203733.26530-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/sound/core/seq/seq_timer.c b/sound/core/seq/seq_timer.c
index b80985fbc334cc6598d7ca2953d1ce79edb9f68b..0e1feb597586fbcab9278b4ed53367a294071c7d 100644 (file)
--- a/sound/core/seq/seq_timer.c
+++ b/sound/core/seq/seq_timer.c
@@ -479,15 +479,19 @@ void snd_seq_info_timer_read(struct snd_info_entry *entry,
                q = queueptr(idx);
                if (q == NULL)
                        continue;
-               if ((tmr = q->timer) == NULL ||
-                   (ti = tmr->timeri) == NULL) {
-                       queuefree(q);
-                       continue;
-               }
+               mutex_lock(&q->timer_mutex);
+               tmr = q->timer;
+               if (!tmr)
+                       goto unlock;
+               ti = tmr->timeri;
+               if (!ti)
+                       goto unlock;
                snd_iprintf(buffer, "Timer for queue %i : %s\n", q->queue, ti->timer->name);
                resolution = snd_timer_resolution(ti) * tmr->ticks;
                snd_iprintf(buffer, "  Period time : %lu.%09lu\n", resolution / 1000000000, resolution % 1000000000);
                snd_iprintf(buffer, "  Skew : %u / %u\n", tmr->skew, tmr->skew_base);
+unlock:
+               mutex_unlock(&q->timer_mutex);
                queuefree(q);
        }
 }