Commit db635784 authored Jan 03, 2025 by Takashi Iwai Committed by Xiongfeng Wang Jan 03, 2025

ALSA: pcm: Add sanity NULL check for the default mmap fault handler

stable inclusion
from stable-v6.6.64
commit bc200027ee92fba84f1826494735ed675f3aa911
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBEADU
CVE: CVE-2024-53180

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=bc200027ee92fba84f1826494735ed675f3aa911



--------------------------------

commit d2913a07d9037fe7aed4b7e680684163eaed6bc4 upstream.

A driver might allow the mmap access before initializing its
runtime->dma_area properly.  Add a proper NULL check before passing to
virt_to_page() for avoiding a panic.

Reported-by:  <syzbot+4bf62a7b1d0f4fdb7ae2@syzkaller.appspotmail.com>
Cc: <stable@vger.kernel.org>
Link: https://patch.msgid.link/20241120141104.7060-1-tiwai@suse.de


Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Xiongfeng Wang <wangxiongfeng2@huawei.com>

parent 604e996d

sound/core/pcm_native.c

+4 −2

Original line number	Diff line number	Diff line
		@@ -3794,9 +3794,11 @@ static vm_fault_t snd_pcm_mmap_data_fault(struct vm_fault *vmf)
		return VM_FAULT_SIGBUS;
		if (substream->ops->page)
		page = substream->ops->page(substream, offset);
		else if (!snd_pcm_get_dma_buf(substream))
		else if (!snd_pcm_get_dma_buf(substream)) {
		if (WARN_ON_ONCE(!runtime->dma_area))
		return VM_FAULT_SIGBUS;
		page = virt_to_page(runtime->dma_area + offset);
		else
		} else
		page = snd_sgbuf_get_page(snd_pcm_get_dma_buf(substream), offset);
		if (!page)
		return VM_FAULT_SIGBUS;