{"id":"CVE-2022-49272","summary":"ALSA: pcm: Fix potential AB/BA lock with buffer_mutex and mmap_lock","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: pcm: Fix potential AB/BA lock with buffer_mutex and mmap_lock\n\nsyzbot caught a potential deadlock between the PCM\nruntime-\u003ebuffer_mutex and the mm-\u003emmap_lock.  It was brought by the\nrecent fix to cover the racy read/write and other ioctls, and in that\ncommit, I overlooked a (hopefully only) corner case that may take the\nrevert lock, namely, the OSS mmap.  The OSS mmap operation\nexceptionally allows to re-configure the parameters inside the OSS\nmmap syscall, where mm-\u003emmap_mutex is already held.  Meanwhile, the\ncopy_from/to_user calls at read/write operations also take the\nmm-\u003emmap_lock internally, hence it may lead to an AB/BA deadlock.\n\nA similar problem was already seen in the past and we fixed it with a\nrefcount (in commit b248371628aa).  The former fix covered only the\ncall paths with OSS read/write and OSS ioctls, while we need to cover\nthe concurrent access via both ALSA and OSS APIs now.\n\nThis patch addresses the problem above by replacing the buffer_mutex\nlock in the read/write operations with a refcount similar as we've\nused for OSS.  The new field, runtime-\u003ebuffer_accessing, keeps the\nnumber of concurrent read/write operations.  Unlike the former\nbuffer_mutex protection, this protects only around the\ncopy_from/to_user() calls; the other codes are basically protected by\nthe PCM stream lock.  The refcount can be negative, meaning blocked\nby the ioctls.  If a negative value is seen, the read/write aborts\nwith -EBUSY.  
In the ioctl side, OTOH, they check this refcount, too,\nand set to a negative value for blocking unless it's already being\naccessed.","modified":"2026-05-18T05:55:50.129586902Z","published":"2025-02-26T01:56:18.626Z","related":["SUSE-SU-2025:0983-1","SUSE-SU-2025:1027-1","SUSE-SU-2025:1176-1","SUSE-SU-2025:1183-1","SUSE-SU-2025:1194-1","SUSE-SU-2025:1241-1","SUSE-SU-2025:1263-1","SUSE-SU-2025:1293-1","SUSE-SU-2026:0385-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/49xxx/CVE-2022-49272.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/40f4cffbe13a51faf136faf5f9ef6847782cd595"},{"type":"WEB","url":"https://git.kernel.org/stable/c/7777744e92a0b30e3e0cce2758d911837011ebd9"},{"type":"WEB","url":"https://git.kernel.org/stable/c/7e9133607e1501c94881be35e118d8f84d96dcb4"},{"type":"WEB","url":"https://git.kernel.org/stable/c/9017201e8d8c6d1472273361389ed431188584a0"},{"type":"WEB","url":"https://git.kernel.org/stable/c/9661bf674d6a82b76e4ae424438a8ce1e3ed855d"},{"type":"WEB","url":"https://git.kernel.org/stable/c/abedf0d08c79d76da0d6fa0d5dbbc98871dcbc2e"},{"type":"WEB","url":"https://git.kernel.org/stable/c/bc55cfd5718c7c23e5524582e9fa70b4d10f2433"},{"type":"WEB","url":"https://git.kernel.org/stable/c/be9813ad2fc8f0885f5ce6925af0d993ce5da4e5"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/49xxx/CVE-2022-49272.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-49272"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"73867cb2bc7dfa7fbd219e53a0b68d253d8fda09"},{"fixed":"7e9133607e1501c94881be35e118d8f84d96dcb4"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"b3830
197aa7413c65767cf5a1aa8775c83f0dbf7"},{"fixed":"40f4cffbe13a51faf136faf5f9ef6847782cd595"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"08d1807f097a63ea00a7067dad89c1c81cb2115e"},{"fixed":"9661bf674d6a82b76e4ae424438a8ce1e3ed855d"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"8527c8f052fb42091c6569cb928e472376a4a889"},{"fixed":"9017201e8d8c6d1472273361389ed431188584a0"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"47711ff10c7e126702cfa725f6d86ef529d15a5f"},{"fixed":"7777744e92a0b30e3e0cce2758d911837011ebd9"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"4d1b0ace2d56dc27cc4921eda7fae57f77f03eb5"},{"fixed":"abedf0d08c79d76da0d6fa0d5dbbc98871dcbc2e"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"dd2f8c684da3e226e5ec7a81c89ff5fd4a957a03"},{"fixed":"be9813ad2fc8f0885f5ce6925af0d993ce5da4e5"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"dca947d4d26dbf925a64a6cfb2ddbc035e831a3d"},{"fixed":"bc55cfd5718c7c23e5524582e9fa70b4d10f2433"}]}],"versions":["v5.10.109","v5.15.32","v5.16.18","v5.17.1"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-49272.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"5.10.109"},{"fixed":"5.10.110"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.15.32"},{"fixed":"5.15.33"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.16.18"},{"fixed":"5.16.19"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.17.1"},{"fixed":"5.17.2"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/o
sv-output/CVE-2022-49272.json"}}],"schema_version":"1.7.5"}