mirror of
https://github.com/Divested-Mobile/DivestOS-Build.git
synced 2024-12-25 15:39:26 -05:00
39 lines
1.3 KiB
Diff
39 lines
1.3 KiB
Diff
|
From 3567eb6af614dac436c4b16a8d426f9faed639b3 Mon Sep 17 00:00:00 2001
|
||
|
From: Takashi Iwai <tiwai@suse.de>
|
||
|
Date: Tue, 12 Jan 2016 15:36:27 +0100
|
||
|
Subject: ALSA: seq: Fix race at timer setup and close
|
||
|
|
||
|
ALSA sequencer code has an open race between the timer setup ioctl and
|
||
|
the close of the client. This was triggered by syzkaller fuzzer, and
|
||
|
a use-after-free was caught there as a result.
|
||
|
|
||
|
This patch papers over it by adding a proper queue->timer_mutex lock
|
||
|
around the timer-related calls in the relevant code path.
|
||
|
|
||
|
Reported-by: Dmitry Vyukov <dvyukov@google.com>
|
||
|
Tested-by: Dmitry Vyukov <dvyukov@google.com>
|
||
|
Cc: <stable@vger.kernel.org>
|
||
|
Signed-off-by: Takashi Iwai <tiwai@suse.de>
|
||
|
---
|
||
|
sound/core/seq/seq_queue.c | 2 ++
|
||
|
1 file changed, 2 insertions(+)
|
||
|
|
||
|
diff --git a/sound/core/seq/seq_queue.c b/sound/core/seq/seq_queue.c
|
||
|
index 7dfd0f4..0bec02e 100644
|
||
|
--- a/sound/core/seq/seq_queue.c
|
||
|
+++ b/sound/core/seq/seq_queue.c
|
||
|
@@ -142,8 +142,10 @@ static struct snd_seq_queue *queue_new(int owner, int locked)
|
||
|
static void queue_delete(struct snd_seq_queue *q)
|
||
|
{
|
||
|
/* stop and release the timer */
|
||
|
+ mutex_lock(&q->timer_mutex);
|
||
|
snd_seq_timer_stop(q->timer);
|
||
|
snd_seq_timer_close(q);
|
||
|
+ mutex_unlock(&q->timer_mutex);
|
||
|
/* wait until access free */
|
||
|
snd_use_lock_sync(&q->use_lock);
|
||
|
/* release resources... */
|
||
|
--
|
||
|
cgit v1.1
|
||
|
|