From 3567eb6af614dac436c4b16a8d426f9faed639b3 Mon Sep 17 00:00:00 2001
From: Takashi Iwai <tiwai@suse.de>
Date: Tue, 12 Jan 2016 15:36:27 +0100
Subject: ALSA: seq: Fix race at timer setup and close
ALSA sequencer code has an open race between the timer setup ioctl and
the close of the client. This was triggered by syzkaller fuzzer, and
a use-after-free was caught there as a result.
This patch papers over it by adding a proper queue->timer_mutex lock
around the timer-related calls in the relevant code path.
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Tested-by: Dmitry Vyukov <dvyukov@google.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
---
sound/core/seq/seq_queue.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/sound/core/seq/seq_queue.c b/sound/core/seq/seq_queue.c
index 7dfd0f4..0bec02e 100644
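--- a/sound/core/seq/seq_queue.c
+++ b/sound/core/seq/seq_queue.c
@@ -142,8 +142,10 @@ static struct snd_seq_queue *queue_new(int owner, int locked)
 static void queue_delete(struct snd_seq_queue *q)
 {
 /* stop and release the timer */
+ mutex_lock(&q->timer_mutex);
 snd_seq_timer_stop(q->timer);
 snd_seq_timer_close(q);
+ mutex_unlock(&q->timer_mutex);
 /* wait until access free */
 snd_use_lock_sync(&q->use_lock);
 /* release resources... */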
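Review bot: The new `mutex_unlock(&q->timer_mutex)` in `queue_delete()` comes before `snd_use_lock_sync(&q->use_lock)`, so a caller that already holds a reference to the queue could presumably still take `timer_mutex` after the timer has been closed and reach the timer-related calls again; whether the timer setup ioctl path re-checks the queue state under the lock is not visible in this hunk and should be confirmed. The commit message itself describes the change as papering over the race, so the locking rule deserves to be written down where the lock is taken, e.g. by extending the existing comment to `/* stop and release the timer; timer_mutex serializes this against the timer setup ioctl */`. `queue_delete()` continues past the end of the hunk, so the final release of the queue is not reviewed here.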
--
cgit v1.1