| From 117159f0b9d392fb433a7871426fad50317f06f7 Mon Sep 17 00:00:00 2001 |
| From: Takashi Iwai <tiwai@suse.de> |
| Date: Mon, 8 Feb 2016 17:36:25 +0100 |
| Subject: ALSA: timer: Fix wrong instance passed to slave callbacks |
| |
| From: Takashi Iwai <tiwai@suse.de> |
| |
| commit 117159f0b9d392fb433a7871426fad50317f06f7 upstream. |
| |
| In snd_timer_notify1(), the wrong timer instance was passed to the slave |
| ccallback function. This leads to access to the wrong data when |
| an incompatible master is handled (e.g. the master is the sequencer |
| timer and the slave is a user timer), as spotted by syzkaller fuzzer. |
| |
| This patch fixes that wrong assignment. |
| |
| BugLink: http://lkml.kernel.org/r/CACT4Y+Y_Bm+7epAb=8Wi=AaWd+DYS7qawX52qxdCfOfY49vozQ@mail.gmail.com |
| Reported-by: Dmitry Vyukov <dvyukov@google.com> |
| Signed-off-by: Takashi Iwai <tiwai@suse.de> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| |
| --- |
| sound/core/timer.c | 2 +- |
| 1 file changed, 1 insertion(+), 1 deletion(-) |
| |
| --- a/sound/core/timer.c |
| +++ b/sound/core/timer.c |
| @@ -422,7 +422,7 @@ static void snd_timer_notify1(struct snd |
| spin_lock_irqsave(&timer->lock, flags); |
| list_for_each_entry(ts, &ti->slave_active_head, active_list) |
| if (ts->ccallback) |
| - ts->ccallback(ti, event + 100, &tstamp, resolution); |
| + ts->ccallback(ts, event + 100, &tstamp, resolution); |
| spin_unlock_irqrestore(&timer->lock, flags); |
| } |
| |
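Review bot: The `event + 100` offset on the corrected `ts->ccallback(ts, event + 100, &tstamp, resolution);` line is a bare magic number and should be checked against the timer event enum, which is not visible in this hunk. If the intent is to translate a master event into its slave-visible `SNDRV_TIMER_EVENT_M*` counterpart, my recollection is that the uapi header defines those at an offset of 10 from the base events, not 100, so slaves may be handed an event code they do not recognise; please confirm against the header. Deriving the offset from the enum, e.g. `event + (SNDRV_TIMER_EVENT_MSTART - SNDRV_TIMER_EVENT_START)`, would keep the two in step. A short comment that each slave callback must receive its own instance `ts`, never the master `ti`, would also guard against a regression of the type mix-up the description mentions. snd_timer_notify1() starts outside the hunk.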