| From 3567eb6af614dac436c4b16a8d426f9faed639b3 Mon Sep 17 00:00:00 2001 |
| From: Takashi Iwai <tiwai@suse.de> |
| Date: Tue, 12 Jan 2016 15:36:27 +0100 |
| Subject: ALSA: seq: Fix race at timer setup and close |
| |
| From: Takashi Iwai <tiwai@suse.de> |
| |
| commit 3567eb6af614dac436c4b16a8d426f9faed639b3 upstream. |
| |
| ALSA sequencer code has an open race between the timer setup ioctl and |
| the close of the client. This was triggered by syzkaller fuzzer, and |
| a use-after-free was caught there as a result. |
| |
| This patch papers over it by adding a proper queue->timer_mutex lock |
| around the timer-related calls in the relevant code path. |
| |
| Reported-by: Dmitry Vyukov <dvyukov@google.com> |
| Tested-by: Dmitry Vyukov <dvyukov@google.com> |
| Signed-off-by: Takashi Iwai <tiwai@suse.de> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| |
| --- |
| sound/core/seq/seq_queue.c | 2 ++ |
| 1 file changed, 2 insertions(+) |
| |
| --- a/sound/core/seq/seq_queue.c |
| +++ b/sound/core/seq/seq_queue.c |
| @@ -142,8 +142,10 @@ static struct snd_seq_queue *queue_new(i |
| static void queue_delete(struct snd_seq_queue *q) |
| { |
| /* stop and release the timer */ |
| + mutex_lock(&q->timer_mutex); |
| snd_seq_timer_stop(q->timer); |
| snd_seq_timer_close(q); |
| + mutex_unlock(&q->timer_mutex); |
| /* wait until access free */ |
| snd_use_lock_sync(&q->use_lock); |
| /* release resources... */ |
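Review bot: The new mutex_lock/mutex_unlock pair around snd_seq_timer_stop(q->timer) and snd_seq_timer_close(q) only closes the race if the timer-setup ioctl path takes the same q->timer_mutex, and that side is not visible in this hunk; the lock site should state that dependency so a later refactor of the ioctl path does not silently reopen it. I would extend the existing comment to `/* stop and release the timer; hold timer_mutex so a concurrent timer-setup ioctl cannot touch q->timer while it is torn down */`. It is also worth noting in the commit message which lock is expected to serialize the two paths, since "papers over" leaves the reader unsure whether timer_mutex is the intended long-term fix or a stopgap. queue_delete's body continues past the end of this hunk, so whether later teardown steps also need the mutex cannot be judged from here.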