| From ee8413b01045c74340aa13ad5bdf905de32be736 Mon Sep 17 00:00:00 2001 |
| From: Takashi Iwai <tiwai@suse.de> |
| Date: Wed, 13 Jan 2016 21:35:06 +0100 |
| Subject: ALSA: timer: Fix double unlink of active_list |
| |
| From: Takashi Iwai <tiwai@suse.de> |
| |
| commit ee8413b01045c74340aa13ad5bdf905de32be736 upstream. |
| |
| ALSA timer instance object has a couple of linked lists and they are |
| unlinked unconditionally at snd_timer_stop(). Meanwhile |
| snd_timer_interrupt() unlinks it, but it calls list_del() which leaves |
| the element list itself unchanged. This ends up with unlinking twice, |
| and it was caught by syzkaller fuzzer. |
| |
| The fix is to use list_del_init() variant properly there, too. |
| |
| Reported-by: Dmitry Vyukov <dvyukov@google.com> |
| Tested-by: Dmitry Vyukov <dvyukov@google.com> |
| Signed-off-by: Takashi Iwai <tiwai@suse.de> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| |
| --- |
| sound/core/timer.c | 2 +- |
| 1 file changed, 1 insertion(+), 1 deletion(-) |
| |
| --- a/sound/core/timer.c |
| +++ b/sound/core/timer.c |
| @@ -704,7 +704,7 @@ void snd_timer_interrupt(struct snd_time |
| } else { |
| ti->flags &= ~SNDRV_TIMER_IFLG_RUNNING; |
| if (--timer->running) |
| - list_del(&ti->active_list); |
| + list_del_init(&ti->active_list); |
| } |
| if ((timer->hw.flags & SNDRV_TIMER_HW_TASKLET) || |
| (ti->flags & SNDRV_TIMER_IFLG_FAST)) |
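Review bot: The unlink in the `else` branch is still guarded by `if (--timer->running)`, so when this is the last running instance (the count drops to zero) it stays on `active_list` even though `SNDRV_TIMER_IFLG_RUNNING` has just been cleared. The hunk does not show whether later walks of the active list tolerate a non-running entry or whether another path unlinks it, so this is worth confirming given that the original report was list corruption found by fuzzing. If the guard is not intentional, consider `--timer->running;` followed by an unconditional `list_del_init(&ti->active_list);`. If it is intentional, a one-line comment explaining why the last instance stays linked would help the next reader. snd_timer_interrupt() begins and ends outside the hunk.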