ALSA: seq: Fix race at closing in virmidi driver

The virmidi driver has an open race at closing its assigned rawmidi device, and this may lead to use-after-free in snd_seq_deliver_single_event(). Plug the hole by properly protecting the linked list deletion and calling in the right order in snd_virmidi_input_close(). BugLink: http://lkml.kernel.org/r/CACT4Y+Zd66+w12fNN85-425cVQT=K23kWbhnCEcMB8s3us-Frw@mail.gmail.com Reported-by: Dmitry Vyukov <dvyukov@google.com> Tested-by: Dmitry Vyukov <dvyukov@google.com> Cc: <stable@vger.kernel.org> Signed-off-by: Takashi Iwai <tiwai@suse.de>
author: Takashi Iwai <tiwai@suse.de> 2016-02-01 06:06:42 -0500
committer: Takashi Iwai <tiwai@suse.de> 2016-02-01 06:21:46 -0500
commit: 2d1b5c08366acd46c35a2e9aba5d650cb5bf5c19 (patch)
tree: 61e6e56dc08107b25eafb2ada7e583f51378139d /sound/core/seq
parent: f1d51595a2a54d725cd6a21dd54508335a14ab90 (diff)
1 files changed, 5 insertions, 1 deletions
diff --git a/sound/core/seq/seq_virmidi.c b/sound/core/seq/seq_virmidi.c
index 3da2d48610b3..f71aedfb408c 100644
--- a/sound/core/seq/seq_virmidi.c
+++ b/sound/core/seq/seq_virmidi.c
@@ -254,9 +254,13 @@ static int snd_virmidi_output_open(struct snd_rawmidi_substream *substream)
 */
 static int snd_virmidi_input_close(struct snd_rawmidi_substream *substream)
 {
+        struct snd_virmidi_dev *rdev = substream->rmidi->private_data;
        struct snd_virmidi *vmidi = substream->runtime->private_data;
-        snd_midi_event_free(vmidi->parser);
+        write_lock_irq(&rdev->filelist_lock);
        list_del(&vmidi->list);
+        write_unlock_irq(&rdev->filelist_lock);
+        snd_midi_event_free(vmidi->parser);
        substream->runtime->private_data = NULL;
        kfree(vmidi);
        return 0;
author	Takashi Iwai <tiwai@suse.de>	2016-02-01 06:06:42 -0500
committer	Takashi Iwai <tiwai@suse.de>	2016-02-01 06:21:46 -0500
commit	2d1b5c08366acd46c35a2e9aba5d650cb5bf5c19 (patch)
tree	61e6e56dc08107b25eafb2ada7e583f51378139d /sound/core/seq
parent	f1d51595a2a54d725cd6a21dd54508335a14ab90 (diff)

diff --git a/sound/core/seq/seq_virmidi.c b/sound/core/seq/seq_virmidi.c index 3da2d48610b3..f71aedfb408c 100644 --- a/sound/core/seq/seq_virmidi.c +++ b/sound/core/seq/seq_virmidi.c
@@ -254,9 +254,13 @@ static int snd_virmidi_output_open(struct snd_rawmidi_substream *substream)
254	*/	254	*/
255	static int snd_virmidi_input_close(struct snd_rawmidi_substream *substream)	255	static int snd_virmidi_input_close(struct snd_rawmidi_substream *substream)
256	{	256	{
		257	struct snd_virmidi_dev *rdev = substream->rmidi->private_data;
257	struct snd_virmidi *vmidi = substream->runtime->private_data;	258	struct snd_virmidi *vmidi = substream->runtime->private_data;
258	snd_midi_event_free(vmidi->parser);	259
		260	write_lock_irq(&rdev->filelist_lock);
259	list_del(&vmidi->list);	261	list_del(&vmidi->list);
		262	write_unlock_irq(&rdev->filelist_lock);
		263	snd_midi_event_free(vmidi->parser);
260	substream->runtime->private_data = NULL;	264	substream->runtime->private_data = NULL;
261	kfree(vmidi);	265	kfree(vmidi);
262	return 0;	266	return 0;