diff options
| author | Takashi Iwai <tiwai@suse.de> | 2016-01-12 09:36:27 -0500 |
|---|---|---|
| committer | Takashi Iwai <tiwai@suse.de> | 2016-01-12 11:50:41 -0500 |
| commit | 3567eb6af614dac436c4b16a8d426f9faed639b3 (patch) | |
| tree | 4f2b3091ad80d3b49bd54b9951fa8743e2f6cfee /sound | |
| parent | 030e2c78d3a91dd0d27fef37e91950dde333eba1 (diff) | |
ALSA: seq: Fix race at timer setup and close
ALSA sequencer code has an open race between the timer setup ioctl and
the close of the client. This was triggered by syzkaller fuzzer, and
a use-after-free was caught there as a result.
This patch papers over it by adding a proper queue->timer_mutex lock
around the timer-related calls in the relevant code path.
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Tested-by: Dmitry Vyukov <dvyukov@google.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Diffstat (limited to 'sound')
| -rw-r--r-- | sound/core/seq/seq_queue.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/sound/core/seq/seq_queue.c b/sound/core/seq/seq_queue.c index 7dfd0f429410..0bec02e89d51 100644 --- a/sound/core/seq/seq_queue.c +++ b/sound/core/seq/seq_queue.c | |||
| @@ -142,8 +142,10 @@ static struct snd_seq_queue *queue_new(int owner, int locked) | |||
| 142 | static void queue_delete(struct snd_seq_queue *q) | 142 | static void queue_delete(struct snd_seq_queue *q) |
| 143 | { | 143 | { |
| 144 | /* stop and release the timer */ | 144 | /* stop and release the timer */ |
| 145 | mutex_lock(&q->timer_mutex); | ||
| 145 | snd_seq_timer_stop(q->timer); | 146 | snd_seq_timer_stop(q->timer); |
| 146 | snd_seq_timer_close(q); | 147 | snd_seq_timer_close(q); |
| 148 | mutex_unlock(&q->timer_mutex); | ||
| 147 | /* wait until access free */ | 149 | /* wait until access free */ |
| 148 | snd_use_lock_sync(&q->use_lock); | 150 | snd_use_lock_sync(&q->use_lock); |
| 149 | /* release resources... */ | 151 | /* release resources... */ |