forked from luck/tmp_suning_uos_patched
a820ccbe21
The PCM runtime object is created and freed dynamically at PCM stream open / close time. This is tracked via substream->runtime, and it's cleared at snd_pcm_detach_substream(). The runtime object assignment is protected by PCM open_mutex, so for all PCM operations, it's safely handled. However, each PCM substream provides also an ALSA timer interface, and user-space can access to this while closing a PCM substream. This may eventually lead to a UAF, as snd_pcm_timer_resolution() tries to access the runtime while clearing it in other side. Fortunately, it's the only concurrent access from the PCM timer, and it merely reads runtime->timer_resolution field. So, we can avoid the race by reordering kfree() and wrapping the substream->runtime clearance with the corresponding timer lock. Reported-by: syzbot+8e62ff4e07aa2ce87826@syzkaller.appspotmail.com Cc: <stable@vger.kernel.org> Signed-off-by: Takashi Iwai <tiwai@suse.de> |
||
|---|---|---|
| .. | ||
| oss | ||
| seq | ||
| compress_offload.c | ||
| control_compat.c | ||
| control.c | ||
| ctljack.c | ||
| device.c | ||
| hrtimer.c | ||
| hwdep_compat.c | ||
| hwdep.c | ||
| info_oss.c | ||
| info.c | ||
| init.c | ||
| isadma.c | ||
| jack.c | ||
| Kconfig | ||
| Makefile | ||
| memalloc.c | ||
| memory.c | ||
| misc.c | ||
| pcm_compat.c | ||
| pcm_dmaengine.c | ||
| pcm_drm_eld.c | ||
| pcm_iec958.c | ||
| pcm_lib.c | ||
| pcm_local.h | ||
| pcm_memory.c | ||
| pcm_misc.c | ||
| pcm_native.c | ||
| pcm_param_trace.h | ||
| pcm_timer.c | ||
| pcm_trace.h | ||
| pcm.c | ||
| rawmidi_compat.c | ||
| rawmidi.c | ||
| seq_device.c | ||
| sgbuf.c | ||
| sound_oss.c | ||
| sound.c | ||
| timer_compat.c | ||
| timer.c | ||
| vmaster.c | ||