github-mirror/linux
1
0
Fork 0
mirror of https://github.com/torvalds/linux.git synced 2026-06-14 01:40:01 +02:00
Code Issues Actions Packages Projects Releases Wiki Activity Graph
4d5f99ec00
linux/sound/core
History
Takashi Iwai 73f607aca1 ALSA: control: Fix race between adding and removing a user element 
commit e1a7bfe380 upstream.

The procedure for adding a user control element has some window opened
for race against the concurrent removal of a user element.  This was
caught by syzkaller, hitting a KASAN use-after-free error.

This patch addresses the bug by wrapping the whole procedure to add a
user control element with the card->controls_rwsem, instead of only
around the increment of card->user_ctl_count.

This required a slight code refactoring, too.  The function
snd_ctl_add() is split to two parts: a core function to add the
control element and a part calling it.  The former is called from the
function for adding a user control element inside the controls_rwsem.

One change to be noted is that snd_ctl_notify() for adding a control
element gets called inside the controls_rwsem as well while it was
called outside the rwsem.  But this should be OK, as snd_ctl_notify()
takes another (finer) rwlock instead of rwsem, and the call of
snd_ctl_notify() inside rwsem is already done in another code path.

Reported-by: syzbot+dc09047bce3820621ba2@syzkaller.appspotmail.com
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-12-13 09:21:27 +01:00
..
oss ALSA: pcm: Fix endless loop for XRUN recovery in OSS emulation 2018-04-24 09:32:09 +02:00
seq ALSA: virmidi: Fix too long output trigger loop 2018-08-22 07:48:36 +02:00
compress_offload.c
control_compat.c ALSA: control: fix a redundant-copy issue 2018-05-26 08:48:52 +02:00
control.c ALSA: control: Fix race between adding and removing a user element 2018-12-13 09:21:27 +01:00
ctljack.c
device.c
hrtimer.c
hwdep_compat.c
hwdep.c
info_oss.c
info.c
init.c
isadma.c
jack.c
Kconfig
Makefile
memalloc.c ALSA: memalloc: Don't exceed over the requested size 2018-08-22 07:48:36 +02:00
memory.c
misc.c
pcm_compat.c ALSA: pcm: Check PCM state at xfern compat ioctl 2018-05-16 10:06:47 +02:00
pcm_dmaengine.c
pcm_drm_eld.c
pcm_iec958.c
pcm_lib.c ALSA: pcm: Fix snd_interval_refine first/last with open min/max 2018-09-26 08:35:09 +02:00
pcm_memory.c
pcm_misc.c
pcm_native.c ALSA: core: Report audio_tstamp in snd_pcm_sync_ptr 2018-05-02 07:53:41 -07:00
pcm_timer.c
pcm_trace.h
pcm.c ALSA: pcm: Fix UAF at PCM release via PCM timer access 2018-04-24 09:32:07 +02:00
rawmidi_compat.c ALSA: rawmidi: Fix missing input substream checks in compat ioctls 2018-04-24 09:32:10 +02:00
rawmidi.c ALSA: rawmidi: Change resized buffers atomically 2018-07-25 10:18:15 +02:00
rtctimer.c
sgbuf.c
sound_oss.c
sound.c
timer_compat.c
timer.c ALSA: timer: Fix zero-division by continue of uninitialized instance 2018-11-10 07:41:38 -08:00
vmaster.c ALSA: vmaster: Propagate slave error 2018-05-30 07:49:13 +02:00