From patchwork Tue May 9 14:42:41 2017
X-Patchwork-Submitter: Amit Pundir
X-Patchwork-Id: 98930
From: Amit Pundir
To: Greg KH
Cc: stable@vger.kernel.org, Takashi Iwai
Subject: [PATCH for-3.18 17/24] ALSA: seq: Fix race at timer setup and close
Date: Tue, 9 May 2017 20:12:41 +0530
Message-Id: <1494340968-17152-18-git-send-email-amit.pundir@linaro.org>
X-Mailer: git-send-email 2.7.4
In-Reply-To: <1494340968-17152-1-git-send-email-amit.pundir@linaro.org>
References: <1494340968-17152-1-git-send-email-amit.pundir@linaro.org>
Sender: stable-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: stable@vger.kernel.org

From: Takashi Iwai

commit 3567eb6af614dac436c4b16a8d426f9faed639b3 upstream.

ALSA sequencer code has an open race between the timer setup ioctl and
the close of the client. This was triggered by syzkaller fuzzer, and
a use-after-free was caught there as a result.

This patch papers over it by adding a proper queue->timer_mutex lock
around the timer-related calls in the relevant code path.

Reported-by: Dmitry Vyukov
Tested-by: Dmitry Vyukov
Cc:
Signed-off-by: Takashi Iwai
Signed-off-by: Amit Pundir
---
 sound/core/seq/seq_queue.c | 2 ++
 1 file changed, 2 insertions(+)

--
2.7.4

diff --git a/sound/core/seq/seq_queue.c b/sound/core/seq/seq_queue.c index a0cda38205b9..77ec21420355 100644 --- a/sound/core/seq/seq_queue.c +++ b/sound/core/seq/seq_queue.c
@@ -142,8 +142,10 @@ static struct snd_seq_queue *queue_new(int owner, int locked) static void queue_delete(struct snd_seq_queue *q) { /* stop and release the timer */ + mutex_lock(&q->timer_mutex); snd_seq_timer_stop(q->timer); snd_seq_timer_close(q); + mutex_unlock(&q->timer_mutex); /* wait until access free */ snd_use_lock_sync(&q->use_lock); /* release resources... */
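
Review bot: In queue_delete(), the new mutex_lock(&q->timer_mutex) / mutex_unlock(&q->timer_mutex) pair only closes the race if the timer setup ioctl path takes the same q->timer_mutex around its own timer calls, and this patch touches only seq_queue.c (2 insertions), so for the 3.18 backport please confirm that the setup side in this tree already holds that mutex. The commit message itself says the change "papers over" the race: the timer is stopped and closed before snd_use_lock_sync(&q->use_lock) has waited for other users, so any path that holds a use_lock reference without taking timer_mutex could still touch the timer after snd_seq_timer_close(q). I would also extend the existing comment, for example "/* stop and release the timer; timer_mutex serializes against the timer setup ioctl */", so the lock pairing is documented at the call site.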