ALSA: seq: Fix race at timer setup and close

commit 3567eb6af614dac436c4b16a8d426f9faed639b3 upstream. ALSA sequencer code has an open race between the timer setup ioctl and the close of the client. This was triggered by syzkaller fuzzer, and a use-after-free was caught there as a result. This patch papers over it by adding a proper queue->timer_mutex lock around the timer-related calls in the relevant code path. Reported-by: Dmitry Vyukov <dvyukov@google.com> Tested-by: Dmitry Vyukov <dvyukov@google.com> Signed-off-by: Takashi Iwai <tiwai@suse.de> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
author: Takashi Iwai <tiwai@suse.de> 2016-01-12 15:36:27 +0100
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2016-01-31 11:23:33 -0800
commit: 49c9eb3db86407868a664ade6da041fabeb457f8 (patch)
tree: acdc846f6bfde8401ebb4d598bb355ee4673b421 /sound
parent: 9a6003a362acb814fea7422209be344b822b047a (diff)
1 files changed, 2 insertions, 0 deletions
diff --git a/sound/core/seq/seq_queue.c b/sound/core/seq/seq_queue.c
index a0cda38205b9..77ec21420355 100644
--- a/sound/core/seq/seq_queue.c
+++ b/sound/core/seq/seq_queue.c
@@ -142,8 +142,10 @@ static struct snd_seq_queue *queue_new(int owner, int locked)
 static void queue_delete(struct snd_seq_queue *q)
 {
 	/* stop and release the timer */
+	mutex_lock(&q->timer_mutex);
 	snd_seq_timer_stop(q->timer);
 	snd_seq_timer_close(q);
+	mutex_unlock(&q->timer_mutex);
 	/* wait until access free */
 	snd_use_lock_sync(&q->use_lock);
 	/* release resources... */
author	Takashi Iwai <tiwai@suse.de>	2016-01-12 15:36:27 +0100
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2016-01-31 11:23:33 -0800
commit	49c9eb3db86407868a664ade6da041fabeb457f8 (patch)
tree	acdc846f6bfde8401ebb4d598bb355ee4673b421 /sound
parent	9a6003a362acb814fea7422209be344b822b047a (diff)