diff options
| author | Takashi Iwai <tiwai@suse.de> | 2018-11-22 14:36:17 +0100 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2018-12-05 19:32:08 +0100 |
| commit | d8a2dca04064b323e80af1b93b465d64e5befed1 (patch) | |
| tree | a9d89558ab28dcc5cd0a4d90e15486e4f2204d6b /kernel/trace/trace_functions_graph.c | |
| parent | b77c35ef8e38d9c4027f00a333ca139c583f2a18 (diff) | |
ALSA: control: Fix race between adding and removing a user element
commit e1a7bfe3807974e66f971f2589d4e0197ec0fced upstream.
The procedure for adding a user control element has some window opened
for race against the concurrent removal of a user element. This was
caught by syzkaller, hitting a KASAN use-after-free error.
This patch addresses the bug by wrapping the whole procedure to add a
user control element with the card->controls_rwsem, instead of only
around the increment of card->user_ctl_count.
This required a slight code refactoring, too. The function
snd_ctl_add() is split to two parts: a core function to add the
control element and a part calling it. The former is called from the
function for adding a user control element inside the controls_rwsem.
One change to be noted is that snd_ctl_notify() for adding a control
element gets called inside the controls_rwsem as well while it was
called outside the rwsem. But this should be OK, as snd_ctl_notify()
takes another (finer) rwlock instead of rwsem, and the call of
snd_ctl_notify() inside rwsem is already done in another code path.
Reported-by: syzbot+dc09047bce3820621ba2@syzkaller.appspotmail.com
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'kernel/trace/trace_functions_graph.c')
0 files changed, 0 insertions, 0 deletions