Commit 3567eb6

ALSA: seq: Fix race at timer setup and close

ALSA sequencer code has an open race between the timer setup ioctl and the close of the client. This was triggered by syzkaller fuzzer, and a use-after-free was caught there as a result.

This patch papers over it by adding a proper queue->timer_mutex lock around the timer-related calls in the relevant code path.

Reported-by: Dmitry Vyukov <dvyukov@google.com>
Tested-by: Dmitry Vyukov <dvyukov@google.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>

1 parent 030e2c7 commit 3567eb6

1 file changed: +2 -0 lines changed

Diff for: sound/core/seq/seq_queue.c

@@ -142,8 +142,10 @@ static struct snd_seq_queue *queue_new(int owner, int locked)
142142
static void queue_delete(struct snd_seq_queue *q)
143143
{
144144
/* stop and release the timer */
145+
mutex_lock(&q->timer_mutex);
145146
snd_seq_timer_stop(q->timer);
146147
snd_seq_timer_close(q);
148+
mutex_unlock(&q->timer_mutex);
147149
/* wait until access free */
148150
snd_use_lock_sync(&q->use_lock);
149151
/* release resources... */
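
Review bot: mutex_unlock(&q->timer_mutex) at new line 148 drops the lock before snd_use_lock_sync(&q->use_lock) at new line 150, so a caller that already holds a use_lock reference to this queue could still take timer_mutex and run timer setup after snd_seq_timer_close(q) has returned here. Please confirm that nothing can reopen the timer in that window, or, if the teardown order allows it, do the stop/close pair under the mutex after the sync. The lock also only closes the race if the timer setup ioctl path holds the same q->timer_mutex across its own timer calls; that side is not visible in this hunk, so a short comment above the mutex_lock naming the path it serializes against would help the next reader.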
