diff options
| author |   Takashi Iwai <tiwai@suse.de> | 2018-11-22 14:36:17 +0100 |
|---|---|---|
| committer | Takashi Iwai <tiwai@suse.de> | 2018-11-24 19:57:51 +0100 |
| commit | e1a7bfe3807974e66f971f2589d4e0197ec0fced (patch) | |
| tree | 2b2d423f63b366ea45d9ac665078361b6a3096cb /sound/pci | |
| parent | ALSA: sparc: Fix invalid snd_free_pages() at error path (diff) | |
| download | linux-dev-e1a7bfe3807974e66f971f2589d4e0197ec0fced.tar.xz linux-dev-e1a7bfe3807974e66f971f2589d4e0197ec0fced.zip | |
ALSA: control: Fix race between adding and removing a user element
The procedure for adding a user control element has some window opened
for race against the concurrent removal of a user element. This was
caught by syzkaller, hitting a KASAN use-after-free error.
This patch addresses the bug by wrapping the whole procedure to add a
user control element with the card->controls_rwsem, instead of only
around the increment of card->user_ctl_count.
This required a slight code refactoring, too. The function
snd_ctl_add() is split to two parts: a core function to add the
control element and a part calling it. The former is called from the
function for adding a user control element inside the controls_rwsem.
One change to be noted is that snd_ctl_notify() for adding a control
element gets called inside the controls_rwsem as well while it was
called outside the rwsem. But this should be OK, as snd_ctl_notify()
takes another (finer) rwlock instead of rwsem, and the call of
snd_ctl_notify() inside rwsem is already done in another code path.
Reported-by: syzbot+dc09047bce3820621ba2@syzkaller.appspotmail.com
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Diffstat (limited to 'sound/pci')
0 files changed, 0 insertions, 0 deletions