diff options
| author | Takashi Iwai <tiwai@suse.de> | 2017-02-08 12:35:39 +0100 |
|---|---|---|
| committer | Takashi Iwai <tiwai@suse.de> | 2017-02-08 12:42:37 +0100 |
| commit | 4842e98f26dd80be3623c4714a244ba52ea096a8 (patch) | |
| tree | 08e56d4db3d9f4d720fbaf3091d31ff219c5b58e | |
| parent | f3d83317a69e7d658e7c83e24f8b31ac533c39e3 (diff) | |
ALSA: seq: Fix race at creating a queue
When a sequencer queue is created in snd_seq_queue_alloc(),it adds the
new queue element to the public list before referencing it. Thus the
queue might be deleted before the call of snd_seq_queue_use(), and it
results in the use-after-free error, as spotted by syzkaller.
The fix is to reference the queue object at the right time.
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
| -rw-r--r-- | sound/core/seq/seq_queue.c | 33 |
1 files changed, 20 insertions, 13 deletions
diff --git a/sound/core/seq/seq_queue.c b/sound/core/seq/seq_queue.c |