https://github.com/torvalds/linux
Revision 4842e98f26dd80be3623c4714a244ba52ea096a8 authored by Takashi Iwai on 08 February 2017, 11:35:39 UTC, committed by Takashi Iwai on 08 February 2017, 11:42:37 UTC
When a sequencer queue is created in snd_seq_queue_alloc(), it adds the
new queue element to the public list before referencing it.  Thus the
queue might be deleted before the call of snd_seq_queue_use(), and it
results in a use-after-free error, as spotted by syzkaller.

The fix is to reference the queue object at the right time.

Reported-by: Dmitry Vyukov <dvyukov@google.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
1 parent f3d8331
ALSA: seq: Fix race at creating a queue
memory-notifier-error-inject.c
#include <linux/kernel.h>
#include <linux/module.h>
#include <linux/memory.h>

#include "notifier-error-inject.h"

/*
 * Priority of the injected memory notifier in the notifier chain.
 * Load-time parameter only: the permission argument is 0, so no sysfs
 * entry is created and the value cannot be changed after modprobe.
 * Defaults to 0 (static storage is zero-initialised).
 */
static int priority;
module_param(priority, int, 0);
MODULE_PARM_DESC(priority, "specify memory notifier priority");

/*
 * Error-injection descriptor handed to the shared notifier-error-inject
 * helper (notifier-error-inject.h).  The action table lists the two memory
 * hotplug notifier events this module can fail; the empty trailing entry
 * terminates the table.  The .nb member is what gets registered with the
 * memory notifier chain in err_inject_init().
 */
static struct notifier_err_inject memory_notifier_err_inject = {
	.actions = {
		{ NOTIFIER_ERR_INJECT_ACTION(MEM_GOING_ONLINE) },
		{ NOTIFIER_ERR_INJECT_ACTION(MEM_GOING_OFFLINE) },
		{}
	}
};

/*
 * debugfs directory returned by notifier_err_inject_init(); owned by this
 * module and torn down with debugfs_remove_recursive() on exit or on a
 * failed init.
 */
static struct dentry *dir;

/*
 * Module init: create the debugfs control directory for the "memory"
 * notifier, then register the error-injecting notifier block with the
 * memory notifier chain at the configured priority.
 *
 * Returns 0 on success or a negative errno.  If registration fails the
 * debugfs directory is removed again so nothing is left behind; the
 * global 'dir' is not cleared, but since init fails the exit hook will
 * never see it.
 */
static int err_inject_init(void)
{
	int ret;

	dir = notifier_err_inject_init("memory", notifier_err_inject_dir,
					&memory_notifier_err_inject, priority);
	if (IS_ERR(dir))
		return PTR_ERR(dir);

	ret = register_memory_notifier(&memory_notifier_err_inject.nb);
	if (!ret)
		return 0;

	/* Registration failed: undo the debugfs setup before bailing out. */
	debugfs_remove_recursive(dir);
	return ret;
}

/*
 * Module exit: unregister the notifier block first, so no further memory
 * hotplug events can reach the injection hook, then remove the debugfs
 * directory created in err_inject_init().  Keep this order; the notifier
 * state lives under the debugfs directory being removed.
 */
static void err_inject_exit(void)
{
	unregister_memory_notifier(&memory_notifier_err_inject.nb);
	debugfs_remove_recursive(dir);
}

/* Hook the init/exit handlers above into the module lifecycle. */
module_init(err_inject_init);
module_exit(err_inject_exit);

/* Debugging aid for memory hotplug paths: lets a test fail MEM_GOING_ONLINE
 * / MEM_GOING_OFFLINE notifications on demand via debugfs. */
MODULE_DESCRIPTION("memory notifier error injection module");
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Akinobu Mita <akinobu.mita@gmail.com>");