Revision 7e1d90f60a0d501c8503e636942ca704a454d910 authored by Daniel Mentz on 14 August 2017, 21:46:01 UTC, committed by Takashi Iwai on 15 August 2017, 06:02:35 UTC
commit 4842e98f26dd80be3623c4714a244ba52ea096a8 ("ALSA: seq: Fix race at
creating a queue") attempted to fix a race reported by syzkaller. That
fix has been described as follows:
"
When a sequencer queue is created in snd_seq_queue_alloc(),it adds the
new queue element to the public list before referencing it. Thus the
queue might be deleted before the call of snd_seq_queue_use(), and it
results in the use-after-free error, as spotted by syzkaller.
The fix is to reference the queue object at the right time.
"
Even with that fix in place, syzkaller reported a use-after-free error.
It specifically pointed to the last instruction "return q->queue" in
snd_seq_queue_alloc(). The pointer q is being used after kfree() has
been called on it.
It turned out that there is still a small window where a race can
happen. The window opens at
snd_seq_ioctl_create_queue()->snd_seq_queue_alloc()->queue_list_add()
and closes at
snd_seq_ioctl_create_queue()->queueptr()->snd_use_lock_use(). Between
these two calls, a different thread could delete the queue and possibly
re-create a different queue in the same location in queue_list.
This change prevents this situation by calling snd_use_lock_use() from
snd_seq_queue_alloc() prior to calling queue_list_add(). It is then the
caller's responsibility to call snd_use_lock_free(&q->use_lock).
Fixes: 4842e98f26dd ("ALSA: seq: Fix race at creating a queue")
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Daniel Mentz <danielmentz@google.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
1 parent 8df4b00
| File | Mode | Size |
|---|---|---|
| kasan | ||
| Kconfig | -rw-r--r-- | 23.4 KB |
| Kconfig.debug | -rw-r--r-- | 3.8 KB |
| Makefile | -rw-r--r-- | 3.6 KB |
| backing-dev.c | -rw-r--r-- | 27.5 KB |
| balloon_compaction.c | -rw-r--r-- | 4.7 KB |
| bootmem.c | -rw-r--r-- | 20.8 KB |
| cleancache.c | -rw-r--r-- | 9.9 KB |
| cma.c | -rw-r--r-- | 13.5 KB |
| cma.h | -rw-r--r-- | 534 bytes |
| cma_debug.c | -rw-r--r-- | 4.5 KB |
| compaction.c | -rw-r--r-- | 57.9 KB |
| debug.c | -rw-r--r-- | 4.3 KB |
| debug_page_ref.c | -rw-r--r-- | 1.3 KB |
| dmapool.c | -rw-r--r-- | 13.7 KB |
| early_ioremap.c | -rw-r--r-- | 6.2 KB |
| fadvise.c | -rw-r--r-- | 4.3 KB |
| failslab.c | -rw-r--r-- | 1.4 KB |
| filemap.c | -rw-r--r-- | 84.6 KB |
| frame_vector.c | -rw-r--r-- | 6.0 KB |
| frontswap.c | -rw-r--r-- | 14.3 KB |
| gup.c | -rw-r--r-- | 47.4 KB |
| highmem.c | -rw-r--r-- | 11.7 KB |
| huge_memory.c | -rw-r--r-- | 74.5 KB |
| hugetlb.c | -rw-r--r-- | 126.7 KB |
| hugetlb_cgroup.c | -rw-r--r-- | 10.9 KB |
| hwpoison-inject.c | -rw-r--r-- | 3.2 KB |
| init-mm.c | -rw-r--r-- | 680 bytes |
| internal.h | -rw-r--r-- | 16.2 KB |
| interval_tree.c | -rw-r--r-- | 3.1 KB |
| khugepaged.c | -rw-r--r-- | 48.5 KB |
| kmemcheck.c | -rw-r--r-- | 2.9 KB |
| kmemleak-test.c | -rw-r--r-- | 3.2 KB |
| kmemleak.c | -rw-r--r-- | 58.7 KB |
| ksm.c | -rw-r--r-- | 85.5 KB |
| list_lru.c | -rw-r--r-- | 12.6 KB |
| maccess.c | -rw-r--r-- | 3.0 KB |
| madvise.c | -rw-r--r-- | 21.6 KB |
| memblock.c | -rw-r--r-- | 50.5 KB |
| memcontrol.c | -rw-r--r-- | 156.2 KB |
| memory-failure.c | -rw-r--r-- | 47.8 KB |
| memory.c | -rw-r--r-- | 117.6 KB |
| memory_hotplug.c | -rw-r--r-- | 50.1 KB |
| mempolicy.c | -rw-r--r-- | 68.3 KB |
| mempool.c | -rw-r--r-- | 13.9 KB |
| memtest.c | -rw-r--r-- | 2.7 KB |
| migrate.c | -rw-r--r-- | 52.0 KB |
| mincore.c | -rw-r--r-- | 6.7 KB |
| mlock.c | -rw-r--r-- | 22.6 KB |
| mm_init.c | -rw-r--r-- | 4.8 KB |
| mmap.c | -rw-r--r-- | 96.2 KB |
| mmu_context.c | -rw-r--r-- | 1.3 KB |
| mmu_notifier.c | -rw-r--r-- | 11.5 KB |
| mmzone.c | -rw-r--r-- | 2.4 KB |
| mprotect.c | -rw-r--r-- | 13.4 KB |
| mremap.c | -rw-r--r-- | 16.2 KB |
| msync.c | -rw-r--r-- | 2.6 KB |
| nobootmem.c | -rw-r--r-- | 11.1 KB |
| nommu.c | -rw-r--r-- | 48.6 KB |
| oom_kill.c | -rw-r--r-- | 28.8 KB |
| page-writeback.c | -rw-r--r-- | 84.2 KB |
| page_alloc.c | -rw-r--r-- | 212.8 KB |
| page_counter.c | -rw-r--r-- | 4.8 KB |
| page_ext.c | -rw-r--r-- | 11.1 KB |
| page_idle.c | -rw-r--r-- | 5.4 KB |
| page_io.c | -rw-r--r-- | 9.9 KB |
| page_isolation.c | -rw-r--r-- | 8.0 KB |
| page_owner.c | -rw-r--r-- | 14.8 KB |
| page_poison.c | -rw-r--r-- | 2.6 KB |
| page_vma_mapped.c | -rw-r--r-- | 5.8 KB |
| pagewalk.c | -rw-r--r-- | 8.4 KB |
| percpu-internal.h | -rw-r--r-- | 4.1 KB |
| percpu-km.c | -rw-r--r-- | 2.9 KB |
| percpu-stats.c | -rw-r--r-- | 5.0 KB |
| percpu-vm.c | -rw-r--r-- | 10.1 KB |
| percpu.c | -rw-r--r-- | 66.8 KB |
| pgtable-generic.c | -rw-r--r-- | 5.2 KB |
| process_vm_access.c | -rw-r--r-- | 10.1 KB |
| quicklist.c | -rw-r--r-- | 2.4 KB |
| readahead.c | -rw-r--r-- | 16.1 KB |
| rmap.c | -rw-r--r-- | 47.6 KB |
| rodata_test.c | -rw-r--r-- | 1.4 KB |
| shmem.c | -rw-r--r-- | 110.4 KB |
| slab.c | -rw-r--r-- | 110.2 KB |
| slab.h | -rw-r--r-- | 14.4 KB |
| slab_common.c | -rw-r--r-- | 34.3 KB |
| slob.c | -rw-r--r-- | 16.0 KB |
| slub.c | -rw-r--r-- | 140.6 KB |
| sparse-vmemmap.c | -rw-r--r-- | 8.2 KB |
| sparse.c | -rw-r--r-- | 22.8 KB |
| swap.c | -rw-r--r-- | 27.1 KB |
| swap_cgroup.c | -rw-r--r-- | 5.2 KB |
| swap_slots.c | -rw-r--r-- | 9.1 KB |
| swap_state.c | -rw-r--r-- | 14.8 KB |
| swapfile.c | -rw-r--r-- | 88.2 KB |
| truncate.c | -rw-r--r-- | 25.4 KB |
| usercopy.c | -rw-r--r-- | 7.5 KB |
| userfaultfd.c | -rw-r--r-- | 14.3 KB |
| util.c | -rw-r--r-- | 18.4 KB |
| vmacache.c | -rw-r--r-- | 3.2 KB |
| vmalloc.c | -rw-r--r-- | 70.3 KB |
| vmpressure.c | -rw-r--r-- | 14.3 KB |
| vmscan.c | -rw-r--r-- | 115.1 KB |
| vmstat.c | -rw-r--r-- | 47.5 KB |
| workingset.c | -rw-r--r-- | 18.2 KB |
| z3fold.c | -rw-r--r-- | 23.8 KB |
| zbud.c | -rw-r--r-- | 18.2 KB |
| zpool.c | -rw-r--r-- | 10.0 KB |
| zsmalloc.c | -rw-r--r-- | 59.0 KB |
| zswap.c | -rw-r--r-- | 32.8 KB |
Computing file changes ...
