linux/sound
Takashi Iwai a820ccbe21 ALSA: pcm: Fix UAF at PCM release via PCM timer access
The PCM runtime object is created and freed dynamically at PCM stream
open / close time.  This is tracked via substream->runtime, and it's
cleared at snd_pcm_detach_substream().

The runtime object assignment is protected by PCM open_mutex, so for
all PCM operations, it's safely handled.  However, each PCM substream
also provides an ALSA timer interface, and user-space can access
this while closing a PCM substream.  This may eventually lead to a
UAF, as snd_pcm_timer_resolution() tries to access the runtime while
clearing it on the other side.

Fortunately, it's the only concurrent access from the PCM timer, and
it merely reads runtime->timer_resolution field.  So, we can avoid the
race by reordering kfree() and wrapping the substream->runtime
clearance with the corresponding timer lock.

Reported-by: syzbot+8e62ff4e07aa2ce87826@syzkaller.appspotmail.com
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2018-04-03 08:36:40 +02:00
ac97 ALSA: ac97: kconfig: Remove select of undefined symbol AC97 2018-02-12 08:16:39 +01:00
aoa
arm
atmel
core ALSA: pcm: Fix UAF at PCM release via PCM timer access 2018-04-03 08:36:40 +02:00
drivers ALSA: aloop: Mark paused device as inactive 2018-03-27 08:00:28 +02:00
firewire vfs: do bulk POLL* -> EPOLL* replacement 2018-02-11 14:34:03 -08:00
hda ALSA: hda: Copying sync power state helper to core 2018-02-12 13:59:39 +01:00
i2c
isa
mips
oss vfs: do bulk POLL* -> EPOLL* replacement 2018-02-11 14:34:03 -08:00
parisc
pci Merge remote-tracking branch 'asoc/topic/intel' into asoc-next 2018-03-28 10:26:09 +08:00
pcmcia
ppc
sh
soc Merge remote-tracking branch 'asoc/topic/zx_aud96p22' into asoc-next 2018-03-28 10:32:03 +08:00
sparc
spi
synth
usb ALSA: usb-audio: silence a static checker warning 2018-03-29 11:08:04 +02:00
x86 ALSA: x86: Fix potential crash at error path 2018-02-28 08:46:00 +01:00
ac97_bus.c
Kconfig
last.c
Makefile
sound_core.c