ALSA: seq: Fix race during FIFO resize
authorTakashi Iwai <tiwai@suse.de>
Fri, 24 Mar 2017 16:07:57 +0000 (17:07 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 8 Apr 2017 07:53:31 +0000 (09:53 +0200)
commita90d7447e4a154ad26e3b9e09a0878680be49339
tree7abe6b2ebecef1310beaed223f042e13461773c8
parent75a03869c93a443ae068eae9aca0c0df8b33dff5
ALSA: seq: Fix race during FIFO resize

commit 2d7d54002e396c180db0c800c1046f0a3c471597 upstream.

When a new event is queued while processing to resize the FIFO in
snd_seq_fifo_clear(), it may lead to a use-after-free, as the old pool
that is being queued gets removed.  For avoiding this race, we need to
close the pool to be deleted and sync its usage before actually
deleting it.

The issue was spotted by syzkaller.

Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
sound/core/seq/seq_fifo.c