www.infradead.org Git - users/jedix/linux-maple.git/commit

author	Takashi Iwai <tiwai@suse.de>
	Sat, 30 Jan 2016 22:09:08 +0000 (23:09 +0100)
committer	Chuck Anderson <chuck.anderson@oracle.com>
	Thu, 26 May 2016 22:44:41 +0000 (15:44 -0700)
commit	ca7d0d7cf5a4ef912dfd5a3b76978584636a3630
tree	d15bb6612207539e75f2f39eca7c261ee2f3fdb1	tree
parent	944e097c357c7b126c4219d90287cabc02fcd2af	commit \| diff

ALSA: timer: Fix link corruption due to double start or stop

Orabug: 23330804

[ Upstream commit f784beb75ce82f4136f8a0960d3ee872f7109e09 ]

Although ALSA timer code got hardening for races, it still causes
use-after-free error.  This is however rather a corrupted linked list,
not actually the concurrent accesses.  Namely, when timer start is
triggered twice, list_add_tail() is called twice, too.  This ends
up with the link corruption and triggers KASAN error.

The simplest fix would be replacing list_add_tail() with
list_move_tail(), but fundamentally it's the problem that we don't
check the double start/stop correctly.  So, the right fix here is to
add the proper checks to snd_timer_start() and snd_timer_stop() (and
their variants).

BugLink: http://lkml.kernel.org/r/CACT4Y+ZyPRoMQjmawbvmCEDrkBD2BQuH7R09=eOkf5ESK8kJAw@mail.gmail.com
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
(cherry picked from commit b99c635faf56fa3cbd1cf61632418b06543dc145)

Signed-off-by: Dan Duval <dan.duval@oracle.com>