From: Takashi Iwai <tiwai@suse.de>
Date: Tue, 12 Jan 2016 14:36:27 +0000 (+0100)
Subject: ALSA: seq: Fix race at timer setup and close
X-Git-Tag: v4.1.12-92~150^2~384
X-Git-Url: https://www.infradead.org/git/?a=commitdiff_plain;h=47deab43356c899781f3e751ff908250066c0593;p=users%2Fjedix%2Flinux-maple.git

ALSA: seq: Fix race at timer setup and close

Orabug: 23330523

commit 3567eb6af614dac436c4b16a8d426f9faed639b3 upstream.

ALSA sequencer code has an open race between the timer setup ioctl and
the close of the client.  This was triggered by syzkaller fuzzer, and
a use-after-free was caught there as a result.

This patch papers over it by adding a proper queue->timer_mutex lock
around the timer-related calls in the relevant code path.

Reported-by: Dmitry Vyukov <dvyukov@google.com>
Tested-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

(cherry picked from commit 49c9eb3db86407868a664ade6da041fabeb457f8)

Signed-off-by: Dan Duval <dan.duval@oracle.com>
---

diff --git a/sound/core/seq/seq_queue.c b/sound/core/seq/seq_queue.c
index a0cda38205b97..77ec214203558 100644
--- a/sound/core/seq/seq_queue.c
+++ b/sound/core/seq/seq_queue.c
@@ -142,8 +142,10 @@ static struct snd_seq_queue *queue_new(int owner, int locked)
 static void queue_delete(struct snd_seq_queue *q)
 {
 	/* stop and release the timer */
+	mutex_lock(&q->timer_mutex);
 	snd_seq_timer_stop(q->timer);
 	snd_seq_timer_close(q);
+	mutex_unlock(&q->timer_mutex);
 	/* wait until access free */
 	snd_use_lock_sync(&q->use_lock);
 	/* release resources... */