git.baikalelectronics.ru Git - kernel.git/commit

author	Takashi Iwai <tiwai@suse.de>
	Tue, 3 Aug 2021 11:43:12 +0000 (13:43 +0200)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Thu, 12 Aug 2021 11:20:54 +0000 (13:20 +0200)
commit	169d757717283888c8c1767c138f7c1211736ea7
tree	caf8f17dc0aab2584823d2a340610f14d7244a35	tree \| snapshot
parent	f785c6a4b6510a52031f18d8d2f3f371848c711c	commit \| diff

ALSA: seq: Fix racy deletion of subscriber

commit 97367c97226aab8b298ada954ce12659ee3ad2a4 upstream.

It turned out that the current implementation of the port subscription
is racy.  The subscription contains two linked lists, and we have to
add to or delete from both lists.  Since both connection and
disconnection procedures perform the same order for those two lists
(i.e. src list, then dest list), when a deletion happens during a
connection procedure, the src list may be deleted before the dest list
addition completes, and this may lead to a use-after-free or an Oops,
even though the access to both lists are protected via mutex.

The simple workaround for this race is to change the access order for
the disconnection, namely, dest list, then src list.  This assures
that the connection has been established when disconnecting, and also
the concurrent deletion can be avoided.

Reported-and-tested-by: folkert <folkert@vanheusden.com>
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20210801182754.GP890690@belle.intranet.vanheusden.com
Link: https://lore.kernel.org/r/20210803114312.2536-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>