git.baikalelectronics.ru Git - kernel.git/commit

author	Takashi Iwai <tiwai@suse.de>
	Wed, 27 Mar 2019 16:02:40 +0000 (17:02 +0100)
committer	Takashi Iwai <tiwai@suse.de>
	Wed, 27 Mar 2019 16:02:40 +0000 (17:02 +0100)
commit	2387a7a8bab73f6715c0deac76d6f639b27f123c
tree	4f8f84f6136b49e11d4af723d6597898b9c943d8	tree \| snapshot
parent	ce7941162892e2fddf43ff0451b6c13a9ee74941	commit \| diff

ALSA: timer: Make snd_timer_close() really kill pending actions

snd_timer_close() is supposed to close the timer instance and sync
with the deactivation of pending actions.  However, there are still
some overlooked cases:

- It calls snd_timer_stop() at the beginning, but some other might
  re-trigger the timer right after that.

- snd_timer_stop() calls del_timer_sync() only when all belonging
  instances are closed.  If multiple instances were assigned to a
  timer object and one is closed, the timer is still running.  Then
  the pending action assigned to this timer might be left.

Actually either of the above is the likely cause of the reported
syzkaller UAF.

This patch plug these holes by introducing SNDRV_TIMER_IFLG_DEAD
flag.  This is set at the beginning of snd_timer_close(), and the flag
is checked at snd_timer_start*() and else, so that no longer new
action is left after snd_timer_close().

Reported-by: syzbot+d5136d4d3240cbe45a2a@syzkaller.appspotmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>