This is a note to let you know that I've just added the patch titled
ALSA: seq: Fix race at closing in virmidi driver
to the 3.14-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
alsa-seq-fix-race-at-closing-in-virmidi-driver.patch
and it can be found in the queue-3.14 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.
>From 2d1b5c08366acd46c35a2e9aba5d650cb5bf5c19 Mon Sep 17 00:00:00 2001
From: Takashi Iwai <tiwai@xxxxxxx>
Date: Mon, 1 Feb 2016 12:06:42 +0100
Subject: ALSA: seq: Fix race at closing in virmidi driver
From: Takashi Iwai <tiwai@xxxxxxx>
commit 2d1b5c08366acd46c35a2e9aba5d650cb5bf5c19 upstream.
The virmidi driver has an open race at closing its assigned rawmidi
device, and this may lead to use-after-free in
snd_seq_deliver_single_event().
Plug the hole by properly protecting the linked list deletion and
calling in the right order in snd_virmidi_input_close().
BugLink: http://lkml.kernel.org/r/CACT4Y+Zd66+w12fNN85-425cVQT=K23kWbhnCEcMB8s3us-Frw@xxxxxxxxxxxxxx
Reported-by: Dmitry Vyukov <dvyukov@xxxxxxxxxx>
Tested-by: Dmitry Vyukov <dvyukov@xxxxxxxxxx>
Signed-off-by: Takashi Iwai <tiwai@xxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
sound/core/seq/seq_virmidi.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
--- a/sound/core/seq/seq_virmidi.c
+++ b/sound/core/seq/seq_virmidi.c
@@ -254,9 +254,13 @@ static int snd_virmidi_output_open(struc
*/
static int snd_virmidi_input_close(struct snd_rawmidi_substream *substream)
{
+ struct snd_virmidi_dev *rdev = substream->rmidi->private_data;
struct snd_virmidi *vmidi = substream->runtime->private_data;
- snd_midi_event_free(vmidi->parser);
+
+ write_lock_irq(&rdev->filelist_lock);
list_del(&vmidi->list);
+ write_unlock_irq(&rdev->filelist_lock);
+ snd_midi_event_free(vmidi->parser);
substream->runtime->private_data = NULL;
kfree(vmidi);
return 0;
Patches currently in stable-queue which might be from tiwai@xxxxxxx are
queue-3.14/alsa-seq-fix-race-at-closing-in-virmidi-driver.patch
queue-3.14/alsa-rawmidi-remove-kernel-warning-for-null-user-space-buffer-check.patch
queue-3.14/alsa-hda-fix-static-checker-warning-in-patch_hdmi.c.patch
queue-3.14/alsa-seq-fix-lockdep-warnings-due-to-double-mutex-locks.patch
queue-3.14/alsa-usb-audio-fix-teac-ud-501-ud-503-nt-503-usb-delay.patch
queue-3.14/alsa-timer-fix-wrong-instance-passed-to-slave-callbacks.patch
queue-3.14/alsa-compress-disable-get_codec_caps-ioctl-for-some-architectures.patch
queue-3.14/alsa-hda-fix-speaker-output-from-vaio-aio-machines.patch
queue-3.14/alsa-dummy-implement-timer-backend-switching-more-safely.patch
queue-3.14/alsa-dummy-disable-switching-timer-backend-via-sysfs.patch
queue-3.14/alsa-seq-fix-incorrect-sanity-check-at-snd_seq_oss_synth_cleanup.patch
queue-3.14/alsa-seq-fix-yet-another-races-among-alsa-timer-accesses.patch
queue-3.14/alsa-usb-audio-avoid-freeing-umidi-object-twice.patch
queue-3.14/alsa-hda-add-fixup-for-mac-mini-7-1-model.patch
queue-3.14/alsa-timer-fix-leftover-link-at-closing.patch
queue-3.14/alsa-rawmidi-fix-race-at-copying-updating-the-position.patch
queue-3.14/alsa-pcm-fix-potential-deadlock-in-oss-emulation.patch
queue-3.14/alsa-timer-fix-link-corruption-due-to-double-start-or-stop.patch
--
To unsubscribe from this list: send the line "unsubscribe stable" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html