On Thu, Oct 06, 2022 at 10:31:27AM -0700, Zubin Mithra wrote:
> From: Takashi Iwai <tiwai@xxxxxxx>
>
> commit 8423f0b6d513b259fdab9c9bf4aaa6188d054c2d upstream.
>
> There is a small race window at snd_pcm_oss_sync() that is called from
> OSS PCM SNDCTL_DSP_SYNC ioctl; namely the function calls
> snd_pcm_oss_make_ready() at first, then takes the params_lock mutex
> for the rest. When the stream is set up again by another thread
> between them, it leads to inconsistency, and may result in unexpected
> results such as NULL dereference of OSS buffer as a fuzzer spotted
> recently.
>
> The fix is simply to cover snd_pcm_oss_make_ready() call into the same
> params_lock mutex with snd_pcm_oss_make_ready_locked() variant.
>
> Reported-and-tested-by: butt3rflyh4ck <butterflyhuangxx@xxxxxxxxx>
> Reviewed-by: Jaroslav Kysela <perex@xxxxxxxx>
> Cc: <stable@xxxxxxxxxxxxxxx>
> Link: https://lore.kernel.org/r/CAFcO6XN7JDM4xSXGhtusQfS2mSBcx50VJKwQpCq=WeLt57aaZA@xxxxxxxxxxxxxx
> Link: https://lore.kernel.org/r/20220905060714.22549-1-tiwai@xxxxxxx
> Signed-off-by: Takashi Iwai <tiwai@xxxxxxx>
> Signed-off-by: Zubin Mithra <zsm@xxxxxxxxxx>
> ---
> Note:
> * 8423f0b6d513 is present in linux-5.15.y and linux-5.4.y; missing in
>   linux-5.10.y.
> * Backport addresses conflict due to surrounding context.
> * Tests run: build and boot.

Now queued up, thanks.

greg k-h