6.11-stable review patch. If anyone has any objections, please let me know.
------------------
From: Takashi Iwai <tiwai@xxxxxxx>
commit 20c0c49720dc4e205d4c1d64add56a5043c5ec5f upstream.
At the conversion of locking with guard(), I overlooked that kvfree()
must not be called inside the spinlock unlike kfree(), and this was
caught by syzkaller now.
This patch reverts the conversion partially for restoring the kvfree()
call outside the spinlock. It's not trivial to use guard() in this
context, unfortunately.
Fixes: 84bb065b316e ("ALSA: rawmidi: Use guard() for locking")
Reported-by: syzbot+351f8764833934c68836@xxxxxxxxxxxxxxxxxxxxxxxxx
Reported-by: Eric Dumazet <eric.dumazet@xxxxxxxxx>
Closes: https://lore.kernel.org/6744737b.050a0220.1cc393.007e.GAE@xxxxxxxxxx
Cc: <stable@xxxxxxxxxxxxxxx>
Link: https://patch.msgid.link/20241125142041.16578-1-tiwai@xxxxxxx
Signed-off-by: Takashi Iwai <tiwai@xxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
sound/core/rawmidi.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/sound/core/rawmidi.c b/sound/core/rawmidi.c
index 03306be5fa02..348ce1b7725e 100644
--- a/sound/core/rawmidi.c
+++ b/sound/core/rawmidi.c
@@ -724,8 +724,9 @@ static int resize_runtime_buffer(struct snd_rawmidi_substream *substream,
newbuf = kvzalloc(params->buffer_size, GFP_KERNEL);
if (!newbuf)
return -ENOMEM;
- guard(spinlock_irq)(&substream->lock);
+ spin_lock_irq(&substream->lock);
if (runtime->buffer_ref) {
+ spin_unlock_irq(&substream->lock);
kvfree(newbuf);
return -EBUSY;
}
@@ -733,6 +734,7 @@ static int resize_runtime_buffer(struct snd_rawmidi_substream *substream,
runtime->buffer = newbuf;
runtime->buffer_size = params->buffer_size;
__reset_runtime_ptrs(runtime, is_input);
+ spin_unlock_irq(&substream->lock);
kvfree(oldbuf);
}
runtime->avail_min = params->avail_min;
--
2.47.1
