mirror of
https://github.com/AuxXxilium/linux_dsm_epyc7002.git
synced 2025-02-26 12:08:52 +07:00
8f22e52528
The sequencer virmidi code has an open race at its output trigger callback: namely, virmidi keeps only one event packet for processing while it doesn't protect for concurrent output trigger calls. snd_virmidi_output_trigger() tries to process the previously unfinished event before starting encoding the given MIDI stream, but this is done without any lock. Meanwhile, if another rawmidi stream starts the output trigger, this proceeds further, and overwrites the event package that is being processed in another thread. This eventually corrupts and may lead to the invalid memory access if the event type is like SYSEX. The fix is just to move the spinlock to cover both the pending event and the new stream. The bug was spotted by a new fuzzer, RaceFuzzer. BugLink: http://lkml.kernel.org/r/20180426045223.GA15307@dragonet.kaist.ac.kr Reported-by: DaeRyong Jeong <threeearcat@gmail.com> Cc: <stable@vger.kernel.org> Signed-off-by: Takashi Iwai <tiwai@suse.de> |
||
|---|---|---|
| .. | ||
| oss | ||
| Kconfig | ||
| Makefile | ||
| seq_clientmgr.c | ||
| seq_clientmgr.h | ||
| seq_compat.c | ||
| seq_dummy.c | ||
| seq_fifo.c | ||
| seq_fifo.h | ||
| seq_info.c | ||
| seq_info.h | ||
| seq_lock.c | ||
| seq_lock.h | ||
| seq_memory.c | ||
| seq_memory.h | ||
| seq_midi_emul.c | ||
| seq_midi_event.c | ||
| seq_midi.c | ||
| seq_ports.c | ||
| seq_ports.h | ||
| seq_prioq.c | ||
| seq_prioq.h | ||
| seq_queue.c | ||
| seq_queue.h | ||
| seq_system.c | ||
| seq_system.h | ||
| seq_timer.c | ||
| seq_timer.h | ||
| seq_virmidi.c | ||
| seq.c | ||