mirror of
https://github.com/AuxXxilium/linux_dsm_epyc7002.git
synced 2024-12-28 11:18:45 +07:00
d15d662e89
ALSA sequencer core initializes the event pool on demand by invoking snd_seq_pool_init() when the first write happens and the pool is empty. Meanwhile user can reset the pool size manually via ioctl concurrently, and this may lead to UAF or out-of-bound accesses since the function tries to vmalloc / vfree the buffer. A simple fix is to just wrap the snd_seq_pool_init() call with the recently introduced client->ioctl_mutex; as the calls for snd_seq_pool_init() from other side are always protected with this mutex, we can avoid the race. Reported-by: 范龙飞 <long7573@126.com> Cc: <stable@vger.kernel.org> Signed-off-by: Takashi Iwai <tiwai@suse.de> |
||
|---|---|---|
| .. | ||
| oss | ||
| seq | ||
| compress_offload.c | ||
| control_compat.c | ||
| control.c | ||
| ctljack.c | ||
| device.c | ||
| hrtimer.c | ||
| hwdep_compat.c | ||
| hwdep.c | ||
| info_oss.c | ||
| info.c | ||
| init.c | ||
| isadma.c | ||
| jack.c | ||
| Kconfig | ||
| Makefile | ||
| memalloc.c | ||
| memory.c | ||
| misc.c | ||
| pcm_compat.c | ||
| pcm_dmaengine.c | ||
| pcm_drm_eld.c | ||
| pcm_iec958.c | ||
| pcm_lib.c | ||
| pcm_local.h | ||
| pcm_memory.c | ||
| pcm_misc.c | ||
| pcm_native.c | ||
| pcm_param_trace.h | ||
| pcm_timer.c | ||
| pcm_trace.h | ||
| pcm.c | ||
| rawmidi_compat.c | ||
| rawmidi.c | ||
| seq_device.c | ||
| sgbuf.c | ||
| sound_oss.c | ||
| sound.c | ||
| timer_compat.c | ||
| timer.c | ||
| vmaster.c | ||