ACK: [precise, trusty, vivid] ALSA: pcm : Call kill_fasync() in stream lock
Colin Ian King
colin.king at canonical.com
Thu Dec 15 11:14:50 UTC 2016
On 15/12/16 11:08, Luis Henriques wrote:
> From: Takashi Iwai <tiwai at suse.de>
>
> Currently kill_fasync() is called outside the stream lock in
> snd_pcm_period_elapsed(). This is potentially racy, since the stream
> may get released even during the irq handler is running. Although
> snd_pcm_release_substream() calls snd_pcm_drop(), this doesn't
> guarantee that the irq handler finishes, thus the kill_fasync() call
> outside the stream spin lock may be invoked after the substream is
> detached, as recently reported by KASAN.
>
> As a quick workaround, move kill_fasync() call inside the stream
> lock. The fasync is rarely used interface, so this shouldn't have a
> big impact from the performance POV.
>
> Ideally, we should implement some sync mechanism for the proper finish
> of stream and irq handler. But this oneliner should suffice for most
> cases, so far.
>
> Reported-by: Baozeng Ding <sploving1 at gmail.com>
> Signed-off-by: Takashi Iwai <tiwai at suse.de>
> CVE-2016-9794
> (backported from commit 3aa02cb664c5fb1042958c8d1aa8c35055a2ebc4)
> [ luis: used Takashi's backport for upstream stable 3.12 ]
> Signed-off-by: Luis Henriques <luis.henriques at canonical.com>
> ---
> sound/core/pcm_lib.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/sound/core/pcm_lib.c b/sound/core/pcm_lib.c
> index 7f00d34f0abd..dfbca788fbbc 100644
> --- a/sound/core/pcm_lib.c
> +++ b/sound/core/pcm_lib.c
> @@ -1766,10 +1766,10 @@ void snd_pcm_period_elapsed(struct snd_pcm_substream *substream)
> if (substream->timer_running)
> snd_timer_interrupt(substream->timer, 1);
> _end:
> + kill_fasync(&runtime->fasync, SIGIO, POLL_IN);
> snd_pcm_stream_unlock_irqrestore(substream, flags);
> if (runtime->transfer_ack_end)
> runtime->transfer_ack_end(substream);
> - kill_fasync(&runtime->fasync, SIGIO, POLL_IN);
> }
>
> EXPORT_SYMBOL(snd_pcm_period_elapsed);
>
Looks sane to me.
Acked-by: Colin Ian King <colin.king at canonical.com>
More information about the kernel-team
mailing list