git.proxmox.com Git - mirror_ubuntu-artful-kernel.git/commit

author	Takashi Iwai <tiwai@suse.de>
	Sun, 29 Oct 2017 10:02:04 +0000 (11:02 +0100)
committer	Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
	Thu, 16 Nov 2017 13:23:31 +0000 (11:23 -0200)
commit	cd1260d3e24bc797b5fb3b174cd7655e2e6435f1
tree	5f179ae3f57dc0fb93f6bfaf16d3f922346233b8	tree
parent	5812676ba30b040d172585944f78e9609503d706	commit \| diff

ALSA: timer: Add missing mutex lock for compat ioctls

BugLink: http://bugs.launchpad.net/bugs/1731971
commit 79fb0518fec8c8b4ea7f1729f54f293724b3dbb0 upstream.

The races among ioctl and other operations were protected by the
commit af368027a49a ("ALSA: timer: Fix race among timer ioctls") and
later fixes, but one code path was forgotten in the scenario: the
32bit compat ioctl. As syzkaller recently spotted, a very similar
use-after-free may happen with the combination of compat ioctls.

The fix is simply to apply the same ioctl_lock to the compat_ioctl
callback, too.

Fixes: af368027a49a ("ALSA: timer: Fix race among timer ioctls")
Reference: http://lkml.kernel.org/r/089e082686ac9b482e055c832617@google.com
Reported-by: syzbot <bot+e5f3c9783e7048a74233054febbe9f1bdf54b6da@syzkaller.appspotmail.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>