diff options
| author | Takashi Iwai <tiwai@suse.de> | 2019-03-27 17:02:40 +0100 |
|---|---|---|
| committer | Takashi Iwai <tiwai@suse.de> | 2019-03-27 17:02:40 +0100 |
| commit | fe1b26c93d430400ac37d820425e2468218ae8b2 (patch) | |
| tree | 4f8f84f6136b49e11d4af723d6597898b9c943d8 /include/sound | |
| parent | a7588c896b05444929ecb3d0115481988720abf6 (diff) | |
ALSA: timer: Make snd_timer_close() really kill pending actions
snd_timer_close() is supposed to close the timer instance and sync
with the deactivation of pending actions. However, there are still
some overlooked cases:
- It calls snd_timer_stop() at the beginning, but some other might
re-trigger the timer right after that.
- snd_timer_stop() calls del_timer_sync() only when all belonging
instances are closed. If multiple instances were assigned to a
timer object and one is closed, the timer is still running. Then
the pending action assigned to this timer might be left.
Actually either of the above is the likely cause of the reported
syzkaller UAF.
This patch plug these holes by introducing SNDRV_TIMER_IFLG_DEAD
flag. This is set at the beginning of snd_timer_close(), and the flag
is checked at snd_timer_start*() and else, so that no longer new
action is left after snd_timer_close().
Reported-by: syzbot+d5136d4d3240cbe45a2a@syzkaller.appspotmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Diffstat (limited to 'include/sound')
0 files changed, 0 insertions, 0 deletions