ANDROID: sound: rawmidi: Hold lock around realloc · 53769980
Daniel Rosenberg authored
    The SNDRV_RAWMIDI_STREAM_{OUTPUT,INPUT} ioctls may reallocate
    runtime->buffer while other kernel threads are accessing it.  If the
    underlying krealloc() call frees the original buffer, then this can turn
    into a use-after-free.
    
    Most of these accesses happen while the thread is holding runtime->lock,
    and can be fixed by just holding the same lock while replacing
    runtime->buffer; however, we can't hold this spinlock while
    snd_rawmidi_kernel_{read1,write1} are copying to/from userspace.  We
    need to add and acquire a new mutex to prevent this from happening
    concurrently with reallocation.  We hold this mutex during the entire
    reallocation process, to also prevent multiple concurrent reallocations
    leading to a double-free.
    Signed-off-by: Daniel Rosenberg <drosen@google.com>
    bug: 64315347
    Change-Id: I05764d4f1a38f373eb7c0ac1c98607ee5ff0eded
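The two-lock scheme the commit message describes, as an added userspace model that is not the kernel's rawmidi code: `lock` stands in for `runtime->lock` (a pthread mutex here instead of a spinlock) and guards the buffer pointer and fill level for short critical sections, while `realloc_mutex` stands in for the new mutex, held across the whole reallocation and by the copy-out path that cannot hold the spinlock while it copies. All type, field and function names (`midi_runtime`, `midi_runtime_resize`, `midi_runtime_read`, and so on) are hypothetical, and the old buffer is freed only after the pointer swap, so a reader holding `realloc_mutex` can never be left with a dangling pointer and two resizers can never free the same buffer twice.

```c
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of the locking scheme; not the kernel's struct. */
struct midi_runtime {
    pthread_mutex_t lock;          /* stands in for runtime->lock (spinlock) */
    pthread_mutex_t realloc_mutex; /* the new mutex: serialises realloc vs. copy paths */
    unsigned char *buffer;
    size_t buffer_size;
    size_t avail;                  /* bytes currently queued in buffer */
};

int midi_runtime_init(struct midi_runtime *rt, size_t size)
{
    rt->buffer = calloc(1, size);
    if (!rt->buffer)
        return -1;
    rt->buffer_size = size;
    rt->avail = 0;
    pthread_mutex_init(&rt->lock, NULL);
    pthread_mutex_init(&rt->realloc_mutex, NULL);
    return 0;
}

/* Replace the buffer with one of new_size bytes, keeping queued data.
 * realloc_mutex is held for the entire operation so no copy path can be
 * using the old buffer and no second resize can race us; the inner lock
 * covers the pointer swap against the short lock-holding accessors. */
int midi_runtime_resize(struct midi_runtime *rt, size_t new_size)
{
    unsigned char *newbuf, *oldbuf;
    size_t keep;

    pthread_mutex_lock(&rt->realloc_mutex);
    newbuf = malloc(new_size);
    if (!newbuf) {
        pthread_mutex_unlock(&rt->realloc_mutex);
        return -1;
    }

    pthread_mutex_lock(&rt->lock);
    keep = rt->avail < new_size ? rt->avail : new_size;
    memcpy(newbuf, rt->buffer, keep);
    oldbuf = rt->buffer;
    rt->buffer = newbuf;
    rt->buffer_size = new_size;
    rt->avail = keep;
    pthread_mutex_unlock(&rt->lock);

    free(oldbuf); /* only after the swap: nobody can still reach the old pointer */
    pthread_mutex_unlock(&rt->realloc_mutex);
    return 0;
}

/* Producer side (e.g. data arriving from the device): short lock only. */
size_t midi_runtime_push(struct midi_runtime *rt, const unsigned char *src, size_t len)
{
    size_t n;

    pthread_mutex_lock(&rt->lock);
    n = rt->buffer_size - rt->avail;
    if (len < n)
        n = len;
    memcpy(rt->buffer + rt->avail, src, n);
    rt->avail += n;
    pthread_mutex_unlock(&rt->lock);
    return n;
}

/* Copy-out path modelled on the kernel_read1 situation: the short lock is
 * dropped while copying, so realloc_mutex is what keeps rt->buffer alive. */
size_t midi_runtime_read(struct midi_runtime *rt, unsigned char *dst, size_t len)
{
    size_t n;

    pthread_mutex_lock(&rt->realloc_mutex);
    pthread_mutex_lock(&rt->lock);
    n = rt->avail < len ? rt->avail : len;
    pthread_mutex_unlock(&rt->lock);

    memcpy(dst, rt->buffer, n); /* buffer cannot be replaced or freed here */

    pthread_mutex_lock(&rt->lock);
    memmove(rt->buffer, rt->buffer + n, rt->avail - n); /* avail only grew meanwhile */
    rt->avail -= n;
    pthread_mutex_unlock(&rt->lock);
    pthread_mutex_unlock(&rt->realloc_mutex);
    return n;
}

/* Constructed scenario: fill a 4-byte buffer, grow it to 16 (keeping the
 * queued bytes), push the rest, and read everything back. Returns bytes read. */
size_t demo(unsigned char out[8])
{
    struct midi_runtime rt;
    unsigned char in[8] = { 1, 2, 3, 4, 5, 6, 7, 8 };
    size_t n;

    if (midi_runtime_init(&rt, 4))
        return 0;
    midi_runtime_push(&rt, in, 8);      /* only 4 fit */
    midi_runtime_resize(&rt, 16);       /* the 4 queued bytes survive */
    midi_runtime_push(&rt, in + 4, 4);  /* now 8 queued */
    n = midi_runtime_read(&rt, out, 8);
    free(rt.buffer);
    return n;
}

int main(void)
{
    unsigned char out[8] = { 0 };
    size_t n = demo(out);
    printf("read %zu bytes, first=%u last=%u\n", n, out[0], out[7]);
    return 0;
}
```

The ordering inside `midi_runtime_resize` is the point: allocate first, swap the pointer under the short lock, and free the old buffer only afterwards while still holding `realloc_mutex`. Any path that reads the buffer without the short lock must take `realloc_mutex`, and any path that resizes must take both, in that order, to avoid lock inversion.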