Takashi Iwai f536bdb834 ALSA: timer: Fix incorrectly assigned timer instance
commit e7af6307a8 upstream.

The clean up commit 41672c0c24 ("ALSA: timer: Simplify error path in
snd_timer_open()") unified the error handling code paths with the
standard goto, but it introduced a subtle bug: the timer instance is
stored in snd_timer_open() incorrectly even if it returns an error.
This may eventually lead to UAF, as spotted by fuzzer.

The culprit is that the snd_timer_open() code checks the
SNDRV_TIMER_IFLG_EXCLUSIVE flag with the common variable timeri.
This variable is supposed to be the newly created instance, but we
(ab-)used it for a temporary check before the actual creation of a
timer instance.  After that point, there is another check for the max
number of instances, and it bails out if over the threshold.  Before
the refactoring above, it worked fine because the code returned
directly from that point.  After the refactoring, however, it jumps to
the unified error path that stores the timeri variable in return --
even if it returns an error.  Unfortunately this stored value is kept
in the caller side (snd_timer_user_tselect()) in tu->timeri.  This
causes inconsistency later, as if the timer was successfully
assigned.

In this patch, we fix it by not re-using timeri variable but a
temporary variable for testing the exclusive connection, so timeri
remains NULL at that point.

Fixes: 41672c0c24 ("ALSA: timer: Simplify error path in snd_timer_open()")
Reported-and-tested-by: Tristan Madani <tristmd@gmail.com>
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20191106165547.23518-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-11-12 19:17:57 +01:00
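
The control flow described in the commit message above, reduced to a user-space C model. This is an added example, not the kernel's code: `toy_timer`, `toy_inst`, `open_buggy`, `open_fixed` and `leaves_stale` are hypothetical names, and the caller's `slot` stands in for `tu->timeri`. It shows the unified error path handing the caller a pointer on a failed open, and the separate temporary keeping it NULL.

```c
#include <errno.h>
#include <stdlib.h>

/* Simplified stand-ins for illustration, not the kernel's structures. */
struct toy_inst { int exclusive; };
struct toy_timer { struct toy_inst *first_open; int num_instances, max_instances; };

/* Bug shape: timeri doubles as scratch for the exclusive check. */
int open_buggy(struct toy_timer *t, struct toy_inst **ti)
{
    struct toy_inst *timeri = t->first_open;   /* temporary (ab)use */
    int err = -EBUSY;
    if (timeri && timeri->exclusive) {
        timeri = NULL;
        goto unlock;
    }
    if (t->num_instances >= t->max_instances)
        goto unlock;                /* timeri still points at first_open */
    timeri = calloc(1, sizeof(*timeri));
    err = timeri ? 0 : -ENOMEM;
    t->num_instances += (timeri != NULL);
unlock:
    *ti = timeri;                   /* stored even when err != 0 */
    return err;
}

/* Fix shape: a separate temporary, so timeri is NULL on every bail-out. */
int open_fixed(struct toy_timer *t, struct toy_inst **ti)
{
    struct toy_inst *timeri = NULL, *first = t->first_open;
    int err = -EBUSY;
    if ((first && first->exclusive) || t->num_instances >= t->max_instances)
        goto unlock;
    timeri = calloc(1, sizeof(*timeri));
    err = timeri ? 0 : -ENOMEM;
    t->num_instances += (timeri != NULL);
unlock:
    *ti = timeri;
    return err;
}

/* Returns 1 if a failed open left a non-NULL pointer in the caller's slot. */
int leaves_stale(int (*open_fn)(struct toy_timer *, struct toy_inst **))
{
    struct toy_inst other = { 0 }, *slot = NULL;   /* slot models tu->timeri */
    struct toy_timer t = { &other, 1, 1 };         /* already at the limit */
    return open_fn(&t, &slot) == -EBUSY && slot != NULL;
}

int main(void) { return !(leaves_stale(open_buggy) && !leaves_stale(open_fixed)); }
```
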
arch powerpc/mm: Fixup tlbie vs mtpidr/mtlpidr ordering issue on POWER9 2019-11-10 11:25:42 +01:00
block blk-mq: move cancel of requeue_work to the front of blk_exit_queue 2019-10-05 12:47:37 +02:00
certs Replace magic for trusting the secondary keyring with #define 2018-09-09 19:55:54 +02:00
crypto crypto: skcipher - Unmap pages after an external error 2019-10-11 18:18:32 +02:00
Documentation x86/xen: Return from panic notifier 2019-11-06 12:43:13 +01:00
drivers qede: fix NULL pointer deref in __qede_remove() 2019-11-12 19:17:56 +01:00
firmware License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
fs cifs: Fix cifsInodeInfo lock_sem deadlock when reconnect occurs 2019-11-10 11:25:19 +01:00
include net: fix data-race in neigh_event_send() 2019-11-12 19:17:51 +01:00
init init: initialize jump labels before command line option parsing 2019-05-16 19:42:23 +02:00
ipc ipc/mqueue.c: only perform resource calculation if user valid 2019-08-06 19:05:24 +02:00
kernel sched/wake_q: Fix wakeup ordering for wake_q 2019-11-10 11:25:38 +01:00
lib kmemleak: increase DEBUG_KMEMLEAK_EARLY_LOG_SIZE default to 16K 2019-10-07 18:55:15 +02:00
mm hugetlbfs: don't access uninitialized memmaps in pfn_range_valid_gigantic() 2019-10-29 09:17:39 +01:00
net nfc: netlink: fix double device reference drop 2019-11-12 19:17:54 +01:00
samples samples, bpf: fix to change the buffer size for read() 2019-07-21 09:04:17 +02:00
scripts scripts/setlocalversion: Improve -dirty check with git-status --no-optional-locks 2019-11-06 12:42:55 +01:00
security ima: always return negative code for error 2019-10-11 18:18:37 +02:00
sound ALSA: timer: Fix incorrectly assigned timer instance 2019-11-12 19:17:57 +01:00
tools selftests/powerpc: Fix compile error on tlbie_test due to newer gcc 2019-11-10 11:25:42 +01:00
usr kbuild: clean compressed initramfs image 2019-10-07 18:55:14 +02:00
virt KVM: coalesced_mmio: add bounds checking 2019-09-21 07:15:28 +02:00
.cocciconfig
.get_maintainer.ignore
.gitattributes .gitattributes: set git diff driver for C source code files 2016-10-07 18:46:30 -07:00
.gitignore kbuild: rpm-pkg: keep spec file until make mrproper 2018-02-13 10:19:46 +01:00
.mailmap .mailmap: Add Maciej W. Rozycki's Imagination e-mail address 2017-11-10 12:16:15 -08:00
COPYING
CREDITS MAINTAINERS: update TPM driver infrastructure changes 2017-11-09 17:58:40 -08:00
Kbuild License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
Kconfig License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
MAINTAINERS USB: rio500: Remove Rio 500 kernel driver 2019-10-17 13:43:20 -07:00
Makefile Linux 4.14.153 2019-11-10 11:25:43 +01:00
README README: add a new README file, pointing to the Documentation/ 2016-10-24 08:12:35 -02:00

Linux kernel
============

This file was moved to Documentation/admin-guide/README.rst

Please notice that there are several guides for kernel developers and users.
These guides can be rendered in a number of formats, like HTML and PDF.

In order to build the documentation, use ``make htmldocs`` or
``make pdfdocs``.

There are various text files in the Documentation/ subdirectory,
several of them using the Restructured Text markup notation.
See Documentation/00-INDEX for a list of what is contained in each file.

Please read the Documentation/process/changes.rst file, as it contains the
requirements for building and running the kernel, and information about
the problems which may result by upgrading your kernel.