From: Dmitry Vyukov <dvyukov@google.com>
To: Jaroslav Kysela <perex@perex.cz>, Takashi Iwai <tiwai@suse.com>,
	Jie Yang <yang.jie@intel.com>, Mark Brown <broonie@kernel.org>,
	alsa-devel@alsa-project.org, LKML <linux-kernel@vger.kernel.org>
Subject: sound: use-after-free in snd_timer_notify1
Date: Sun, 24 Jan 2016 11:10:33 +0100
Message-ID: <CACT4Y+Z6RzW5MBr-HUdV-8zwg71WQfKTdPpYGvOeS7v4cyurNQ@mail.gmail.com>

Hello,

The following program causes a use-after-free in snd_timer_notify1:

==================================================================
BUG: KASAN: use-after-free in snd_timer_notify1+0x411/0x460 at addr
ffff880035a433e0
Read of size 8 by task syz-executor/11116
=============================================================================
BUG kmalloc-256 (Not tainted): kasan: bad access detected
-----------------------------------------------------------------------------

INFO: Allocated in snd_timer_instance_new+0x52/0x3a0 age=1 cpu=1 pid=11106
[<     inline     >] kzalloc include/linux/slab.h:607
[<      none      >] snd_timer_instance_new+0x52/0x3a0 sound/core/timer.c:105
[<      none      >] snd_timer_open+0x522/0xce0 sound/core/timer.c:288
[<      none      >] snd_seq_timer_open+0x223/0x560
sound/core/seq/seq_timer.c:279
[<      none      >] snd_seq_queue_use+0x147/0x230
sound/core/seq/seq_queue.c:528
[<      none      >] snd_seq_queue_alloc+0x36a/0x4d0
sound/core/seq/seq_queue.c:199
[<      none      >] snd_seq_ioctl_create_queue+0xdb/0x2b0
sound/core/seq/seq_clientmgr.c:1536
[<      none      >] snd_seq_do_ioctl+0x19d/0x1c0
sound/core/seq/seq_clientmgr.c:2209
[<      none      >] snd_seq_ioctl+0x54/0xa0 sound/core/seq/seq_clientmgr.c:2224
[<     inline     >] vfs_ioctl fs/ioctl.c:43
[<      none      >] do_vfs_ioctl+0x18c/0xfb0 fs/ioctl.c:674
[<     inline     >] SYSC_ioctl fs/ioctl.c:689
[<      none      >] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:680
[<      none      >] entry_SYSCALL_64_fastpath+0x16/0x7a
arch/x86/entry/entry_64.S:185

INFO: Freed in snd_timer_close+0x3a8/0x700 age=19 cpu=3 pid=11114
[<      none      >] kfree+0x2b7/0x2e0 mm/slub.c:3664
[<      none      >] snd_timer_close+0x3a8/0x700 sound/core/timer.c:368
[<      none      >] snd_seq_timer_close+0x97/0x130
sound/core/seq/seq_timer.c:312
[<      none      >] snd_seq_queue_timer_close+0x28/0x50
sound/core/seq/seq_queue.c:475
[<      none      >] snd_seq_ioctl_set_queue_timer+0x159/0x300
sound/core/seq/seq_clientmgr.c:1809
[<      none      >] snd_seq_do_ioctl+0x19d/0x1c0
sound/core/seq/seq_clientmgr.c:2209
[<      none      >] snd_seq_ioctl+0x54/0xa0 sound/core/seq/seq_clientmgr.c:2224
[<     inline     >] vfs_ioctl fs/ioctl.c:43
[<      none      >] do_vfs_ioctl+0x18c/0xfb0 fs/ioctl.c:674
[<     inline     >] SYSC_ioctl fs/ioctl.c:689
[<      none      >] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:680
[<      none      >] entry_SYSCALL_64_fastpath+0x16/0x7a
arch/x86/entry/entry_64.S:185

INFO: Slab 0xffffea0000d69000 objects=22 used=16 fp=0xffff880035a42d80
flags=0x1fffc0000004080
INFO: Object 0xffff880035a43330 @offset=13104 fp=0xffff880064ccee20
CPU: 0 PID: 11116 Comm: syz-executor Tainted: G    B           4.4.0+ #276
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
 00000000ffffffff ffff880064bcf560 ffffffff82999e2d ffff88003e807000
 ffff880035a43330 ffff880035a40000 ffff880064bcf590 ffffffff81757354
 ffff88003e807000 ffffea0000d69000 ffff880035a43330 ffff880064bcf718

Call Trace:
 [<ffffffff817609ee>] __asan_report_load8_noabort+0x3e/0x40
mm/kasan/report.c:295
 [<ffffffff84f40da1>] snd_timer_notify1+0x411/0x460 sound/core/timer.c:416
 [<ffffffff84f41025>] _snd_timer_stop+0x235/0x5c0 sound/core/timer.c:524
 [<ffffffff84f41d3a>] snd_timer_pause+0x1a/0x20 sound/core/timer.c:583
 [<     inline     >] snd_seq_timer_stop sound/core/seq/seq_timer.c:325
 [<ffffffff84fc1658>] snd_seq_timer_start+0x148/0x1a0
sound/core/seq/seq_timer.c:366
 [<     inline     >] snd_seq_queue_process_event sound/core/seq/seq_queue.c:687
 [<ffffffff84fbc344>] snd_seq_control_queue+0x304/0x8b0
sound/core/seq/seq_queue.c:748
 [<ffffffff84fc1da5>] event_input_timer+0x25/0x30
sound/core/seq/seq_system.c:118
 [<ffffffff84fb4c14>]
snd_seq_deliver_single_event.constprop.11+0x3f4/0x740
sound/core/seq/seq_clientmgr.c:634
 [<ffffffff84fb5082>] snd_seq_deliver_event+0x122/0x800
sound/core/seq/seq_clientmgr.c:828
 [<ffffffff84fb65a9>] snd_seq_dispatch_event+0xf9/0x510
sound/core/seq/seq_clientmgr.c:902
 [<ffffffff84fba85b>] snd_seq_check_queue+0x3fb/0x560
sound/core/seq/seq_queue.c:293
 [<ffffffff84fbac0d>] snd_seq_enqueue_event+0x24d/0x400
sound/core/seq/seq_queue.c:357
 [<ffffffff84fb5974>] snd_seq_client_enqueue_event+0x214/0x430
sound/core/seq/seq_clientmgr.c:961
 [<ffffffff84fb5e7f>] snd_seq_write+0x2ef/0x570
sound/core/seq/seq_clientmgr.c:1075
 [<ffffffff817b0323>] __vfs_write+0x113/0x480 fs/read_write.c:528
 [<ffffffff817b1db7>] vfs_write+0x167/0x4a0 fs/read_write.c:577
 [<     inline     >] SYSC_write fs/read_write.c:624
 [<ffffffff817b50a1>] SyS_write+0x111/0x220 fs/read_write.c:616
 [<ffffffff86336c36>] entry_SYSCALL_64_fastpath+0x16/0x7a
arch/x86/entry/entry_64.S:185
==================================================================
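A small triage helper for reports in this shape, added here as an example and not part of the original mail: it parses the BUG/Read header, the SLUB "Allocated in"/"Freed in" tracks and the Call Trace, and reports which task and entry point allocated, freed and used the object, so the cross-task race is visible at a glance. The embedded excerpt is a constructed subset of the report above with the mailer's line wrapping undone.

```python
# Added triage helper for KASAN use-after-free reports like the one above (not part of
# the original mail): it recovers who allocated, freed and used the object.
import re

# Constructed excerpt of the report above, with the mailer's line wrapping undone.
SAMPLE = """\
BUG: KASAN: use-after-free in snd_timer_notify1+0x411/0x460 at addr ffff880035a433e0
Read of size 8 by task syz-executor/11116
INFO: Allocated in snd_timer_instance_new+0x52/0x3a0 age=1 cpu=1 pid=11106
[<     inline     >] kzalloc include/linux/slab.h:607
[<      none      >] snd_seq_ioctl_create_queue+0xdb/0x2b0 sound/core/seq/seq_clientmgr.c:1536
INFO: Freed in snd_timer_close+0x3a8/0x700 age=19 cpu=3 pid=11114
[<      none      >] kfree+0x2b7/0x2e0 mm/slub.c:3664
[<      none      >] snd_seq_ioctl_set_queue_timer+0x159/0x300 sound/core/seq/seq_clientmgr.c:1809
Call Trace:
 [<ffffffff84f40da1>] snd_timer_notify1+0x411/0x460 sound/core/timer.c:416
 [<ffffffff84fb5e7f>] snd_seq_write+0x2ef/0x570 sound/core/seq/seq_clientmgr.c:1075
"""

BUG_RE = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>\w+)\+\S+ at addr (?P<addr>[0-9a-f]+)")
ACCESS_RE = re.compile(r"(?P<op>Read|Write) of size (?P<size>\d+) by task (?P<task>\S+)/(?P<pid>\d+)")
TRACK_RE = re.compile(r"INFO: (?P<what>Allocated|Freed) in (?P<func>\w+)\+\S+ age=(?P<age>\d+) cpu=(?P<cpu>\d+) pid=(?P<pid>\d+)")
# One pattern covers SLUB track frames ("[< none >]", "[< inline >]") and Call Trace frames.
FRAME_RE = re.compile(r"^\s*\[<\s*(?:none|inline|[0-9a-f]+)\s*>\]\s+(?P<func>[\w.]+)(?:\+\S+)?\s+(?P<loc>\S+:\d+)")

def parse_kasan(report):
    """Parse one KASAN report into header fields plus the alloc, free and use stacks."""
    out, section = {"alloc": None, "free": None, "trace": []}, None
    for line in report.splitlines():
        if m := BUG_RE.search(line):
            out.update(kind=m["kind"], func=m["func"], addr=int(m["addr"], 16))
        elif m := ACCESS_RE.search(line):
            out.update(op=m["op"], size=int(m["size"]), task=m["task"], pid=int(m["pid"]))
        elif m := TRACK_RE.search(line):
            section = "alloc" if m["what"] == "Allocated" else "free"
            out[section] = {"func": m["func"], "age": int(m["age"]), "cpu": int(m["cpu"]),
                            "pid": int(m["pid"]), "frames": []}
        elif line.startswith("Call Trace"):
            section = "trace"
        elif section and (m := FRAME_RE.match(line)):
            frames = out["trace"] if section == "trace" else out[section]["frames"]
            frames.append((m["func"], m["loc"]))  # (function, file:line), innermost first
    return out

def triage(parsed):
    """Lifecycle summary: the outermost frame is the entry point; distinct pids mean a race."""
    alloc, free = parsed["alloc"], parsed["free"]
    return {
        "bug": f'{parsed["kind"]} in {parsed["func"]}, {parsed["op"].lower()} of {parsed["size"]} bytes',
        "allocated_by": (alloc["pid"], alloc["frames"][-1][0]),
        "freed_by": (free["pid"], free["frames"][-1][0]),
        "used_by": (parsed["pid"], parsed["trace"][-1][0]),
        "free_age_jiffies": free["age"],  # SLUB's age of the free event, in jiffies
        "tasks_involved": len({alloc["pid"], free["pid"], parsed["pid"]}),
    }
```

On the excerpt above, `triage(parse_kasan(SAMPLE))` shows three different pids (11106 allocated via SNDRV_SEQ create-queue, 11114 freed via set-queue-timer, 11116 used via write), i.e. separate sequencer clients racing on one timer instance.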



// autogenerated by syzkaller (http://github.com/google/syzkaller)
// Reproducer as posted. The three syscalls below follow the paths in the KASAN
// report above: create a sequencer queue (allocates the timer instance), set the
// queue timer (frees it), then write an event that drives the queue timer
// through the stale instance.
#include <fcntl.h>      /* declares open(); the generated program omitted it */
#include <pthread.h>
#include <stdint.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

long r[254];

int main()
{
  memset(r, -1, sizeof(r));
  r[0] = syscall(SYS_mmap, 0x20000000ul, 0x1c000ul, 0x3ul, 0x32ul,
                 0xfffffffffffffffful, 0x0ul);
  r[2] = open("/dev/snd/seq", 0x1ul, 0, 0, 0);
  *(uint32_t*)0x20006000 = (uint32_t)0xffffffffffffffff;
  *(uint32_t*)0x20006004 = (uint32_t)0x10000;
  *(uint32_t*)0x20006008 = (uint32_t)0x2;
  *(uint8_t*)0x2000600c = (uint8_t)0x7;
  *(uint8_t*)0x2000600d = (uint8_t)0x2;
  *(uint8_t*)0x2000600e = (uint8_t)0xec0;
  *(uint8_t*)0x2000600f = (uint8_t)0x4;
  *(uint8_t*)0x20006010 = (uint8_t)0x7;
  *(uint8_t*)0x20006011 = (uint8_t)0x9;
  *(uint8_t*)0x20006012 = (uint8_t)0x80000000;
  *(uint8_t*)0x20006013 = (uint8_t)0x2;
  *(uint8_t*)0x20006014 = (uint8_t)0x2;
  *(uint8_t*)0x20006015 = (uint8_t)0x3;
  *(uint8_t*)0x20006016 = (uint8_t)0x8;
  *(uint8_t*)0x20006017 = (uint8_t)0x9;
  *(uint8_t*)0x20006018 = (uint8_t)0x4;
  *(uint8_t*)0x20006019 = (uint8_t)0xffffffffffffff5c;
  *(uint8_t*)0x2000601a = (uint8_t)0x5ab;
  *(uint8_t*)0x2000601b = (uint8_t)0x4;
  *(uint8_t*)0x2000601c = (uint8_t)0x0;
  *(uint8_t*)0x2000601d = (uint8_t)0x38;
  *(uint8_t*)0x2000601e = (uint8_t)0x9d;
  *(uint8_t*)0x2000601f = (uint8_t)0x8;
  *(uint8_t*)0x20006020 = (uint8_t)0x3;
  *(uint8_t*)0x20006021 = (uint8_t)0x47221059;
  *(uint8_t*)0x20006022 = (uint8_t)0x400;
  *(uint8_t*)0x20006023 = (uint8_t)0x1000;
  *(uint8_t*)0x20006024 = (uint8_t)0x2;
  *(uint8_t*)0x20006025 = (uint8_t)0x3;
  *(uint8_t*)0x20006026 = (uint8_t)0x3;
  *(uint8_t*)0x20006027 = (uint8_t)0x80000000;
  *(uint8_t*)0x20006028 = (uint8_t)0x5;
  *(uint8_t*)0x20006029 = (uint8_t)0x200;
  *(uint8_t*)0x2000602a = (uint8_t)0x1;
  *(uint8_t*)0x2000602b = (uint8_t)0x30;
  *(uint8_t*)0x2000602c = (uint8_t)0x4;
  *(uint8_t*)0x2000602d = (uint8_t)0x0;
  *(uint8_t*)0x2000602e = (uint8_t)0x3;
  *(uint8_t*)0x2000602f = (uint8_t)0xffffffff8a5c645b;
  *(uint8_t*)0x20006030 = (uint8_t)0x4;
  *(uint8_t*)0x20006031 = (uint8_t)0x1;
  *(uint8_t*)0x20006032 = (uint8_t)0x3ff;
  *(uint8_t*)0x20006033 = (uint8_t)0x200;
  *(uint8_t*)0x20006034 = (uint8_t)0x3;
  *(uint8_t*)0x20006035 = (uint8_t)0xea3e;
  *(uint8_t*)0x20006036 = (uint8_t)0x9;
  *(uint8_t*)0x20006037 = (uint8_t)0x200;
  *(uint8_t*)0x20006038 = (uint8_t)0x0;
  *(uint8_t*)0x20006039 = (uint8_t)0x5;
  *(uint8_t*)0x2000603a = (uint8_t)0xfdc;
  *(uint8_t*)0x2000603b = (uint8_t)0x1000;
  *(uint8_t*)0x2000603c = (uint8_t)0x467;
  *(uint8_t*)0x2000603d = (uint8_t)0xea;
  *(uint8_t*)0x2000603e = (uint8_t)0x40;
  *(uint8_t*)0x2000603f = (uint8_t)0x9e98;
  *(uint8_t*)0x20006040 = (uint8_t)0x7;
  *(uint8_t*)0x20006041 = (uint8_t)0x7;
  *(uint8_t*)0x20006042 = (uint8_t)0x0;
  *(uint8_t*)0x20006043 = (uint8_t)0x20;
  *(uint8_t*)0x20006044 = (uint8_t)0x1;
  *(uint8_t*)0x20006045 = (uint8_t)0x4;
  *(uint8_t*)0x20006046 = (uint8_t)0x2;
  *(uint8_t*)0x20006047 = (uint8_t)0x9;
  *(uint8_t*)0x20006048 = (uint8_t)0x5;
  *(uint8_t*)0x20006049 = (uint8_t)0x6;
  *(uint8_t*)0x2000604a = (uint8_t)0x8f2;
  *(uint8_t*)0x2000604b = (uint8_t)0x0;
  *(uint32_t*)0x2000604c = (uint32_t)0x6;
  *(uint8_t*)0x20006050 = (uint8_t)0x0;
  *(uint8_t*)0x20006051 = (uint8_t)0x0;
  *(uint8_t*)0x20006052 = (uint8_t)0x0;
  *(uint8_t*)0x20006053 = (uint8_t)0x0;
  *(uint8_t*)0x20006054 = (uint8_t)0x0;
  *(uint8_t*)0x20006055 = (uint8_t)0x0;
  *(uint8_t*)0x20006056 = (uint8_t)0x0;
  *(uint8_t*)0x20006057 = (uint8_t)0x0;
  *(uint8_t*)0x20006058 = (uint8_t)0x0;
  *(uint8_t*)0x20006059 = (uint8_t)0x0;
  *(uint8_t*)0x2000605a = (uint8_t)0x0;
  *(uint8_t*)0x2000605b = (uint8_t)0x0;
  *(uint8_t*)0x2000605c = (uint8_t)0x0;
  *(uint8_t*)0x2000605d = (uint8_t)0x0;
  *(uint8_t*)0x2000605e = (uint8_t)0x0;
  *(uint8_t*)0x2000605f = (uint8_t)0x0;
  *(uint8_t*)0x20006060 = (uint8_t)0x0;
  *(uint8_t*)0x20006061 = (uint8_t)0x0;
  *(uint8_t*)0x20006062 = (uint8_t)0x0;
  *(uint8_t*)0x20006063 = (uint8_t)0x0;
  *(uint8_t*)0x20006064 = (uint8_t)0x0;
  *(uint8_t*)0x20006065 = (uint8_t)0x0;
  *(uint8_t*)0x20006066 = (uint8_t)0x0;
  *(uint8_t*)0x20006067 = (uint8_t)0x0;
  *(uint8_t*)0x20006068 = (uint8_t)0x0;
  *(uint8_t*)0x20006069 = (uint8_t)0x0;
  *(uint8_t*)0x2000606a = (uint8_t)0x0;
  *(uint8_t*)0x2000606b = (uint8_t)0x0;
  *(uint8_t*)0x2000606c = (uint8_t)0x0;
  *(uint8_t*)0x2000606d = (uint8_t)0x0;
  *(uint8_t*)0x2000606e = (uint8_t)0x0;
  *(uint8_t*)0x2000606f = (uint8_t)0x0;
  *(uint8_t*)0x20006070 = (uint8_t)0x0;
  *(uint8_t*)0x20006071 = (uint8_t)0x0;
  *(uint8_t*)0x20006072 = (uint8_t)0x0;
  *(uint8_t*)0x20006073 = (uint8_t)0x0;
  *(uint8_t*)0x20006074 = (uint8_t)0x0;
  *(uint8_t*)0x20006075 = (uint8_t)0x0;
  *(uint8_t*)0x20006076 = (uint8_t)0x0;
  *(uint8_t*)0x20006077 = (uint8_t)0x0;
  *(uint8_t*)0x20006078 = (uint8_t)0x0;
  *(uint8_t*)0x20006079 = (uint8_t)0x0;
  *(uint8_t*)0x2000607a = (uint8_t)0x0;
  *(uint8_t*)0x2000607b = (uint8_t)0x0;
  *(uint8_t*)0x2000607c = (uint8_t)0x0;
  *(uint8_t*)0x2000607d = (uint8_t)0x0;
  *(uint8_t*)0x2000607e = (uint8_t)0x0;
  *(uint8_t*)0x2000607f = (uint8_t)0x0;
  *(uint8_t*)0x20006080 = (uint8_t)0x0;
  *(uint8_t*)0x20006081 = (uint8_t)0x0;
  *(uint8_t*)0x20006082 = (uint8_t)0x0;
  *(uint8_t*)0x20006083 = (uint8_t)0x0;
  *(uint8_t*)0x20006084 = (uint8_t)0x0;
  *(uint8_t*)0x20006085 = (uint8_t)0x0;
  *(uint8_t*)0x20006086 = (uint8_t)0x0;
  *(uint8_t*)0x20006087 = (uint8_t)0x0;
  *(uint8_t*)0x20006088 = (uint8_t)0x0;
  *(uint8_t*)0x20006089 = (uint8_t)0x0;
  *(uint8_t*)0x2000608a = (uint8_t)0x0;
  *(uint8_t*)0x2000608b = (uint8_t)0x0;
  r[131] =
      syscall(SYS_ioctl, r[2], 0xc08c5332ul, 0x20006000ul, 0, 0, 0);
  *(uint32_t*)0x20006fd7 = (uint32_t)0x0;
  *(uint32_t*)0x20006fdb = (uint32_t)0x0;
  *(uint32_t*)0x20006fdf = (uint32_t)0x6;
  *(uint32_t*)0x20006fe3 = (uint32_t)0x81;
  *(uint32_t*)0x20006fe7 = (uint32_t)0x7;
  *(uint32_t*)0x20006feb = (uint32_t)0x9;
  *(uint32_t*)0x20006fef = (uint32_t)0x401;
  *(uint8_t*)0x20006ff3 = (uint8_t)0x0;
  *(uint8_t*)0x20006ff4 = (uint8_t)0x0;
  *(uint8_t*)0x20006ff5 = (uint8_t)0x0;
  *(uint8_t*)0x20006ff6 = (uint8_t)0x0;
  *(uint8_t*)0x20006ff7 = (uint8_t)0x0;
  *(uint8_t*)0x20006ff8 = (uint8_t)0x0;
  *(uint8_t*)0x20006ff9 = (uint8_t)0x0;
  *(uint8_t*)0x20006ffa = (uint8_t)0x0;
  *(uint8_t*)0x20006ffb = (uint8_t)0x0;
  *(uint8_t*)0x20006ffc = (uint8_t)0x0;
  *(uint8_t*)0x20006ffd = (uint8_t)0x0;
  *(uint8_t*)0x20006ffe = (uint8_t)0x0;
  *(uint8_t*)0x20006fff = (uint8_t)0x0;
  *(uint8_t*)0x20007000 = (uint8_t)0x0;
  *(uint8_t*)0x20007001 = (uint8_t)0x0;
  *(uint8_t*)0x20007002 = (uint8_t)0x0;
  *(uint8_t*)0x20007003 = (uint8_t)0x0;
  *(uint8_t*)0x20007004 = (uint8_t)0x0;
  *(uint8_t*)0x20007005 = (uint8_t)0x0;
  *(uint8_t*)0x20007006 = (uint8_t)0x0;
  *(uint8_t*)0x20007007 = (uint8_t)0x0;
  *(uint8_t*)0x20007008 = (uint8_t)0x0;
  *(uint8_t*)0x20007009 = (uint8_t)0x0;
  *(uint8_t*)0x2000700a = (uint8_t)0x0;
  *(uint8_t*)0x2000700b = (uint8_t)0x0;
  *(uint8_t*)0x2000700c = (uint8_t)0x0;
  *(uint8_t*)0x2000700d = (uint8_t)0x0;
  *(uint8_t*)0x2000700e = (uint8_t)0x0;
  *(uint8_t*)0x2000700f = (uint8_t)0x0;
  *(uint8_t*)0x20007010 = (uint8_t)0x0;
  *(uint8_t*)0x20007011 = (uint8_t)0x0;
  *(uint8_t*)0x20007012 = (uint8_t)0x0;
  *(uint8_t*)0x20007013 = (uint8_t)0x0;
  *(uint8_t*)0x20007014 = (uint8_t)0x0;
  *(uint8_t*)0x20007015 = (uint8_t)0x0;
  *(uint8_t*)0x20007016 = (uint8_t)0x0;
  *(uint8_t*)0x20007017 = (uint8_t)0x0;
  *(uint8_t*)0x20007018 = (uint8_t)0x0;
  *(uint8_t*)0x20007019 = (uint8_t)0x0;
  *(uint8_t*)0x2000701a = (uint8_t)0x0;
  *(uint8_t*)0x2000701b = (uint8_t)0x0;
  *(uint8_t*)0x2000701c = (uint8_t)0x0;
  *(uint8_t*)0x2000701d = (uint8_t)0x0;
  *(uint8_t*)0x2000701e = (uint8_t)0x0;
  *(uint8_t*)0x2000701f = (uint8_t)0x0;
  *(uint8_t*)0x20007020 = (uint8_t)0x0;
  *(uint8_t*)0x20007021 = (uint8_t)0x0;
  *(uint8_t*)0x20007022 = (uint8_t)0x0;
  *(uint8_t*)0x20007023 = (uint8_t)0x0;
  *(uint8_t*)0x20007024 = (uint8_t)0x0;
  *(uint8_t*)0x20007025 = (uint8_t)0x0;
  *(uint8_t*)0x20007026 = (uint8_t)0x0;
  *(uint8_t*)0x20007027 = (uint8_t)0x0;
  *(uint8_t*)0x20007028 = (uint8_t)0x0;
  *(uint8_t*)0x20007029 = (uint8_t)0x0;
  *(uint8_t*)0x2000702a = (uint8_t)0x0;
  *(uint8_t*)0x2000702b = (uint8_t)0x0;
  *(uint8_t*)0x2000702c = (uint8_t)0x0;
  *(uint8_t*)0x2000702d = (uint8_t)0x0;
  *(uint8_t*)0x2000702e = (uint8_t)0x0;
  *(uint8_t*)0x2000702f = (uint8_t)0x0;
  *(uint8_t*)0x20007030 = (uint8_t)0x0;
  *(uint8_t*)0x20007031 = (uint8_t)0x0;
  *(uint8_t*)0x20007032 = (uint8_t)0x0;
  r[203] =
      syscall(SYS_ioctl, r[2], 0x40605346ul, 0x20006fd7ul, 0, 0, 0);
  *(uint8_t*)0x20005000 = (uint8_t)0x3ff;
  *(uint8_t*)0x20005001 = (uint8_t)0x2e;
  *(uint8_t*)0x20005002 = (uint8_t)0x1;
  *(uint8_t*)0x20005003 = (uint8_t)0x8;
  *(uint32_t*)0x2000500c = (uint32_t)0x4;
  *(uint8_t*)0x20005010 = (uint8_t)0x8001;
  *(uint8_t*)0x20005011 = (uint8_t)0x2;
  *(uint8_t*)0x20005012 = (uint8_t)0xfffffffffffffffa;
  *(uint8_t*)0x20005013 = (uint8_t)0xffff;
  *(uint8_t*)0x2000501c = (uint8_t)0x5;
  *(uint8_t*)0x2000501d = (uint8_t)0x2;
  *(uint8_t*)0x2000501e = (uint8_t)0x5;
  *(uint8_t*)0x2000501f = (uint8_t)0x0;
  *(uint8_t*)0x20005020 = (uint8_t)0x5;
  *(uint8_t*)0x20005021 = (uint8_t)0x100000000;
  *(uint8_t*)0x20005022 = (uint8_t)0x7;
  *(uint8_t*)0x20005023 = (uint8_t)0xfffffffffffff2fb;
  *(uint32_t*)0x2000502c = (uint32_t)0x8;
  *(uint8_t*)0x20005030 = (uint8_t)0x80;
  *(uint8_t*)0x20005031 = (uint8_t)0x485;
  *(uint8_t*)0x20005032 = (uint8_t)0x4;
  *(uint8_t*)0x20005033 = (uint8_t)0x4;
  *(uint8_t*)0x2000503c = (uint8_t)0x9;
  *(uint8_t*)0x2000503d = (uint8_t)0x7;
  *(uint8_t*)0x2000503e = (uint8_t)0x20;
  *(uint8_t*)0x2000503f = (uint8_t)0x0;
  *(uint8_t*)0x20005040 = (uint8_t)0x20;
  *(uint8_t*)0x20005041 = (uint8_t)0x9;
  *(uint8_t*)0x20005042 = (uint8_t)0x2;
  *(uint8_t*)0x20005043 = (uint8_t)0x2;
  *(uint64_t*)0x20005058 = (uint64_t)0x0;
  *(uint64_t*)0x20005060 = (uint64_t)0x0;
  *(uint8_t*)0x20005068 = (uint8_t)0x1c8;
  *(uint8_t*)0x20005069 = (uint8_t)0xfffffffffffffff7;
  *(uint8_t*)0x2000506a = (uint8_t)0x1ff;
  *(uint8_t*)0x2000506b = (uint8_t)0x9f9f;
  *(uint32_t*)0x2000507c = (uint32_t)0x90;
  *(uint32_t*)0x20005080 = (uint32_t)0x40;
  *(uint32_t*)0x20005084 = (uint32_t)0x0;
  *(uint8_t*)0x20005088 = (uint8_t)0x0;
  *(uint8_t*)0x20005089 = (uint8_t)0x4;
  *(uint8_t*)0x2000508a = (uint8_t)0x1;
  *(uint8_t*)0x2000508b = (uint8_t)0xffffffff80000001;
  *(uint32_t*)0x20005094 = (uint32_t)0x9;
  *(uint8_t*)0x20005098 = (uint8_t)0x8;
  *(uint8_t*)0x20005099 = (uint8_t)0x7;
  *(uint8_t*)0x2000509a = (uint8_t)0xfff;
  *(uint8_t*)0x2000509b = (uint8_t)0x8;
  *(uint32_t*)0x200050a8 = (uint32_t)0xbd1e;
  r[253] = syscall(SYS_write, r[2], 0x20005000ul, 0x95cul, 0, 0, 0);
  return 0;
}


I am on commit 30f05309bde49295e02e45c7e615f73aa4e0ccc2 (Jan 20) + the
following pending patch from Takashi:

diff --git a/sound/core/hrtimer.c b/sound/core/hrtimer.c
index f845ecf..656d9a9 100644
--- a/sound/core/hrtimer.c
+++ b/sound/core/hrtimer.c
@@ -90,7 +90,7 @@ static int snd_hrtimer_start(struct snd_timer *t)
        struct snd_hrtimer *stime = t->private_data;

        atomic_set(&stime->running, 0);
-       hrtimer_cancel(&stime->hrt);
+       hrtimer_try_to_cancel(&stime->hrt);
        hrtimer_start(&stime->hrt, ns_to_ktime(t->sticks * resolution),
                      HRTIMER_MODE_REL);
        atomic_set(&stime->running, 1);
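Review bot: the return value of hrtimer_try_to_cancel() is dropped; it returns -1 when the callback is currently executing on another CPU, and in that case the hrtimer_start() on the next line re-arms a timer whose callback is still running, with only the atomic_set(&stime->running, 0) above to make that callback bail out. Either handle the -1 result or add a comment stating why the non-blocking cancel is required here instead of hrtimer_cancel(), which waits for the callback (the call trace above shows snd_seq_timer_start() reached from the event delivery path under snd_seq_write(), so the constraint on the caller context is worth spelling out).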
@@ -101,6 +101,7 @@ static int snd_hrtimer_stop(struct snd_timer *t)
 {
        struct snd_hrtimer *stime = t->private_data;
        atomic_set(&stime->running, 0);
+       hrtimer_try_to_cancel(&stime->hrt);
        return 0;
 }
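Review bot: same concern in snd_hrtimer_stop(): the -1 case of hrtimer_try_to_cancel() (callback in progress) is ignored and the function still returns 0, so a caller that proceeds to tear the timer down can overlap with a callback that has not finished; the only protection is the atomic_set(&stime->running, 0) just above, which means the callback must check `running` before touching anything the caller may free. Worth a comment stating that contract, or propagating the -1 so the caller can decide.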

Thread overview: 3+ messages
2016-01-24 10:10 Dmitry Vyukov [this message]
2016-01-31 11:11 ` sound: use-after-free in snd_timer_notify1 Takashi Iwai
2016-01-31 11:11   ` Takashi Iwai
