Takashi Iwai d15d662e89 ALSA: seq: Fix racy pool initializations ... ALSA sequencer core initializes the event pool on demand by invoking snd_seq_pool_init() when the first write happens and the pool is empty. Meanwhile user can reset the pool size manually via ioctl concurrently, and this may lead to UAF or out-of-bound accesses since the function tries to vmalloc / vfree the buffer. A simple fix is to just wrap the snd_seq_pool_init() call with the recently introduced client->ioctl_mutex; as the calls for snd_seq_pool_init() from other side are always protected with this mutex, we can avoid the race. Reported-by: 范龙飞 <long7573@126.com> Cc: <stable@vger.kernel.org> Signed-off-by: Takashi Iwai <tiwai@suse.de>		2018-02-14 10:39:08 +01:00
..
oss	vfs: do bulk POLL* -> EPOLL* replacement	2018-02-11 14:34:03 -08:00
seq	ALSA: seq: Fix racy pool initializations	2018-02-14 10:39:08 +01:00
compress_offload.c	vfs: do bulk POLL* -> EPOLL* replacement	2018-02-11 14:34:03 -08:00
control_compat.c
control.c	vfs: do bulk POLL* -> EPOLL* replacement	2018-02-11 14:34:03 -08:00
ctljack.c
device.c
hrtimer.c
hwdep_compat.c
hwdep.c
info_oss.c
info.c	vfs: do bulk POLL* -> EPOLL* replacement	2018-02-11 14:34:03 -08:00
init.c	vfs: do bulk POLL* -> EPOLL* replacement	2018-02-11 14:34:03 -08:00
isadma.c
jack.c
Kconfig
Makefile
memalloc.c
memory.c
misc.c
pcm_compat.c
pcm_dmaengine.c
pcm_drm_eld.c
pcm_iec958.c
pcm_lib.c
pcm_local.h
pcm_memory.c
pcm_misc.c
pcm_native.c	vfs: do bulk POLL* -> EPOLL* replacement	2018-02-11 14:34:03 -08:00
pcm_param_trace.h
pcm_timer.c
pcm_trace.h
pcm.c
rawmidi_compat.c
rawmidi.c	vfs: do bulk POLL* -> EPOLL* replacement	2018-02-11 14:34:03 -08:00
seq_device.c
sgbuf.c
sound_oss.c
sound.c
timer_compat.c
timer.c	vfs: do bulk POLL* -> EPOLL* replacement	2018-02-11 14:34:03 -08:00
vmaster.c