ANDROID: sound: rawmidi: Hold lock around realloc - xavi/android_kernel_m2note - Unnamed repository; edit this file 'description' to name the repository.

diff options

author	Daniel Rosenberg <drosen@google.com>	2017-10-31 16:55:26 -0700
committer	Moyster <oysterized@gmail.com>	2018-05-16 13:59:09 +0200
commit	d6a5b2bb21682c4b2c634af20ba3d1210ac834de (patch)
tree	30c73e5af798560f13293558888711e4cc758eeb /drivers
parent	ad781944055a2b79c3cfb6c5231ab2d5fd0c9a6b (diff)

ANDROID: sound: rawmidi: Hold lock around realloc

The SNDRV_RAWMIDI_STREAM_{OUTPUT,INPUT} ioctls may reallocate runtime->buffer while other kernel threads are accessing it. If the underlying krealloc() call frees the original buffer, then this can turn into a use-after-free. Most of these accesses happen while the thread is holding runtime->lock, and can be fixed by just holding the same lock while replacing runtime->buffer, however we can't hold this spinlock while snd_rawmidi_kernel_{read1,write1} are copying to/from userspace. We need to add and acquire a new mutex to prevent this from happening concurrently with reallocation. We hold this mutex during the entire reallocation process, to also prevent multiple concurrent reallocations leading to a double-free. Signed-off-by: Daniel Rosenberg <drosen@google.com> bug: 64315347 Change-Id: I05764d4f1a38f373eb7c0ac1c98607ee5ff0eded

Diffstat (limited to 'drivers')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: