From d6a5b2bb21682c4b2c634af20ba3d1210ac834de Mon Sep 17 00:00:00 2001
From: Daniel Rosenberg
Date: Tue, 31 Oct 2017 16:55:26 -0700
Subject: ANDROID: sound: rawmidi: Hold lock around realloc

The SNDRV_RAWMIDI_STREAM_{OUTPUT,INPUT} ioctls may reallocate
runtime->buffer while other kernel threads are accessing it. If the
underlying krealloc() call frees the original buffer, then this can
turn into a use-after-free.

Most of these accesses happen while the thread is holding
runtime->lock, and can be fixed by just holding the same lock while
replacing runtime->buffer, however we can't hold this spinlock while
snd_rawmidi_kernel_{read1,write1} are copying to/from userspace.
We need to add and acquire a new mutex to prevent this from happening
concurrently with reallocation.

We hold this mutex during the entire reallocation process, to also
prevent multiple concurrent reallocations leading to a double-free.

Signed-off-by: Daniel Rosenberg
bug: 64315347
Change-Id: I05764d4f1a38f373eb7c0ac1c98607ee5ff0eded
---
 include/sound/rawmidi.h | 1 +
 1 file changed, 1 insertion(+)

(limited to 'include')

diff --git a/include/sound/rawmidi.h b/include/sound/rawmidi.h
index adf088515..76ef2a447 100644
--- a/include/sound/rawmidi.h
+++ b/include/sound/rawmidi.h
@@ -77,6 +77,7 @@ struct snd_rawmidi_runtime {
 	size_t xruns;		/* over/underruns counter */
 	/* misc */
 	spinlock_t lock;
+	struct mutex realloc_mutex;
 	wait_queue_head_t sleep;
 	/* event handler (new bytes, input only) */
 	void (*event)(struct snd_rawmidi_substream *substream);
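Review bot: the new `struct mutex realloc_mutex;` line in the rawmidi.h hunk carries no comment, while every neighbouring member of struct snd_rawmidi_runtime shown here documents its purpose (`size_t xruns; /* over/underruns counter */`, the `/* misc */` group, the `/* event handler ... */` callback). Because this view is limited to 'include', a reader cannot see where the mutex is initialised or how it nests with `spinlock_t lock`; the commit message supplies both facts (the mutex is held around the whole reallocation and around the kernel_read1/write1 user copies, and the spinlock is taken inside it while the buffer pointer is replaced). Suggest recording that next to the field, e.g. `struct mutex realloc_mutex; /* serialises buffer reallocation against the user copies; taken before lock */`, so the ordering constraint survives in the header rather than only in the commit log.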
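The two-level scheme the commit message describes (a spinlock for the index updates, a separate mutex held across the user copy and across the whole reallocation), as an added userspace C model; this is illustration written for this page, not the kernel's rawmidi code and not part of the commit. It assumes pthread mutexes standing in for both runtime->lock and the new realloc_mutex, a plain memcpy() standing in for copy_to_user(), a simple linear buffer instead of the kernel's ring, and allocate-then-swap instead of krealloc(); the names midi_runtime, midi_receive, midi_read, midi_resize and midi_selftest are hypothetical.

```c
#include <pthread.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical userspace stand-in for struct snd_rawmidi_runtime (not kernel
 * code). In the kernel `lock` is a spinlock that cannot be held across
 * copy_to_user(); here both locks are pthread mutexes. */
struct midi_runtime {
	pthread_mutex_t lock;          /* guards the indices and the pointer swap */
	pthread_mutex_t realloc_mutex; /* the patch's addition: serialises reallocation */
	unsigned char *buffer;
	size_t buffer_size;
	size_t head, tail;             /* producer write index, consumer read index */
};

int midi_runtime_init(struct midi_runtime *rt, size_t size)
{
	memset(rt, 0, sizeof(*rt));
	if (!(rt->buffer = malloc(size)))
		return -1;
	rt->buffer_size = size;
	pthread_mutex_init(&rt->lock, NULL);
	pthread_mutex_init(&rt->realloc_mutex, NULL);
	return 0;
}

/* Producer (interrupt-side analogue): touches the buffer only under `lock`,
 * so the resize path holding `lock` across the pointer swap protects it. */
size_t midi_receive(struct midi_runtime *rt, const unsigned char *data, size_t len)
{
	size_t n;
	pthread_mutex_lock(&rt->lock);
	n = len < rt->buffer_size - rt->head ? len : rt->buffer_size - rt->head;
	memcpy(rt->buffer + rt->head, data, n);
	rt->head += n;
	pthread_mutex_unlock(&rt->lock);
	return n;
}

/* Consumer (snd_rawmidi_kernel_read1 analogue): the copy out runs with `lock`
 * dropped, so realloc_mutex is held for the whole call instead; a concurrent
 * midi_resize() therefore cannot free rt->buffer underneath the memcpy(). */
size_t midi_read(struct midi_runtime *rt, unsigned char *out, size_t len)
{
	size_t n, tail;
	pthread_mutex_lock(&rt->realloc_mutex);
	pthread_mutex_lock(&rt->lock);
	tail = rt->tail;
	n = len < rt->head - tail ? len : rt->head - tail;
	pthread_mutex_unlock(&rt->lock);
	memcpy(out, rt->buffer + tail, n); /* copy_to_user() stand-in, outside `lock` */
	pthread_mutex_lock(&rt->lock);
	rt->tail = tail + n;               /* the producer never touches [tail, head) */
	pthread_mutex_unlock(&rt->lock);
	pthread_mutex_unlock(&rt->realloc_mutex);
	return n;
}

/* Resize (ioctl analogue): realloc_mutex is held for the entire operation, so it
 * excludes in-flight reads and a second concurrent resize (the double-free case);
 * `lock` excludes the producer while the pointer is swapped. The old buffer is
 * freed only once nothing can reference it; buffered bytes are discarded. */
int midi_resize(struct midi_runtime *rt, size_t new_size)
{
	unsigned char *newbuf, *oldbuf;
	if (new_size == 0)
		return -1;
	pthread_mutex_lock(&rt->realloc_mutex);
	if (!(newbuf = malloc(new_size))) {
		pthread_mutex_unlock(&rt->realloc_mutex);
		return -1;
	}
	pthread_mutex_lock(&rt->lock);
	oldbuf = rt->buffer;
	rt->buffer = newbuf;
	rt->buffer_size = new_size;
	rt->head = rt->tail = 0;
	pthread_mutex_unlock(&rt->lock);
	free(oldbuf);
	pthread_mutex_unlock(&rt->realloc_mutex);
	return 0;
}

/* Single-threaded scenario (constructed input): fill, drain, resize, refill.
 * Returns 0 on success, -1 on any mismatch. */
int midi_selftest(void)
{
	struct midi_runtime rt;
	unsigned char out[16];
	int ok;
	if (midi_runtime_init(&rt, 4))
		return -1;
	ok  = midi_receive(&rt, (const unsigned char *)"abcdef", 6) == 4;        /* only 4 fit */
	ok &= midi_read(&rt, out, 2) == 2 && memcmp(out, "ab", 2) == 0;
	ok &= midi_read(&rt, out, sizeof out) == 2 && memcmp(out, "cd", 2) == 0;
	ok &= midi_resize(&rt, 8) == 0 && midi_read(&rt, out, sizeof out) == 0; /* emptied */
	ok &= midi_receive(&rt, (const unsigned char *)"hello", 5) == 5;
	ok &= midi_read(&rt, out, sizeof out) == 5 && memcmp(out, "hello", 5) == 0;
	free(rt.buffer);
	return ok ? 0 : -1;
}
```

The lock order is the one the commit message implies: realloc_mutex is always taken first and `lock` nested inside it, and `lock` is never held across the memcpy() that models the sleepable user copy. The model cannot show the race deterministically; what it fixes in place is the invariant that rt->buffer is only freed while realloc_mutex is held and the pointer is only replaced while both locks are held.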