4842e98f26
When a sequencer queue is created in snd_seq_queue_alloc(),it adds the new queue element to the public list before referencing it. Thus the queue might be deleted before the call of snd_seq_queue_use(), and it results in the use-after-free error, as spotted by syzkaller. The fix is to reference the queue object at the right time. Reported-by: Dmitry Vyukov <dvyukov@google.com> Cc: <stable@vger.kernel.org> Signed-off-by: Takashi Iwai <tiwai@suse.de> |
||
|---|---|---|
| .. | ||
| oss | ||
| seq | ||
| Kconfig | ||
| Makefile | ||
| compress_offload.c | ||
| control.c | ||
| control_compat.c | ||
| ctljack.c | ||
| device.c | ||
| hrtimer.c | ||
| hwdep.c | ||
| hwdep_compat.c | ||
| info.c | ||
| info_oss.c | ||
| init.c | ||
| isadma.c | ||
| jack.c | ||
| memalloc.c | ||
| memory.c | ||
| misc.c | ||
| pcm.c | ||
| pcm_compat.c | ||
| pcm_dmaengine.c | ||
| pcm_drm_eld.c | ||
| pcm_iec958.c | ||
| pcm_lib.c | ||
| pcm_memory.c | ||
| pcm_misc.c | ||
| pcm_native.c | ||
| pcm_timer.c | ||
| pcm_trace.h | ||
| rawmidi.c | ||
| rawmidi_compat.c | ||
| sgbuf.c | ||
| sound.c | ||
| sound_oss.c | ||
| timer.c | ||
| timer_compat.c | ||
| vmaster.c | ||