| From 0125de38122f0f66bf61336158d12a1aabfe6425 Mon Sep 17 00:00:00 2001 |
| From: Takashi Iwai <tiwai@suse.de> |
| Date: Wed, 25 May 2022 15:12:03 +0200 |
| Subject: [PATCH] ALSA: usb-audio: Cancel pending work at closing a MIDI substream |
| Git-commit: 0125de38122f0f66bf61336158d12a1aabfe6425 |
| Patch-mainline: v5.19-rc1 |
| References: CVE-2022-49545 bsc#1238729 |
| |
| [ backport note: handle tasklet instead of work in this old kernel |
| release -- tiwai ] |
| |
| At closing a USB MIDI output substream, there might be still a pending |
| work, which would eventually access the rawmidi runtime object that is |
| being released. For fixing the race, make sure to cancel the pending |
| work at closing. |
| |
| Reported-by: syzbot+6912c9592caca7ca0e7d@syzkaller.appspotmail.com |
| Cc: <stable@vger.kernel.org> |
| Link: https://lore.kernel.org/r/000000000000e7e75005dfd07cf6@google.com |
| Link: https://lore.kernel.org/r/20220525131203.11299-1-tiwai@suse.de |
| Signed-off-by: Takashi Iwai <tiwai@suse.de> |
| |
| |
| sound/usb/midi.c | 3 +++ |
| 1 file changed, 3 insertions(+) |
| |
| |
| |
| @@ -1161,6 +1161,9 @@ static int snd_usbmidi_output_open(struc |
| |
| static int snd_usbmidi_output_close(struct snd_rawmidi_substream *substream) |
| { |
| + struct usbmidi_out_port *port = substream->runtime->private_data; |
| + |
| + tasklet_kill(&port->ep->tasklet); |
| return substream_open(substream, 0, 0); |
| } |
| |