diff options
| author | Takashi Iwai <tiwai@suse.de> | 2016-02-08 17:36:25 +0100 |
|---|---|---|
| committer | Willy Tarreau <w@1wt.eu> | 2016-03-12 14:25:47 +0100 |
| commit | df6d49137eef1114b91fd13763499f5714b9e738 (patch) | |
| tree | 5247e644abd6aec342f39eff2ab18fb380d306eb | |
| parent | 589d174aeeb2993ce149e1b1c0534914d06a7f38 (diff) | |
| download | lwn-df6d49137eef1114b91fd13763499f5714b9e738.tar.gz lwn-df6d49137eef1114b91fd13763499f5714b9e738.zip | |
ALSA: timer: Fix wrong instance passed to slave callbacks
commit 117159f0b9d392fb433a7871426fad50317f06f7 upstream.
In snd_timer_notify1(), the wrong timer instance was passed for slave
ccallback function. This leads to the access to the wrong data when
an incompatible master is handled (e.g. the master is the sequencer
timer and the slave is a user timer), as spotted by syzkaller fuzzer.
This patch fixes that wrong assignment.
BugLink: http://lkml.kernel.org/r/CACT4Y+Y_Bm+7epAb=8Wi=AaWd+DYS7qawX52qxdCfOfY49vozQ@mail.gmail.com
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: Willy Tarreau <w@1wt.eu>
| -rw-r--r-- | sound/core/timer.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/sound/core/timer.c b/sound/core/timer.c index a0c2684269b0..3141ddae0a66 100644 --- a/sound/core/timer.c +++ b/sound/core/timer.c @@ -409,7 +409,7 @@ static void snd_timer_notify1(struct snd_timer_instance *ti, int event) spin_lock_irqsave(&timer->lock, flags); list_for_each_entry(ts, &ti->slave_active_head, active_list) if (ts->ccallback) - ts->ccallback(ti, event + 100, &tstamp, resolution); + ts->ccallback(ts, event + 100, &tstamp, resolution); spin_unlock_irqrestore(&timer->lock, flags); } |