summaryrefslogtreecommitdiff
path: root/sound
diff options
context:
space:
mode:
authorTakashi Iwai <tiwai@suse.de>2024-11-25 15:20:25 +0100
committerTakashi Iwai <tiwai@suse.de>2024-11-25 15:48:05 +0100
commit20c0c49720dc4e205d4c1d64add56a5043c5ec5f (patch)
tree8370d88e83f945befd02af2a09d34a65dc72df36 /sound
parent5ebe792a5139f1ce6e4aed22bef12e7e2660df96 (diff)
ALSA: rawmidi: Fix kvfree() call in spinlock
At the conversion of locking with guard(), I overlooked that kvfree() must not be called inside the spinlock unlike kfree(), and this was caught by syzkaller now. This patch reverts the conversion partially for restoring the kvfree() call outside the spinlock. It's not trivial to use guard() in this context, unfortunately. Fixes: 84bb065b316e ("ALSA: rawmidi: Use guard() for locking") Reported-by: syzbot+351f8764833934c68836@syzkaller.appspotmail.com Reported-by: Eric Dumazet <eric.dumazet@gmail.com> Closes: https://lore.kernel.org/6744737b.050a0220.1cc393.007e.GAE@google.com Cc: <stable@vger.kernel.org> Link: https://patch.msgid.link/20241125142041.16578-1-tiwai@suse.de Signed-off-by: Takashi Iwai <tiwai@suse.de>
Diffstat (limited to 'sound')
-rw-r--r--sound/core/rawmidi.c4
1 files changed, 3 insertions, 1 deletions
diff --git a/sound/core/rawmidi.c b/sound/core/rawmidi.c
index 03306be5fa02..348ce1b7725e 100644
--- a/sound/core/rawmidi.c
+++ b/sound/core/rawmidi.c
@@ -724,8 +724,9 @@ static int resize_runtime_buffer(struct snd_rawmidi_substream *substream,
newbuf = kvzalloc(params->buffer_size, GFP_KERNEL);
if (!newbuf)
return -ENOMEM;
- guard(spinlock_irq)(&substream->lock);
+ spin_lock_irq(&substream->lock);
if (runtime->buffer_ref) {
+ spin_unlock_irq(&substream->lock);
kvfree(newbuf);
return -EBUSY;
}
@@ -733,6 +734,7 @@ static int resize_runtime_buffer(struct snd_rawmidi_substream *substream,
runtime->buffer = newbuf;
runtime->buffer_size = params->buffer_size;
__reset_runtime_ptrs(runtime, is_input);
+ spin_unlock_irq(&substream->lock);
kvfree(oldbuf);
}
runtime->avail_min = params->avail_min;