On Tue, 05 Dec 2017 20:29:07 +0100, Kees Cook wrote: > > On Tue, Dec 5, 2017 at 11:14 AM, Takashi Iwai <ti...@suse.de> wrote: > > On Tue, 05 Dec 2017 18:16:55 +0100, > > Nick Desaulniers wrote: > >> > >> From: Robb Glasser <rglas...@google.com> > >> > >> When the device descriptor is closed, the `substream->runtime` pointer > >> is freed. But another thread may be in the ioctl handler, case > >> SNDRV_CTL_IOCTL_PCM_INFO. This case calls snd_pcm_info_user() which > >> calls snd_pcm_info() which accesses the now freed `substream->runtime`. > >> > >> Signed-off-by: Robb Glasser <rglas...@google.com> > >> Signed-off-by: Nick Desaulniers <ndesaulni...@google.com> > > > > Looks reasonable. Applied with Cc to stable now. > > FWIW, this was assigned CVE-2017-0861. (Best to get it into the commit > log if possible.)
OK, I updated the changelog. Thanks for information. Takashi
