git: ea2275e72cda - stable/14 - sound: Drain buffer selinfo in sndbuf_free()
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Fri, 12 Apr 2024 01:10:14 UTC
The branch stable/14 has been updated by christos:
URL: https://cgit.FreeBSD.org/src/commit/?id=ea2275e72cdae3672f3aabde18e3ff55ea101a0a
commit ea2275e72cdae3672f3aabde18e3ff55ea101a0a
Author: Christos Margiolis <christos@FreeBSD.org>
AuthorDate: 2024-03-29 15:29:23 +0000
Commit: Christos Margiolis <christos@FreeBSD.org>
CommitDate: 2024-04-12 01:09:51 +0000
sound: Drain buffer selinfo in sndbuf_free()
Prevent a use-after-free in kern_poll() by making sure the buffer's
selinfo is drained. This is required for a subsequent patch that
implements asynchronous audio device detach.
Reported by: KASAN
Sponsored by: The FreeBSD Foundation
MFC after: 2 weeks
Reviewed by: markj
Differential Revision: https://reviews.freebsd.org/D44544
(cherry picked from commit fba54d0179aabb3d94211ca80f94fe5b98ac6d3b)
---
sys/dev/sound/pcm/buffer.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/sys/dev/sound/pcm/buffer.c b/sys/dev/sound/pcm/buffer.c
index 915c9110f107..afb4b95e357a 100644
--- a/sys/dev/sound/pcm/buffer.c
+++ b/sys/dev/sound/pcm/buffer.c
@@ -147,6 +147,7 @@ sndbuf_free(struct snd_dbuf *b)
} else
free(b->buf, M_DEVBUF);
}
+ seldrain(sndbuf_getsel(b));
b->tmpbuf = NULL;
b->shadbuf = NULL;