[alsa-devel] sound: use-after-free in snd_timer_notify1

Dmitry Vyukov dvyukov at google.com
Sun Jan 24 11:10:33 CET 2016


Hello,

The following program causes use-after-free in snd_timer_notify1:

==================================================================
BUG: KASAN: use-after-free in snd_timer_notify1+0x411/0x460 at addr
ffff880035a433e0
Read of size 8 by task syz-executor/11116
=============================================================================
BUG kmalloc-256 (Not tainted): kasan: bad access detected
-----------------------------------------------------------------------------

INFO: Allocated in snd_timer_instance_new+0x52/0x3a0 age=1 cpu=1 pid=11106
[<     inline     >] kzalloc include/linux/slab.h:607
[<      none      >] snd_timer_instance_new+0x52/0x3a0 sound/core/timer.c:105
[<      none      >] snd_timer_open+0x522/0xce0 sound/core/timer.c:288
[<      none      >] snd_seq_timer_open+0x223/0x560
sound/core/seq/seq_timer.c:279
[<      none      >] snd_seq_queue_use+0x147/0x230
sound/core/seq/seq_queue.c:528
[<      none      >] snd_seq_queue_alloc+0x36a/0x4d0
sound/core/seq/seq_queue.c:199
[<      none      >] snd_seq_ioctl_create_queue+0xdb/0x2b0
sound/core/seq/seq_clientmgr.c:1536
[<      none      >] snd_seq_do_ioctl+0x19d/0x1c0
sound/core/seq/seq_clientmgr.c:2209
[<      none      >] snd_seq_ioctl+0x54/0xa0 sound/core/seq/seq_clientmgr.c:2224
[<     inline     >] vfs_ioctl fs/ioctl.c:43
[<      none      >] do_vfs_ioctl+0x18c/0xfb0 fs/ioctl.c:674
[<     inline     >] SYSC_ioctl fs/ioctl.c:689
[<      none      >] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:680
[<      none      >] entry_SYSCALL_64_fastpath+0x16/0x7a
arch/x86/entry/entry_64.S:185

INFO: Freed in snd_timer_close+0x3a8/0x700 age=19 cpu=3 pid=11114
[<      none      >] kfree+0x2b7/0x2e0 mm/slub.c:3664
[<      none      >] snd_timer_close+0x3a8/0x700 sound/core/timer.c:368
[<      none      >] snd_seq_timer_close+0x97/0x130
sound/core/seq/seq_timer.c:312
[<      none      >] snd_seq_queue_timer_close+0x28/0x50
sound/core/seq/seq_queue.c:475
[<      none      >] snd_seq_ioctl_set_queue_timer+0x159/0x300
sound/core/seq/seq_clientmgr.c:1809
[<      none      >] snd_seq_do_ioctl+0x19d/0x1c0
sound/core/seq/seq_clientmgr.c:2209
[<      none      >] snd_seq_ioctl+0x54/0xa0 sound/core/seq/seq_clientmgr.c:2224
[<     inline     >] vfs_ioctl fs/ioctl.c:43
[<      none      >] do_vfs_ioctl+0x18c/0xfb0 fs/ioctl.c:674
[<     inline     >] SYSC_ioctl fs/ioctl.c:689
[<      none      >] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:680
[<      none      >] entry_SYSCALL_64_fastpath+0x16/0x7a
arch/x86/entry/entry_64.S:185

INFO: Slab 0xffffea0000d69000 objects=22 used=16 fp=0xffff880035a42d80
flags=0x1fffc0000004080
INFO: Object 0xffff880035a43330 @offset=13104 fp=0xffff880064ccee20
CPU: 0 PID: 11116 Comm: syz-executor Tainted: G    B           4.4.0+ #276
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
 00000000ffffffff ffff880064bcf560 ffffffff82999e2d ffff88003e807000
 ffff880035a43330 ffff880035a40000 ffff880064bcf590 ffffffff81757354
 ffff88003e807000 ffffea0000d69000 ffff880035a43330 ffff880064bcf718

Call Trace:
 [<ffffffff817609ee>] __asan_report_load8_noabort+0x3e/0x40
mm/kasan/report.c:295
 [<ffffffff84f40da1>] snd_timer_notify1+0x411/0x460 sound/core/timer.c:416
 [<ffffffff84f41025>] _snd_timer_stop+0x235/0x5c0 sound/core/timer.c:524
 [<ffffffff84f41d3a>] snd_timer_pause+0x1a/0x20 sound/core/timer.c:583
 [<     inline     >] snd_seq_timer_stop sound/core/seq/seq_timer.c:325
 [<ffffffff84fc1658>] snd_seq_timer_start+0x148/0x1a0
sound/core/seq/seq_timer.c:366
 [<     inline     >] snd_seq_queue_process_event sound/core/seq/seq_queue.c:687
 [<ffffffff84fbc344>] snd_seq_control_queue+0x304/0x8b0
sound/core/seq/seq_queue.c:748
 [<ffffffff84fc1da5>] event_input_timer+0x25/0x30
sound/core/seq/seq_system.c:118
 [<ffffffff84fb4c14>]
snd_seq_deliver_single_event.constprop.11+0x3f4/0x740
sound/core/seq/seq_clientmgr.c:634
 [<ffffffff84fb5082>] snd_seq_deliver_event+0x122/0x800
sound/core/seq/seq_clientmgr.c:828
 [<ffffffff84fb65a9>] snd_seq_dispatch_event+0xf9/0x510
sound/core/seq/seq_clientmgr.c:902
 [<ffffffff84fba85b>] snd_seq_check_queue+0x3fb/0x560
sound/core/seq/seq_queue.c:293
 [<ffffffff84fbac0d>] snd_seq_enqueue_event+0x24d/0x400
sound/core/seq/seq_queue.c:357
 [<ffffffff84fb5974>] snd_seq_client_enqueue_event+0x214/0x430
sound/core/seq/seq_clientmgr.c:961
 [<ffffffff84fb5e7f>] snd_seq_write+0x2ef/0x570
sound/core/seq/seq_clientmgr.c:1075
 [<ffffffff817b0323>] __vfs_write+0x113/0x480 fs/read_write.c:528
 [<ffffffff817b1db7>] vfs_write+0x167/0x4a0 fs/read_write.c:577
 [<     inline     >] SYSC_write fs/read_write.c:624
 [<ffffffff817b50a1>] SyS_write+0x111/0x220 fs/read_write.c:616
 [<ffffffff86336c36>] entry_SYSCALL_64_fastpath+0x16/0x7a
arch/x86/entry/entry_64.S:185
==================================================================



// autogenerated by syzkaller (http://github.com/google/syzkaller)
#include <pthread.h>
#include <stdint.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

long r[254];

int main()
{
  memset(r, -1, sizeof(r));
  r[0] = syscall(SYS_mmap, 0x20000000ul, 0x1c000ul, 0x3ul, 0x32ul,
                 0xfffffffffffffffful, 0x0ul);
  r[2] = open("/dev/snd/seq", 0x1ul, 0, 0, 0);
  *(uint32_t*)0x20006000 = (uint32_t)0xffffffffffffffff;
  *(uint32_t*)0x20006004 = (uint32_t)0x10000;
  *(uint32_t*)0x20006008 = (uint32_t)0x2;
  *(uint8_t*)0x2000600c = (uint8_t)0x7;
  *(uint8_t*)0x2000600d = (uint8_t)0x2;
  *(uint8_t*)0x2000600e = (uint8_t)0xec0;
  *(uint8_t*)0x2000600f = (uint8_t)0x4;
  *(uint8_t*)0x20006010 = (uint8_t)0x7;
  *(uint8_t*)0x20006011 = (uint8_t)0x9;
  *(uint8_t*)0x20006012 = (uint8_t)0x80000000;
  *(uint8_t*)0x20006013 = (uint8_t)0x2;
  *(uint8_t*)0x20006014 = (uint8_t)0x2;
  *(uint8_t*)0x20006015 = (uint8_t)0x3;
  *(uint8_t*)0x20006016 = (uint8_t)0x8;
  *(uint8_t*)0x20006017 = (uint8_t)0x9;
  *(uint8_t*)0x20006018 = (uint8_t)0x4;
  *(uint8_t*)0x20006019 = (uint8_t)0xffffffffffffff5c;
  *(uint8_t*)0x2000601a = (uint8_t)0x5ab;
  *(uint8_t*)0x2000601b = (uint8_t)0x4;
  *(uint8_t*)0x2000601c = (uint8_t)0x0;
  *(uint8_t*)0x2000601d = (uint8_t)0x38;
  *(uint8_t*)0x2000601e = (uint8_t)0x9d;
  *(uint8_t*)0x2000601f = (uint8_t)0x8;
  *(uint8_t*)0x20006020 = (uint8_t)0x3;
  *(uint8_t*)0x20006021 = (uint8_t)0x47221059;
  *(uint8_t*)0x20006022 = (uint8_t)0x400;
  *(uint8_t*)0x20006023 = (uint8_t)0x1000;
  *(uint8_t*)0x20006024 = (uint8_t)0x2;
  *(uint8_t*)0x20006025 = (uint8_t)0x3;
  *(uint8_t*)0x20006026 = (uint8_t)0x3;
  *(uint8_t*)0x20006027 = (uint8_t)0x80000000;
  *(uint8_t*)0x20006028 = (uint8_t)0x5;
  *(uint8_t*)0x20006029 = (uint8_t)0x200;
  *(uint8_t*)0x2000602a = (uint8_t)0x1;
  *(uint8_t*)0x2000602b = (uint8_t)0x30;
  *(uint8_t*)0x2000602c = (uint8_t)0x4;
  *(uint8_t*)0x2000602d = (uint8_t)0x0;
  *(uint8_t*)0x2000602e = (uint8_t)0x3;
  *(uint8_t*)0x2000602f = (uint8_t)0xffffffff8a5c645b;
  *(uint8_t*)0x20006030 = (uint8_t)0x4;
  *(uint8_t*)0x20006031 = (uint8_t)0x1;
  *(uint8_t*)0x20006032 = (uint8_t)0x3ff;
  *(uint8_t*)0x20006033 = (uint8_t)0x200;
  *(uint8_t*)0x20006034 = (uint8_t)0x3;
  *(uint8_t*)0x20006035 = (uint8_t)0xea3e;
  *(uint8_t*)0x20006036 = (uint8_t)0x9;
  *(uint8_t*)0x20006037 = (uint8_t)0x200;
  *(uint8_t*)0x20006038 = (uint8_t)0x0;
  *(uint8_t*)0x20006039 = (uint8_t)0x5;
  *(uint8_t*)0x2000603a = (uint8_t)0xfdc;
  *(uint8_t*)0x2000603b = (uint8_t)0x1000;
  *(uint8_t*)0x2000603c = (uint8_t)0x467;
  *(uint8_t*)0x2000603d = (uint8_t)0xea;
  *(uint8_t*)0x2000603e = (uint8_t)0x40;
  *(uint8_t*)0x2000603f = (uint8_t)0x9e98;
  *(uint8_t*)0x20006040 = (uint8_t)0x7;
  *(uint8_t*)0x20006041 = (uint8_t)0x7;
  *(uint8_t*)0x20006042 = (uint8_t)0x0;
  *(uint8_t*)0x20006043 = (uint8_t)0x20;
  *(uint8_t*)0x20006044 = (uint8_t)0x1;
  *(uint8_t*)0x20006045 = (uint8_t)0x4;
  *(uint8_t*)0x20006046 = (uint8_t)0x2;
  *(uint8_t*)0x20006047 = (uint8_t)0x9;
  *(uint8_t*)0x20006048 = (uint8_t)0x5;
  *(uint8_t*)0x20006049 = (uint8_t)0x6;
  *(uint8_t*)0x2000604a = (uint8_t)0x8f2;
  *(uint8_t*)0x2000604b = (uint8_t)0x0;
  *(uint32_t*)0x2000604c = (uint32_t)0x6;
  *(uint8_t*)0x20006050 = (uint8_t)0x0;
  *(uint8_t*)0x20006051 = (uint8_t)0x0;
  *(uint8_t*)0x20006052 = (uint8_t)0x0;
  *(uint8_t*)0x20006053 = (uint8_t)0x0;
  *(uint8_t*)0x20006054 = (uint8_t)0x0;
  *(uint8_t*)0x20006055 = (uint8_t)0x0;
  *(uint8_t*)0x20006056 = (uint8_t)0x0;
  *(uint8_t*)0x20006057 = (uint8_t)0x0;
  *(uint8_t*)0x20006058 = (uint8_t)0x0;
  *(uint8_t*)0x20006059 = (uint8_t)0x0;
  *(uint8_t*)0x2000605a = (uint8_t)0x0;
  *(uint8_t*)0x2000605b = (uint8_t)0x0;
  *(uint8_t*)0x2000605c = (uint8_t)0x0;
  *(uint8_t*)0x2000605d = (uint8_t)0x0;
  *(uint8_t*)0x2000605e = (uint8_t)0x0;
  *(uint8_t*)0x2000605f = (uint8_t)0x0;
  *(uint8_t*)0x20006060 = (uint8_t)0x0;
  *(uint8_t*)0x20006061 = (uint8_t)0x0;
  *(uint8_t*)0x20006062 = (uint8_t)0x0;
  *(uint8_t*)0x20006063 = (uint8_t)0x0;
  *(uint8_t*)0x20006064 = (uint8_t)0x0;
  *(uint8_t*)0x20006065 = (uint8_t)0x0;
  *(uint8_t*)0x20006066 = (uint8_t)0x0;
  *(uint8_t*)0x20006067 = (uint8_t)0x0;
  *(uint8_t*)0x20006068 = (uint8_t)0x0;
  *(uint8_t*)0x20006069 = (uint8_t)0x0;
  *(uint8_t*)0x2000606a = (uint8_t)0x0;
  *(uint8_t*)0x2000606b = (uint8_t)0x0;
  *(uint8_t*)0x2000606c = (uint8_t)0x0;
  *(uint8_t*)0x2000606d = (uint8_t)0x0;
  *(uint8_t*)0x2000606e = (uint8_t)0x0;
  *(uint8_t*)0x2000606f = (uint8_t)0x0;
  *(uint8_t*)0x20006070 = (uint8_t)0x0;
  *(uint8_t*)0x20006071 = (uint8_t)0x0;
  *(uint8_t*)0x20006072 = (uint8_t)0x0;
  *(uint8_t*)0x20006073 = (uint8_t)0x0;
  *(uint8_t*)0x20006074 = (uint8_t)0x0;
  *(uint8_t*)0x20006075 = (uint8_t)0x0;
  *(uint8_t*)0x20006076 = (uint8_t)0x0;
  *(uint8_t*)0x20006077 = (uint8_t)0x0;
  *(uint8_t*)0x20006078 = (uint8_t)0x0;
  *(uint8_t*)0x20006079 = (uint8_t)0x0;
  *(uint8_t*)0x2000607a = (uint8_t)0x0;
  *(uint8_t*)0x2000607b = (uint8_t)0x0;
  *(uint8_t*)0x2000607c = (uint8_t)0x0;
  *(uint8_t*)0x2000607d = (uint8_t)0x0;
  *(uint8_t*)0x2000607e = (uint8_t)0x0;
  *(uint8_t*)0x2000607f = (uint8_t)0x0;
  *(uint8_t*)0x20006080 = (uint8_t)0x0;
  *(uint8_t*)0x20006081 = (uint8_t)0x0;
  *(uint8_t*)0x20006082 = (uint8_t)0x0;
  *(uint8_t*)0x20006083 = (uint8_t)0x0;
  *(uint8_t*)0x20006084 = (uint8_t)0x0;
  *(uint8_t*)0x20006085 = (uint8_t)0x0;
  *(uint8_t*)0x20006086 = (uint8_t)0x0;
  *(uint8_t*)0x20006087 = (uint8_t)0x0;
  *(uint8_t*)0x20006088 = (uint8_t)0x0;
  *(uint8_t*)0x20006089 = (uint8_t)0x0;
  *(uint8_t*)0x2000608a = (uint8_t)0x0;
  *(uint8_t*)0x2000608b = (uint8_t)0x0;
  r[131] =
      syscall(SYS_ioctl, r[2], 0xc08c5332ul, 0x20006000ul, 0, 0, 0);
  *(uint32_t*)0x20006fd7 = (uint32_t)0x0;
  *(uint32_t*)0x20006fdb = (uint32_t)0x0;
  *(uint32_t*)0x20006fdf = (uint32_t)0x6;
  *(uint32_t*)0x20006fe3 = (uint32_t)0x81;
  *(uint32_t*)0x20006fe7 = (uint32_t)0x7;
  *(uint32_t*)0x20006feb = (uint32_t)0x9;
  *(uint32_t*)0x20006fef = (uint32_t)0x401;
  *(uint8_t*)0x20006ff3 = (uint8_t)0x0;
  *(uint8_t*)0x20006ff4 = (uint8_t)0x0;
  *(uint8_t*)0x20006ff5 = (uint8_t)0x0;
  *(uint8_t*)0x20006ff6 = (uint8_t)0x0;
  *(uint8_t*)0x20006ff7 = (uint8_t)0x0;
  *(uint8_t*)0x20006ff8 = (uint8_t)0x0;
  *(uint8_t*)0x20006ff9 = (uint8_t)0x0;
  *(uint8_t*)0x20006ffa = (uint8_t)0x0;
  *(uint8_t*)0x20006ffb = (uint8_t)0x0;
  *(uint8_t*)0x20006ffc = (uint8_t)0x0;
  *(uint8_t*)0x20006ffd = (uint8_t)0x0;
  *(uint8_t*)0x20006ffe = (uint8_t)0x0;
  *(uint8_t*)0x20006fff = (uint8_t)0x0;
  *(uint8_t*)0x20007000 = (uint8_t)0x0;
  *(uint8_t*)0x20007001 = (uint8_t)0x0;
  *(uint8_t*)0x20007002 = (uint8_t)0x0;
  *(uint8_t*)0x20007003 = (uint8_t)0x0;
  *(uint8_t*)0x20007004 = (uint8_t)0x0;
  *(uint8_t*)0x20007005 = (uint8_t)0x0;
  *(uint8_t*)0x20007006 = (uint8_t)0x0;
  *(uint8_t*)0x20007007 = (uint8_t)0x0;
  *(uint8_t*)0x20007008 = (uint8_t)0x0;
  *(uint8_t*)0x20007009 = (uint8_t)0x0;
  *(uint8_t*)0x2000700a = (uint8_t)0x0;
  *(uint8_t*)0x2000700b = (uint8_t)0x0;
  *(uint8_t*)0x2000700c = (uint8_t)0x0;
  *(uint8_t*)0x2000700d = (uint8_t)0x0;
  *(uint8_t*)0x2000700e = (uint8_t)0x0;
  *(uint8_t*)0x2000700f = (uint8_t)0x0;
  *(uint8_t*)0x20007010 = (uint8_t)0x0;
  *(uint8_t*)0x20007011 = (uint8_t)0x0;
  *(uint8_t*)0x20007012 = (uint8_t)0x0;
  *(uint8_t*)0x20007013 = (uint8_t)0x0;
  *(uint8_t*)0x20007014 = (uint8_t)0x0;
  *(uint8_t*)0x20007015 = (uint8_t)0x0;
  *(uint8_t*)0x20007016 = (uint8_t)0x0;
  *(uint8_t*)0x20007017 = (uint8_t)0x0;
  *(uint8_t*)0x20007018 = (uint8_t)0x0;
  *(uint8_t*)0x20007019 = (uint8_t)0x0;
  *(uint8_t*)0x2000701a = (uint8_t)0x0;
  *(uint8_t*)0x2000701b = (uint8_t)0x0;
  *(uint8_t*)0x2000701c = (uint8_t)0x0;
  *(uint8_t*)0x2000701d = (uint8_t)0x0;
  *(uint8_t*)0x2000701e = (uint8_t)0x0;
  *(uint8_t*)0x2000701f = (uint8_t)0x0;
  *(uint8_t*)0x20007020 = (uint8_t)0x0;
  *(uint8_t*)0x20007021 = (uint8_t)0x0;
  *(uint8_t*)0x20007022 = (uint8_t)0x0;
  *(uint8_t*)0x20007023 = (uint8_t)0x0;
  *(uint8_t*)0x20007024 = (uint8_t)0x0;
  *(uint8_t*)0x20007025 = (uint8_t)0x0;
  *(uint8_t*)0x20007026 = (uint8_t)0x0;
  *(uint8_t*)0x20007027 = (uint8_t)0x0;
  *(uint8_t*)0x20007028 = (uint8_t)0x0;
  *(uint8_t*)0x20007029 = (uint8_t)0x0;
  *(uint8_t*)0x2000702a = (uint8_t)0x0;
  *(uint8_t*)0x2000702b = (uint8_t)0x0;
  *(uint8_t*)0x2000702c = (uint8_t)0x0;
  *(uint8_t*)0x2000702d = (uint8_t)0x0;
  *(uint8_t*)0x2000702e = (uint8_t)0x0;
  *(uint8_t*)0x2000702f = (uint8_t)0x0;
  *(uint8_t*)0x20007030 = (uint8_t)0x0;
  *(uint8_t*)0x20007031 = (uint8_t)0x0;
  *(uint8_t*)0x20007032 = (uint8_t)0x0;
  r[203] =
      syscall(SYS_ioctl, r[2], 0x40605346ul, 0x20006fd7ul, 0, 0, 0);
  *(uint8_t*)0x20005000 = (uint8_t)0x3ff;
  *(uint8_t*)0x20005001 = (uint8_t)0x2e;
  *(uint8_t*)0x20005002 = (uint8_t)0x1;
  *(uint8_t*)0x20005003 = (uint8_t)0x8;
  *(uint32_t*)0x2000500c = (uint32_t)0x4;
  *(uint8_t*)0x20005010 = (uint8_t)0x8001;
  *(uint8_t*)0x20005011 = (uint8_t)0x2;
  *(uint8_t*)0x20005012 = (uint8_t)0xfffffffffffffffa;
  *(uint8_t*)0x20005013 = (uint8_t)0xffff;
  *(uint8_t*)0x2000501c = (uint8_t)0x5;
  *(uint8_t*)0x2000501d = (uint8_t)0x2;
  *(uint8_t*)0x2000501e = (uint8_t)0x5;
  *(uint8_t*)0x2000501f = (uint8_t)0x0;
  *(uint8_t*)0x20005020 = (uint8_t)0x5;
  *(uint8_t*)0x20005021 = (uint8_t)0x100000000;
  *(uint8_t*)0x20005022 = (uint8_t)0x7;
  *(uint8_t*)0x20005023 = (uint8_t)0xfffffffffffff2fb;
  *(uint32_t*)0x2000502c = (uint32_t)0x8;
  *(uint8_t*)0x20005030 = (uint8_t)0x80;
  *(uint8_t*)0x20005031 = (uint8_t)0x485;
  *(uint8_t*)0x20005032 = (uint8_t)0x4;
  *(uint8_t*)0x20005033 = (uint8_t)0x4;
  *(uint8_t*)0x2000503c = (uint8_t)0x9;
  *(uint8_t*)0x2000503d = (uint8_t)0x7;
  *(uint8_t*)0x2000503e = (uint8_t)0x20;
  *(uint8_t*)0x2000503f = (uint8_t)0x0;
  *(uint8_t*)0x20005040 = (uint8_t)0x20;
  *(uint8_t*)0x20005041 = (uint8_t)0x9;
  *(uint8_t*)0x20005042 = (uint8_t)0x2;
  *(uint8_t*)0x20005043 = (uint8_t)0x2;
  *(uint64_t*)0x20005058 = (uint64_t)0x0;
  *(uint64_t*)0x20005060 = (uint64_t)0x0;
  *(uint8_t*)0x20005068 = (uint8_t)0x1c8;
  *(uint8_t*)0x20005069 = (uint8_t)0xfffffffffffffff7;
  *(uint8_t*)0x2000506a = (uint8_t)0x1ff;
  *(uint8_t*)0x2000506b = (uint8_t)0x9f9f;
  *(uint32_t*)0x2000507c = (uint32_t)0x90;
  *(uint32_t*)0x20005080 = (uint32_t)0x40;
  *(uint32_t*)0x20005084 = (uint32_t)0x0;
  *(uint8_t*)0x20005088 = (uint8_t)0x0;
  *(uint8_t*)0x20005089 = (uint8_t)0x4;
  *(uint8_t*)0x2000508a = (uint8_t)0x1;
  *(uint8_t*)0x2000508b = (uint8_t)0xffffffff80000001;
  *(uint32_t*)0x20005094 = (uint32_t)0x9;
  *(uint8_t*)0x20005098 = (uint8_t)0x8;
  *(uint8_t*)0x20005099 = (uint8_t)0x7;
  *(uint8_t*)0x2000509a = (uint8_t)0xfff;
  *(uint8_t*)0x2000509b = (uint8_t)0x8;
  *(uint32_t*)0x200050a8 = (uint32_t)0xbd1e;
  r[253] = syscall(SYS_write, r[2], 0x20005000ul, 0x95cul, 0, 0, 0);
  return 0;
}


I am on commit 30f05309bde49295e02e45c7e615f73aa4e0ccc2 (Jan 20) + the
following pending patch from Takashi:

diff --git a/sound/core/hrtimer.c b/sound/core/hrtimer.c
index f845ecf..656d9a9 100644
--- a/sound/core/hrtimer.c
+++ b/sound/core/hrtimer.c
@@ -90,7 +90,7 @@ static int snd_hrtimer_start(struct snd_timer *t)
        struct snd_hrtimer *stime = t->private_data;

        atomic_set(&stime->running, 0);
-       hrtimer_cancel(&stime->hrt);
+       hrtimer_try_to_cancel(&stime->hrt);
        hrtimer_start(&stime->hrt, ns_to_ktime(t->sticks * resolution),
                      HRTIMER_MODE_REL);
        atomic_set(&stime->running, 1);
@@ -101,6 +101,7 @@ static int snd_hrtimer_stop(struct snd_timer *t)
 {
        struct snd_hrtimer *stime = t->private_data;
        atomic_set(&stime->running, 0);
+       hrtimer_try_to_cancel(&stime->hrt);
        return 0;
 }


More information about the Alsa-devel mailing list