refs/tags/android-wear-8.0.0_r0.21 - kernel/msm

tag	ff7adfd60f5362ae1a82dc70dcd212cae93b7bd8
tagger	The Android Open Source Project <initial-contribution@android.com>	Wed Mar 28 16:54:30 2018 -0700
object	2dbf7df6996e5f0b00131dd1da3ee0e922f8120c

Android Wear 8.0.0 Release 0.21 (OWDE.180215.020,sawshark_sw)

commit	2dbf7df6996e5f0b00131dd1da3ee0e922f8120c	[log] [tgz]
author	y00230200 <yanghongliang.yang@huawei.com>	Thu Jan 18 17:08:24 2018 +0800
committer	Hongliang Yang <yanghongliang.yang@huawei.com>	Sat Jan 27 09:09:03 2018 +0000
tree	0c471177ccbd3b1e95a2795fc345f4c9a5c3642d
parent	fc750ea71a597c6426ff563a9caf47db9cf090a4 [diff]

ALSA: seq: Fix use-after-free at creating a port

CVE-2017-15265

There is a potential race window opened at creating and deleting a
port via ioctl, as spotted by fuzzing.  snd_seq_create_port() creates
a port object and returns its pointer, but it doesn't take the
refcount, thus it can be deleted immediately by another thread.

sound/core/seq/seq_clientmgr.c[diff]
sound/core/seq/seq_ports.c[diff]

2 files changed

tree: 0c471177ccbd3b1e95a2795fc345f4c9a5c3642d