ALSA: seq: Cover unsubscribe_port() in list_mutex

commit 7c32ae35fbf9cffb7aa3736f44dec10c944ca18e upstream.

The call of unsubscribe_port() which manages the group count and
module refcount from delete_and_unsubscribe_port() looks racy; it's
not covered by the group list lock, and it's likely a cause of the
reported unbalance at port deletion.  Let's move the call inside the
group list_mutex to plug the hole.

Reported-by: syzbot+e4c8abb920efa77bace9@syzkaller.appspotmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/sound/core/seq/seq_ports.c b/sound/core/seq/seq_ports.c
index f04714d70bf7c4fbb436c09b85438e637d93a031..a42e2ce4a726a62787f42d46a3e6c61811b96fab 100644 (file)
--- a/sound/core/seq/seq_ports.c
+++ b/sound/core/seq/seq_ports.c
@@ -550,10 +550,10 @@ static void delete_and_unsubscribe_port(struct snd_seq_client *client,
                list_del_init(list);
        grp->exclusive = 0;
        write_unlock_irq(&grp->list_lock);
-       up_write(&grp->list_mutex);
 
        if (!empty)
                unsubscribe_port(client, port, grp, &subs->info, ack);
+       up_write(&grp->list_mutex);
 }
 
 /* connect two ports */