Bug 1311566 (CVE-2016-2547) - CVE-2016-2547 kernel: sound: use-after-free in snd_timer_user_ioctl
Summary: CVE-2016-2547 kernel: sound: use-after-free in snd_timer_user_ioctl
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2016-2547
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
: CVE-2016-2548
Depends On: 1288993 1311573
Blocks: 1311575
Reported: 2016-02-24 13:26 UTC by Andrej Nemec
Modified: 2021-02-17 04:18 UTC
33 users

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2016-03-08 11:10:31 UTC
Embargoed:



Description Andrej Nemec 2016-02-24 13:26:59 UTC
A slave timer instance might still be accessible in a racy way while operating the master instance, as it lacks locking. Since the master operation is mostly protected with timer->lock, we should cope with it while changing the slave instance, too.

Upstream patch:

http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=b5a663aa426f4884c71cd8580adae73f33570f0d

External references:

http://marc.info/?l=linux-kernel&m=145269654327048
https://gist.githubusercontent.com/dvyukov/e833610757b098956b50/raw/d819cd13b466e4adbe3dd825ee481e4512e77633/gistfile1.txt

CVE-ID request and assignment:

http://seclists.org/oss-sec/2016/q1/133

http://seclists.org/oss-sec/2016/q1/410
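The locking rule behind the fix, modelled in C as an added example (this is not the kernel's code or the upstream patch); model_timer, model_instance, slave_close and run_scenario are hypothetical names, and the lock is a plain flag standing in for the master's spinlock:

```c
/* Added example, not the kernel's code (names hypothetical): a minimal model of
 * the ALSA master/slave timer relationship, enforcing the rule the upstream fix
 * introduces: a slave is unlinked from its master only under the master's lock. */
#include <stddef.h>

struct model_instance;
struct model_timer {
    int lock_held;                   /* stand-in for spin_lock(&timer->lock) */
    struct model_instance *slaves;   /* singly linked list of slave instances */
};
struct model_instance {
    struct model_timer *master;      /* NULL once unlinked */
    struct model_instance *next;
};
/* Mutations done without the master's lock: each is the race window in which
 * the master's interrupt path can still reach a slave that is being freed. */
static int unlocked_mutations;

static void slave_unlink(struct model_timer *master, struct model_instance *s)
{
    struct model_instance **pp;
    if (!master->lock_held) unlocked_mutations++;
    for (pp = &master->slaves; *pp; pp = &(*pp)->next)
        if (*pp == s) { *pp = s->next; break; }
    s->next = NULL; s->master = NULL;
}

/* hardened == 0: pre-fix close, unlinks with no lock. hardened == 1: the fix,
 * which takes the master's lock around the unlink in snd_timer_close. */
static void slave_close(struct model_instance *s, int hardened)
{
    struct model_timer *master = s->master;
    if (!master) return;
    if (hardened) master->lock_held = 1;     /* spin_lock(&master->lock) */
    slave_unlink(master, s);
    if (hardened) master->lock_held = 0;     /* spin_unlock(&master->lock) */
}

/* Builds one master with two slaves, closes the first, and returns how many
 * mutations ran unlocked, or -1 if the list was left inconsistent. */
int run_scenario(int hardened)
{
    struct model_timer master = { 0, NULL };
    struct model_instance a = { &master, NULL }, b = { &master, &a };
    master.slaves = &b;                      /* slave list: b -> a */
    unlocked_mutations = 0;
    slave_close(&b, hardened);
    if (master.slaves != &a || a.next != NULL || b.master != NULL) return -1;
    return unlocked_mutations;
}
```

Both paths leave the list structurally consistent; only the unlocked count differs, which is exactly the window the upstream commit closes.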

Comment 1 Josh Boyer 2016-02-24 13:57:34 UTC
This was fixed in 4.3.5 with:

commit ea7f3d59628930dc29482a292e2a55c81cac52a4
Author: Takashi Iwai <tiwai>
Date:   Thu Jan 14 16:30:58 2016 +0100

    ALSA: timer: Harden slave timer list handling
    
    commit b5a663aa426f4884c71cd8580adae73f33570f0d upstream.
    

and in 4.4.1 with:

commit 8eff3aa0a9bbb593dce0ec0344ec1961318e44c8
Author: Takashi Iwai <tiwai>
Date:   Thu Jan 14 16:30:58 2016 +0100

    ALSA: timer: Harden slave timer list handling
    
    commit b5a663aa426f4884c71cd8580adae73f33570f0d upstream.

All Fedora branches are on those or newer.  This issue is fixed in Fedora.

Comment 3 Vladis Dronov 2016-03-08 11:10:31 UTC
Statement:

This issue affects the Linux kernel packages as shipped with Red Hat Enterprise Linux 5, 6. This has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.

This issue does not affect the Linux kernel packages as shipped with Red Hat Enterprise Linux 7 and MRG-2, as the flaw was already fixed in the products listed.

Comment 4 Vladis Dronov 2016-03-11 17:55:26 UTC
*** Bug 1311568 has been marked as a duplicate of this bug. ***

