DragonFlyBSD/src 30a075b sys/dev/sound/midi midi.c

kernel - Rejigger midistat functions to close a race

* Make sure lock has full coverage across midistat_open() and
  midistat_read().  The temporary drop of the lock in midistat_read()
  led to a race which allows one to read kernel memory beyond the
  end of the sbuf buffer.

* Rejigger the code to remove the global offset and just use
  uio_offset, which also fixes the same race (but leave the
  lock coverage in place regardless).

Taken-From:     FreeBSD
Security:       CVE-2019-5612
Delta    File
+14 -18  sys/dev/sound/midi/midi.c
+14 -18  1 files
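
The read pattern the commit message describes (position taken from the caller's own offset, bounds checked and data copied under one continuous lock hold), shown as an added user-space model; it is not the DragonFly or FreeBSD code. The names `stat_dev`, `read_req` and `stat_read` are hypothetical stand-ins for the midistat state, `struct uio` and `midistat_read()`.

```c
#include <pthread.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical user-space stand-ins for the kernel objects (assumptions). */
struct stat_dev {
    pthread_mutex_t lock;   /* stands in for the midistat lock */
    const char *buf;        /* stands in for the sbuf data */
    size_t len;             /* number of valid bytes in buf */
};

struct read_req {           /* stands in for struct uio */
    size_t offset;          /* per-caller position, like uio_offset */
    size_t resid;           /* bytes the caller still wants */
    char *dst;              /* destination buffer */
};

/*
 * Copy out at most req->resid bytes starting at req->offset.
 * The position comes only from the request (no shared global offset),
 * it is compared against len before any subtraction, and the lock is
 * held from the bounds check through the copy. Returns bytes copied.
 */
size_t stat_read(struct stat_dev *d, struct read_req *req)
{
    size_t n = 0;

    pthread_mutex_lock(&d->lock);
    if (req->offset < d->len) {
        n = d->len - req->offset;          /* cannot underflow here */
        if (n > req->resid)
            n = req->resid;
        memcpy(req->dst, d->buf + req->offset, n);
        req->dst += n;
        req->offset += n;
        req->resid -= n;
    }
    pthread_mutex_unlock(&d->lock);
    return n;
}

int main(void)
{
    /* Constructed sample data: a 6-byte status buffer. */
    struct stat_dev d = { PTHREAD_MUTEX_INITIALIZER, "midi0\n", 6 };
    char out[8];
    struct read_req r = { 4, sizeof(out), out };

    stat_read(&d, &r);                         /* copies the last 2 bytes */
    return stat_read(&d, &r) == 0 ? 0 : 1;     /* at the end: nothing copied */
}
```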
