| From: Bo Chen <chenbo@pdx.edu> |
| Date: Thu, 31 May 2018 15:35:18 -0700 |
| Subject: ALSA: hda - Handle kzalloc() failure in snd_hda_attach_pcm_stream() |
| |
| commit a3aa60d511746bd6c0d0366d4eb90a7998bcde8b upstream. |
| |
| When 'kzalloc()' fails in 'snd_hda_attach_pcm_stream()', a new pcm instance is |
| created without setting its operators via 'snd_pcm_set_ops()'. Following |
| operations on the new pcm instance can trigger kernel null pointer dereferences |
| and cause a kernel oops. |
| |
| This bug was found with my work on building a gray-box fault-injection tool for |
| linux-kernel-module binaries. A kernel null pointer dereference was confirmed |
| from line 'substream->ops->open()' in function 'snd_pcm_open_substream()' in |
| file 'sound/core/pcm_native.c'. |
| |
| This patch fixes the bug by calling 'snd_device_free()' in the error handling |
| path of 'kzalloc()', which removes the new pcm instance from the snd card before |
| returning with an error code. |
| |
| Signed-off-by: Bo Chen <chenbo@pdx.edu> |
| Signed-off-by: Takashi Iwai <tiwai@suse.de> |
| Signed-off-by: Ben Hutchings <ben@decadent.org.uk> |
| --- |
| sound/pci/hda/hda_controller.c | 4 +++- |
| 1 file changed, 3 insertions(+), 1 deletion(-) |
| |
| --- a/sound/pci/hda/hda_controller.c |
| +++ b/sound/pci/hda/hda_controller.c |
| @@ -998,8 +998,10 @@ static int azx_attach_pcm_stream(struct |
| return err; |
| strlcpy(pcm->name, cpcm->name, sizeof(pcm->name)); |
| apcm = kzalloc(sizeof(*apcm), GFP_KERNEL); |
| - if (apcm == NULL) |
| + if (apcm == NULL) { |
| + snd_device_free(chip->card, pcm); |
| return -ENOMEM; |
| + } |
| apcm->chip = chip; |
| apcm->pcm = pcm; |
| apcm->codec = codec; |
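Review bot: the function touched by this hunk is azx_attach_pcm_stream(), while the Subject and body of the commit message refer to snd_hda_attach_pcm_stream(); for this stable backport the message should name the function as it exists in this tree (or note the rename) so that anyone bisecting or auditing the error path can find it. The fix itself is the right shape: after snd_pcm_new() succeeds the pcm is already registered with chip->card, so the bare `return -ENOMEM;` in the old code left a pcm with no ops attached, and the added `snd_device_free(chip->card, pcm);` removes it before the error is returned; the earlier `return err;` path needs no such call because it is taken before the pcm exists.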