| From 7e8a47a8776a465e8823d3785c2532cd2f8b3aff Mon Sep 17 00:00:00 2001 |
| From: Clemens Ladisch <clemens@ladisch.de> |
| Date: Fri, 15 Oct 2010 12:06:18 +0200 |
| Subject: [PATCH] ALSA: rawmidi: fix oops (use after free) when unloading a driver module |
| |
| commit aa73aec6c385e2c797ac25cc7ccf0318031de7c8 upstream. |
| |
| When a driver module is unloaded and the last still open file is a raw |
| MIDI device, the card and its devices will actually be freed in the |
| snd_card_file_remove() call when that file is closed. Afterwards, rmidi |
| and rmidi->card point into freed memory, so the module pointer is likely |
| to be garbage. |
| (This was introduced by commit 9a1b64caac82aa02cb74587ffc798e6f42c6170a.) |
| |
| Signed-off-by: Clemens Ladisch <clemens@ladisch.de> |
| Reported-by: Krzysztof Foltman <wdev@foltman.com> |
| Signed-off-by: Takashi Iwai <tiwai@suse.de> |
| Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> |
| --- |
| sound/core/rawmidi.c | 4 +++- |
| 1 files changed, 3 insertions(+), 1 deletions(-) |
| |
| diff --git a/sound/core/rawmidi.c b/sound/core/rawmidi.c |
| index 0f5a194..5fac1a3 100644 |
| --- a/sound/core/rawmidi.c |
| +++ b/sound/core/rawmidi.c |
| @@ -531,13 +531,15 @@ static int snd_rawmidi_release(struct inode *inode, struct file *file) |
| { |
| struct snd_rawmidi_file *rfile; |
| struct snd_rawmidi *rmidi; |
| + struct module *module; |
| |
| rfile = file->private_data; |
| rmidi = rfile->rmidi; |
| rawmidi_release_priv(rfile); |
| kfree(rfile); |
| + module = rmidi->card->module; |
| snd_card_file_remove(rmidi->card, file); |
| - module_put(rmidi->card->module); |
| + module_put(module); |
| return 0; |
| } |
| |
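Review bot: The new `module = rmidi->card->module;` assignment has no comment saying why the pointer must be read before `snd_card_file_remove()`, so the ordering looks incidental and a later cleanup could fold it back into `module_put(rmidi->card->module)`. Per the commit message, that call can free the card and its devices when this is the last open file, leaving `rmidi` and `rmidi->card` dangling. I would add `/* snd_card_file_remove() may free the card and rmidi; save the module pointer first */` directly above the assignment. Nothing in the visible body dereferences `rmidi` after the remove call, and the comment would help keep that invariant.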
| -- |
| 1.7.0.4 |
| |