lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <lsq.1479082460.44285641@decadent.org.uk>
Date:   Mon, 14 Nov 2016 00:14:20 +0000
From:   Ben Hutchings <ben@...adent.org.uk>
To:     linux-kernel@...r.kernel.org, stable@...r.kernel.org
CC:     akpm@...ux-foundation.org,
        "Laxminath Kasam" <b_lkasam@...eaurora.org>,
        "Takashi Iwai" <tiwai@...e.de>
Subject: [PATCH 3.16 049/346] ALSA: pcm: Free chmap at PCM free callback, too

3.16.39-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <tiwai@...e.de>

commit a8ff48cb70835f48de5703052760312019afea55 upstream.

The chmap ctls assigned to PCM streams are freed in the PCM disconnect
callback.  However, since the disconnect callback isn't called when
the card gets freed before registering, the chmap ctls may still be
left assigned.  They are eventually freed together with other ctls,
but it may cause an Oops at pcm_chmap_ctl_private_free(), as the
function refers to the assigned PCM stream, while the PCM objects have
been already freed beforehand.

The fix is to free the chmap ctls also at PCM free callback, not only
at PCM disconnect.

Reported-by: Laxminath Kasam <b_lkasam@...eaurora.org>
Signed-off-by: Takashi Iwai <tiwai@...e.de>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@...adent.org.uk>
---
 sound/core/pcm.c | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

--- a/sound/core/pcm.c
+++ b/sound/core/pcm.c
@@ -806,6 +806,14 @@ int snd_pcm_new_internal(struct snd_card
 }
 EXPORT_SYMBOL(snd_pcm_new_internal);
 
+static void free_chmap(struct snd_pcm_str *pstr)
+{
+	if (pstr->chmap_kctl) {
+		snd_ctl_remove(pstr->pcm->card, pstr->chmap_kctl);
+		pstr->chmap_kctl = NULL;
+	}
+}
+
 static void snd_pcm_free_stream(struct snd_pcm_str * pstr)
 {
 	struct snd_pcm_substream *substream, *substream_next;
@@ -828,6 +836,7 @@ static void snd_pcm_free_stream(struct s
 		kfree(setup);
 	}
 #endif
+	free_chmap(pstr);
 }
 
 static int snd_pcm_free(struct snd_pcm *pcm)
@@ -1142,10 +1151,7 @@ static int snd_pcm_dev_disconnect(struct
 			break;
 		}
 		snd_unregister_device(devtype, pcm->card, pcm->device);
-		if (pcm->streams[cidx].chmap_kctl) {
-			snd_ctl_remove(pcm->card, pcm->streams[cidx].chmap_kctl);
-			pcm->streams[cidx].chmap_kctl = NULL;
-		}
+		free_chmap(&pcm->streams[cidx]);
 	}
 	mutex_unlock(&pcm->open_mutex);
  unlock:

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ