Commit aa73aec6c385e2c797ac25cc7ccf0318031de7c8
Committed by
Takashi Iwai
Takashi Iwai
1 parent
cd07202cc8
ALSA: rawmidi: fix oops (use after free) when unloading a driver module
When a driver module is unloaded and the last still open file is a raw MIDI device, the card and its devices will be actually freed in the snd_card_file_remove() call when that file is closed. Afterwards, rmidi and rmidi->card point into freed memory, so the module pointer is likely to be garbage. (This was introduced by commit 9a1b64caac82aa02cb74587ffc798e6f42c6170a.) Signed-off-by: Clemens Ladisch <clemens@ladisch.de> Reported-by: Krzysztof Foltman <wdev@foltman.com> Cc: 2.6.30-2.6.35 <stable@kernel.org> Signed-off-by: Takashi Iwai <tiwai@suse.de>
Showing 1 changed file with 3 additions and 1 deletions Side-by-side Diff
sound/core/rawmidi.c
| ... | ... | @@ -535,13 +535,15 @@ |
| 535 | 535 | { |
| 536 | 536 | struct snd_rawmidi_file *rfile; |
| 537 | 537 | struct snd_rawmidi *rmidi; |
| 538 | + struct module *module; | |
| 538 | 539 | |
| 539 | 540 | rfile = file->private_data; |
| 540 | 541 | rmidi = rfile->rmidi; |
| 541 | 542 | rawmidi_release_priv(rfile); |
| 542 | 543 | kfree(rfile); |
| 544 | + module = rmidi->card->module; | |
| 543 | 545 | snd_card_file_remove(rmidi->card, file); |
| 544 | - module_put(rmidi->card->module); | |
| 546 | + module_put(module); | |
| 545 | 547 | return 0; |
| 546 | 548 | } |
| 547 | 549 |