ALSA: control: Don't access controls outside of protected regions

A control that is visible on the card->controls list can be freed at any time. This means we must not access any of its memory while not holding the controls_rw_lock. Otherwise we risk a use after free access. Signed-off-by: Lars-Peter Clausen <lars@metafoo.de> Acked-by: Jaroslav Kysela <perex@perex.cz> Cc: <stable@vger.kernel.org> Signed-off-by: Takashi Iwai <tiwai@suse.de>
author: Lars-Peter Clausen <lars@metafoo.de> 2014-06-18 07:32:33 -0400
committer: Takashi Iwai <tiwai@suse.de> 2014-06-18 09:13:07 -0400
commit: fd9f26e4eca5d08a27d12c0933fceef76ed9663d (patch)
tree: 1b68c534f868ec086cf78e864888c99bdb70f5b5 /sound/core/control.c
parent: 82262a46627bebb0febcc26664746c25cef08563 (diff)
1 files changed, 10 insertions, 5 deletions
diff --git a/sound/core/control.c b/sound/core/control.c
index 1f413c286511..5c49f976fc7b 100644
--- a/sound/core/control.c
+++ b/sound/core/control.c
@@ -330,6 +330,7 @@ int snd_ctl_add(struct snd_card *card, struct snd_kcontrol *kcontrol)
 {
        struct snd_ctl_elem_id id;
        unsigned int idx;
+        unsigned int count;
        int err = -EINVAL;
        if (! kcontrol)
@@ -358,8 +359,9 @@ int snd_ctl_add(struct snd_card *card, struct snd_kcontrol *kcontrol)
        card->controls_count += kcontrol->count;
        kcontrol->id.numid = card->last_numid + 1;
        card->last_numid += kcontrol->count;
+        count = kcontrol->count;
        up_write(&card->controls_rwsem);
-        for (idx = 0; idx < kcontrol->count; idx++, id.index++, id.numid++)
+        for (idx = 0; idx < count; idx++, id.index++, id.numid++)
                snd_ctl_notify(card, SNDRV_CTL_EVENT_MASK_ADD, &id);
        return 0;
@@ -388,6 +390,7 @@ int snd_ctl_replace(struct snd_card *card, struct snd_kcontrol *kcontrol,
                    bool add_on_replace)
 {
        struct snd_ctl_elem_id id;
+        unsigned int count;
        unsigned int idx;
        struct snd_kcontrol *old;
        int ret;
@@ -423,8 +426,9 @@ add:
        card->controls_count += kcontrol->count;
        kcontrol->id.numid = card->last_numid + 1;
        card->last_numid += kcontrol->count;
+        count = kcontrol->count;
        up_write(&card->controls_rwsem);
-        for (idx = 0; idx < kcontrol->count; idx++, id.index++, id.numid++)
+        for (idx = 0; idx < count; idx++, id.index++, id.numid++)
                snd_ctl_notify(card, SNDRV_CTL_EVENT_MASK_ADD, &id);
        return 0;
@@ -897,9 +901,9 @@ static int snd_ctl_elem_write(struct snd_card *card, struct snd_ctl_file *file,
                        result = kctl->put(kctl, control);
                }
                if (result > 0) {
+                        struct snd_ctl_elem_id id = control->id;
                        up_read(&card->controls_rwsem);
-                        snd_ctl_notify(card, SNDRV_CTL_EVENT_MASK_VALUE,
+                        snd_ctl_notify(card, SNDRV_CTL_EVENT_MASK_VALUE, &id);
-                                       &control->id);
                        return 0;
                }
        }
@@ -1333,8 +1337,9 @@ static int snd_ctl_tlv_ioctl(struct snd_ctl_file *file,
                }
                err = kctl->tlv.c(kctl, op_flag, tlv.length, _tlv->tlv);
                if (err > 0) {
+                        struct snd_ctl_elem_id id = kctl->id;
                        up_read(&card->controls_rwsem);
-                        snd_ctl_notify(card, SNDRV_CTL_EVENT_MASK_TLV, &kctl->id);
+                        snd_ctl_notify(card, SNDRV_CTL_EVENT_MASK_TLV, &id);
                        return 0;
                }
        } else {
author	Lars-Peter Clausen <lars@metafoo.de>	2014-06-18 07:32:33 -0400
committer	Takashi Iwai <tiwai@suse.de>	2014-06-18 09:13:07 -0400
commit	fd9f26e4eca5d08a27d12c0933fceef76ed9663d (patch)
tree	1b68c534f868ec086cf78e864888c99bdb70f5b5 /sound/core/control.c
parent	82262a46627bebb0febcc26664746c25cef08563 (diff)