authorJulia Lawall <julia@diku.dk>2010-11-09 17:00:41 -0500
committerTakashi Iwai <tiwai@suse.de>2010-11-10 20:03:00 -0500
commitfa2b30af84e84129b8d4cf955890ad167cc20cf0 (patch)
tree2268c3f9d81b2065fd51a881f4f01c75126d9acc /sound/pci
parente9161512017f11050ef2b826cbb10be1673554c6 (diff)
ALSA: sound/pci/ctxfi/ctpcm.c: Remove potential for use after free
In each function, the value apcm is stored in the private_data field of runtime. At the same time the function ct_atc_pcm_free_substream is stored in the private_free field of the same structure. ct_atc_pcm_free_substream dereferences and ultimately frees the value in the private_data field. But each function can exit in an error case with apcm having been freed, in which case a subsequent call to the private_free function would perform a dereference after free. On the other hand, if the private_free field is not initialized, it is NULL, and not invoked (see snd_pcm_detach_substream in sound/core/pcm.c). To avoid the introduction of a dangling pointer, the initializations of the private_data and private_free fields are moved to the end of the function, past any possible free of apcm. This is safe because the previous calls to snd_pcm_hw_constraint_integer and snd_pcm_hw_constraint_minmax, which take runtime as an argument, do not refer to either of these fields. In each function, there is one error case where apcm needs to be freed, and a call to kfree is added. The semantic match that finds this problem is as follows: (http://coccinelle.lip6.fr/) // <smpl> @@ expression e,e1,e2,e3; identifier f,free1,free2; expression a; @@ *e->f = a ... when != e->f = e1 when any if (...) { ... when != free1(...,e,...) when != e->f = e2 * kfree(a) ... when != free2(...,e,...) when != e->f = e3 } // </smpl> Signed-off-by: Julia Lawall <julia@diku.dk> Signed-off-by: Takashi Iwai <tiwai@suse.de>
Diffstat (limited to 'sound/pci')
-rw-r--r--sound/pci/ctxfi/ctpcm.c16
1 files changed, 10 insertions, 6 deletions
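--- a/sound/pci/ctxfi/ctpcm.c
+++ b/sound/pci/ctxfi/ctpcm.c
@@ -129,8 +129,6 @@ static int ct_pcm_playback_open(struct snd_pcm_substream *substream)
 
 apcm->substream = substream;
 apcm->interrupt = ct_atc_pcm_interrupt;
-runtime->private_data = apcm;
-runtime->private_free = ct_atc_pcm_free_substream;
 if (IEC958 == substream->pcm->device) {
 runtime->hw = ct_spdif_passthru_playback_hw;
 atc->spdif_out_passthru(atc, 1);
@@ -155,8 +153,12 @@ static int ct_pcm_playback_open(struct snd_pcm_substream *substream)
 }
 
 apcm->timer = ct_timer_instance_new(atc->timer, apcm);
-if (!apcm->timer)
+if (!apcm->timer) {
+kfree(apcm);
 return -ENOMEM;
+}
+runtime->private_data = apcm;
+runtime->private_free = ct_atc_pcm_free_substream;
 
 return 0;
 }
@@ -278,8 +280,6 @@ static int ct_pcm_capture_open(struct snd_pcm_substream *substream)
 apcm->started = 0;
 apcm->substream = substream;
 apcm->interrupt = ct_atc_pcm_interrupt;
-runtime->private_data = apcm;
-runtime->private_free = ct_atc_pcm_free_substream;
 runtime->hw = ct_pcm_capture_hw;
 runtime->hw.rate_max = atc->rsr * atc->msr;
 
@@ -298,8 +298,12 @@ static int ct_pcm_capture_open(struct snd_pcm_substream *substream)
 }
 
 apcm->timer = ct_timer_instance_new(atc->timer, apcm);
-if (!apcm->timer)
+if (!apcm->timer) {
+kfree(apcm);
 return -ENOMEM;
+}
+runtime->private_data = apcm;
+runtime->private_free = ct_atc_pcm_free_substream;
 
 return 0;
 }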
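Review bot: The new placement of `runtime->private_data` / `runtime->private_free` after the last failure point in both `ct_pcm_playback_open` and `ct_pcm_capture_open` encodes an ordering invariant that nothing in the code records, so a later error return inserted after the `ct_timer_instance_new()` check would, depending on where it lands, either re-create the use-after-free this commit removes or leave `apcm->timer` unreleased. I would add a comment directly above the two assignments: `/* Install private_free last: snd_pcm_detach_substream() invokes it whenever it is non-NULL, so it must not be set while an error path can still kfree(apcm). */`. The kernel's usual way to keep such an invariant honest is a single goto-style unwind (release the timer, then `kfree(apcm)`) instead of per-site `kfree(apcm)` calls, but the earlier error returns are outside these hunks, so I cannot judge whether that refactor is worth it here. Both functions begin before their first hunk and the code between the hunks is not visible, so those earlier paths are unreviewed.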