aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorClemens Ladisch <clemens@ladisch.de>2010-10-15 06:06:18 -0400
committerTakashi Iwai <tiwai@suse.de>2010-10-17 04:11:40 -0400
commitaa73aec6c385e2c797ac25cc7ccf0318031de7c8 (patch)
tree97ab3c6e917c2592f2c432c703a058ac0cebc574
parentcd07202cc8262e1669edff0d97715f3dd9260917 (diff)
ALSA: rawmidi: fix oops (use after free) when unloading a driver module
When a driver module is unloaded and the last still open file is a raw MIDI device, the card and its devices will be actually freed in the snd_card_file_remove() call when that file is closed. Afterwards, rmidi and rmidi->card point into freed memory, so the module pointer is likely to be garbage. (This was introduced by commit 9a1b64caac82aa02cb74587ffc798e6f42c6170a.) Signed-off-by: Clemens Ladisch <clemens@ladisch.de> Reported-by: Krzysztof Foltman <wdev@foltman.com> Cc: 2.6.30-2.6.35 <stable@kernel.org> Signed-off-by: Takashi Iwai <tiwai@suse.de>
-rw-r--r--sound/core/rawmidi.c4
1 files changed, 3 insertions, 1 deletions
diff --git a/sound/core/rawmidi.c b/sound/core/rawmidi.c
index a7868ad4d53..cbbed0db9e5 100644
--- a/sound/core/rawmidi.c
+++ b/sound/core/rawmidi.c
@@ -535,13 +535,15 @@ static int snd_rawmidi_release(struct inode *inode, struct file *file)
535{ 535{
536 struct snd_rawmidi_file *rfile; 536 struct snd_rawmidi_file *rfile;
537 struct snd_rawmidi *rmidi; 537 struct snd_rawmidi *rmidi;
538 struct module *module;
538 539
539 rfile = file->private_data; 540 rfile = file->private_data;
540 rmidi = rfile->rmidi; 541 rmidi = rfile->rmidi;
541 rawmidi_release_priv(rfile); 542 rawmidi_release_priv(rfile);
542 kfree(rfile); 543 kfree(rfile);
544 module = rmidi->card->module;
543 snd_card_file_remove(rmidi->card, file); 545 snd_card_file_remove(rmidi->card, file);
544 module_put(rmidi->card->module); 546 module_put(module);
545 return 0; 547 return 0;
546} 548}
547 549