diff options
author | Clemens Ladisch <clemens@ladisch.de> | 2010-10-15 06:06:18 -0400 |
---|---|---|
committer | Takashi Iwai <tiwai@suse.de> | 2010-10-17 04:11:40 -0400 |
commit | aa73aec6c385e2c797ac25cc7ccf0318031de7c8 (patch) | |
tree | 97ab3c6e917c2592f2c432c703a058ac0cebc574 /sound/core | |
parent | cd07202cc8262e1669edff0d97715f3dd9260917 (diff) |
ALSA: rawmidi: fix oops (use after free) when unloading a driver module
When a driver module is unloaded and the last still open file is a raw
MIDI device, the card and its devices will be actually freed in the
snd_card_file_remove() call when that file is closed. Afterwards, rmidi
and rmidi->card point into freed memory, so the module pointer is likely
to be garbage.
(This was introduced by commit 9a1b64caac82aa02cb74587ffc798e6f42c6170a.)
Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
Reported-by: Krzysztof Foltman <wdev@foltman.com>
Cc: 2.6.30-2.6.35 <stable@kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Diffstat (limited to 'sound/core')
-rw-r--r-- | sound/core/rawmidi.c | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/sound/core/rawmidi.c b/sound/core/rawmidi.c index a7868ad4d530..cbbed0db9e56 100644 --- a/sound/core/rawmidi.c +++ b/sound/core/rawmidi.c | |||
@@ -535,13 +535,15 @@ static int snd_rawmidi_release(struct inode *inode, struct file *file) | |||
535 | { | 535 | { |
536 | struct snd_rawmidi_file *rfile; | 536 | struct snd_rawmidi_file *rfile; |
537 | struct snd_rawmidi *rmidi; | 537 | struct snd_rawmidi *rmidi; |
538 | struct module *module; | ||
538 | 539 | ||
539 | rfile = file->private_data; | 540 | rfile = file->private_data; |
540 | rmidi = rfile->rmidi; | 541 | rmidi = rfile->rmidi; |
541 | rawmidi_release_priv(rfile); | 542 | rawmidi_release_priv(rfile); |
542 | kfree(rfile); | 543 | kfree(rfile); |
544 | module = rmidi->card->module; | ||
543 | snd_card_file_remove(rmidi->card, file); | 545 | snd_card_file_remove(rmidi->card, file); |
544 | module_put(rmidi->card->module); | 546 | module_put(module); |
545 | return 0; | 547 | return 0; |
546 | } | 548 | } |
547 | 549 | ||