From: Clemens Ladisch Date: Fri, 15 Oct 2010 10:06:18 +0000 (+0200) Subject: ALSA: rawmidi: fix oops (use after free) when unloading a driver module X-Git-Tag: firefly_0821_release~7613^2~3758^2 X-Git-Url: http://demsky.eecs.uci.edu/git/?a=commitdiff_plain;h=aa73aec6c385e2c797ac25cc7ccf0318031de7c8;p=firefly-linux-kernel-4.4.55.git ALSA: rawmidi: fix oops (use after free) when unloading a driver module When a driver module is unloaded and the last still open file is a raw MIDI device, the card and its devices will be actually freed in the snd_card_file_remove() call when that file is closed. Afterwards, rmidi and rmidi->card point into freed memory, so the module pointer is likely to be garbage. (This was introduced by commit 9a1b64caac82aa02cb74587ffc798e6f42c6170a.) Signed-off-by: Clemens Ladisch Reported-by: Krzysztof Foltman Cc: 2.6.30-2.6.35 Signed-off-by: Takashi Iwai --- diff --git a/sound/core/rawmidi.c b/sound/core/rawmidi.c index a7868ad4d530..cbbed0db9e56 100644 --- a/sound/core/rawmidi.c +++ b/sound/core/rawmidi.c @@ -535,13 +535,15 @@ static int snd_rawmidi_release(struct inode *inode, struct file *file) { struct snd_rawmidi_file *rfile; struct snd_rawmidi *rmidi; + struct module *module; rfile = file->private_data; rmidi = rfile->rmidi; rawmidi_release_priv(rfile); kfree(rfile); + module = rmidi->card->module; snd_card_file_remove(rmidi->card, file); - module_put(rmidi->card->module); + module_put(module); return 0; }