dd3f048315
commit 1f8763c59c4ec6254d629fe77c0a52220bd907aa upstream.
John Keeping reported and posted a patch for a potential UAF in
rawmidi sequencer destruction: the snd_rawmidi_dev_seq_free() may be
called after the associated rawmidi object got already freed.
After a deeper look, it turned out that the bug is rather the
incorrect private_free call order for a snd_seq_device. The
snd_seq_device private_free gets called at the release callback of the
sequencer device object, while this was rather expected to be executed
at the snd_device call chains that runs at the beginning of the whole
card-free procedure. It's been broken since the rewrite of
sequencer-device binding (although it hasn't surfaced because the
sequencer device release happens usually right along with the card
device release).
This patch corrects the private_free call to be done in the right
place, at snd_seq_device_dev_free().
Fixes:
|
||
|---|---|---|
| .. | ||
| oss | ||
| seq | ||
| compress_offload.c | ||
| control_compat.c | ||
| control.c | ||
| ctljack.c | ||
| device.c | ||
| hrtimer.c | ||
| hwdep_compat.c | ||
| hwdep.c | ||
| info_oss.c | ||
| info.c | ||
| init.c | ||
| isadma.c | ||
| jack.c | ||
| Kconfig | ||
| Makefile | ||
| memalloc.c | ||
| memory.c | ||
| misc.c | ||
| pcm_compat.c | ||
| pcm_dmaengine.c | ||
| pcm_drm_eld.c | ||
| pcm_iec958.c | ||
| pcm_lib.c | ||
| pcm_local.h | ||
| pcm_memory.c | ||
| pcm_misc.c | ||
| pcm_native.c | ||
| pcm_param_trace.h | ||
| pcm_timer.c | ||
| pcm_trace.h | ||
| pcm.c | ||
| rawmidi_compat.c | ||
| rawmidi.c | ||
| seq_device.c | ||
| sgbuf.c | ||
| sound_oss.c | ||
| sound.c | ||
| timer_compat.c | ||
| timer.c | ||
| vmaster.c | ||