Commit aa73aec6 authored Oct 15, 2010 by Clemens Ladisch Committed by Takashi Iwai Oct 17, 2010

ALSA: rawmidi: fix oops (use after free) when unloading a driver module



When a driver module is unloaded and the last still open file is a raw
MIDI device, the card and its devices will be actually freed in the
snd_card_file_remove() call when that file is closed.  Afterwards, rmidi
and rmidi->card point into freed memory, so the module pointer is likely
to be garbage.
(This was introduced by commit 9a1b64ca.)

Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
Reported-by: Krzysztof Foltman <wdev@foltman.com>
Cc: 2.6.30-2.6.35 <stable@kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>

parent cd07202c

sound/core/rawmidi.c

+3 −1

Original line number	Original line	Diff line number	Diff line
	@@ -535,13 +535,15 @@ static int snd_rawmidi_release(struct inode inode, struct file file)
	{		{
	struct snd_rawmidi_file *rfile;		struct snd_rawmidi_file *rfile;
	struct snd_rawmidi *rmidi;		struct snd_rawmidi *rmidi;
			struct module *module;

	rfile = file->private_data;		rfile = file->private_data;
	rmidi = rfile->rmidi;		rmidi = rfile->rmidi;
	rawmidi_release_priv(rfile);		rawmidi_release_priv(rfile);
	kfree(rfile);		kfree(rfile);
			module = rmidi->card->module;
	snd_card_file_remove(rmidi->card, file);		snd_card_file_remove(rmidi->card, file);
	module_put(rmidi->card->module);		module_put(module);
	return 0;		return 0;
	}		}