ALSA: rawmidi: fix oops (use after free) when unloading a driver module

commit aa73aec6c385e2c797ac25cc7ccf0318031de7c8 upstream. When a driver module is unloaded and the last still open file is a raw MIDI device, the card and its devices will be actually freed in the snd_card_file_remove() call when that file is closed. Afterwards, rmidi and rmidi->card point into freed memory, so the module pointer is likely to be garbage. (This was introduced by commit 9a1b64caac82aa02cb74587ffc798e6f42c6170a.) Signed-off-by: Clemens Ladisch <clemens@ladisch.de> Reported-by: Krzysztof Foltman <wdev@foltman.com> Signed-off-by: Takashi Iwai <tiwai@suse.de> Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
author: Clemens Ladisch <clemens@ladisch.de> 2010-10-15 12:06:18 +0200
committer: Paul Gortmaker <paul.gortmaker@windriver.com> 2011-01-06 18:08:06 -0500
commit: 777e779591d10f4908361a439f4822aa0143470b (patch)
tree: 90bfa892ac2e71ddb58b4fe9b30015b6fce673ae /sound
parent: be6ccb1263467bc1ff2f56de2d5db5288cc9c36d (diff)
1 files changed, 3 insertions, 1 deletions
diff --git a/sound/core/rawmidi.c b/sound/core/rawmidi.c
index 0f5a194695d..5fac1a3158d 100644
--- a/sound/core/rawmidi.c
+++ b/sound/core/rawmidi.c
@@ -531,13 +531,15 @@ static int snd_rawmidi_release(struct inode *inode, struct file *file)
 {
 	struct snd_rawmidi_file *rfile;
 	struct snd_rawmidi *rmidi;
+	struct module *module;
 
 	rfile = file->private_data;
 	rmidi = rfile->rmidi;
 	rawmidi_release_priv(rfile);
 	kfree(rfile);
+	module = rmidi->card->module;
 	snd_card_file_remove(rmidi->card, file);
-	module_put(rmidi->card->module);
+	module_put(module);
 	return 0;
 }
author	Clemens Ladisch <clemens@ladisch.de>	2010-10-15 12:06:18 +0200
committer	Paul Gortmaker <paul.gortmaker@windriver.com>	2011-01-06 18:08:06 -0500
commit	777e779591d10f4908361a439f4822aa0143470b (patch)
tree	90bfa892ac2e71ddb58b4fe9b30015b6fce673ae /sound
parent	be6ccb1263467bc1ff2f56de2d5db5288cc9c36d (diff)