authorClemens Ladisch <clemens@ladisch.de>2010-10-15 12:06:18 +0200
committerGreg Kroah-Hartman <gregkh@suse.de>2010-10-28 21:43:53 -0700
commit28b4c9130be4377517c171f34cb9f0ba9f213f23 (patch)
tree9e9589ae2d657b56c7d01de1bbecded9d5f6e6a5 /sound
parent08f00ae28f93b85bd7dccdd3ace606939a970833 (diff)
ALSA: rawmidi: fix oops (use after free) when unloading a driver module
commit aa73aec6c385e2c797ac25cc7ccf0318031de7c8 upstream. When a driver module is unloaded and the last still open file is a raw MIDI device, the card and its devices will be actually freed in the snd_card_file_remove() call when that file is closed. Afterwards, rmidi and rmidi->card point into freed memory, so the module pointer is likely to be garbage. (This was introduced by commit 9a1b64caac82aa02cb74587ffc798e6f42c6170a.) Signed-off-by: Clemens Ladisch <clemens@ladisch.de> Reported-by: Krzysztof Foltman <wdev@foltman.com> Signed-off-by: Takashi Iwai <tiwai@suse.de> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Diffstat (limited to 'sound')
-rw-r--r--sound/core/rawmidi.c4
1 files changed, 3 insertions, 1 deletions
diff --git a/sound/core/rawmidi.c b/sound/core/rawmidi.c
index 70d6f25ba52..e4c12a1ee30 100644
--- a/sound/core/rawmidi.c
+++ b/sound/core/rawmidi.c
@@ -530,13 +530,15 @@ static int snd_rawmidi_release(struct inode *inode, struct file *file)
{
struct snd_rawmidi_file *rfile;
struct snd_rawmidi *rmidi;
+ struct module *module;
rfile = file->private_data;
rmidi = rfile->rmidi;
rawmidi_release_priv(rfile);
kfree(rfile);
+ module = rmidi->card->module;
snd_card_file_remove(rmidi->card, file);
- module_put(rmidi->card->module);
+ module_put(module);
return 0;
}
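Review bot: The new `module = rmidi->card->module;` line has to stay ahead of `snd_card_file_remove()` in snd_rawmidi_release(), yet nothing in the code says so. A later cleanup could fold the local back into `module_put(rmidi->card->module)` and reintroduce the use after free. Per the commit message, that call can free the card and its devices when this is the last open file, so neither `rmidi` nor `rmidi->card` may be dereferenced after it. I would add a comment above the assignment such as `/* snd_card_file_remove() may free the card and rmidi; fetch the module pointer first */`.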