From patchwork Tue May 9 09:07:11 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Dan Carpenter X-Patchwork-Id: 13236546 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from alsa0.perex.cz (alsa0.perex.cz [77.48.224.243]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id C247FC7EE22 for ; Wed, 10 May 2023 06:35:06 +0000 (UTC) Received: from alsa1.perex.cz (alsa1.perex.cz [207.180.221.201]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by alsa0.perex.cz (Postfix) with ESMTPS id 6B4BC1046; Wed, 10 May 2023 08:34:14 +0200 (CEST) DKIM-Filter: OpenDKIM Filter v2.11.0 alsa0.perex.cz 6B4BC1046 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=alsa-project.org; s=default; t=1683700504; bh=N6+9eSRuDcM+2LktAXFA6WrQd6lk1RtZMVvU2vNTpB0=; h=Date:From:To:Subject:CC:List-Id:List-Archive:List-Help:List-Owner: List-Post:List-Subscribe:List-Unsubscribe:From; b=K9zb4IJxMrcl/zCcxa95xpGNauTQLqPmo7c97bffwNHXQMHRp8UEwR9MXrOEGA1Zh N5VcCAtM2R+6iQC0MC/7fb2sEPdY5t94ctqJCsd6upF39xA4CpBhfcJXe13aOm7/6j /DZm7uuqkJxj+V837YKXkM7aQT4gTMbLh11SPusY= Received: from mailman-core.alsa-project.org (mailman-core.alsa-project.org [10.254.200.10]) by alsa1.perex.cz (Postfix) with ESMTP id C9E37F8057F; Wed, 10 May 2023 08:32:29 +0200 (CEST) Received: by alsa1.perex.cz (Postfix, from userid 50401) id 544AFF8032D; Tue, 9 May 2023 11:07:24 +0200 (CEST) Received: from mail-wm1-x330.google.com (mail-wm1-x330.google.com [IPv6:2a00:1450:4864:20::330]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by alsa1.perex.cz (Postfix) with ESMTPS id F2F1EF8014C for ; Tue, 9 May 2023 11:07:18 +0200 (CEST) DKIM-Filter: OpenDKIM Filter v2.11.0 alsa1.perex.cz F2F1EF8014C Authentication-Results: alsa1.perex.cz; dkim=pass (2048-bit key, unprotected) header.d=linaro.org header.i=@linaro.org header.a=rsa-sha256 header.s=google header.b=LB5O02tN Received: by mail-wm1-x330.google.com with SMTP id 5b1f17b1804b1-3f1950f5628so55622505e9.3 for ; Tue, 09 May 2023 02:07:18 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; t=1683623237; x=1686215237; h=content-disposition:mime-version:message-id:subject:cc:to:from:date :from:to:cc:subject:date:message-id:reply-to; bh=VlZTPdckZBfMkSfDWWxdgwam/c6cJ1kKCtZOHi20Sao=; b=LB5O02tNG4cpJDDD+nlRElHlkqW+EMQGIds7DI/MTS0bU1Dkx8aV4GMXjkuyuydSsx 9oELVaBsmpYmj3A/h8W0JHgDaaj9tXA0yF/NU69dRpY623lsw/n1EUgMDOtRCMqTubdz I8Rm9K/1448M+PIqkzbqF1KKIUImxWR1siubAyxdJkQG/nASj/UwEiTkHsM9d/xlIwwx aYSuxL+837ZEcxhTWlBYig6CLB8M4COQFh4KEsYKRR0y2wFKAkKsq33WJRKX2Amjb4w/ 9hYymrm+sz/fYdsWvBo/kLISjbJLsKGieEjV/82yE1W5a7eKKalc4AigKHOP39BO9XW1 xreA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1683623237; x=1686215237; h=content-disposition:mime-version:message-id:subject:cc:to:from:date :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=VlZTPdckZBfMkSfDWWxdgwam/c6cJ1kKCtZOHi20Sao=; b=kREa4IVZlcVJwYhtno/7HQwB62NA6rTJEeFHhZQT70abOfVbUj3NNenhV841efP7DB KvhBDHS7Na5R1dI/2yq3YKPwbfp6cH2D24iA6XyAwutDfESt8RzLlf2xGZZPh30kTFSP aqBV85RX0GAVg8CPwELm72yIq83KfHQ4zoogKzQvGq+pEI6YIV6BdWhtszqFK0b0eaB/ /FnbVGPXI8iP2D4ptcHc8Q/tTJjhF4vsdmEseaq4bn7ZTnI4ixoxLqpCtrmJwbjZ5TxM XHrpSuKpid6GtsiLXFKa7FMIZOLnpimAERBrE1dwss2Ro0AiOWKokYXCxcidzHMJfLix rQxw== X-Gm-Message-State: AC+VfDwHbJOiw4J1/EjHMVpy5vPoTkQDrAzb4UmnyqeLgJ1OmzC5Pkor JdoKfl3FgagHFb5ZhgLsmUTR2Q== X-Google-Smtp-Source: ACHHUZ7iJXBAdt8ysM3IiR8hzOEKnnYDA8+73kBAPfQIC0Q88i49UGx4gyd+FA0kAyPxAnLxdCb6/Q== X-Received: by 2002:a1c:f202:0:b0:3f2:5be3:cd6a with SMTP id s2-20020a1cf202000000b003f25be3cd6amr9406111wmc.4.1683623237391; Tue, 09 May 2023 02:07:17 -0700 (PDT) Received: from localhost ([102.36.222.112]) by smtp.gmail.com with ESMTPSA id y21-20020a05600c365500b003f42cc3262asm762152wmq.34.2023.05.09.02.07.14 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 09 May 2023 02:07:16 -0700 (PDT) Date: Tue, 9 May 2023 12:07:11 +0300 From: Dan Carpenter To: Takashi Sakamoto Subject: [PATCH] ALSA: firewire-digi00x: prevent potential use after free Message-ID: MIME-Version: 1.0 Content-Disposition: inline X-Mailer: git-send-email haha only kidding X-MailFrom: dan.carpenter@linaro.org X-Mailman-Rule-Hits: nonmember-moderation X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-alsa-devel.alsa-project.org-0; header-match-alsa-devel.alsa-project.org-1 Message-ID-Hash: 2WZM7TZS4JPO4H3UMU7ZJ6ZWDPRQRMNX X-Message-ID-Hash: 2WZM7TZS4JPO4H3UMU7ZJ6ZWDPRQRMNX X-Mailman-Approved-At: Wed, 10 May 2023 06:32:17 +0000 CC: Clemens Ladisch , Takashi Iwai , alsa-devel@alsa-project.org, kernel-janitors@vger.kernel.org X-Mailman-Version: 3.3.8 Precedence: list List-Id: "Alsa-devel mailing list for ALSA developers - http://www.alsa-project.org" Archived-At: List-Archive: List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: This code was supposed to return an error code if init_stream() failed, but it instead freed dg00x->rx_stream and returned success. This potentially leads to a use after free. Fixes: 9a08067ec318 ("ALSA: firewire-digi00x: support AMDTP domain") Signed-off-by: Dan Carpenter Acked-by: Takashi Sakamoto --- sound/firewire/digi00x/digi00x-stream.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/sound/firewire/digi00x/digi00x-stream.c b/sound/firewire/digi00x/digi00x-stream.c index a15f55b0dce3..295163bb8abb 100644 --- a/sound/firewire/digi00x/digi00x-stream.c +++ b/sound/firewire/digi00x/digi00x-stream.c @@ -259,8 +259,10 @@ int snd_dg00x_stream_init_duplex(struct snd_dg00x *dg00x) return err; err = init_stream(dg00x, &dg00x->tx_stream); - if (err < 0) + if (err < 0) { destroy_stream(dg00x, &dg00x->rx_stream); + return err; + } err = amdtp_domain_init(&dg00x->domain); if (err < 0) {