On Mon, 26 Apr 2021 15:11:29 +0200, Lv Yunlong wrote:
>
> Our code analyzer reported a UAF.
>
> In snd_emu8000_create_mixer, the callee snd_ctl_add(..,emu->controls[i])
> calls snd_ctl_add_replace(.., kcontrol,..). Inside snd_ctl_add_replace(),
> if an error happens, kcontrol will be freed by snd_ctl_free_one(kcontrol).
> Then emu->controls[i] points to freed memory, and the execution comes
> to the __error branch of snd_emu8000_create_mixer. The freed emu->controls[i]
> is used in snd_ctl_remove(card, emu->controls[i]).
>
> My patch sets emu->controls[i] to NULL if snd_ctl_add() failed to avoid
> the UAF.
>
> Signed-off-by: Lv Yunlong <lyl2019@xxxxxxxxxxxxxxxx>

Thanks, applied now. The bug was hard to see due to the coding style, so we'd need a cleanup, but it's a different story...

Takashi
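The ownership hand-off behind this bug, as an added, self-contained model that is not the kernel's code and not part of the thread: a callee that frees its argument on failure leaves the caller holding a dangling pointer, and a generic "remove everything non-NULL" error path then uses it. The names ctl_add, ctl_remove, create_mixer_buggy, create_mixer_fixed, struct kctl and the fail_at fault-injection field are assumptions for illustration; the objects come from a constructed fixed pool with a live flag so that touching a "freed" object can be detected deterministically (a stand-in for what KASAN would flag on a real kfree'd object) instead of being undefined behaviour.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define NCTLS 4
#define POOL  16

/* Hypothetical stand-in for a kcontrol (assumed name, not the kernel's struct). */
struct kctl {
    int live;  /* 1 while allocated, 0 once "freed" (poisoned) */
    int id;
};

/* Constructed fixed pool: a freed object stays addressable so its poison can be read. */
static struct kctl pool[POOL];
static int pool_next;

static struct kctl *kctl_alloc(int id)
{
    if (pool_next >= POOL)
        return NULL;
    struct kctl *k = &pool[pool_next++];
    k->live = 1;
    k->id = id;
    return k;
}

static void kctl_free_one(struct kctl *k) { k->live = 0; }

struct card {
    struct kctl *registered[NCTLS];
    int nregistered;
    int fail_at;   /* fault injection: the add at this index fails (-1 = never) */
    int uaf_hits;  /* how many poisoned objects reached ctl_remove */
};

/* Models snd_ctl_add(): takes ownership of k and frees it itself on failure. */
static int ctl_add(struct card *c, struct kctl *k)
{
    if (!k)
        return -EINVAL;
    if (c->nregistered == c->fail_at) {
        kctl_free_one(k);   /* the caller's pointer is now dangling */
        return -EBUSY;
    }
    c->registered[c->nregistered++] = k;
    return 0;
}

/* Models snd_ctl_remove(): NULL is a no-op; a poisoned object is a use-after-free. */
static int ctl_remove(struct card *c, struct kctl *k)
{
    if (!k)
        return 0;
    if (!k->live) {
        c->uaf_hits++;
        return -EFAULT;
    }
    for (int i = 0; i < c->nregistered; i++) {
        if (c->registered[i] == k) {
            c->registered[i] = c->registered[--c->nregistered];
            kctl_free_one(k);
            return 0;
        }
    }
    return -ENOENT;
}

struct emu { struct kctl *controls[NCTLS]; };

/* The pattern before the fix: the slot still holds the pointer the callee freed. */
static int create_mixer_buggy(struct card *c, struct emu *e)
{
    int i, err;
    for (i = 0; i < NCTLS; i++) {
        e->controls[i] = kctl_alloc(i);
        if (!e->controls[i]) { err = -ENOMEM; goto __error; }
        err = ctl_add(c, e->controls[i]);
        if (err < 0)
            goto __error;
    }
    return 0;
__error:
    for (i = 0; i < NCTLS; i++)
        if (e->controls[i])
            ctl_remove(c, e->controls[i]);  /* dangling slot is passed here */
    return err;
}

/* The pattern after the fix: clear the slot once the callee has consumed it. */
static int create_mixer_fixed(struct card *c, struct emu *e)
{
    int i, err;
    for (i = 0; i < NCTLS; i++) {
        e->controls[i] = kctl_alloc(i);
        if (!e->controls[i]) { err = -ENOMEM; goto __error; }
        err = ctl_add(c, e->controls[i]);
        if (err < 0) {
            e->controls[i] = NULL;  /* ownership is gone; don't keep the pointer */
            goto __error;
        }
    }
    return 0;
__error:
    for (i = 0; i < NCTLS; i++)
        if (e->controls[i])
            ctl_remove(c, e->controls[i]);
    return err;
}

/* Runs one variant with the add at index fail_at failing; returns UAF hits. */
int run_create(int fail_at, int fixed)
{
    struct card c;
    struct emu e;
    memset(&c, 0, sizeof c);
    memset(&e, 0, sizeof e);
    pool_next = 0;
    c.fail_at = fail_at;
    if (fixed)
        create_mixer_fixed(&c, &e);
    else
        create_mixer_buggy(&c, &e);
    return c.uaf_hits;
}

int main(void)
{
    printf("buggy, add #2 fails: %d use-after-free\n", run_create(2, 0));
    printf("fixed, add #2 fails: %d use-after-free\n", run_create(2, 1));
    return 0;
}
```

With the failure injected at the third add, the buggy variant hands the poisoned control to ctl_remove once; the fixed variant never does, and both variants are clean when no add fails.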