On Fri, 15 Jul 2022 03:05:15 +0200,
Zheyu Ma wrote:
>
> When the driver fails in snd_card_register() at probe time, it will free
> the 'bcd2k->midi_out_urb' before killing it, which may cause a UAF bug.
>
> The following log can reveal it:
>
> [ 50.727020] BUG: KASAN: use-after-free in bcd2000_input_complete+0x1f1/0x2e0 [snd_bcd2000]
> [ 50.727623] Read of size 8 at addr ffff88810fab0e88 by task swapper/4/0
> [ 50.729530] Call Trace:
> [ 50.732899] bcd2000_input_complete+0x1f1/0x2e0 [snd_bcd2000]
>
> Fix this by adding usb_kill_urb() before usb_free_urb().
>
> Fixes: b47a22290d58 ("ALSA: MIDI driver for Behringer BCD2000 USB device")
> Signed-off-by: Zheyu Ma <zheyuma97@xxxxxxxxx>
Thanks, applied.
Takashi
