Patch "ALSA: seq: Fix a potential UAF by wrong private_free call order" has been added to the 5.4-stable tree


 



This is a note to let you know that I've just added the patch titled

    ALSA: seq: Fix a potential UAF by wrong private_free call order

to the 5.4-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     alsa-seq-fix-a-potential-uaf-by-wrong-private_free-call-order.patch
and it can be found in the queue-5.4 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.


From 1f8763c59c4ec6254d629fe77c0a52220bd907aa Mon Sep 17 00:00:00 2001
From: Takashi Iwai <tiwai@xxxxxxx>
Date: Thu, 30 Sep 2021 13:41:14 +0200
Subject: ALSA: seq: Fix a potential UAF by wrong private_free call order

From: Takashi Iwai <tiwai@xxxxxxx>

commit 1f8763c59c4ec6254d629fe77c0a52220bd907aa upstream.

John Keeping reported and posted a patch for a potential UAF in
rawmidi sequencer destruction: the snd_rawmidi_dev_seq_free() may be
called after the associated rawmidi object got already freed.
After a deeper look, it turned out that the bug is rather the
incorrect private_free call order for a snd_seq_device.  The
snd_seq_device private_free gets called at the release callback of the
sequencer device object, while this was rather expected to be executed
at the snd_device call chain that runs at the beginning of the whole
card-free procedure.  It's been broken since the rewrite of
sequencer-device binding (although it hasn't surfaced because the
sequencer device release happens usually right along with the card
device release).

This patch corrects the private_free call to be done in the right
place, at snd_seq_device_dev_free().

Fixes: 7c37ae5c625a ("ALSA: seq: Rewrite sequencer device binding with standard bus")
Reported-and-tested-by: John Keeping <john@xxxxxxxxxxxx>
Cc: <stable@xxxxxxxxxxxxxxx>
Link: https://lore.kernel.org/r/20210930114114.8645-1-tiwai@xxxxxxx
Signed-off-by: Takashi Iwai <tiwai@xxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
 sound/core/seq_device.c |    8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

--- a/sound/core/seq_device.c
+++ b/sound/core/seq_device.c
@@ -147,6 +147,8 @@ static int snd_seq_device_dev_free(struc
 	struct snd_seq_device *dev = device->device_data;
 
 	cancel_autoload_drivers();
+	if (dev->private_free)
+		dev->private_free(dev);
 	put_device(&dev->dev);
 	return 0;
 }
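Review bot: the new private_free call in snd_seq_device_dev_free() has no comment saying why it must run here rather than in the release callback, which makes it easy for a later cleanup to move it back. A one-line comment above `if (dev->private_free)` stating that the callback has to run in the snd_device free chain, before put_device(), would document the ordering. Because the structure can outlive this function until the last reference is dropped, it may also be worth clearing dev->private_free after invoking it so the callback cannot run a second time.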
@@ -174,11 +176,7 @@ static int snd_seq_device_dev_disconnect
 
 static void snd_seq_dev_release(struct device *dev)
 {
-	struct snd_seq_device *sdev = to_seq_dev(dev);
-
-	if (sdev->private_free)
-		sdev->private_free(sdev);
-	kfree(sdev);
+	kfree(to_seq_dev(dev));
 }
 
 /*
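Review bot: snd_seq_dev_release() now only does kfree(to_seq_dev(dev)), so private_free runs solely when snd_seq_device_dev_free() is reached. Please confirm that no path drops the final reference with put_device() alone after private_free has been set, since such a path would now skip the callback and leak whatever it was meant to clean up. A sentence in the changelog covering this would be enough.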


Patches currently in stable-queue which might be from tiwai@xxxxxxx are

queue-5.4/alsa-hda-realtek-fix-the-mic-type-detection-issue-for-asus-g551jw.patch
queue-5.4/alsa-hda-realtek-add-quirk-for-clevo-x170km-g.patch
queue-5.4/alsa-hda-realtek-alc236-headset-mic-recording-issue.patch
queue-5.4/alsa-usb-audio-add-quirk-for-vf0770.patch
queue-5.4/alsa-seq-fix-a-potential-uaf-by-wrong-private_free-call-order.patch
queue-5.4/alsa-hda-realtek-complete-partial-device-name-to-avoid-ambiguity.patch
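
The ordering problem described in the commit message, as an added user-space model that is not part of the original mail or of the kernel source. The `owner`, `seqdev`, `put` and `teardown` names are constructed for illustration, and the "freed" owner is modelled with a flag so the late access can be observed safely.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed user-space model; these are not the kernel's structures. */
struct owner { bool alive; };      /* stands in for the rawmidi object */

struct seqdev {
    int refcount;                  /* stands in for the struct device refcount */
    struct owner *owner;           /* what the private_free callback touches */
    bool touched_dead_owner;       /* set if the callback ran too late */
};

/* Callback that is only safe while the owner still exists. */
static void private_free(struct seqdev *d)
{
    if (!d->owner->alive)
        d->touched_dead_owner = true;   /* in the kernel: use-after-free */
}

/* Drop a reference; the last drop is the release step. */
static void put(struct seqdev *d, bool free_in_release)
{
    if (--d->refcount == 0 && free_in_release)
        private_free(d);                /* pre-patch order */
}

/* Returns true if private_free ran after the owner was gone. */
static bool teardown(bool free_in_release)
{
    struct owner o = { .alive = true };
    struct seqdev d = { .refcount = 2, .owner = &o }; /* one extra holder */

    if (!free_in_release)
        private_free(&d);               /* patched order: in dev_free step */
    put(&d, free_in_release);           /* dev_free step drops its reference */

    o.alive = false;                    /* card free continues: owner freed */
    put(&d, free_in_release);           /* extra holder lets go afterwards */
    return d.touched_dead_owner;
}

int main(void)
{
    printf("callback at release:  late=%d\n", teardown(true));
    printf("callback at dev_free: late=%d\n", teardown(false));
    return 0;
}
```

With `refcount` set to 1 instead of 2 the pre-patch order also reports no late access, which matches the commit message's remark that the bug stays hidden when the release happens right along with the card release.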


