From: Florin Malita <fmalita@gmail.com>
Date: Mon, 16 Oct 2006 12:43:43 +0000 (+0200)
Subject: [PATCH] ALSA: Dereference after free in snd_hwdep_release()
X-Git-Tag: v2.6.18.2~52
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e0cd3e38de139be4929fe8b18d85da585580420b;p=thirdparty%2Fkernel%2Fstable.git

[PATCH] ALSA: Dereference after free in snd_hwdep_release()

snd_card_file_remove() may free hw->card so we can't dereference
hw->card->module after that.

Coverity ID 1420.

This bug actually causes an Oops at usb-disconnection, especially
with CONFIG_PREEMPT.

From: Florin Malita <fmalita@gmail.com>
Signed-off-by: Florin Malita <fmalita@gmail.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
---

diff --git a/sound/core/hwdep.c b/sound/core/hwdep.c
index 8bd0dcc93eba9..a562f96f30102 100644
--- a/sound/core/hwdep.c
+++ b/sound/core/hwdep.c
@@ -158,6 +158,7 @@ static int snd_hwdep_release(struct inode *inode, struct file * file)
 {
 	int err = -ENXIO;
 	struct snd_hwdep *hw = file->private_data;
+	struct module *mod = hw->card->module;
 	mutex_lock(&hw->open_mutex);
 	if (hw->ops.release) {
 		err = hw->ops.release(hw, file);
@@ -167,7 +168,7 @@ static int snd_hwdep_release(struct inode *inode, struct file * file)
 		hw->used--;
 	snd_card_file_remove(hw->card, file);
 	mutex_unlock(&hw->open_mutex);
-	module_put(hw->card->module);
+	module_put(mod);
 	return err;
 }