--- /dev/null
+From 1f8763c59c4ec6254d629fe77c0a52220bd907aa Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Thu, 30 Sep 2021 13:41:14 +0200
+Subject: ALSA: seq: Fix a potential UAF by wrong private_free call order
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 1f8763c59c4ec6254d629fe77c0a52220bd907aa upstream.
+
+John Keeping reported and posted a patch for a potential UAF in
+rawmidi sequencer destruction: the snd_rawmidi_dev_seq_free() may be
+called after the associated rawmidi object got already freed.
+After a deeper look, it turned out that the bug is rather the
+incorrect private_free call order for a snd_seq_device. The
+snd_seq_device private_free gets called at the release callback of the
+sequencer device object, while this was rather expected to be executed
+at the snd_device call chains that runs at the beginning of the whole
+card-free procedure. It's been broken since the rewrite of
+sequencer-device binding (although it hasn't surfaced because the
+sequencer device release happens usually right along with the card
+device release).
+
+This patch corrects the private_free call to be done in the right
+place, at snd_seq_device_dev_free().
+
+Fixes: 7c37ae5c625a ("ALSA: seq: Rewrite sequencer device binding with standard bus")
+Reported-and-tested-by: John Keeping <john@metanate.com>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20210930114114.8645-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/core/seq/seq_device.c | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+--- a/sound/core/seq/seq_device.c
++++ b/sound/core/seq/seq_device.c
+@@ -162,6 +162,8 @@ static int snd_seq_device_dev_free(struc
+ struct snd_seq_device *dev = device->device_data;
+
+ cancel_autoload_drivers();
++ if (dev->private_free)
++ dev->private_free(dev);
+ put_device(&dev->dev);
+ return 0;
+ }
+@@ -189,11 +191,7 @@ static int snd_seq_device_dev_disconnect
+
+ static void snd_seq_dev_release(struct device *dev)
+ {
+- struct snd_seq_device *sdev = to_seq_dev(dev);
+-
+- if (sdev->private_free)
+- sdev->private_free(sdev);
+- kfree(sdev);
++ kfree(to_seq_dev(dev));
+ }
+
+ /*
--- /dev/null
+alsa-usb-audio-add-quirk-for-vf0770.patch
+alsa-pcm-workaround-for-a-wrong-offset-in-sync_ptr-compat-ioctl.patch
+alsa-seq-fix-a-potential-uaf-by-wrong-private_free-call-order.patch
+alsa-hda-realtek-enable-4-speaker-output-for-dell-precision-5560-laptop.patch
+alsa-hda-enable-headphone-mic-on-dell-latitude-laptops-with-alc3254.patch
+alsa-hda-realtek-complete-partial-device-name-to-avoid-ambiguity.patch
+alsa-hda-realtek-add-quirk-for-clevo-x170km-g.patch
+alsa-hda-realtek-alc236-headset-mic-recording-issue.patch
+alsa-hda-realtek-add-quirk-for-tongfang-phxtxx1.patch
+alsa-hda-realtek-fix-for-quirk-to-enable-speaker-output-on-the-lenovo-13s-gen2.patch
+alsa-hda-realtek-fix-the-mic-type-detection-issue-for-asus-g551jw.patch
--- /dev/null
+alsa-usb-audio-add-quirk-for-vf0770.patch
+alsa-pcm-workaround-for-a-wrong-offset-in-sync_ptr-compat-ioctl.patch
+alsa-usb-audio-fix-a-missing-error-check-in-scarlett-gen2-mixer.patch
+alsa-seq-fix-a-potential-uaf-by-wrong-private_free-call-order.patch
+alsa-hda-realtek-enable-4-speaker-output-for-dell-precision-5560-laptop.patch
+alsa-hda-enable-headphone-mic-on-dell-latitude-laptops-with-alc3254.patch
+alsa-hda-realtek-complete-partial-device-name-to-avoid-ambiguity.patch
+alsa-hda-realtek-add-quirk-for-clevo-x170km-g.patch
+alsa-hda-realtek-alc236-headset-mic-recording-issue.patch
+alsa-hda-realtek-add-quirk-for-tongfang-phxtxx1.patch
+alsa-hda-realtek-fix-for-quirk-to-enable-speaker-output-on-the-lenovo-13s-gen2.patch
+alsa-hda-realtek-fix-the-mic-type-detection-issue-for-asus-g551jw.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
