From: Greg Kroah-Hartman Date: Sun, 17 Oct 2021 10:24:55 +0000 (+0200) Subject: 4.14-stable patches X-Git-Tag: v4.14.252~50 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=27c8db09cd88068725362f2725e178e895093906;p=thirdparty%2Fkernel%2Fstable-queue.git 4.14-stable patches added patches: alsa-seq-fix-a-potential-uaf-by-wrong-private_free-call-order.patch --- diff --git a/queue-4.14/alsa-seq-fix-a-potential-uaf-by-wrong-private_free-call-order.patch b/queue-4.14/alsa-seq-fix-a-potential-uaf-by-wrong-private_free-call-order.patch new file mode 100644 index 00000000000..baa354f12fb --- /dev/null +++ b/queue-4.14/alsa-seq-fix-a-potential-uaf-by-wrong-private_free-call-order.patch 
@@ -0,0 +1,59 @@ +From 1f8763c59c4ec6254d629fe77c0a52220bd907aa Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Thu, 30 Sep 2021 13:41:14 +0200 +Subject: ALSA: seq: Fix a potential UAF by wrong private_free call order + +From: Takashi Iwai + +commit 1f8763c59c4ec6254d629fe77c0a52220bd907aa upstream. + +John Keeping reported and posted a patch for a potential UAF in +rawmidi sequencer destruction: the snd_rawmidi_dev_seq_free() may be +called after the associated rawmidi object got already freed. +After a deeper look, it turned out that the bug is rather the +incorrect private_free call order for a snd_seq_device. The +snd_seq_device private_free gets called at the release callback of the +sequencer device object, while this was rather expected to be executed +at the snd_device call chains that runs at the beginning of the whole +card-free procedure. It's been broken since the rewrite of +sequencer-device binding (although it hasn't surfaced because the +sequencer device release happens usually right along with the card +device release). + +This patch corrects the private_free call to be done in the right +place, at snd_seq_device_dev_free(). 
+ +Fixes: 7c37ae5c625a ("ALSA: seq: Rewrite sequencer device binding with standard bus") +Reported-and-tested-by: John Keeping +Cc: +Link: https://lore.kernel.org/r/20210930114114.8645-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/core/seq_device.c | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +--- a/sound/core/seq_device.c ++++ b/sound/core/seq_device.c +@@ -162,6 +162,8 @@ static int snd_seq_device_dev_free(struc + struct snd_seq_device *dev = device->device_data; + + cancel_autoload_drivers(); ++ if (dev->private_free) ++ dev->private_free(dev); + put_device(&dev->dev); + return 0; + } +@@ -189,11 +191,7 @@ static int snd_seq_device_dev_disconnect + + static void snd_seq_dev_release(struct device *dev) + { +- struct snd_seq_device *sdev = to_seq_dev(dev); +- +- if (sdev->private_free) +- sdev->private_free(sdev); +- kfree(sdev); ++ kfree(to_seq_dev(dev)); + } + + /* diff --git a/queue-4.14/series b/queue-4.14/series index 90f7b387433..1494aab854e 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -1 +1,2 @@ stable-clamp-sublevel-in-4.14.patch +alsa-seq-fix-a-potential-uaf-by-wrong-private_free-call-order.patch
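Review bot: in the snd_seq_device_dev_free() hunk, dev->private_free(dev) now runs before put_device(&dev->dev), so the snd_seq_device can stay alive after its private data has been torn down whenever another reference on dev->dev is still held at that point. The visible lines neither clear the callback nor say why that is safe. Consider a short comment stating that private_free must run here, in the snd_device free chain and ahead of the release callback, and noting whether anything reachable through a remaining reference may still touch the private data.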
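Review bot: in the snd_seq_dev_release() hunk, the release callback is reduced to `kfree(to_seq_dev(dev));` with nothing in the code recording why private_free is no longer invoked there. A one-line comment pointing at snd_seq_device_dev_free() as the place where private_free is called would keep a later cleanup from moving the call back into the release path, which is the ordering the commit message identifies as the bug.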