From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Bo Chen, Takashi Iwai
Subject: [PATCH 4.4 017/105] ALSA: hda - Handle kzalloc() failure in snd_hda_attach_pcm_stream()
Date: Sun, 1 Jul 2018 18:01:27 +0200
Message-Id: <20180701153150.667405618@linuxfoundation.org>
In-Reply-To: <20180701153149.382300170@linuxfoundation.org>

4.4-stable review patch. If anyone has any objections, please let me know.

------------------
From: Bo Chen

commit a3aa60d511746bd6c0d0366d4eb90a7998bcde8b upstream.

When 'kzalloc()' fails in 'snd_hda_attach_pcm_stream()', a new pcm instance is created without setting its operators via 'snd_pcm_set_ops()'. Following operations on the new pcm instance can trigger kernel null pointer dereferences and cause kernel oops.

This bug was found with my work on building a gray-box fault-injection tool for linux-kernel-module binaries. A kernel null pointer dereference was confirmed from line 'substream->ops->open()' in function 'snd_pcm_open_substream()' in file 'sound/core/pcm_native.c'.

This patch fixes the bug by calling 'snd_device_free()' in the error handling path of 'kzalloc()', which removes the new pcm instance from the snd card before returning with an error code.

Signed-off-by: Bo Chen
Cc:
Signed-off-by: Takashi Iwai
Signed-off-by: Greg Kroah-Hartman
--- sound/pci/hda/hda_controller.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) --- a/sound/pci/hda/hda_controller.c +++ b/sound/pci/hda/hda_controller.c @@ -547,8 +547,10 @@ int snd_hda_attach_pcm_stream(struct hda return err; strlcpy(pcm->name, cpcm->name, sizeof(pcm->name)); apcm = kzalloc(sizeof(*apcm), GFP_KERNEL); - if (apcm == NULL) + if (apcm == NULL) { + snd_device_free(chip->card, pcm); return -ENOMEM; + } apcm->chip = chip; apcm->pcm = pcm; apcm->codec = codec;
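
Review bot: In the new `if (apcm == NULL) {` branch, nothing in the code says why the cleanup is `snd_device_free(chip->card, pcm)` rather than a plain return; the reason lives only in the commit message, which explains that the pcm is already on the card at this point and that returning -ENOMEM alone leaves it there with no ops set. A one-line comment above the `snd_device_free()` call stating that would keep the branch from being simplified back later. The hunk also covers only this one failure point: the function body after `apcm->codec = codec;` is not shown, so it is worth confirming that no later error return leaves the same half-initialised pcm attached, and, since this is the 4.4 backport, that the call builds unchanged against that tree.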