From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Bo Chen, Takashi Iwai
Subject: [PATCH 3.18 41/85] ALSA: hda - Handle kzalloc() failure in snd_hda_attach_pcm_stream()
Date: Sun, 1 Jul 2018 18:01:59 +0200
Message-Id: <20180701153123.997484161@linuxfoundation.org>
In-Reply-To: <20180701153122.365061142@linuxfoundation.org>

3.18-stable review patch. If anyone has any objections, please let me know.

------------------
From: Bo Chen

commit a3aa60d511746bd6c0d0366d4eb90a7998bcde8b upstream.

When 'kzalloc()' fails in 'snd_hda_attach_pcm_stream()', a new pcm instance is created without setting its operators via 'snd_pcm_set_ops()'. Following operations on the new pcm instance can trigger kernel null pointer dereferences and cause kernel oops.

This bug was found with my work on building a gray-box fault-injection tool for linux-kernel-module binaries. A kernel null pointer dereference was confirmed from line 'substream->ops->open()' in function 'snd_pcm_open_substream()' in file 'sound/core/pcm_native.c'.

This patch fixes the bug by calling 'snd_device_free()' in the error handling path of 'kzalloc()', which removes the new pcm instance from the snd card before returning with an error code.

Signed-off-by: Bo Chen
Cc:
Signed-off-by: Takashi Iwai
Signed-off-by: Greg Kroah-Hartman

--- sound/pci/hda/hda_controller.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) --- a/sound/pci/hda/hda_controller.c +++ b/sound/pci/hda/hda_controller.c @@ -915,8 +915,10 @@ static int azx_attach_pcm_stream(struct return err; strlcpy(pcm->name, cpcm->name, sizeof(pcm->name)); apcm = kzalloc(sizeof(*apcm), GFP_KERNEL); - if (apcm == NULL) + if (apcm == NULL) { + snd_device_free(chip->card, pcm); return -ENOMEM; + } apcm->chip = chip; apcm->pcm = pcm; apcm->codec = codec;
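
Review bot: the new error branch under "if (apcm == NULL)" lands in azx_attach_pcm_stream() in sound/pci/hda/hda_controller.c, while the subject and changelog name snd_hda_attach_pcm_stream(); the 3.18 changelog should state that the fix was adapted to this function so stable reviewers can match the hunk to the upstream commit. The branch frees pcm with snd_device_free(chip->card, pcm) before returning -ENOMEM, which matches the fix the changelog describes. A one-line comment there would document why the free is required: pcm has no ops set yet at this point, so it must not stay registered on the card.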