From: Ben Hutchings
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
CC: akpm@linux-foundation.org, "Bo Chen", "Takashi Iwai"
Date: Sun, 11 Nov 2018 19:49:05 +0000
X-Mailer: LinuxStableQueue (scripts by bwh)
Subject: [PATCH 3.16 104/366] ALSA: hda - Handle kzalloc() failure in snd_hda_attach_pcm_stream()
X-Mailing-List: linux-kernel@vger.kernel.org

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Bo Chen

commit a3aa60d511746bd6c0d0366d4eb90a7998bcde8b upstream.

When 'kzalloc()' fails in 'snd_hda_attach_pcm_stream()', a new pcm instance
is created without setting its operators via 'snd_pcm_set_ops()'. Following
operations on the new pcm instance can trigger kernel null pointer
dereferences and cause a kernel oops.

This bug was found with my work on building a gray-box fault-injection tool
for linux-kernel-module binaries. A kernel null pointer dereference was
confirmed from line 'substream->ops->open()' in function
'snd_pcm_open_substream()' in file 'sound/core/pcm_native.c'.

This patch fixes the bug by calling 'snd_device_free()' in the error
handling path of 'kzalloc()', which removes the new pcm instance from the
snd card before returning with an error code.

Signed-off-by: Bo Chen
Signed-off-by: Takashi Iwai
Signed-off-by: Ben Hutchings
---
 sound/pci/hda/hda_controller.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/sound/pci/hda/hda_controller.c
+++ b/sound/pci/hda/hda_controller.c
@@ -998,8 +998,10 @@ static int azx_attach_pcm_stream(struct return err; strlcpy(pcm->name, cpcm->name, sizeof(pcm->name)); apcm = kzalloc(sizeof(*apcm), GFP_KERNEL); - if (apcm == NULL) + if (apcm == NULL) { + snd_device_free(chip->card, pcm); return -ENOMEM; + } apcm->chip = chip; apcm->pcm = pcm; apcm->codec = codec;
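Review bot: the new `snd_device_free(chip->card, pcm);` in the `apcm == NULL` branch is only correct because the pcm was already registered with `chip->card` before this point (the `return err;` just above is the pre-registration failure path, which rightly needs no cleanup), so the function now has two exits with different cleanup obligations; worth confirming that the kzalloc failure is the only post-registration exit between pcm creation and the point where `snd_pcm_set_ops()` is reached, since any other early return in that window would leave the same half-initialised pcm attached to the card and the oops in `snd_pcm_open_substream()` would still be reachable. If there are further allocation or setup steps after `apcm->codec = codec;` that can fail, a single `goto`-based unwind that calls `snd_device_free()` once would be safer than repeating the call per branch. The brace addition around the single-statement `if` is consistent with kernel style now that the body spans two statements, and the diffstat (3 insertions, 1 deletion) matches the hunk.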