Received: by 2002:a05:6a10:9848:0:0:0:0 with SMTP id x8csp3526942pxf; Mon, 15 Mar 2021 11:31:59 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyhznSY23Lm/XORyxsXrK/8fztmH6qXoxD7o4nHSCkJXAFtGyhwF4XGYdwjrIuS+bpREim3 X-Received: by 2002:a17:906:4146:: with SMTP id l6mr25796239ejk.295.1615833119521; Mon, 15 Mar 2021 11:31:59 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1615833119; cv=none; d=google.com; s=arc-20160816; b=liHazv7kDG5zYhcNDmDz1ovgGtNgLZXeip/PQswiGwSuKqRzoK8QWnKWqXWrlCjDsZ U64EUErJZKbKhhxxuobPb1X0FUT1phIdBNKPMS534L35NA2F0eItNPjUa3X87aHaGUBu 58DkgdB87JcCWo8p2E4WqGNjNKpFDPy8T8VFcNtZlCRTcJ3EELqF1yo/lwLVFUTXHDbz 4EC5SN/MlB4PNWRfGUAtOH/5vo3ngnkwURqBIxpJQlweZcKtmsrcGgPCx6i796Ubww26 TTyVHFhaOElAGAafwgaCPbK0rCDiJ+e69hPPJ+jnoC/5v9MV1PEO917Di6+CacfRpN9F BWqg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=hzoMT8HA7XPPAKa7DHMGNcyP6cEHZUFdUg3W5DC3XhM=; b=pYPaa0BGazS/8P7Ibi/UEZJKjjh/mUGmPU63SR88fAPR+TH097p7Qoy8GRL3jIob34 x6O2FN+bnA2LVY90Fizwck6VpZ7tXZn/YUliuqZJ6Gh+TczpFzP3wjRcKbCHOZSSWqE9 Iqv2qTlrAiTHYDPI00pmnazpDGdn2edysfIaUSmqrxJVw3GMIilY16HbAoILvmPNCju2 sJLFVRWeC8W3nDLVS0Iv/flPxPUQC+sd6a+8jw4uR2Kqf/vbinyNjncDt7wiqV6aRCPD Mlk8FaJU9Sb3+49TgA0RGdVZ9kga8a85lgIFDnZV5VJexWwXTfi1tSJizY7ifGt1uCp3 ItyA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=Y8LPKTvy; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id de11si11819716edb.15.2021.03.15.11.31.37; Mon, 15 Mar 2021 11:31:59 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=Y8LPKTvy; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S237244AbhCOOgu (ORCPT + 99 others); Mon, 15 Mar 2021 10:36:50 -0400 Received: from mail.kernel.org ([198.145.29.99]:36788 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233403AbhCOOBi (ORCPT ); Mon, 15 Mar 2021 10:01:38 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id 96A1264E83; Mon, 15 Mar 2021 14:01:10 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1615816871; bh=vCs1U2AmFboxs0iFffCrRcjuElUJSTmBrNiv0m68wJ4=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=Y8LPKTvyCdDw2Ipz//63mhwlVbAPJgcuaVRQykm7npwXZ6DUQ5mnWCPGfYq5CfMdT UPs62y08FWEuxF1LiY60rNcv+fBNB0ar5XpmUtBTFxBFwEbONYIedwjn/p8WZleBG/ a9qsY7MGWOm9Ssn593hOgEyQAxooMq8jHVjsFmGo= From: gregkh@linuxfoundation.org To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Pavel Skripkin , Takashi Iwai Subject: [PATCH 5.11 175/306] ALSA: usb-audio: fix use after free in usb_audio_disconnect Date: Mon, 15 Mar 2021 14:53:58 +0100 Message-Id: <20210315135513.530255442@linuxfoundation.org> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20210315135507.611436477@linuxfoundation.org> References: <20210315135507.611436477@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Greg Kroah-Hartman From: Pavel Skripkin commit c5aa956eaeb05fe87e33433d7fd9f5e4d23c7416 upstream. The problem was in wrong "if" placement. chip->quirk_type is freed in snd_card_free_when_closed(), but inside if statement it's accesed. Fixes: 9799110825db ("ALSA: usb-audio: Disable USB autosuspend properly in setup_disable_autosuspend()") Signed-off-by: Pavel Skripkin Cc: Link: https://lore.kernel.org/r/16da19126ff461e5e64a9aec648cce28fb8ed73e.1615242183.git.paskripkin@gmail.com Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman --- sound/usb/card.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) --- a/sound/usb/card.c +++ b/sound/usb/card.c @@ -908,6 +908,9 @@ static void usb_audio_disconnect(struct } } + if (chip->quirk_type & QUIRK_SETUP_DISABLE_AUTOSUSPEND) + usb_enable_autosuspend(interface_to_usbdev(intf)); + chip->num_interfaces--; if (chip->num_interfaces <= 0) { usb_chip[chip->index] = NULL; @@ -916,9 +919,6 @@ static void usb_audio_disconnect(struct } else { mutex_unlock(®ister_mutex); } - - if (chip->quirk_type & QUIRK_SETUP_DISABLE_AUTOSUSPEND) - usb_enable_autosuspend(interface_to_usbdev(intf)); } /* lock the shutdown (disconnect) task and autoresume */