Received: by 2002:a05:6a10:f3d0:0:0:0:0 with SMTP id a16csp1147493pxv; Fri, 9 Jul 2021 19:31:35 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxCmqrakUkfjkd+zTMFuI4SaUmcgWu2bLJqjIj6CZZJ7amksHfpelZX0piu3VlIhFFvRz1I X-Received: by 2002:a17:907:d28:: with SMTP id gn40mr36103391ejc.175.1625884294947; Fri, 09 Jul 2021 19:31:34 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1625884294; cv=none; d=google.com; s=arc-20160816; b=VHBOnLpB1E9Zw2zbHV5rguoHCMTi9MJlHhwRQg3/m6u9mVlLJJJd8YDI+9e7rT/XZ3 gi6HcePf6aWh1rgnUR4smHYjm1l7ZDtJprUvmxqQWxwP6s0HKPC7Y0rJz6w09PvUWeV5 NF9uXT76eCKQ0SZRYgGxTSU0JWfUY4unJjM6JifjdNYftmeNWv1wRY9qUxZJOLwwk/LL XkTDuqaqC+oRD6OolPojCc2wKg6VhLO7xxuBXELdIVI9JQ4Ham6SFGLV0fRDAzMR8Zzx RaxSeOKJXR+XkF/e8ormIWt8wU3Xm+ZLxOdBFXA6gRn/GLZ6nW7zJ/eaFimJt3HHWRne w3ng== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from :dkim-signature; bh=JEKLUm8zufWVyW9PSAfney1EjcIks4960BKG2iknfmc=; b=IYbKo805rIrLKj2YBU2AwI7fjxJTrO13EhfEaiLYvfwQp5Ip/Oktj/x7vrYkrTujr4 Qr6PRdLqIS0Qxk5H9Fhg6ik0mJRqA2Bnps8eOAE3+/xnKNffiOJNaUr6doBQF0S9erfn svk0GfsSiOzcaXh6j/03km9yjTRb2lhtcdtaC6qnHBm1lJZy61pjnQp/9GrCGJNOM2v4 weTCUMd63wU8fRdl83nQeZa/WPzneRnJktbzyelSK11qSzGQ8vUXwrzV2sQ8UvnkXgwq Y5DPuUjsN/9IAugDyHPKvrWYvrUYnklJsDMi74T3sTLM0UQRc4qa8I2j8xav77QUso1W u/4Q== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=RnMQMxED; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id o3si9956421edc.246.2021.07.09.19.31.11; Fri, 09 Jul 2021 19:31:34 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=RnMQMxED; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234544AbhGJCdG (ORCPT + 99 others); Fri, 9 Jul 2021 22:33:06 -0400 Received: from mail.kernel.org ([198.145.29.99]:42616 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S234208AbhGJC3Q (ORCPT ); Fri, 9 Jul 2021 22:29:16 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id 381D0613D1; Sat, 10 Jul 2021 02:25:39 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1625883939; bh=6dhkOTtgfdcdhxD2ZprguMLZIVnF8Y6WHZsOVdLQsy4=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=RnMQMxED+3lOOhfcGAtiDotokPlxQXRa7A4U8muIDOVs5SJAimSUgI0HDyAW7YekW AMae7GIHmgwfQkcksZ0YwlNtMQZ1yz69sE0yX1ZCujMJwzp0EMAJhZnJSdTcmY99YC tI5zvymXAAub9958tds9znyzMaq+Y3ElGtEzVLOjBwIMyxrVdCvPc/d1f36RwN0Azn 6/9EpgXnUXvnjQXSFh5sgUOF+3QlpDOH46YUgPdZnIXHdhYaw/Y5qDNIKobBVj+F61 B3CFI36uyw0DNdkN5HW57keLtceuu+/nb5Bd6H+DIMbPX8k2o7Uo4+To3Uk5jMLubt mk/gYNrY4vxfw== From: Sasha Levin To: linux-kernel@vger.kernel.org, stable@vger.kernel.org Cc: Takashi Iwai , Sasha Levin , alsa-devel@alsa-project.org Subject: [PATCH AUTOSEL 5.10 54/93] ALSA: sb: Fix potential double-free of CSP mixer elements Date: Fri, 9 Jul 2021 22:23:48 -0400 Message-Id: <20210710022428.3169839-54-sashal@kernel.org> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20210710022428.3169839-1-sashal@kernel.org> References: <20210710022428.3169839-1-sashal@kernel.org> MIME-Version: 1.0 X-stable: review X-Patchwork-Hint: Ignore Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Takashi Iwai [ Upstream commit c305366a37441c2ac90b08711cb6f032b43672f2 ] snd_sb_qsound_destroy() contains the calls of removing the previously created mixer controls, but it doesn't clear the pointers. As snd_sb_qsound_destroy() itself may be repeatedly called via ioctl, this could lead to double-free potentially. Fix it by clearing the struct fields properly afterwards. Link: https://lore.kernel.org/r/20210608140540.17885-4-tiwai@suse.de Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin --- sound/isa/sb/sb16_csp.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/sound/isa/sb/sb16_csp.c b/sound/isa/sb/sb16_csp.c index 1528e04a4d28..dbcd9ab2c2b7 100644 --- a/sound/isa/sb/sb16_csp.c +++ b/sound/isa/sb/sb16_csp.c @@ -1072,10 +1072,14 @@ static void snd_sb_qsound_destroy(struct snd_sb_csp * p) card = p->chip->card; down_write(&card->controls_rwsem); - if (p->qsound_switch) + if (p->qsound_switch) { snd_ctl_remove(card, p->qsound_switch); - if (p->qsound_space) + p->qsound_switch = NULL; + } + if (p->qsound_space) { snd_ctl_remove(card, p->qsound_space); + p->qsound_space = NULL; + } up_write(&card->controls_rwsem); /* cancel pending transfer of QSound parameters */ -- 2.30.2