blob: 23fb8982548de9c2719cc729ef09cb22fc1d548a (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
|
From 1ea63b629c9c53af6cdde4daf166b3d31b3e9cfe Mon Sep 17 00:00:00 2001
From: Andrey Konovalov <andreyknvl@gmail.com>
Date: Sat, 13 Feb 2016 11:08:06 +0300
Subject: ALSA: usb-audio: avoid freeing umidi object twice
[ Upstream commit 07d86ca93db7e5cdf4743564d98292042ec21af7 ]
The 'umidi' object will be free'd on the error path by snd_usbmidi_free()
when tearing down the rawmidi interface. So we shouldn't try to free it
in snd_usbmidi_create() after having registered the rawmidi interface.
Found by KASAN.
CVE: CVE-2016-2384
Upstream-Status: Backport
Signed-off-by: Andrey Konovalov <andreyknvl@gmail.com>
Acked-by: Clemens Ladisch <clemens@ladisch.de>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
---
sound/usb/midi.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/sound/usb/midi.c b/sound/usb/midi.c
index bec63e0..f059326 100644
--- a/sound/usb/midi.c
+++ b/sound/usb/midi.c
@@ -2451,7 +2451,6 @@ int snd_usbmidi_create(struct snd_card *card,
else
err = snd_usbmidi_create_endpoints(umidi, endpoints);
if (err < 0) {
- snd_usbmidi_free(umidi);
return err;
}
--
cgit v0.12
|
