forked from luck/tmp_suning_uos_patched
a3aa60d511
When 'kzalloc()' fails in 'snd_hda_attach_pcm_stream()', a new pcm instance is created without setting its operators via 'snd_pcm_set_ops()'. Following operations on the new pcm instance can trigger kernel null pointer dereferences and cause kernel oops. This bug was found with my work on building a gray-box fault-injection tool for linux-kernel-module binaries. A kernel null pointer dereference was confirmed from line 'substream->ops->open()' in function 'snd_pcm_open_substream()' in file 'sound/core/pcm_native.c'. This patch fixes the bug by calling 'snd_device_free()' in the error handling path of 'kzalloc()', which removes the new pcm instance from the snd card before returns with an error code. Signed-off-by: Bo Chen <chenbo@pdx.edu> Cc: <stable@vger.kernel.org> Signed-off-by: Takashi Iwai <tiwai@suse.de> |
||
|---|---|---|
| .. | ||
| ac97 | ||
| ali5451 | ||
| asihpi | ||
| au88x0 | ||
| aw2 | ||
| ca0106 | ||
| cs46xx | ||
| cs5535audio | ||
| ctxfi | ||
| echoaudio | ||
| emu10k1 | ||
| hda | ||
| ice1712 | ||
| korg1212 | ||
| lola | ||
| lx6464es | ||
| mixart | ||
| nm256 | ||
| oxygen | ||
| pcxhr | ||
| riptide | ||
| rme9652 | ||
| trident | ||
| vx222 | ||
| ymfpci | ||
| ad1889.c | ||
| ad1889.h | ||
| ak4531_codec.c | ||
| als300.c | ||
| als4000.c | ||
| atiixp_modem.c | ||
| atiixp.c | ||
| azt3328.c | ||
| azt3328.h | ||
| bt87x.c | ||
| cmipci.c | ||
| cs4281.c | ||
| cs5530.c | ||
| ens1370.c | ||
| ens1371.c | ||
| es1938.c | ||
| es1968.c | ||
| fm801.c | ||
| intel8x0.c | ||
| intel8x0m.c | ||
| Kconfig | ||
| maestro3.c | ||
| Makefile | ||
| rme32.c | ||
| rme96.c | ||
| sis7019.c | ||
| sis7019.h | ||
| sonicvibes.c | ||
| via82xx_modem.c | ||
| via82xx.c | ||