Use refmem allocation for the PCM object that holds two PCM devices (for playback and capture). This fixes the UAF bug caused by the delayed kobj release.
Signed-off-by: Takashi Iwai tiwai@suse.de --- sound/core/pcm.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/sound/core/pcm.c b/sound/core/pcm.c
index 461a10cc0db9..1e96437f3f0e 100644
--- a/sound/core/pcm.c
+++ b/sound/core/pcm.c
@@ -650,7 +650,7 @@ int snd_pcm_new_stream(struct snd_pcm *pcm, int stream, int substream_count)
 if (!substream_count)
 return 0;
- snd_device_initialize(&pstr->dev, pcm->card, NULL);
+ snd_device_initialize(&pstr->dev, pcm->card, pcm);
 pstr->dev.groups = pcm_dev_attr_groups;
 pstr->dev.type = &pcm_dev_type;
 dev_set_name(&pstr->dev, "pcmC%iD%i%c", pcm->card->number, pcm->device,
@@ -721,7 +721,7 @@ static int _snd_pcm_new(struct snd_card *card, const char *id, int device,
 return -ENXIO;
 if (rpcm)
 *rpcm = NULL;
- pcm = kzalloc(sizeof(*pcm), GFP_KERNEL);
+ pcm = snd_refmem_alloc(sizeof(*pcm), card);
 if (!pcm)
 return -ENOMEM;
 pcm->card = card;
@@ -872,7 +872,7 @@ static int snd_pcm_free(struct snd_pcm *pcm)
 snd_pcm_lib_preallocate_free_for_all(pcm);
 snd_pcm_free_stream(&pcm->streams[SNDRV_PCM_STREAM_PLAYBACK]);
 snd_pcm_free_stream(&pcm->streams[SNDRV_PCM_STREAM_CAPTURE]);
- kfree(pcm);
+ snd_refmem_put(pcm);
 return 0;
 }
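Review bot: The NULL-to-pcm change in snd_pcm_new_stream's snd_device_initialize() call is, as far as this patch shows, the only thing that links the per-stream device to the now refcounted PCM object, yet nothing at the call site says why a device-data pointer is suddenly being filled in. A one-line comment above the call, `/* device data is the refmem-allocated pcm; see _snd_pcm_new()/snd_pcm_free() */`, would tie it to the allocator switch in the other two hunks. snd_pcm_new_stream's body continues outside the hunk, so I cannot see whether the release path of pstr->dev (pcm_dev_type's release callback) actually consumes this pointer; that consumer presumably lives elsewhere in the series and is worth cross-checking.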
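Review bot: kzalloc() returned zeroed memory, and its replacement snd_refmem_alloc(sizeof(*pcm), card) in _snd_pcm_new has no visible zeroing, while the hunk shows only pcm->card being assigned afterwards; unless snd_refmem_alloc() zero-fills internally, every other field of *pcm that the rest of the function leaves untouched now starts with garbage. Please confirm the allocator zeroes, or add `memset(pcm, 0, sizeof(*pcm));` right after the `if (!pcm)` check. The GFP_KERNEL flag also disappears from the call, so if the allocator hard-codes its allocation context a short comment at the call would make that visible. _snd_pcm_new continues outside the hunk, so I cannot see whether later assignments cover the fields in question.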
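Review bot: snd_pcm_free now releases the object with snd_refmem_put(pcm), so any remaining direct `kfree(pcm)` elsewhere in the file — for instance an error path in _snd_pcm_new that frees without going through snd_pcm_free(), if one exists outside these hunks — would free refcounted memory with the wrong allocator; worth a grep before merging. If snd_refmem_put() only drops a reference and the memory can outlive this function until the last stream kobj is released (which the description suggests but this page does not show), that should be stated at the call site, e.g. `/* drops our reference; the stream devices may still hold theirs */`, since the two snd_pcm_free_stream() calls immediately above it read like a final teardown.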