linux/sound/core
Clemens Ladisch aa73aec6c3 ALSA: rawmidi: fix oops (use after free) when unloading a driver module
When a driver module is unloaded and the last still open file is a raw
MIDI device, the card and its devices will be actually freed in the
snd_card_file_remove() call when that file is closed.  Afterwards, rmidi
and rmidi->card point into freed memory, so the module pointer is likely
to be garbage.
(This was introduced by commit 9a1b64caac82aa02cb74587ffc798e6f42c6170a.)

Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
Reported-by: Krzysztof Foltman <wdev@foltman.com>
Cc: 2.6.30-2.6.35 <stable@kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2010-10-17 10:11:40 +02:00
..
oss ALSA: core - Define llseek fops 2010-04-13 12:01:21 +02:00
seq ALSA: seq/oss - Fix double-free at error path of snd_seq_oss_open() 2010-09-08 10:45:34 +02:00
control_compat.c include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
control.c ALSA: prevent heap corruption in snd_ctl_new() 2010-09-28 21:33:16 +02:00
device.c ALSA: Print function symbol in the error messages 2008-10-16 16:17:30 +02:00
hrtimer.c include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
hwdep_compat.c [PATCH] hwdep_compat missed __user annotations 2006-10-10 15:37:21 -07:00
hwdep.c ALSA: hwdep - Make open callback optional 2009-02-05 09:10:20 +01:00
info_oss.c ALSA: Kill snd_assert() in sound/core/* 2008-08-13 11:46:35 +02:00
info.c ALSA: info - Implement common llseek for binary mode 2010-04-13 12:01:20 +02:00
init.c ALSA: Remove struct snd_monitor_file from public sound/core.h 2009-09-07 15:50:18 +02:00
isadma.c ALSA: snd_dma_pointer workaround for chipsets with buggy DMA 2009-10-11 18:03:13 +02:00
jack.c Merge branch 'topic/jack' into for-linus 2010-05-20 11:59:37 +02:00
Kconfig ALSA: sound/core/pcm_timer.c: use lib/gcd.c 2009-12-22 08:24:35 +01:00
Makefile ALSA: Fix SG-buffer DMA with non-coherent architectures 2009-07-08 14:20:20 +02:00
memalloc.c ALSA: Fix SG-buffer DMA with non-coherent architectures 2009-07-08 14:20:20 +02:00
memory.c [ALSA] Remove sound/driver.h 2008-01-31 17:29:48 +01:00
misc.c include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
pcm_compat.c include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
pcm_lib.c ALSA: pcm core - add a safe check to the silence filling function 2010-07-19 16:47:01 +02:00
pcm_memory.c include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
pcm_misc.c ALSA: pcm: Define G723 3-bit and 5-bit formats 2010-05-31 09:10:03 +02:00
pcm_native.c ALSA: pcm - Fix unbalanced pm_qos_request 2010-09-16 23:04:38 +02:00
pcm_timer.c ALSA: sound/core/pcm_timer.c: use lib/gcd.c 2009-12-22 08:24:35 +01:00
pcm.c ALSA: pcm - Fix race with proc files 2010-09-16 23:06:50 +02:00
rawmidi_compat.c
rawmidi.c ALSA: rawmidi: fix oops (use after free) when unloading a driver module 2010-10-17 10:11:40 +02:00
rtctimer.c ALSA: hda - Convert from takslet_hi_schedule() to tasklet_schedule() 2008-12-18 12:17:55 +01:00
sgbuf.c ALSA: Fix vunmap and free order in snd_free_sgbuf_pages() 2009-03-18 08:04:01 +01:00
sound_oss.c ALSA: Remove warning message for invalid OSS minor ranges 2010-01-18 14:18:55 +01:00
sound.c ALSA: Remove BKL from open multiplexer 2010-04-09 10:28:36 +02:00
timer_compat.c ALSA: Kill snd_assert() in sound/core/* 2008-08-13 11:46:35 +02:00
timer.c Merge branch 'topic/core-cleanup' into for-linus 2010-05-20 11:58:57 +02:00
vmaster.c ALSA: Add new TLV types for dBwith min/max 2009-06-17 10:56:53 +02:00