linux

History

Julia Lawall fa2b30af84 ALSA: sound/pci/ctxfi/ctpcm.c: Remove potential for use after free In each function, the value apcm is stored in the private_data field of runtime. At the same time the function ct_atc_pcm_free_substream is stored in the private_free field of the same structure. ct_atc_pcm_free_substream dereferences and ultimately frees the value in the private_data field. But each function can exit in an error case with apcm having been freed, in which case a subsequent call to the private_free function would perform a dereference after free. On the other hand, if the private_free field is not initialized, it is NULL, and not invoked (see snd_pcm_detach_substream in sound/core/pcm.c). To avoid the introduction of a dangling pointer, the initializations of the private_data and private_free fields are moved to the end of the function, past any possible free of apcm. This is safe because the previous calls to snd_pcm_hw_constraint_integer and snd_pcm_hw_constraint_minmax, which take runtime as an argument, do not refer to either of these fields. In each function, there is one error case where apcm needs to be freed, and a call to kfree is added. The sematic match that finds this problem is as follows: (http://coccinelle.lip6.fr/) // <smpl> @@ expression e,e1,e2,e3; identifier f,free1,free2; expression a; @@ e->f = a ... when != e->f = e1 when any if (...) { ... when != free1(...,e,...) when != e->f = e2 kfree(a) ... when != free2(...,e,...) when != e->f = e3 } // </smpl> Signed-off-by: Julia Lawall <julia@diku.dk> Signed-off-by: Takashi Iwai <tiwai@suse.de>		2010-11-11 02:03:00 +01:00
..
ct20k1reg.h	ALSA: ctxfi - Use native timer interrupt on emu20k1	2009-06-05 16:44:13 +02:00
ct20k2reg.h	ALSA: ctxfi - Native timer support for emu20k2	2009-07-20 13:41:35 +02:00
ctamixer.c	ALSA: ctxfi - Simple code clean up	2009-07-22 17:12:34 +02:00
ctamixer.h	ALSA: SB X-Fi driver merge	2009-05-14 08:24:10 +02:00
ctatc.c	include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h	2010-03-30 22:02:32 +09:00
ctatc.h	ALSA: ctxfi - Add subsystem option	2010-01-14 09:23:10 +01:00
ctdaio.c	ALSA: ctxfi - Simple code clean up	2009-07-22 17:12:34 +02:00
ctdaio.h	ALSA: SB X-Fi driver merge	2009-05-14 08:24:10 +02:00
cthardware.c	ALSA: ctxfi - Clean up probe routines	2009-06-08 18:10:32 +02:00
cthardware.h	ALSA: ctxfi - Add PM support	2009-06-22 14:53:51 +02:00
cthw20k1.c	ALSA: ctxfi - Simple code clean up	2009-07-22 17:12:34 +02:00
cthw20k1.h	ALSA: SB X-Fi driver merge	2009-05-14 08:24:10 +02:00
cthw20k2.c	ALSA: ctxfi - Simple code clean up	2009-07-22 17:12:34 +02:00
cthw20k2.h	ALSA: SB X-Fi driver merge	2009-05-14 08:24:10 +02:00
ctimap.c	ALSA: ctxfi - Remove useless initializations and cast	2009-06-08 14:57:57 +02:00
ctimap.h	ALSA: SB X-Fi driver merge	2009-05-14 08:24:10 +02:00
ctmixer.c	ALSA: ctxfi - Simple code clean up	2009-07-22 17:12:34 +02:00
ctmixer.h	ALSA: ctxfi - Add PM support	2009-06-22 14:53:51 +02:00
ctpcm.c	ALSA: sound/pci/ctxfi/ctpcm.c: Remove potential for use after free	2010-11-11 02:03:00 +01:00
ctpcm.h	ALSA: SB X-Fi driver merge	2009-05-14 08:24:10 +02:00
ctresource.c	ALSA: ctxfi - Simple code clean up	2009-07-22 17:12:34 +02:00
ctresource.h	ALSA: SB X-Fi driver merge	2009-05-14 08:24:10 +02:00
ctsrc.c	ALSA: ctxfi - Simple code clean up	2009-07-22 17:12:34 +02:00
ctsrc.h	ALSA: SB X-Fi driver merge	2009-05-14 08:24:10 +02:00
cttimer.c	ALSA: ctxfi - Fix deadlock with xfi-timer	2009-06-15 14:52:55 +02:00
cttimer.h	ALSA: ctxfi - Use native timer interrupt on emu20k1	2009-06-05 16:44:13 +02:00
ctvmem.c	ALSA: ctxfi - fix PTP address initialization	2010-02-04 21:48:00 +01:00
ctvmem.h	ALSA: ctxfi - fix PTP address initialization	2010-02-04 21:48:00 +01:00
Makefile	ALSA: ctxfi - Use native timer interrupt on emu20k1	2009-06-05 16:44:13 +02:00
xfi.c	sound: use DEFINE_PCI_DEVICE_TABLE	2010-02-09 11:08:33 +01:00