diff options
| author | Takashi Iwai <tiwai@suse.de> | 2021-05-18 10:39:39 +0200 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2021-05-26 11:48:32 +0200 |
| commit | fe6ca009bf3343826d90833fbfc6fdccecae28a4 (patch) | |
| tree | d89397a5dd459ff68c0897812f2479f85530aaf3 | |
| parent | c9e99de7ca83776c883a6fcc8399f05505912691 (diff) | |
| download | linux-stable-fe6ca009bf3343826d90833fbfc6fdccecae28a4.tar.gz linux-stable-fe6ca009bf3343826d90833fbfc6fdccecae28a4.tar.bz2 linux-stable-fe6ca009bf3343826d90833fbfc6fdccecae28a4.zip | |
ALSA: line6: Fix racy initialization of LINE6 MIDI
commit 05ca447630334c323c9e2b788b61133ab75d60d3 upstream.
The initialization of MIDI devices that are found on some LINE6
drivers are currently done in a racy way; namely, the MIDI buffer
instance is allocated and initialized in each private_init callback
while the communication with the interface is already started via
line6_init_cap_control() call before that point. This may lead to
Oops in line6_data_received() when a spurious event is received, as
reported by syzkaller.
This patch moves the MIDI initialization to line6_init_cap_control()
as well instead of the too-lately-called private_init for avoiding the
race. Also this reduces slightly more lines, so it's a win-win
change.
Reported-by: syzbot+0d2b3feb0a2887862e06@syzkallerlkml..appspotmail.com
Link: https://lore.kernel.org/r/000000000000a4be9405c28520de@google.com
Link: https://lore.kernel.org/r/20210517132725.GA50495@hyeyoo
Cc: Hyeonggon Yoo <42.hyeyoo@gmail.com>
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20210518083939.1927-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| -rw-r--r-- | sound/usb/line6/driver.c | 4 | ||||
| -rw-r--r-- | sound/usb/line6/pod.c | 5 | ||||
| -rw-r--r-- | sound/usb/line6/variax.c | 6 |
3 files changed, 4 insertions, 11 deletions
diff --git a/sound/usb/line6/driver.c b/sound/usb/line6/driver.c index 18b436e7a2cc..2163fd6dce66 100644 --- a/sound/usb/line6/driver.c +++ b/sound/usb/line6/driver.c @@ -705,6 +705,10 @@ static int line6_init_cap_control(struct usb_line6 *line6) line6->buffer_message = kmalloc(LINE6_MIDI_MESSAGE_MAXLEN, GFP_KERNEL); if (!line6->buffer_message) return -ENOMEM; + + ret = line6_init_midi(line6); + if (ret < 0) + return ret; } else { ret = line6_hwdep_init(line6); if (ret < 0) diff --git a/sound/usb/line6/pod.c b/sound/usb/line6/pod.c index 020c81818951..dff8e7d5f305 100644 --- a/sound/usb/line6/pod.c +++ b/sound/usb/line6/pod.c @@ -420,11 +420,6 @@ static int pod_init(struct usb_line6 *line6, if (err < 0) return err; - /* initialize MIDI subsystem: */ - err = line6_init_midi(line6); - if (err < 0) - return err; - /* initialize PCM subsystem: */ err = line6_init_pcm(line6, &pod_pcm_properties); if (err < 0) diff --git a/sound/usb/line6/variax.c b/sound/usb/line6/variax.c index e8c852b2ce35..163a08a8244d 100644 --- a/sound/usb/line6/variax.c +++ b/sound/usb/line6/variax.c @@ -217,7 +217,6 @@ static int variax_init(struct usb_line6 *line6, const struct usb_device_id *id) { struct usb_line6_variax *variax = (struct usb_line6_variax *) line6; - int err; line6->process_message = line6_variax_process_message; line6->disconnect = line6_variax_disconnect; @@ -233,11 +232,6 @@ static int variax_init(struct usb_line6 *line6, if (variax->buffer_activate == NULL) return -ENOMEM; - /* initialize MIDI subsystem: */ - err = line6_init_midi(&variax->line6); - if (err < 0) - return err; - /* initiate startup procedure: */ variax_startup1(variax); return 0; |