summaryrefslogtreecommitdiff
path: root/sound/usb
diff options
context:
space:
mode:
authorTakashi Iwai <tiwai@suse.de>2023-08-16 18:02:45 +0200
committerTakashi Iwai <tiwai@suse.de>2023-08-17 09:23:30 +0200
commit6a66b01de48855d92450904ccfafda9d692efbb9 (patch)
treefb71a8695685b90362ee203b8b281e53e31fae29 /sound/usb
parent7f018db19bf7cb5ba3e39ed9e51c8c5f2488dfb0 (diff)
downloadlwn-6a66b01de48855d92450904ccfafda9d692efbb9.tar.gz
lwn-6a66b01de48855d92450904ccfafda9d692efbb9.zip
ALSA: control: Don't embed ctl_dev
Embedding the ctl_dev in the snd_card object may result in UAF when the delayed kobj release is used; at the delayed kobj release, it still accesses the struct device itself while the card memory (that embeds the struct device) may be already gone. As a workaround, detach the struct device from the card object by allocating via the new snd_device_alloc() helper. The rest are just replacing ctl_dev access to the pointer. This is based on the fix Curtis posted initially. In this patch, the changes are split and use the new helper function instead. Link: https://lore.kernel.org/r/20230801171928.1460120-1-cujomalainey@chromium.org Reviewed-by: Jaroslav Kysela <perex@perex.cz> Signed-off-by: Curtis Malainey <cujomalainey@chromium.org> Tested-by: Curtis Malainey <cujomalainey@chromium.org> Link: https://lore.kernel.org/r/20230816160252.23396-3-tiwai@suse.de Signed-off-by: Takashi Iwai <tiwai@suse.de>
Diffstat (limited to 'sound/usb')
-rw-r--r--sound/usb/media.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/sound/usb/media.c b/sound/usb/media.c
index 840f42cb9272..6d11fedb4632 100644
--- a/sound/usb/media.c
+++ b/sound/usb/media.c
@@ -163,7 +163,7 @@ void snd_media_stop_pipeline(struct snd_usb_substream *subs)
static int snd_media_mixer_init(struct snd_usb_audio *chip)
{
- struct device *ctl_dev = &chip->card->ctl_dev;
+ struct device *ctl_dev = chip->card->ctl_dev;
struct media_intf_devnode *ctl_intf;
struct usb_mixer_interface *mixer;
struct media_device *mdev = chip->media_dev;