From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail.linuxfoundation.org ([140.211.169.12]:34044 "EHLO mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751864AbdJOO30 (ORCPT ); Sun, 15 Oct 2017 10:29:26 -0400 Subject: Patch "ALSA: caiaq: Fix stray URB at probe error path" has been added to the 4.9-stable tree To: tiwai@suse.de, gregkh@linuxfoundation.org, johan@kernel.org Cc: , From: Date: Sun, 15 Oct 2017 16:29:23 +0200 Message-ID: <1508077763214162@kroah.com> MIME-Version: 1.0 Content-Type: text/plain; charset=ANSI_X3.4-1968 Content-Transfer-Encoding: 8bit Sender: stable-owner@vger.kernel.org List-ID: This is a note to let you know that I've just added the patch titled ALSA: caiaq: Fix stray URB at probe error path to the 4.9-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: alsa-caiaq-fix-stray-urb-at-probe-error-path.patch and it can be found in the queue-4.9 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let know about it. >>From 99fee508245825765ff60155fed43f970ff83a8f Mon Sep 17 00:00:00 2001 From: Takashi Iwai Date: Wed, 11 Oct 2017 16:39:02 +0200 Subject: ALSA: caiaq: Fix stray URB at probe error path From: Takashi Iwai commit 99fee508245825765ff60155fed43f970ff83a8f upstream. caiaq driver doesn't kill the URB properly at its error path during the probe, which may lead to a use-after-free error later. This patch addresses it. Reported-by: Johan Hovold Reviewed-by: Johan Hovold Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman --- sound/usb/caiaq/device.c | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) --- a/sound/usb/caiaq/device.c +++ b/sound/usb/caiaq/device.c @@ -469,10 +469,12 @@ static int init_card(struct snd_usb_caia err = snd_usb_caiaq_send_command(cdev, EP1_CMD_GET_DEVICE_INFO, NULL, 0); if (err) - return err; + goto err_kill_urb; - if (!wait_event_timeout(cdev->ep1_wait_queue, cdev->spec_received, HZ)) - return -ENODEV; + if (!wait_event_timeout(cdev->ep1_wait_queue, cdev->spec_received, HZ)) { + err = -ENODEV; + goto err_kill_urb; + } usb_string(usb_dev, usb_dev->descriptor.iManufacturer, cdev->vendor_name, CAIAQ_USB_STR_LEN); @@ -507,6 +509,10 @@ static int init_card(struct snd_usb_caia setup_card(cdev); return 0; + + err_kill_urb: + usb_kill_urb(&cdev->ep1_in_urb); + return err; } static int snd_probe(struct usb_interface *intf, Patches currently in stable-queue which might be from tiwai@suse.de are queue-4.9/alsa-line6-fix-missing-initialization-before-error-path.patch queue-4.9/alsa-caiaq-fix-stray-urb-at-probe-error-path.patch queue-4.9/alsa-seq-fix-copy_from_user-call-inside-lock.patch queue-4.9/alsa-seq-fix-use-after-free-at-creating-a-port.patch queue-4.9/alsa-line6-fix-leftover-urb-at-error-path-during-probe.patch queue-4.9/alsa-usb-audio-kill-stray-urb-at-exiting.patch