From: Ben Hutchings <ben@decadent.org.uk>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: akpm@linux-foundation.org, Takashi Iwai <tiwai@suse.de>
Subject: [ 52/82] ALSA: seq: Fix missing error handling in snd_seq_timer_open()
Date: Mon, 18 Mar 2013 04:22:36 +0000 [thread overview]
Message-ID: <20130318042149.269033401@decadent.org.uk> (raw)
In-Reply-To: <20130318042144.234468645@decadent.org.uk>
3.2-stable review patch. If anyone has any objections, please let me know.
------------------
From: Takashi Iwai <tiwai@suse.de>
commit 66efdc71d95887b652a742a5dae51fa834d71465 upstream.
snd_seq_timer_open() didn't catch the whole error path but let through
if the timer id is a slave. This may lead to Oops by accessing the
uninitialized pointer.
BUG: unable to handle kernel NULL pointer dereference at 00000000000002ae
IP: [<ffffffff819b3477>] snd_seq_timer_open+0xe7/0x130
PGD 785cd067 PUD 76964067 PMD 0
Oops: 0002 [#4] SMP
CPU 0
Pid: 4288, comm: trinity-child7 Tainted: G D W 3.9.0-rc1+ #100 Bochs Bochs
RIP: 0010:[<ffffffff819b3477>] [<ffffffff819b3477>] snd_seq_timer_open+0xe7/0x130
RSP: 0018:ffff88006ece7d38 EFLAGS: 00010246
RAX: 0000000000000286 RBX: ffff88007851b400 RCX: 0000000000000000
RDX: 000000000000ffff RSI: ffff88006ece7d58 RDI: ffff88006ece7d38
RBP: ffff88006ece7d98 R08: 000000000000000a R09: 000000000000fffe
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: ffff8800792c5400 R14: 0000000000e8f000 R15: 0000000000000007
FS: 00007f7aaa650700(0000) GS:ffff88007f800000(0000) GS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000000002ae CR3: 000000006efec000 CR4: 00000000000006f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Process trinity-child7 (pid: 4288, threadinfo ffff88006ece6000, task ffff880076a8a290)
Stack:
0000000000000286 ffffffff828f2be0 ffff88006ece7d58 ffffffff810f354d
65636e6575716573 2065756575712072 ffff8800792c0030 0000000000000000
ffff88006ece7d98 ffff8800792c5400 ffff88007851b400 ffff8800792c5520
Call Trace:
[<ffffffff810f354d>] ? trace_hardirqs_on+0xd/0x10
[<ffffffff819b17e9>] snd_seq_queue_timer_open+0x29/0x70
[<ffffffff819ae01a>] snd_seq_ioctl_set_queue_timer+0xda/0x120
[<ffffffff819acb9b>] snd_seq_do_ioctl+0x9b/0xd0
[<ffffffff819acbe0>] snd_seq_ioctl+0x10/0x20
[<ffffffff811b9542>] do_vfs_ioctl+0x522/0x570
[<ffffffff8130a4b3>] ? file_has_perm+0x83/0xa0
[<ffffffff810f354d>] ? trace_hardirqs_on+0xd/0x10
[<ffffffff811b95ed>] sys_ioctl+0x5d/0xa0
[<ffffffff813663fe>] ? trace_hardirqs_on_thunk+0x3a/0x3f
[<ffffffff81faed69>] system_call_fastpath+0x16/0x1b
Reported-and-tested-by: Tommi Rantala <tt.rantala@gmail.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
sound/core/seq/seq_timer.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
--- a/sound/core/seq/seq_timer.c
+++ b/sound/core/seq/seq_timer.c
@@ -290,10 +290,10 @@ int snd_seq_timer_open(struct snd_seq_qu
tid.device = SNDRV_TIMER_GLOBAL_SYSTEM;
err = snd_timer_open(&t, str, &tid, q->queue);
}
- if (err < 0) {
- snd_printk(KERN_ERR "seq fatal error: cannot create timer (%i)\n", err);
- return err;
- }
+ }
+ if (err < 0) {
+ snd_printk(KERN_ERR "seq fatal error: cannot create timer (%i)\n", err);
+ return err;
}
t->callback = snd_seq_timer_interrupt;
t->callback_data = q;
next prev parent reply other threads:[~2013-03-18 4:22 UTC|newest]
Thread overview: 87+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-03-18 4:21 [ 00/82] 3.2.41-stable review Ben Hutchings
2013-03-18 4:21 ` [ 01/82] Revert "powerpc/eeh: Fix crash when adding a device in a slot with DDW" Ben Hutchings
2013-03-18 4:21 ` [ 02/82] btrfs: Init io_lock after cloning btrfs device struct Ben Hutchings
2013-03-18 4:21 ` [ 03/82] md: protect against crash upon fsync on ro array Ben Hutchings
2013-03-18 4:21 ` [ 04/82] NFS: Dont allow NFS silly-renamed files to be deleted, no signal Ben Hutchings
2013-03-18 4:21 ` [ 05/82] SUNRPC: Dont start the retransmission timer when out of socket space Ben Hutchings
2013-03-18 4:21 ` [ 06/82] [SCSI] storvsc: Initialize the sglist Ben Hutchings
2013-03-18 4:21 ` [ 07/82] [SCSI] dc395x: uninitialized variable in device_alloc() Ben Hutchings
2013-03-18 4:21 ` [ 08/82] ARM: VFP: fix emulation of second VFP instruction Ben Hutchings
2013-03-18 4:21 ` [ 09/82] ARM: fix scheduling while atomic warning in alignment handling code Ben Hutchings
2013-03-18 4:21 ` [ 10/82] md: fix two bugs when attempting to resize RAID0 array Ben Hutchings
2013-03-18 4:21 ` [ 11/82] md: raid0: fix error return from create_stripe_zones Ben Hutchings
2013-03-18 4:21 ` [ 12/82] proc connector: reject unprivileged listener bumps Ben Hutchings
2013-03-18 4:21 ` [ 13/82] ath9k: fix RSSI dummy marker value Ben Hutchings
2013-03-18 4:21 ` [ 14/82] ath9k_htc: fix signal strength handling issues Ben Hutchings
2013-03-18 4:21 ` [ 15/82] mwifiex: correct sleep delay counter Ben Hutchings
2013-03-18 4:22 ` [ 16/82] cifs: ensure that cifs_get_root() only traverses directories Ben Hutchings
2013-03-18 4:22 ` [ 17/82] xen/pci: We dont do multiple MSIs Ben Hutchings
2013-03-18 4:22 ` [ 18/82] dm: fix truncated status strings Ben Hutchings
2013-03-18 4:22 ` [ 19/82] dm snapshot: add missing module aliases Ben Hutchings
2013-03-18 4:22 ` [ 20/82] drm/i915: Dont clobber crtc->fb when queue_flip fails Ben Hutchings
2013-03-18 4:22 ` [ 21/82] ARM: 7663/1: perf: fix ARMv7 EVTYPE_MASK to include NSH bit Ben Hutchings
2013-03-18 4:22 ` [ 22/82] hwmon: (pmbus/ltc2978) Fix peak attribute handling Ben Hutchings
2013-03-18 4:22 ` [ 23/82] hwmon: (pmbus/ltc2978) Use detected chip ID to select supported functionality Ben Hutchings
2013-03-18 4:22 ` [ 24/82] hwmon: (sht15) Check return value of regulator_enable() Ben Hutchings
2013-03-18 4:22 ` [ 25/82] hw_random: make buffer usable in scatterlist Ben Hutchings
2013-03-18 4:22 ` [ 26/82] ALSA: vmaster: Fix slave change notification Ben Hutchings
2013-03-18 4:22 ` [ 27/82] drm/radeon: add primary dac adj quirk for R200 board Ben Hutchings
2013-03-18 4:22 ` [ 28/82] dmi_scan: fix missing check for _DMI_ signature in smbios_present() Ben Hutchings
2013-03-18 4:22 ` [ 29/82] iwlwifi: always copy first 16 bytes of commands Ben Hutchings
2013-03-18 4:22 ` [ 30/82] HID: add support for Sony RF receiver with USB product id 0x0374 Ben Hutchings
2013-03-18 4:22 ` [ 31/82] HID: clean up quirk for Sony RF receivers Ben Hutchings
2013-03-18 4:22 ` [ 32/82] ahci: AHCI-mode SATA patch for Intel Lynx Point DeviceIDs Ben Hutchings
2013-03-18 4:22 ` [ 33/82] ahci: Add Device IDs for Intel Lynx Point-LP PCH Ben Hutchings
2013-03-18 4:22 ` [ 34/82] ahci: AHCI-mode SATA patch for Intel Avoton DeviceIDs Ben Hutchings
2013-03-18 4:22 ` [ 35/82] ahci: Add Device IDs for Intel Wellsburg PCH Ben Hutchings
2013-03-18 4:22 ` [ 36/82] iommu/amd: Initialize device table after dma_ops Ben Hutchings
2013-03-18 4:22 ` [ 37/82] tty: Correct tty buffer flush Ben Hutchings
2013-03-18 4:22 ` [ 38/82] efi_pstore: Check remaining space with QueryVariableInfo() before writing data Ben Hutchings
2013-03-18 4:22 ` [ 39/82] efivars: Disable external interrupt while holding efivars->lock Ben Hutchings
2013-03-18 4:22 ` [ 40/82] efi: be more paranoid about available space when creating variables Ben Hutchings
2013-03-18 4:22 ` [ 41/82] ftrace: Update the kconfig for DYNAMIC_FTRACE Ben Hutchings
2013-03-18 4:22 ` [ 42/82] decnet: Fix disappearing sysctl entries Ben Hutchings
2013-03-18 4:22 ` [ 43/82] Fix memory leak in cpufreq stats Ben Hutchings
2013-03-18 4:22 ` [ 44/82] vfs: fix pipe counter breakage Ben Hutchings
2013-03-18 4:22 ` [ 45/82] USB: EHCI: dont check DMA values in QH overlays Ben Hutchings
2013-03-19 3:09 ` Ben Hutchings
2013-03-19 15:27 ` Alan Stern
2013-03-19 20:31 ` Ben Hutchings
2013-03-18 4:22 ` [ 46/82] xen/pciback: Dont disable a PCI device that is already disabled Ben Hutchings
2013-03-18 4:22 ` [ 47/82] USB: option: add Huawei E5331 Ben Hutchings
2013-03-18 4:22 ` [ 48/82] USB: storage: fix Huawei mode switching regression Ben Hutchings
2013-03-18 4:22 ` [ 49/82] USB: added support for Cinterions products AH6 and PLS8 Ben Hutchings
2013-03-18 4:22 ` [ 50/82] e1000e: fix pci-device enable-counter balance Ben Hutchings
2013-03-18 4:22 ` [ 51/82] virtio: rng: disallow multiple device registrations, fixes crashes Ben Hutchings
2013-03-18 4:22 ` Ben Hutchings [this message]
2013-03-18 4:22 ` [ 53/82] usb: cp210x new Vendor/Device IDs Ben Hutchings
2013-03-18 4:22 ` [ 54/82] staging: vt6656: Fix oops on resume from suspend Ben Hutchings
2013-03-18 4:22 ` [ 55/82] qcaux: add Franklin U600 Ben Hutchings
2013-03-18 4:22 ` [ 56/82] ext3: Fix format string issues Ben Hutchings
2013-03-18 4:22 ` [ 57/82] keys: fix race with concurrent install_user_keyrings() Ben Hutchings
2013-03-18 4:22 ` [ 58/82] tty/serial: Add support for Altera serial port Ben Hutchings
2013-03-18 4:22 ` [ 59/82] Fix 4 port and add support for 8 port Unknown PCI serial port cards Ben Hutchings
2013-03-18 4:22 ` [ 60/82] serial: 8250_pci: add support for another kind of NetMos Technology PCI 9835 Multi-I/O Controller Ben Hutchings
2013-03-18 4:22 ` [ 61/82] tty: serial: fix typo "ARCH_S5P6450" Ben Hutchings
2013-03-18 4:22 ` [ 62/82] usb: serial: Add Rigblaster Advantage to device table Ben Hutchings
2013-03-18 4:22 ` [ 63/82] w1: fix oops when w1_search is called from netlink connector Ben Hutchings
2013-03-18 4:22 ` [ 64/82] USB: cdc-wdm: fix buffer overflow Ben Hutchings
2013-03-18 4:22 ` [ 65/82] signal: always clear sa_restorer on execve Ben Hutchings
2013-03-18 4:22 ` [ 66/82] hwmon: (lineage-pem) Add missing terminating entry for pem_[input|fan]_attributes Ben Hutchings
2013-03-18 4:22 ` [ 67/82] hwmon: (pmbus/ltc2978) Fix temperature reporting Ben Hutchings
2013-03-18 4:22 ` [ 68/82] crypto: user - fix info leaks in report API Ben Hutchings
2013-03-18 4:22 ` [ 69/82] Fix: compat_rw_copy_check_uvector() misuse in aio, readv, writev, and security keys Ben Hutchings
2013-03-18 4:22 ` [ 70/82] USB: Dont use EHCI port sempahore for USB 3.0 hubs Ben Hutchings
2013-03-18 4:22 ` [ 71/82] USB: Prepare for refactoring by adding extra udev checks Ben Hutchings
2013-03-18 4:22 ` [ 72/82] USB: Rip out recursive call on warm port reset Ben Hutchings
2013-03-18 4:22 ` [ 73/82] USB: Fix connected device switch to Inactive state Ben Hutchings
2013-03-18 4:22 ` [ 74/82] batman-adv: bat_socket_read missing checks Ben Hutchings
2013-03-18 4:22 ` [ 75/82] batman-adv: Only write requested number of byte to user buffer Ben Hutchings
2013-03-18 4:23 ` [ 76/82] mm/hotplug: correctly add new zone to all other nodes zone lists Ben Hutchings
2013-03-18 4:23 ` [ 77/82] xen-netfront: delay gARP until backend switches to Connected Ben Hutchings
2013-03-18 4:23 ` [ 78/82] block: use i_size_write() in bd_set_size() Ben Hutchings
2013-03-18 4:23 ` [ 79/82] loopdev: fix a deadlock Ben Hutchings
2013-03-18 4:23 ` [ 80/82] loopdev: remove an user triggerable oops Ben Hutchings
2013-03-18 4:23 ` [ 81/82] btrfs: use rcu_barrier() to wait for bdev puts at unmount Ben Hutchings
2013-03-18 4:23 ` [ 82/82] NLS: improve UTF8 -> UTF16 string conversion routine Ben Hutchings
2013-03-18 5:00 ` [ 00/82] 3.2.41-stable review Ben Hutchings
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20130318042149.269033401@decadent.org.uk \
--to=ben@decadent.org.uk \
--cc=akpm@linux-foundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=tiwai@suse.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).