From: Andrey Konovalov <andreyknvl@gmail.com>
Date: Sat, 13 Feb 2016 08:08:06 +0000 (+0300)
Subject: ALSA: usb-audio: avoid freeing umidi object twice
X-Git-Tag: v4.1.12-92~190^2~1
X-Git-Url: https://www.infradead.org/git/?a=commitdiff_plain;h=539aa99d8128789d59910de387d9467c7870cf87;p=users%2Fjedix%2Flinux-maple.git

ALSA: usb-audio: avoid freeing umidi object twice

Orabug: 22740866
CVE: CVE-2016-2384

The 'umidi' object will be free'd on the error path by snd_usbmidi_free()
when tearing down the rawmidi interface. So we shouldn't try to free it
in snd_usbmidi_create() after having registered the rawmidi interface.

Found by KASAN.

Signed-off-by: Andrey Konovalov <andreyknvl@gmail.com>
Acked-by: Clemens Ladisch <clemens@ladisch.de>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
(cherry picked from commit 07d86ca93db7e5cdf4743564d98292042ec21af7)
Signed-off-by: Brian Maly <brian.maly@oracle.com>
---

diff --git a/sound/usb/midi.c b/sound/usb/midi.c
index 417ebb11cf489..1fa0a78911df9 100644
--- a/sound/usb/midi.c
+++ b/sound/usb/midi.c
@@ -2405,7 +2405,6 @@ int snd_usbmidi_create(struct snd_card *card,
 	else
 		err = snd_usbmidi_create_endpoints(umidi, endpoints);
 	if (err < 0) {
-		snd_usbmidi_free(umidi);
 		return err;
 	}