[PATCH] media: cx231xx: fix null pointer deref in snd_cx231xx_pcm_close

Ashwin Gundarapu posted 1 patch 2 days, 2 hours ago
Add a null check for the dev pointer after retrieving it from
the substream. Without this, a use-after-free or null pointer
dereference can occur when closing the audio device, causing
a kernel page fault.

Link: https://bugzilla.redhat.com/show_bug.cgi?id=2365068
Signed-off-by: Ashwin Gundarapu <linuxuser509@zohomail.in>
---
 drivers/media/usb/cx231xx/cx231xx-audio.c | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/drivers/media/usb/cx231xx/cx231xx-audio.c b/drivers/media/usb/cx231xx/cx231xx-audio.c
index 9c71b32552df..a13aef17ff4d 100644
--- a/drivers/media/usb/cx231xx/cx231xx-audio.c
+++ b/drivers/media/usb/cx231xx/cx231xx-audio.c
@@ -441,12 +441,17 @@ static int snd_cx231xx_capture_open(struct snd_pcm_substream *substream)
 static int snd_cx231xx_pcm_close(struct snd_pcm_substream *substream)
 {
 	int ret;
-	struct cx231xx *dev = snd_pcm_substream_chip(substream);
+        struct cx231xx *dev = snd_pcm_substream_chip(substream);

-	dev_dbg(dev->dev, "closing device\n");
+        if (!dev) {
+                pr_err("cx231xx: called with null device\n");
+                return -ENODEV;
+        }

-	/* inform hardware to stop streaming */
-	mutex_lock(&dev->lock);
+        dev_dbg(dev->dev, "closing device\n");
+
+        /* inform hardware to stop streaming */
+        mutex_lock(&dev->lock);
 	ret = cx231xx_capture_start(dev, 0, Audio);

 	/* set alternate setting for audio interface */
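Review bot: The `if (!dev)` test added at the top of snd_cx231xx_pcm_close() only catches a NULL pointer, while the commit message also names use-after-free, which this test cannot detect: a cx231xx that has already been freed is still returned as a non-NULL pointer by snd_pcm_substream_chip(substream), so the following dev_dbg(dev->dev, ...) and mutex_lock(&dev->lock) would still touch stale memory. The hunk also does not show any path that sets the substream's chip pointer to NULL, so please state in the commit message which path leaves it NULL, or, if the fault in the linked bug is a use-after-free, fix the lifetime of dev relative to the PCM close rather than testing the pointer here. Separately, the added and re-added lines are indented with spaces instead of tabs, which turns the unchanged declaration, dev_dbg(), comment and mutex_lock() lines into whitespace-only changes and leaves the function with mixed indentation next to the tab-indented `ret = cx231xx_capture_start(dev, 0, Audio);`. Keep the tabs so the diff contains only the new check.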
-- 
2.43.0