Commit 05ca4476 authored by Takashi Iwai's avatar Takashi Iwai

ALSA: line6: Fix racy initialization of LINE6 MIDI

The initialization of MIDI devices that are found on some LINE6
drivers are currently done in a racy way; namely, the MIDI buffer
instance is allocated and initialized in each private_init callback
while the communication with the interface is already started via
line6_init_cap_control() call before that point.  This may lead to
Oops in line6_data_received() when a spurious event is received, as
reported by syzkaller.

This patch moves the MIDI initialization to line6_init_cap_control()
as well instead of the too-lately-called private_init for avoiding the
race.  Also this reduces slightly more lines, so it's a win-win
change.

Reported-by: syzbot+0d2b3feb0a2887862e06@syzkallerlkml..appspotmail.com
Link: https://lore.kernel.org/r/000000000000a4be9405c28520de@google.com
Link: https://lore.kernel.org/r/20210517132725.GA50495@hyeyoo
Cc: Hyeonggon Yoo <42.hyeyoo@gmail.com>
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20210518083939.1927-1-tiwai@suse.deSigned-off-by: default avatarTakashi Iwai <tiwai@suse.de>
parent 4c6fe8c5
...@@ -699,6 +699,10 @@ static int line6_init_cap_control(struct usb_line6 *line6) ...@@ -699,6 +699,10 @@ static int line6_init_cap_control(struct usb_line6 *line6)
line6->buffer_message = kmalloc(LINE6_MIDI_MESSAGE_MAXLEN, GFP_KERNEL); line6->buffer_message = kmalloc(LINE6_MIDI_MESSAGE_MAXLEN, GFP_KERNEL);
if (!line6->buffer_message) if (!line6->buffer_message)
return -ENOMEM; return -ENOMEM;
ret = line6_init_midi(line6);
if (ret < 0)
return ret;
} else { } else {
ret = line6_hwdep_init(line6); ret = line6_hwdep_init(line6);
if (ret < 0) if (ret < 0)
......
...@@ -376,11 +376,6 @@ static int pod_init(struct usb_line6 *line6, ...@@ -376,11 +376,6 @@ static int pod_init(struct usb_line6 *line6,
if (err < 0) if (err < 0)
return err; return err;
/* initialize MIDI subsystem: */
err = line6_init_midi(line6);
if (err < 0)
return err;
/* initialize PCM subsystem: */ /* initialize PCM subsystem: */
err = line6_init_pcm(line6, &pod_pcm_properties); err = line6_init_pcm(line6, &pod_pcm_properties);
if (err < 0) if (err < 0)
......
...@@ -159,7 +159,6 @@ static int variax_init(struct usb_line6 *line6, ...@@ -159,7 +159,6 @@ static int variax_init(struct usb_line6 *line6,
const struct usb_device_id *id) const struct usb_device_id *id)
{ {
struct usb_line6_variax *variax = line6_to_variax(line6); struct usb_line6_variax *variax = line6_to_variax(line6);
int err;
line6->process_message = line6_variax_process_message; line6->process_message = line6_variax_process_message;
line6->disconnect = line6_variax_disconnect; line6->disconnect = line6_variax_disconnect;
...@@ -172,11 +171,6 @@ static int variax_init(struct usb_line6 *line6, ...@@ -172,11 +171,6 @@ static int variax_init(struct usb_line6 *line6,
if (variax->buffer_activate == NULL) if (variax->buffer_activate == NULL)
return -ENOMEM; return -ENOMEM;
/* initialize MIDI subsystem: */
err = line6_init_midi(&variax->line6);
if (err < 0)
return err;
/* initiate startup procedure: */ /* initiate startup procedure: */
schedule_delayed_work(&line6->startup_work, schedule_delayed_work(&line6->startup_work,
msecs_to_jiffies(VARIAX_STARTUP_DELAY1)); msecs_to_jiffies(VARIAX_STARTUP_DELAY1));
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment