[PATCH] ALSA: Dereference after free in snd_hwdep_release()

snd_card_file_remove() may free hw->card so we can't dereference
hw->card->module after that.

Coverity ID 1420.

This bug actually causes an Oops at usb-disconnection, especially
with CONFIG_PREEMPT.

From: Florin Malita <fmalita@gmail.com>
Signed-off-by: Florin Malita <fmalita@gmail.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>

diff --git a/sound/core/hwdep.c b/sound/core/hwdep.c
index 8bd0dcc93eba98f787664085bf9734f2ed89f05d..a562f96f301024ed0e5425ec2c5556cf52592baf 100644 (file)
--- a/sound/core/hwdep.c
+++ b/sound/core/hwdep.c
@@ -158,6 +158,7 @@ static int snd_hwdep_release(struct inode *inode, struct file * file)
 {
        int err = -ENXIO;
        struct snd_hwdep *hw = file->private_data;
+       struct module *mod = hw->card->module;
        mutex_lock(&hw->open_mutex);
        if (hw->ops.release) {
                err = hw->ops.release(hw, file);
@@ -167,7 +168,7 @@ static int snd_hwdep_release(struct inode *inode, struct file * file)
                hw->used--;
        snd_card_file_remove(hw->card, file);
        mutex_unlock(&hw->open_mutex);
-       module_put(hw->card->module);
+       module_put(mod);
        return err;
 }