[PATCH] ALSA: wavefront: Fix use-after-free in MIDI operations

Next message: Conor Dooley: "Re: [PATCH] riscv: Update MIPS vendor id to 0x127."
Previous message: Claudiu: "[PATCH v2] drm: display: Drop dev_pm_domain_detach() call"
Next in thread: Takashi Iwai: "Re: [PATCH] ALSA: wavefront: Fix use-after-free in MIDI operations"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: moonafterrain

Date: Tue Nov 04 2025 - 09:16:51 EST

From: Junrui Luo <moonafterrain@xxxxxxxxxxx>

Clear substream pointers in close functions to prevent use-after-free
when timer callbacks or interrupt handlers access them after close.

Reported-by: Yuhao Jiang <danisjiang@xxxxxxxxx>
Reported-by: Junrui Luo <moonafterrain@xxxxxxxxxxx>
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Junrui Luo <moonafterrain@xxxxxxxxxxx>
---
sound/isa/wavefront/wavefront_midi.c | 2 ++
1 file changed, 2 insertions(+)

diff --git a/sound/isa/wavefront/wavefront_midi.c b/sound/isa/wavefront/wavefront_midi.c
index 1250ecba659a..69d87c4cafae 100644
--- a/sound/isa/wavefront/wavefront_midi.c
+++ b/sound/isa/wavefront/wavefront_midi.c
@@ -278,6 +278,7 @@ static int snd_wavefront_midi_input_close(struct snd_rawmidi_substream *substrea
return -EIO;

guard(spinlock_irqsave)(&midi->open);
+ midi->substream_input[mpu] = NULL;
midi->mode[mpu] &= ~MPU401_MODE_INPUT;

return 0;
@@ -300,6 +301,7 @@ static int snd_wavefront_midi_output_close(struct snd_rawmidi_substream *substre
return -EIO;

guard(spinlock_irqsave)(&midi->open);
+ midi->substream_output[mpu] = NULL;
midi->mode[mpu] &= ~MPU401_MODE_OUTPUT;
return 0;
}
--
2.51.1.dirty