[SRU][T][PATCH] ALSA: usb-audio: Fix UAF decrement if card has no live interfaces in card.c

[Hui Wang]

From: Hui Peng <benquike at gmail.com>

If a USB sound card reports 0 interfaces, an error condition is triggered
and the function usb_audio_probe errors out. In the error path, there was a
use-after-free vulnerability where the memory object of the card was first
freed, followed by a decrement of the number of active chips. Moving the
decrement above the atomic_dec fixes the UAF.

[ The original problem was introduced in 3.1 kernel, while it was
  developed in a different form.  The Fixes tag below indicates the
  original commit but it doesn't mean that the patch is applicable
  cleanly. -- tiwai ]

Fixes: 362e4e49abe5 ("ALSA: usb-audio - clear chip->probing on error exit")
Reported-by: Hui Peng <benquike at gmail.com>
Reported-by: Mathias Payer <mathias.payer at nebelwelt.net>
Signed-off-by: Hui Peng <benquike at gmail.com>
Signed-off-by: Mathias Payer <mathias.payer at nebelwelt.net>
Cc: <stable at vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai at suse.de>

CVE-2018-19824

(backported from commit 5f8cf712582617d523120df67d392059eaf2fc4b)
Signed-off-by: Hui Wang <hui.wang at canonical.com>
---
 sound/usb/card.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/sound/usb/card.c b/sound/usb/card.c
index 75b1040ef3bb..dfbd152c0962 100644
--- a/sound/usb/card.c
+++ b/sound/usb/card.c
@@ -588,9 +588,12 @@ snd_usb_audio_probe(struct usb_device *dev,
 
  __error:
 	if (chip) {
+		/* chip->probing is inside the chip->card object,
+		 * set the value before memory is possibly returned.
+		 */
+		chip->probing = 0;
 		if (!chip->num_interfaces)
 			snd_card_free(chip->card);
-		chip->probing = 0;
 	}
 	mutex_unlock(&register_mutex);
  __err_val:
-- 
2.17.1