From: Sasha Levin <sashal@kernel.org> To: linux-kernel@vger.kernel.org, stable@vger.kernel.org Cc: Yang Yingliang <yangyingliang@huawei.com>, Hulk Robot <hulkci@huawei.com>, Mark Brown <broonie@kernel.org>, Sasha Levin <sashal@kernel.org>, lgirdwood@gmail.com, perex@perex.cz, tiwai@suse.com, alsa-devel@alsa-project.org Subject: [PATCH AUTOSEL 5.14 02/18] ASoC: soc-core: fix null-ptr-deref in snd_soc_del_component_unlocked() Date: Mon, 25 Oct 2021 12:59:15 -0400 [thread overview] Message-ID: <20211025165939.1393655-2-sashal@kernel.org> (raw) In-Reply-To: <20211025165939.1393655-1-sashal@kernel.org> From: Yang Yingliang <yangyingliang@huawei.com> [ Upstream commit c448b7aa3e66042fc0f849d9a0fb90d1af82e948 ] 'component' is allocated in snd_soc_register_component(), but component->list is not initalized, this may cause snd_soc_del_component_unlocked() deref null ptr in the error handing case. KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] RIP: 0010:__list_del_entry_valid+0x81/0xf0 Call Trace: snd_soc_del_component_unlocked+0x69/0x1b0 [snd_soc_core] snd_soc_add_component.cold+0x54/0x6c [snd_soc_core] snd_soc_register_component+0x70/0x90 [snd_soc_core] devm_snd_soc_register_component+0x5e/0xd0 [snd_soc_core] tas2552_probe+0x265/0x320 [snd_soc_tas2552] ? tas2552_component_probe+0x1e0/0x1e0 [snd_soc_tas2552] i2c_device_probe+0xa31/0xbe0 Fix by adding INIT_LIST_HEAD() to snd_soc_component_initialize(). Reported-by: Hulk Robot <hulkci@huawei.com> Signed-off-by: Yang Yingliang <yangyingliang@huawei.com> Link: https://lore.kernel.org/r/20211009065840.3196239-1-yangyingliang@huawei.com Signed-off-by: Mark Brown <broonie@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org> --- sound/soc/soc-core.c | 1 + 1 file changed, 1 insertion(+) diff --git a/sound/soc/soc-core.c b/sound/soc/soc-core.c index 583f2381cfc8..e926985bb2f8 100644 --- a/sound/soc/soc-core.c +++ b/sound/soc/soc-core.c @@ -2599,6 +2599,7 @@ int snd_soc_component_initialize(struct snd_soc_component *component, INIT_LIST_HEAD(&component->dai_list); INIT_LIST_HEAD(&component->dobj_list); INIT_LIST_HEAD(&component->card_list); + INIT_LIST_HEAD(&component->list); mutex_init(&component->io_mutex); component->name = fmt_single_name(dev, &component->id); -- 2.33.0
WARNING: multiple messages have this Message-ID (diff)
From: Sasha Levin <sashal@kernel.org> To: linux-kernel@vger.kernel.org, stable@vger.kernel.org Cc: Sasha Levin <sashal@kernel.org>, alsa-devel@alsa-project.org, tiwai@suse.com, lgirdwood@gmail.com, Hulk Robot <hulkci@huawei.com>, Mark Brown <broonie@kernel.org>, Yang Yingliang <yangyingliang@huawei.com> Subject: [PATCH AUTOSEL 5.14 02/18] ASoC: soc-core: fix null-ptr-deref in snd_soc_del_component_unlocked() Date: Mon, 25 Oct 2021 12:59:15 -0400 [thread overview] Message-ID: <20211025165939.1393655-2-sashal@kernel.org> (raw) In-Reply-To: <20211025165939.1393655-1-sashal@kernel.org> From: Yang Yingliang <yangyingliang@huawei.com> [ Upstream commit c448b7aa3e66042fc0f849d9a0fb90d1af82e948 ] 'component' is allocated in snd_soc_register_component(), but component->list is not initalized, this may cause snd_soc_del_component_unlocked() deref null ptr in the error handing case. KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] RIP: 0010:__list_del_entry_valid+0x81/0xf0 Call Trace: snd_soc_del_component_unlocked+0x69/0x1b0 [snd_soc_core] snd_soc_add_component.cold+0x54/0x6c [snd_soc_core] snd_soc_register_component+0x70/0x90 [snd_soc_core] devm_snd_soc_register_component+0x5e/0xd0 [snd_soc_core] tas2552_probe+0x265/0x320 [snd_soc_tas2552] ? tas2552_component_probe+0x1e0/0x1e0 [snd_soc_tas2552] i2c_device_probe+0xa31/0xbe0 Fix by adding INIT_LIST_HEAD() to snd_soc_component_initialize(). Reported-by: Hulk Robot <hulkci@huawei.com> Signed-off-by: Yang Yingliang <yangyingliang@huawei.com> Link: https://lore.kernel.org/r/20211009065840.3196239-1-yangyingliang@huawei.com Signed-off-by: Mark Brown <broonie@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org> --- sound/soc/soc-core.c | 1 + 1 file changed, 1 insertion(+) diff --git a/sound/soc/soc-core.c b/sound/soc/soc-core.c index 583f2381cfc8..e926985bb2f8 100644 --- a/sound/soc/soc-core.c +++ b/sound/soc/soc-core.c @@ -2599,6 +2599,7 @@ int snd_soc_component_initialize(struct snd_soc_component *component, INIT_LIST_HEAD(&component->dai_list); INIT_LIST_HEAD(&component->dobj_list); INIT_LIST_HEAD(&component->card_list); + INIT_LIST_HEAD(&component->list); mutex_init(&component->io_mutex); component->name = fmt_single_name(dev, &component->id); -- 2.33.0
next prev parent reply other threads:[~2021-10-25 16:59 UTC|newest] Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top 2021-10-25 16:59 [PATCH AUTOSEL 5.14 01/18] KVM: arm64: Report corrupted refcount at EL2 Sasha Levin 2021-10-25 16:59 ` Sasha Levin 2021-10-25 16:59 ` Sasha Levin 2021-10-25 16:59 ` Sasha Levin [this message] 2021-10-25 16:59 ` [PATCH AUTOSEL 5.14 02/18] ASoC: soc-core: fix null-ptr-deref in snd_soc_del_component_unlocked() Sasha Levin 2021-10-25 16:59 ` [PATCH AUTOSEL 5.14 03/18] ASoC: cs42l42: Ensure 0dB full scale volume is used for headsets Sasha Levin 2021-10-25 16:59 ` Sasha Levin 2021-10-25 16:59 ` [PATCH AUTOSEL 5.14 04/18] scsi: core: Put LLD module refcnt after SCSI device is released Sasha Levin 2021-10-25 16:59 ` [PATCH AUTOSEL 5.14 05/18] ALSA: hda/realtek: Fixes HP Spectre x360 15-eb1xxx speakers Sasha Levin 2021-10-25 16:59 ` Sasha Levin 2021-10-25 16:59 ` [PATCH AUTOSEL 5.14 06/18] ptp: fix error print of ptp_kvm on X86_64 platform Sasha Levin 2021-10-25 16:59 ` [PATCH AUTOSEL 5.14 07/18] net: sparx5: Add of_node_put() before goto Sasha Levin 2021-10-25 16:59 ` Sasha Levin 2021-10-25 16:59 ` [PATCH AUTOSEL 5.14 08/18] net: mscc: ocelot: " Sasha Levin 2021-10-25 16:59 ` [PATCH AUTOSEL 5.14 09/18] cavium: Return negative value when pci_alloc_irq_vectors() fails Sasha Levin 2021-10-25 16:59 ` Sasha Levin 2021-10-25 16:59 ` [PATCH AUTOSEL 5.14 10/18] scsi: qla2xxx: Return -ENOMEM if kzalloc() fails Sasha Levin 2021-10-25 16:59 ` [PATCH AUTOSEL 5.14 11/18] scsi: qla2xxx: Fix unmap of already freed sgl Sasha Levin 2021-10-25 16:59 ` [PATCH AUTOSEL 5.14 12/18] mISDN: Fix return values of the probe function Sasha Levin 2021-10-25 16:59 ` [PATCH AUTOSEL 5.14 13/18] cavium: " Sasha Levin 2021-10-25 16:59 ` Sasha Levin 2021-10-25 16:59 ` [PATCH AUTOSEL 5.14 14/18] vrf: Revert "Reset skb conntrack connection..." Sasha Levin 2021-10-25 16:59 ` [PATCH AUTOSEL 5.14 15/18] sfc: Export fibre-specific supported link modes Sasha Levin 2021-10-25 18:24 ` Erik Ekman 2021-10-25 16:59 ` [PATCH AUTOSEL 5.14 16/18] sfc: Don't use netif_info before net_device setup Sasha Levin 2021-10-25 16:59 ` [PATCH AUTOSEL 5.14 17/18] usbnet: sanity check for maxpacket Sasha Levin 2021-10-25 16:59 ` [PATCH AUTOSEL 5.14 18/18] hyperv/vmbus: include linux/bitops.h Sasha Levin
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=20211025165939.1393655-2-sashal@kernel.org \ --to=sashal@kernel.org \ --cc=alsa-devel@alsa-project.org \ --cc=broonie@kernel.org \ --cc=hulkci@huawei.com \ --cc=lgirdwood@gmail.com \ --cc=linux-kernel@vger.kernel.org \ --cc=perex@perex.cz \ --cc=stable@vger.kernel.org \ --cc=tiwai@suse.com \ --cc=yangyingliang@huawei.com \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.