From: Takashi Iwai <tiwai@suse.de>
To: Dongliang Mu <mudongliangabcd@gmail.com>
Cc: perex@perex.cz, tiwai@suse.com, dan.carpenter@oracle.com,
alsa-devel@alsa-project.org, linux-kernel@vger.kernel.org,
syzbot+08a7d8b51ea048a74ffb@syzkaller.appspotmail.com
Subject: Re: [PATCH v2] ALSA: control led: fix memory leak in snd_ctl_led_register
Date: Wed, 02 Jun 2021 08:59:03 +0200 [thread overview]
Message-ID: <s5hh7igycp4.wl-tiwai@suse.de> (raw)
In-Reply-To: <20210602034136.2762497-1-mudongliangabcd@gmail.com>
On Wed, 02 Jun 2021 05:41:36 +0200,
Dongliang Mu wrote:
>
> The snd_ctl_led_sysfs_add and snd_ctl_led_sysfs_remove should contain
> the refcount operations in pair. However, snd_ctl_led_sysfs_remove fails
> to decrease the refcount to zero, which causes device_release never to
> be invoked. This leads to memory leak to some resources, like struct
> device_private. In addition, we also free some other similar memory
> leaks in snd_ctl_led_init/snd_ctl_led_exit.
>
> Fix this by replacing device_del to device_unregister
> in snd_ctl_led_sysfs_remove/snd_ctl_led_init/snd_ctl_led_exit.
>
> Note that, when CONFIG_DEBUG_KOBJECT_RELEASE is enabled, put_device will
> call kobject_release and delay the release of kobject, which will cause
> use-after-free when the memory backing the kobject is freed at once.
>
> Reported-by: syzbot+08a7d8b51ea048a74ffb@syzkaller.appspotmail.com
> Fixes: a135dfb5de1 ("ALSA: led control - add sysfs kcontrol LED marking layer")
> Signed-off-by: Dongliang Mu <mudongliangabcd@gmail.com>
Applied now. Thanks.
Takashi
WARNING: multiple messages have this Message-ID (diff)
From: Takashi Iwai <tiwai@suse.de>
To: Dongliang Mu <mudongliangabcd@gmail.com>
Cc: alsa-devel@alsa-project.org, tiwai@suse.com,
syzbot+08a7d8b51ea048a74ffb@syzkaller.appspotmail.com,
linux-kernel@vger.kernel.org, dan.carpenter@oracle.com
Subject: Re: [PATCH v2] ALSA: control led: fix memory leak in snd_ctl_led_register
Date: Wed, 02 Jun 2021 08:59:03 +0200 [thread overview]
Message-ID: <s5hh7igycp4.wl-tiwai@suse.de> (raw)
In-Reply-To: <20210602034136.2762497-1-mudongliangabcd@gmail.com>
On Wed, 02 Jun 2021 05:41:36 +0200,
Dongliang Mu wrote:
>
> The snd_ctl_led_sysfs_add and snd_ctl_led_sysfs_remove should contain
> the refcount operations in pair. However, snd_ctl_led_sysfs_remove fails
> to decrease the refcount to zero, which causes device_release never to
> be invoked. This leads to memory leak to some resources, like struct
> device_private. In addition, we also free some other similar memory
> leaks in snd_ctl_led_init/snd_ctl_led_exit.
>
> Fix this by replacing device_del to device_unregister
> in snd_ctl_led_sysfs_remove/snd_ctl_led_init/snd_ctl_led_exit.
>
> Note that, when CONFIG_DEBUG_KOBJECT_RELEASE is enabled, put_device will
> call kobject_release and delay the release of kobject, which will cause
> use-after-free when the memory backing the kobject is freed at once.
>
> Reported-by: syzbot+08a7d8b51ea048a74ffb@syzkaller.appspotmail.com
> Fixes: a135dfb5de1 ("ALSA: led control - add sysfs kcontrol LED marking layer")
> Signed-off-by: Dongliang Mu <mudongliangabcd@gmail.com>
Applied now. Thanks.
Takashi
next prev parent reply other threads:[~2021-06-02 6:59 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-06-02 3:41 [PATCH v2] ALSA: control led: fix memory leak in snd_ctl_led_register Dongliang Mu
2021-06-02 6:35 ` Dan Carpenter
2021-06-02 6:35 ` Dan Carpenter
2021-06-02 6:47 ` Jaroslav Kysela
2021-06-02 6:59 ` Takashi Iwai [this message]
2021-06-02 6:59 ` Takashi Iwai
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=s5hh7igycp4.wl-tiwai@suse.de \
--to=tiwai@suse.de \
--cc=alsa-devel@alsa-project.org \
--cc=dan.carpenter@oracle.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mudongliangabcd@gmail.com \
--cc=perex@perex.cz \
--cc=syzbot+08a7d8b51ea048a74ffb@syzkaller.appspotmail.com \
--cc=tiwai@suse.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.