From: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
To: alsa-devel@alsa-project.org
Cc: Dragos Tarcatu <dragos_tarcatu@mentor.com>,
Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>,
tiwai@suse.de,
Ranjani Sridharan <ranjani.sridharan@linux.intel.com>,
Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>,
broonie@kernel.org
Subject: [alsa-devel] [PATCH 3/3] ASoC: topology: Prevent use-after-free in snd_soc_get_pcm_runtime()
Date: Wed, 4 Dec 2019 15:04:47 -0600 [thread overview]
Message-ID: <20191204210447.11701-4-pierre-louis.bossart@linux.intel.com> (raw)
In-Reply-To: <20191204210447.11701-1-pierre-louis.bossart@linux.intel.com>
From: Dragos Tarcatu <dragos_tarcatu@mentor.com>
remove_link() is currently calling snd_soc_remove_dai_link() after
it has already freed the memory for the link name. But this is later
read from snd_soc_get_pcm_runtime() causing a KASAN use-after-free
warning. Reorder the cleanups to fix this issue.
Reviewed-by: Ranjani Sridharan <ranjani.sridharan@linux.intel.com>
Signed-off-by: Dragos Tarcatu <dragos_tarcatu@mentor.com>
Signed-off-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
---
sound/soc/soc-topology.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/sound/soc/soc-topology.c b/sound/soc/soc-topology.c
index 81d2af000a5c..248530d028a6 100644
--- a/sound/soc/soc-topology.c
+++ b/sound/soc/soc-topology.c
@@ -548,12 +548,12 @@ static void remove_link(struct snd_soc_component *comp,
if (dobj->ops && dobj->ops->link_unload)
dobj->ops->link_unload(comp, dobj);
+ list_del(&dobj->list);
+ snd_soc_remove_dai_link(comp->card, link);
+
kfree(link->name);
kfree(link->stream_name);
kfree(link->cpus->dai_name);
-
- list_del(&dobj->list);
- snd_soc_remove_dai_link(comp->card, link);
kfree(link);
}
--
2.20.1
_______________________________________________
Alsa-devel mailing list
Alsa-devel@alsa-project.org
https://mailman.alsa-project.org/mailman/listinfo/alsa-devel
next prev parent reply other threads:[~2019-12-04 21:07 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-12-04 21:04 [alsa-devel] [PATCH 0/3] ASoC: SOF: fixes for kernel oopses/use-after-free Pierre-Louis Bossart
2019-12-04 21:04 ` [alsa-devel] [PATCH 1/3] ASoC: SOF: fix fault at driver unload after failed probe Pierre-Louis Bossart
2019-12-04 21:04 ` [alsa-devel] [PATCH 2/3] ASoC: SOF: Intel: hda: hda-dai: fix oops on hda_link .hw_free Pierre-Louis Bossart
2019-12-04 21:04 ` Pierre-Louis Bossart [this message]
2019-12-05 0:11 ` [alsa-devel] [PATCH 3/3] ASoC: topology: Prevent use-after-free in snd_soc_get_pcm_runtime() Kuninori Morimoto
2019-12-25 0:08 ` [alsa-devel] Applied "ASoC: topology: Prevent use-after-free in snd_soc_get_pcm_runtime()" to the asoc tree Mark Brown
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20191204210447.11701-4-pierre-louis.bossart@linux.intel.com \
--to=pierre-louis.bossart@linux.intel.com \
--cc=alsa-devel@alsa-project.org \
--cc=broonie@kernel.org \
--cc=dragos_tarcatu@mentor.com \
--cc=kuninori.morimoto.gx@renesas.com \
--cc=ranjani.sridharan@linux.intel.com \
--cc=tiwai@suse.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).