From: Robert Jarzmik <robert.jarzmik@free.fr>
To: Dmitry Torokhov <dmitry.torokhov@gmail.com>,
	Lee Jones <lee.jones@linaro.org>,
	Jaroslav Kysela <perex@perex.cz>, Takashi Iwai <tiwai@suse.com>,
	Daniel Mack <daniel@zonque.org>,
	Haojian Zhuang <haojian.zhuang@gmail.com>,
	Robert Jarzmik <robert.jarzmik@free.fr>,
	Liam Girdwood <lgirdwood@gmail.com>,
	Mark Brown <broonie@kernel.org>,
	Lars-Peter Clausen <lars@metafoo.de>,
	Charles Keepax <ckeepax@opensource.wolfsonmicro.com>
Cc: linux-kernel@vger.kernel.org, linux-input@vger.kernel.org,
	patches@opensource.wolfsonmicro.com, alsa-devel@alsa-project.org,
	linux-arm-kernel@lists.infradead.org,
	Takashi Iwai <tiwai@suse.de>, <stable@vger.kernel.org>
Subject: [PATCH v2 12/12] ASoC: Fix use-after-free at card unregistration
Date: Mon, 19 Jun 2017 09:27:09 +0200
Message-ID: <1497857229-12049-13-git-send-email-robert.jarzmik@free.fr>
In-Reply-To: <1497857229-12049-1-git-send-email-robert.jarzmik@free.fr>

From: Takashi Iwai <tiwai@suse.de>

soc_cleanup_card_resources() calls snd_card_free() at the end of its
procedure.  This turned out to lead to a use-after-free.
PCM runtimes have already been removed via soc_remove_pcm_runtimes(),
while they're dereferenced later in soc_pcm_free() called via
snd_card_free().

The fix is simple: just move the snd_card_free() call to the beginning
of the whole procedure.  This also gives another benefit: it
guarantees that all operations have been shut down before actually
releasing the resources, which was racy until now.

Reported-and-tested-by: Robert Jarzmik <robert.jarzmik@free.fr>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
---
 sound/soc/soc-core.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/sound/soc/soc-core.c b/sound/soc/soc-core.c
index 2722bb0c5573..98d60f471c5d 100644
--- a/sound/soc/soc-core.c
+++ b/sound/soc/soc-core.c
@@ -2286,6 +2286,9 @@ static int soc_cleanup_card_resources(struct snd_soc_card *card)
 	list_for_each_entry(rtd, &card->rtd_list, list)
 		flush_delayed_work(&rtd->delayed_work);
 
+	/* free the ALSA card at first; this syncs with pending operations */
+	snd_card_free(card->snd_card);
+
 	/* remove and free each DAI */
 	soc_remove_dai_links(card);
 	soc_remove_pcm_runtimes(card);
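
Review bot: the flush_delayed_work() loop over card->rtd_list still runs before the new snd_card_free() call, so if snd_card_free() is the step that syncs with pending operations (as the added comment says), delayed work could in principle be queued again between the flush and the free. Consider moving the flush loop after snd_card_free(), or extending the comment to say why that window cannot occur. The comment itself would read better as "free the ALSA card first".
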
@@ -2300,9 +2303,7 @@ static int soc_cleanup_card_resources(struct snd_soc_card *card)
 	if (card->remove)
 		card->remove(card);
 
-	snd_card_free(card->snd_card);
 	return 0;
-
 }
 
 /* removes a socdev */
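
Review bot: with the free moved to the top, card->remove(card) now runs after card->snd_card has been released, and the pointer is left dangling for the rest of soc_cleanup_card_resources(). A remove callback that still touches card->snd_card would turn this into a new use-after-free, so consider setting card->snd_card to NULL right after the snd_card_free() call, or documenting that remove callbacks must not use it.
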
-- 
2.1.4
