From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Yang Yingliang <yangyingliang@huawei.com>,
	Hulk Robot <hulkci@huawei.com>, Mark Brown <broonie@kernel.org>,
	Sasha Levin <sashal@kernel.org>,
	lgirdwood@gmail.com, perex@perex.cz, tiwai@suse.com,
	alsa-devel@alsa-project.org
Subject: [PATCH AUTOSEL 5.14 02/18] ASoC: soc-core: fix null-ptr-deref in snd_soc_del_component_unlocked()
Date: Mon, 25 Oct 2021 12:59:15 -0400
Message-ID: <20211025165939.1393655-2-sashal@kernel.org>
In-Reply-To: <20211025165939.1393655-1-sashal@kernel.org>

From: Yang Yingliang <yangyingliang@huawei.com>

[ Upstream commit c448b7aa3e66042fc0f849d9a0fb90d1af82e948 ]

'component' is allocated in snd_soc_register_component(), but component->list
is not initialized; this may cause snd_soc_del_component_unlocked() to deref
a null ptr in the error handling case.

KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
RIP: 0010:__list_del_entry_valid+0x81/0xf0
Call Trace:
 snd_soc_del_component_unlocked+0x69/0x1b0 [snd_soc_core]
 snd_soc_add_component.cold+0x54/0x6c [snd_soc_core]
 snd_soc_register_component+0x70/0x90 [snd_soc_core]
 devm_snd_soc_register_component+0x5e/0xd0 [snd_soc_core]
 tas2552_probe+0x265/0x320 [snd_soc_tas2552]
 ? tas2552_component_probe+0x1e0/0x1e0 [snd_soc_tas2552]
 i2c_device_probe+0xa31/0xbe0

Fix by adding INIT_LIST_HEAD() to snd_soc_component_initialize().

Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Link: https://lore.kernel.org/r/20211009065840.3196239-1-yangyingliang@huawei.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 sound/soc/soc-core.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/sound/soc/soc-core.c b/sound/soc/soc-core.c
index 583f2381cfc8..e926985bb2f8 100644
--- a/sound/soc/soc-core.c
+++ b/sound/soc/soc-core.c
@@ -2599,6 +2599,7 @@ int snd_soc_component_initialize(struct snd_soc_component *component,
 	INIT_LIST_HEAD(&component->dai_list);
 	INIT_LIST_HEAD(&component->dobj_list);
 	INIT_LIST_HEAD(&component->card_list);
+	INIT_LIST_HEAD(&component->list);
 	mutex_init(&component->io_mutex);
 
 	component->name = fmt_single_name(dev, &component->id);
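Review bot: The commit message has no Fixes: tag, so nothing here identifies which earlier change made the snd_soc_add_component() error path call snd_soc_del_component_unlocked() on a component whose ->list was never linked. For a 5.14 stable backport, confirm that this error path exists in that tree before taking the one-liner. The added INIT_LIST_HEAD(&component->list) is placed consistently with the dai_list, dobj_list and card_list initializers and comes before the fmt_single_name() step shown in the hunk. A short comment noting that ->list must be valid for the unwind path would help keep a later reordering from reintroducing the NULL next/prev case in the KASAN report.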
-- 
2.33.0
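Added example, not part of the patch or the kernel source: a userspace model of the failure the commit message describes, showing why deleting a never-linked entry faults when the list head is zeroed and is harmless once it has been initialized. The struct and function names are stand-ins constructed for this example, and a zeroed allocation is assumed, consistent with the null-ptr-deref range in the KASAN report.

```c
#include <stddef.h>
#include <string.h>

/* Userspace stand-in for the kernel's struct list_head (constructed). */
struct list_head { struct list_head *next, *prev; };

static void init_list_head(struct list_head *h) { h->next = h; h->prev = h; }

static void add_tail(struct list_head *n, struct list_head *head)
{
    n->prev = head->prev;
    n->next = head;
    head->prev->next = n;
    head->prev = n;
}

/*
 * Checked delete: returns -1 at the point where an unchecked delete would
 * have to read through a NULL next/prev pointer, 0 after a normal unlink.
 */
static int checked_del(struct list_head *e)
{
    if (!e->next || !e->prev)
        return -1;
    e->prev->next = e->next;
    e->next->prev = e->prev;
    return 0;
}

/* Hypothetical component holding only the field that matters here. */
struct component { struct list_head list; };

/* Error path: unwinding a component that was never linked into any list. */
int unwind_never_added(int initialized)
{
    struct component c;
    memset(&c, 0, sizeof(c));        /* assumption: zeroed allocation */
    if (initialized)
        init_list_head(&c.list);     /* the step the patch adds */
    return checked_del(&c.list);
}

/* Normal path: add then delete leaves the global list empty again. */
int add_then_del_leaves_empty(void)
{
    struct list_head global;
    struct component c;
    init_list_head(&global);
    init_list_head(&c.list);
    add_tail(&c.list, &global);
    if (checked_del(&c.list) != 0)
        return 0;
    return global.next == &global && global.prev == &global;
}
```

With the entry initialized to point at itself, the unlink writes only to the entry's own fields, so the error path can call the delete routine without tracking whether the component was ever added.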

