* [PATCH] ASoC: core: Fix use-after-free in snd_soc_exit()
@ 2022-10-28  3:16 ` Chen Zhongjin
  0 siblings, 0 replies; 10+ messages in thread
From: Chen Zhongjin @ 2022-10-28  3:16 UTC (permalink / raw)
  To: linux-kernel, alsa-devel; +Cc: lgirdwood, broonie, perex, tiwai, chenzhongjin

KASAN reports a use-after-free:

BUG: KASAN: use-after-free in device_del+0xb5b/0xc60
Read of size 8 at addr ffff888008655050 by task rmmod/387
CPU: 2 PID: 387 Comm: rmmod
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)
Call Trace:
<TASK>
dump_stack_lvl+0x79/0x9a
print_report+0x17f/0x47b
kasan_report+0xbb/0xf0
device_del+0xb5b/0xc60
platform_device_del.part.0+0x24/0x200
platform_device_unregister+0x2e/0x40
snd_soc_exit+0xa/0x22 [snd_soc_core]
__do_sys_delete_module.constprop.0+0x34f/0x5b0
do_syscall_64+0x3a/0x90
entry_SYSCALL_64_after_hwframe+0x63/0xcd
...
</TASK>

It's because in snd_soc_init(), snd_soc_util_init() can fail,
but its ret is ignored, which makes soc_dummy_dev unregistered twice.

snd_soc_init()
    snd_soc_util_init()
        platform_device_register_simple(soc_dummy_dev)
        platform_driver_register() # fail
        platform_device_unregister(soc_dummy_dev)
    platform_driver_register() # success
...
snd_soc_exit()
    snd_soc_util_exit()
    # soc_dummy_dev will be unregistered for second time

To fix it, handle the error and stop snd_soc_init() when util_init() fails.
Also clean up debugfs when util_init() or driver_register() fails.

Fixes: fb257897bf20 ("ASoC: Work around allmodconfig failure")
Signed-off-by: Chen Zhongjin <chenzhongjin@huawei.com>
---
 sound/soc/soc-core.c | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)

diff --git a/sound/soc/soc-core.c b/sound/soc/soc-core.c
index 12a82f5a3ff6..a409fbed8f34 100644
--- a/sound/soc/soc-core.c
+++ b/sound/soc/soc-core.c
@@ -3477,10 +3477,23 @@ EXPORT_SYMBOL_GPL(snd_soc_of_get_dai_link_cpus);
 
 static int __init snd_soc_init(void)
 {
+	int ret;
+
 	snd_soc_debugfs_init();
-	snd_soc_util_init();
+	ret = snd_soc_util_init();
+	if (ret)
+		goto err_util_init;
 
-	return platform_driver_register(&soc_driver);
+	ret = platform_driver_register(&soc_driver);
+	if (ret)
+		goto err_register;
+	return 0;
+
+err_register:
+	snd_soc_util_exit();
+err_util_init:
+	snd_soc_debugfs_exit();
+	return ret;
 }
 module_init(snd_soc_init);
 
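Review bot: at err_register, snd_soc_util_exit() is called from snd_soc_init(), which is __init, but snd_soc_util_exit() is declared __exit in sound/soc/soc-utils.c, so modpost reports a section mismatch (.init.text referencing .exit.text). Exit-section code can be discarded when the code is built in, so the unwind path would call text that is not there. Drop the __exit annotation from snd_soc_util_exit() together with this change. The unwind order itself (util exit, then debugfs exit) mirrors the init order and looks right.
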
-- 
2.17.1
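
The failure sequence from the commit message, as a userspace C model added here (not code from the patch or from the kernel). The struct model, the two fault-injection flags and load_unload() are constructed stand-ins, and a counter takes the place of the freed-memory access that KASAN reported.

```c
/* Constructed userspace model: names follow the thread, bodies are stand-ins. */
#include <stdio.h>
struct model {
    int fail_dummy_driver, fail_soc_driver; /* fault injection (assumed knobs) */
    int dev_registered, debugfs_up;         /* soc_dummy_dev / debugfs state */
    int stale_unregisters;                  /* unregister of a released device */
};

static void dev_unregister(struct model *m) {
    /* On an already-released device the kernel would touch freed memory. */
    m->stale_unregisters += !m->dev_registered;
    m->dev_registered = 0;
}

static int util_init(struct model *m) {
    m->dev_registered = 1;          /* platform_device_register_simple() */
    if (m->fail_dummy_driver) {     /* platform_driver_register() # fail */
        dev_unregister(m);          /* util_init undoes its own work */
        return -1;
    }
    return 0;
}
static void util_exit(struct model *m) { dev_unregister(m); }

/* Before the patch: the result of util_init() is dropped. */
static int init_before(struct model *m) {
    m->debugfs_up = 1;
    util_init(m);
    return m->fail_soc_driver ? -1 : 0;
}

/* After the patch: same checks and unwind labels as the hunk. */
static int init_after(struct model *m) {
    int ret;
    m->debugfs_up = 1;
    ret = util_init(m);
    if (ret)
        goto err_util_init;
    ret = m->fail_soc_driver ? -1 : 0;
    if (ret)
        goto err_register;
    return 0;
err_register:
    util_exit(m);
err_util_init:
    m->debugfs_up = 0;
    return ret;
}

/* insmod, then rmmod only if init succeeded; returns stale unregisters. */
static int load_unload(int (*init)(struct model *), struct model *m) {
    if (init(m) == 0)
        util_exit(m);               /* snd_soc_exit() -> snd_soc_util_exit() */
    return m->stale_unregisters;
}

int main(void) {
    struct model a = { .fail_dummy_driver = 1 }, b = a;
    printf("stale unregisters: before=%d after=%d\n",
           load_unload(init_before, &a), load_unload(init_after, &b));
}
```

With the return value ignored the module still loads, so the later unload is what performs the second unregister; with the check in place the load fails and the exit path never runs.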


* Re: [PATCH] ASoC: core: Fix use-after-free in snd_soc_exit()
  2022-10-28  3:16 ` Chen Zhongjin
@ 2022-10-28 16:14   ` Mark Brown
  -1 siblings, 0 replies; 10+ messages in thread
From: Mark Brown @ 2022-10-28 16:14 UTC (permalink / raw)
  To: linux-kernel, Chen Zhongjin, alsa-devel; +Cc: tiwai, perex, lgirdwood

On Fri, 28 Oct 2022 11:16:03 +0800, Chen Zhongjin wrote:
> KASAN reports a use-after-free:
> 
> BUG: KASAN: use-after-free in device_del+0xb5b/0xc60
> Read of size 8 at addr ffff888008655050 by task rmmod/387
> CPU: 2 PID: 387 Comm: rmmod
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)
> Call Trace:
> <TASK>
> dump_stack_lvl+0x79/0x9a
> print_report+0x17f/0x47b
> kasan_report+0xbb/0xf0
> device_del+0xb5b/0xc60
> platform_device_del.part.0+0x24/0x200
> platform_device_unregister+0x2e/0x40
> snd_soc_exit+0xa/0x22 [snd_soc_core]
> __do_sys_delete_module.constprop.0+0x34f/0x5b0
> do_syscall_64+0x3a/0x90
> entry_SYSCALL_64_after_hwframe+0x63/0xcd
> ...
> </TASK>
> 
> [...]

Applied to

   https://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound.git for-next

Thanks!

[1/1] ASoC: core: Fix use-after-free in snd_soc_exit()
      commit: 6ec27c53886c8963729885bcf2dd996eba2767a7

All being well this means that it will be integrated into the linux-next
tree (usually sometime in the next 24 hours) and sent to Linus during
the next merge window (or sooner if it is a bug fix), however if
problems are discovered then the patch may be dropped or reverted.

You may get further e-mails resulting from automated or manual testing
and review of the tree, please engage with people reporting problems and
send followup patches addressing any issues that are reported if needed.

If any updates are required or you are submitting further changes they
should be sent as incremental updates against current git, existing
patches will not be replaced.

Please add any relevant lists and maintainers to the CCs when replying
to this mail.

Thanks,
Mark

* Re: [PATCH] ASoC: core: Fix use-after-free in snd_soc_exit()
  2022-10-28 16:14   ` Mark Brown
@ 2022-10-29  4:34     ` Chen Zhongjin
  -1 siblings, 0 replies; 10+ messages in thread
From: Chen Zhongjin @ 2022-10-29  4:34 UTC (permalink / raw)
  To: Mark Brown, linux-kernel, alsa-devel; +Cc: tiwai, perex, lgirdwood

Hi,

On 2022/10/29 0:14, Mark Brown wrote:
> On Fri, 28 Oct 2022 11:16:03 +0800, Chen Zhongjin wrote:
>> KASAN reports a use-after-free:
>>
>> BUG: KASAN: use-after-free in device_del+0xb5b/0xc60
>> Read of size 8 at addr ffff888008655050 by task rmmod/387
>> CPU: 2 PID: 387 Comm: rmmod
>> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)
>> Call Trace:
>> <TASK>
>> dump_stack_lvl+0x79/0x9a
>> print_report+0x17f/0x47b
>> kasan_report+0xbb/0xf0
>> device_del+0xb5b/0xc60
>> platform_device_del.part.0+0x24/0x200
>> platform_device_unregister+0x2e/0x40
>> snd_soc_exit+0xa/0x22 [snd_soc_core]
>> __do_sys_delete_module.constprop.0+0x34f/0x5b0
>> do_syscall_64+0x3a/0x90
>> entry_SYSCALL_64_after_hwframe+0x63/0xcd
>> ...
>> </TASK>
>>
>> [...]
> Applied to
>
>     https://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound.git for-next
>
> Thanks!
>
> [1/1] ASoC: core: Fix use-after-free in snd_soc_exit()
>        commit: 6ec27c53886c8963729885bcf2dd996eba2767a7

I noticed that there is a build warning introduced by this patch:

WARNING: modpost: sound/soc/snd-soc-core.o: section mismatch in 
reference: init_module (section: .init.text) -> snd_soc_util_exit 
(section: .exit.text)

It's because it calls _exit snd_soc_util_exit() inside _init snd_soc_init().

Since snd_soc_util_exit is only used in snd_soc_init() and 
snd_soc_exit(), could you please add this fix to the patch and delete 
_exit for snd_soc_util_exit()?

Or should I send a v2 version to replace current one?


diff --git a/sound/soc/soc-utils.c b/sound/soc/soc-utils.c
index a3b6df2378b4..a4dba0b751e7 100644
--- a/sound/soc/soc-utils.c
+++ b/sound/soc/soc-utils.c
@@ -264,7 +264,7 @@ int __init snd_soc_util_init(void)
         return ret;
  }

-void __exit snd_soc_util_exit(void)
+void snd_soc_util_exit(void)
  {
         platform_driver_unregister(&soc_dummy_driver);
         platform_device_unregister(soc_dummy_dev);
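
Review bot: as posted, this hunk is indented with spaces and its context lines ("  }" and "  {") carry an extra leading space, so it will not apply with git am. Send it as a standalone patch with a Signed-off-by and a Fixes: tag naming commit 6ec27c53886c. Removing __exit is the right change, since snd_soc_init() now reaches snd_soc_util_exit() on its err_register path and the function can no longer live in .exit.text.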


Thanks!

Best,

Chen

> All being well this means that it will be integrated into the linux-next
> tree (usually sometime in the next 24 hours) and sent to Linus during
> the next merge window (or sooner if it is a bug fix), however if
> problems are discovered then the patch may be dropped or reverted.
>
> You may get further e-mails resulting from automated or manual testing
> and review of the tree, please engage with people reporting problems and
> send followup patches addressing any issues that are reported if needed.
>
> If any updates are required or you are submitting further changes they
> should be sent as incremental updates against current git, existing
> patches will not be replaced.
>
> Please add any relevant lists and maintainers to the CCs when replying
> to this mail.
>
> Thanks,
> Mark

* Re: [PATCH] ASoC: core: Fix use-after-free in snd_soc_exit()
  2022-10-29  4:34     ` Chen Zhongjin
@ 2022-10-31 13:05       ` Mark Brown
  -1 siblings, 0 replies; 10+ messages in thread
From: Mark Brown @ 2022-10-31 13:05 UTC (permalink / raw)
  To: Chen Zhongjin; +Cc: linux-kernel, alsa-devel, tiwai, perex, lgirdwood

On Sat, Oct 29, 2022 at 12:34:19PM +0800, Chen Zhongjin wrote:

> Since snd_soc_util_exit is only used in snd_soc_init() and snd_soc_exit(),
> could you please add this fix to the patch and delete _exit for
> snd_soc_util_exit()?

> Or should I send a v2 version to replace current one?

As the mail you got when the patch was applied said:

| If any updates are required or you are submitting further changes they
| should be sent as incremental updates against current git, existing
| patches will not be replaced.

so please submit another patch on top of what's there currently as
normal.

* Re: [PATCH] ASoC: core: Fix use-after-free in snd_soc_exit()
  2022-10-31 13:05       ` Mark Brown
@ 2022-10-31 13:47         ` Chen Zhongjin
  -1 siblings, 0 replies; 10+ messages in thread
From: Chen Zhongjin @ 2022-10-31 13:47 UTC (permalink / raw)
  To: Mark Brown; +Cc: linux-kernel, alsa-devel, tiwai, perex, lgirdwood

On 2022/10/31 21:05, Mark Brown wrote:
> On Sat, Oct 29, 2022 at 12:34:19PM +0800, Chen Zhongjin wrote:
>
>> Since snd_soc_util_exit is only used in snd_soc_init() and snd_soc_exit(),
>> could you please add this fix to the patch and delete _exit for
>> snd_soc_util_exit()?
>> Or should I send a v2 version to replace current one?
> As the mail you got when the patch was applied said:
>
> | If any updates are required or you are submitting further changes they
> | should be sent as incremental updates against current git, existing
> | patches will not be replaced.
>
> so please submit another patch on top of what's there currently as
> normal.

Thanks for the answer! Will remember for the next time.

Have sent the fix-up patch:

ASoC: soc-utils: Remove __exit for snd_soc_util_exit()


Best,

Chen

