[PATCH] ALSA: core: Fix the debugfs removal at snd_card_free()

From: Takashi Iwai <tiwai@suse.de>
To: alsa-devel@alsa-project.org
Cc: Hui Wang <hui.wang@canonical.com>,
	Chris Wilson <chris@chris-wilson.co.uk>
Subject: [PATCH] ALSA: core: Fix the debugfs removal at snd_card_free()
Date: Tue,  2 Feb 2021 23:56:29 +0100	[thread overview]
Message-ID: <20210202225629.1965-1-tiwai@suse.de> (raw)

The commit 2d670ea2bd53 ("ALSA: jack: implement software jack
injection via debugfs") introduced a debugfs root for each sound card
object.  The debugfs entry gets removed at the card removal, too, but
it turned out that debugfs_remove() is called at a wrong place; it's
after the card object gets freed, hence it leads to use-after-free.

Fix it by moving the debugfs_remove() at the right place, the
destructor of the card device.

Fixes: 2d670ea2bd53 ("ALSA: jack: implement software jack injection via debugfs")
Reported-and-tested-by: Chris Wilson <chris@chris-wilson.co.uk>
Link: https://lore.kernel.org/r/161228343605.1150.8862281636043446562@build.alporthouse.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
---
 sound/core/init.c | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/sound/core/init.c b/sound/core/init.c
index d4e78b176793..84b573e9c1f9 100644
--- a/sound/core/init.c
+++ b/sound/core/init.c
@@ -487,6 +487,10 @@ static int snd_card_do_free(struct snd_card *card)
 		dev_warn(card->dev, "unable to free card info\n");
 		/* Not fatal error */
 	}
+#ifdef CONFIG_SND_DEBUG
+	debugfs_remove(card->debugfs_root);
+	card->debugfs_root = NULL;
+#endif
 	if (card->release_completion)
 		complete(card->release_completion);
 	kfree(card);
@@ -537,11 +541,6 @@ int snd_card_free(struct snd_card *card)
 	/* wait, until all devices are ready for the free operation */
 	wait_for_completion(&released);
 
-#ifdef CONFIG_SND_DEBUG
-	debugfs_remove(card->debugfs_root);
-	card->debugfs_root = NULL;
-#endif
-
 	return 0;
 }
 EXPORT_SYMBOL(snd_card_free);
-- 
2.26.2

