diff mbox series

[v2,3/3] ASoC: topology: Prevent use-after-free in snd_soc_get_pcm_runtime()

Message ID 20191218000518.5830-4-pierre-louis.bossart@linux.intel.com (mailing list archive)
State Accepted
Commit 72b46612d06b83851e2e4f7b538a0bbeb69c10de
Headers show
Series More stability fixes for corner cases. | expand

Commit Message

Pierre-Louis Bossart Dec. 18, 2019, 12:05 a.m. UTC 
From: Dragos Tarcatu <dragos_tarcatu@mentor.com>

remove_link() is currently calling snd_soc_remove_pcm_runtime() after
it has already freed the memory for the link name. But this is later
read from snd_soc_get_pcm_runtime() causing a KASAN use-after-free
warning. Reorder the cleanups to fix this issue.

Reviewed-by: Ranjani Sridharan <ranjani.sridharan@linux.intel.com>
Signed-off-by: Dragos Tarcatu <dragos_tarcatu@mentor.com>
Signed-off-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
---
 sound/soc/soc-topology.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

Comments

Kuninori Morimoto Dec. 18, 2019, 1:57 a.m. UTC | #1 
Hi Pierre-Louis

> From: Dragos Tarcatu <dragos_tarcatu@mentor.com>
> 
> remove_link() is currently calling snd_soc_remove_pcm_runtime() after
> it has already freed the memory for the link name. But this is later
> read from snd_soc_get_pcm_runtime() causing a KASAN use-after-free
> warning. Reorder the cleanups to fix this issue.
> 
> Reviewed-by: Ranjani Sridharan <ranjani.sridharan@linux.intel.com>
> Signed-off-by: Dragos Tarcatu <dragos_tarcatu@mentor.com>
> Signed-off-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
> ---
>  sound/soc/soc-topology.c | 8 ++++----
>  1 file changed, 4 insertions(+), 4 deletions(-)
> 
> diff --git a/sound/soc/soc-topology.c b/sound/soc/soc-topology.c
> index f8bd406c6198..2b3c74a0b126 100644
> --- a/sound/soc/soc-topology.c
> +++ b/sound/soc/soc-topology.c
> @@ -548,14 +548,14 @@ static void remove_link(struct snd_soc_component *comp,
>  	if (dobj->ops && dobj->ops->link_unload)
>  		dobj->ops->link_unload(comp, dobj);
>  
> -	kfree(link->name);
> -	kfree(link->stream_name);
> -	kfree(link->cpus->dai_name);
> -
>  	list_del(&dobj->list);
>  
>  	snd_soc_remove_pcm_runtime(comp->card,
>  			snd_soc_get_pcm_runtime(comp->card, link));
> +
> +	kfree(link->name);
> +	kfree(link->stream_name);
> +	kfree(link->cpus->dai_name);
>  	kfree(link);
>  }

Acked-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>

Thank you for your help !!
Best regards
---
Kuninori Morimoto
diff mbox series

Patch

diff --git a/sound/soc/soc-topology.c b/sound/soc/soc-topology.c
index f8bd406c6198..2b3c74a0b126 100644
--- a/sound/soc/soc-topology.c
+++ b/sound/soc/soc-topology.c
@@ -548,14 +548,14 @@  static void remove_link(struct snd_soc_component *comp,
 	if (dobj->ops && dobj->ops->link_unload)
 		dobj->ops->link_unload(comp, dobj);
 
-	kfree(link->name);
-	kfree(link->stream_name);
-	kfree(link->cpus->dai_name);
-
 	list_del(&dobj->list);
 
 	snd_soc_remove_pcm_runtime(comp->card,
 			snd_soc_get_pcm_runtime(comp->card, link));
+
+	kfree(link->name);
+	kfree(link->stream_name);
+	kfree(link->cpus->dai_name);
 	kfree(link);
 }