ASoC: Fix use after free
diff mbox

Message ID 1394609679-10045-1-git-send-email-lars@metafoo.de
State Accepted
Commit 5c1d5f091dc39eecf9a34a8be01492d14c23ad91
Headers show

Commit Message

Lars-Peter Clausen March 12, 2014, 7:34 a.m. UTC
Freeing the current list element while iterating over the list will cause a use
after free since the iterator function will still use the current element to
look up the next. Use list_for_each_safe() and remove the element from the list
before freeing it to avoid this.

Fixes: 1438c2f60b ("ASoC: Add a per component dai list")
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
---
 sound/soc/soc-core.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

Comments

Mark Brown March 12, 2014, 12:07 p.m. UTC | #1
On Wed, Mar 12, 2014 at 08:34:39AM +0100, Lars-Peter Clausen wrote:
> Freeing the current list element while iterating over the list will cause a use
> after free since the iterator function will still use the current element to
> look up the next. Use list_for_each_safe() and remove the element from the list
> before freeing it to avoid this.

Applied, thanks.

Patch
diff mbox

diff --git a/sound/soc/soc-core.c b/sound/soc/soc-core.c
index f67cef4..dac616d 100644
--- a/sound/soc/soc-core.c
+++ b/sound/soc/soc-core.c
@@ -3928,11 +3928,12 @@  static inline char *fmt_multiple_name(struct device *dev,
  */
 static void snd_soc_unregister_dais(struct snd_soc_component *component)
 {
-	struct snd_soc_dai *dai;
+	struct snd_soc_dai *dai, *_dai;
 
-	list_for_each_entry(dai, &component->dai_list, list) {
+	list_for_each_entry_safe(dai, _dai, &component->dai_list, list) {
 		dev_dbg(component->dev, "ASoC: Unregistered DAI '%s'\n",
 			dai->name);
+		list_del(&dai->list);
 		kfree(dai->name);
 		kfree(dai);
 	}