| Message ID | 1394609679-10045-1-git-send-email-lars@metafoo.de (mailing list archive) |
|---|---|
| State | Accepted |
| Commit | 5c1d5f091dc39eecf9a34a8be01492d14c23ad91 |
| Headers | show |
On Wed, Mar 12, 2014 at 08:34:39AM +0100, Lars-Peter Clausen wrote: > Freeing the current list element while iterating over the list will cause a use > after free since the iterator function will still use the current element to > look up the next. Use list_for_each_safe() and remove the element from the list > before freeing it to avoid this. Applied, thanks.
diff --git a/sound/soc/soc-core.c b/sound/soc/soc-core.c index f67cef4..dac616d 100644 --- a/sound/soc/soc-core.c +++ b/sound/soc/soc-core.c @@ -3928,11 +3928,12 @@ static inline char *fmt_multiple_name(struct device *dev, */ static void snd_soc_unregister_dais(struct snd_soc_component *component) { - struct snd_soc_dai *dai; + struct snd_soc_dai *dai, *_dai; - list_for_each_entry(dai, &component->dai_list, list) { + list_for_each_entry_safe(dai, _dai, &component->dai_list, list) { dev_dbg(component->dev, "ASoC: Unregistered DAI '%s'\n", dai->name); + list_del(&dai->list); kfree(dai->name); kfree(dai); }
Freeing the current list element while iterating over the list will cause a use after free since the iterator function will still use the current element to look up the next. Use list_for_each_safe() and remove the element from the list before freeing it to avoid this. Fixes: 1438c2f60b ("ASoC: Add a per component dai list") Reported-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Lars-Peter Clausen <lars@metafoo.de> --- sound/soc/soc-core.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-)