From patchwork Thu Mar 17 02:58:06 2016
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Shuah Khan <shuahkh@osg.samsung.com>
X-Patchwork-Id: 8606691
Return-Path: <alsa-devel-bounces@alsa-project.org>
X-Original-To: patchwork-alsa-devel@patchwork.kernel.org
Delivered-To: patchwork-parsemail@patchwork1.web.kernel.org
Received: from mail.kernel.org (mail.kernel.org [198.145.29.136])
	by patchwork1.web.kernel.org (Postfix) with ESMTP id 66C799F294
	for <patchwork-alsa-devel@patchwork.kernel.org>;
	Thu, 17 Mar 2016 02:58:35 +0000 (UTC)
Received: from mail.kernel.org (localhost [127.0.0.1])
	by mail.kernel.org (Postfix) with ESMTP id 8E97C20279
	for <patchwork-alsa-devel@patchwork.kernel.org>;
	Thu, 17 Mar 2016 02:58:34 +0000 (UTC)
Received: from alsa0.perex.cz (alsa0.perex.cz [77.48.224.243])
	by mail.kernel.org (Postfix) with ESMTP id D9DC5200E6
	for <patchwork-alsa-devel@patchwork.kernel.org>;
	Thu, 17 Mar 2016 02:58:31 +0000 (UTC)
Received: by alsa0.perex.cz (Postfix, from userid 1000)
	id 597C72663E1; Thu, 17 Mar 2016 03:58:30 +0100 (CET)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00, RCVD_IN_DNSWL_NONE,
	UNPARSEABLE_RELAY autolearn=unavailable version=3.3.1
Received: from alsa0.perex.cz (localhost [127.0.0.1])
	by alsa0.perex.cz (Postfix) with ESMTP id 684BF261585;
	Thu, 17 Mar 2016 03:58:22 +0100 (CET)
X-Original-To: alsa-devel@alsa-project.org
Delivered-To: alsa-devel@alsa-project.org
Received: by alsa0.perex.cz (Postfix, from userid 1000)
	id 90CBE261564; Thu, 17 Mar 2016 03:58:21 +0100 (CET)
Received: from mailout.easymail.ca (mailout.easymail.ca [64.68.201.169])
	by alsa0.perex.cz (Postfix) with ESMTP id 474EC261564
	for <alsa-devel@alsa-project.org>;
	Thu, 17 Mar 2016 03:58:13 +0100 (CET)
Received: from localhost (localhost [127.0.0.1])
	by mailout.easymail.ca (Postfix) with ESMTP id E85B3F713;
	Wed, 16 Mar 2016 22:58:08 -0400 (EDT)
X-Virus-Scanned: Debian amavisd-new at mailout.easymail.ca
Received: from mailout.easymail.ca ([127.0.0.1])
	by localhost (easymail-mailout.easydns.vpn [127.0.0.1]) (amavisd-new,
	port 10024)
	with ESMTP id 3htWZeUVy081; Wed, 16 Mar 2016 22:58:08 -0400 (EDT)
Received: from mail.gonehiking.org (c-73-181-52-62.hsd1.co.comcast.net
	[73.181.52.62])
	by mailout.easymail.ca (Postfix) with ESMTPA id 68FA5F712;
	Wed, 16 Mar 2016 22:58:08 -0400 (EDT)
Received: from lorien.internal (lorien-wl.internal [192.168.1.40])
	by mail.gonehiking.org (Postfix) with ESMTP id E65719F373;
	Wed, 16 Mar 2016 20:58:07 -0600 (MDT)
From: Shuah Khan <shuahkh@osg.samsung.com>
To: mchehab@osg.samsung.com,
	perex@perex.cz
Date: Wed, 16 Mar 2016 20:58:06 -0600
Message-Id: <1458183486-8113-1-git-send-email-shuahkh@osg.samsung.com>
X-Mailer: git-send-email 2.5.0
Cc: linux-kernel@vger.kernel.org, alsa-devel@alsa-project.org,
	Shuah Khan <shuahkh@osg.samsung.com>, linux-media@vger.kernel.org
Subject: [alsa-devel] [PATCH] sound/usb: Fix memory leak in
	media_snd_stream_delete() during unbind
X-BeenThere: alsa-devel@alsa-project.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: "Alsa-devel mailing list for ALSA developers -
	http://www.alsa-project.org" <alsa-devel.alsa-project.org>
List-Unsubscribe: 
 <http://mailman.alsa-project.org/mailman/options/alsa-devel>,
	<mailto:alsa-devel-request@alsa-project.org?subject=unsubscribe>
List-Archive: <http://mailman.alsa-project.org/pipermail/alsa-devel/>
List-Post: <mailto:alsa-devel@alsa-project.org>
List-Help: <mailto:alsa-devel-request@alsa-project.org?subject=help>
List-Subscribe: <http://mailman.alsa-project.org/mailman/listinfo/alsa-devel>,
	<mailto:alsa-devel-request@alsa-project.org?subject=subscribe>
MIME-Version: 1.0
Errors-To: alsa-devel-bounces@alsa-project.org
Sender: alsa-devel-bounces@alsa-project.org
X-Virus-Scanned: ClamAV using ClamSMTP

media_snd_stream_delete() fails to release resources during unbind. This
leads to use-after-free in media_gobj_create() on a subsequent bind.

[ 1445.086410] BUG: KASAN: use-after-free in media_gobj_create+0x3a1/0x470 [media] at addr ffff8801ead49998

[ 1445.086771] Call Trace:
[ 1445.086779]  [<ffffffff81ade373>] dump_stack+0x67/0x94
[ 1445.086785]  [<ffffffff81523c29>] print_trailer+0xf9/0x150
[ 1445.086790]  [<ffffffff81529644>] object_err+0x34/0x40
[ 1445.086796]  [<ffffffff8152b9e1>] kasan_report_error+0x221/0x530
[ 1445.086803]  [<ffffffff8152bfb3>] __asan_report_store8_noabort+0x43/0x50
[ 1445.086813]  [<ffffffffa0a79341>] ? media_gobj_create+0x3a1/0x470 [media]
[ 1445.086822]  [<ffffffffa0a79341>] media_gobj_create+0x3a1/0x470 [media]
[ 1445.086831]  [<ffffffffa0a705a9>] media_device_register_entity+0x259/0x6f0 [media]
[ 1445.086841]  [<ffffffffa0a70350>] ? media_device_unregister_entity_notify+0x100/0x100 [media]
[ 1445.086846]  [<ffffffff81526232>] ? ___slab_alloc+0x172/0x500
[ 1445.086854]  [<ffffffff81203548>] ? mark_held_locks+0xc8/0x120
[ 1445.086859]  [<ffffffff81526610>] ? __slab_alloc+0x50/0x70
[ 1445.086878]  [<ffffffffa0fe711c>] ? media_snd_mixer_init+0x16c/0x500 [snd_usb_audio]
[ 1445.086884]  [<ffffffff8152b086>] ? kasan_unpoison_shadow+0x36/0x50
[ 1445.086890]  [<ffffffff8152b086>] ? kasan_unpoison_shadow+0x36/0x50
[ 1445.086895]  [<ffffffff8152b0fe>] ? kasan_kmalloc+0x5e/0x70

Signed-off-by: Shuah Khan <shuahkh@osg.samsung.com>
Acked-by: Takashi Iwai <tiwai@suse.de>
---
 sound/usb/media.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sound/usb/media.c b/sound/usb/media.c
index 44a5de9..0d03773 100644
--- a/sound/usb/media.c
+++ b/sound/usb/media.c
@@ -135,7 +135,7 @@ void media_snd_stream_delete(struct snd_usb_substream *subs)
 	if (mctl && mctl->media_dev) {
 		struct media_device *mdev;
 
-		mdev = subs->stream->chip->media_dev;
+		mdev = mctl->media_dev;
 		if (mdev && media_devnode_is_registered(&mdev->devnode)) {
 			media_devnode_remove(mctl->intf_devnode);
 			media_device_unregister_entity(&mctl->media_entity);