From patchwork Mon Jul 11 17:51:06 2016
X-Patchwork-Submitter: Peter Wu
X-Patchwork-Id: 9223907
From: Peter Wu
To: Takashi Iwai
Date: Mon, 11 Jul 2016 19:51:06 +0200
Message-Id: <20160711175106.5349-1-peter@lekensteyn.nl>
Cc: alsa-devel@alsa-project.org
Subject: [alsa-devel] [PATCH v2] snd/hda: fix use-after-free after module unload

register_vga_switcheroo() sets the PM ops from the hda structure which is
freed later in azx_free. Make sure that these ops are cleared. Caught by
KASAN, initially noticed due to a general protection fault.

Fixes: 246efa4a072f ("snd/hda: add runtime suspend/resume on optimus support (v4)")
Signed-off-by: Peter Wu
---
Maybe Cc stable?
---
 sound/pci/hda/hda_intel.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/sound/pci/hda/hda_intel.c b/sound/pci/hda/hda_intel.c index 94089fc..4aeed98 100644 --- a/sound/pci/hda/hda_intel.c +++ b/sound/pci/hda/hda_intel.c
@@ -1217,8 +1217,10 @@ static int azx_free(struct azx *chip) if (use_vga_switcheroo(hda)) { if (chip->disabled && hda->probe_continued) snd_hda_unlock_devices(&chip->bus); - if (hda->vga_switcheroo_registered) + if (hda->vga_switcheroo_registered) { vga_switcheroo_unregister_client(chip->pci); + vga_switcheroo_fini_domain_pm_ops(chip->card->dev); + } } if (bus->chip_init) {
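Review bot: The added vga_switcheroo_fini_domain_pm_ops(chip->card->dev) call only runs when hda->vga_switcheroo_registered is set, so the fix is complete only if the PM ops are never installed on a path that leaves that flag clear. Please confirm in register_vga_switcheroo() that the ops are set strictly after the flag, otherwise the device can still point at ops inside the hda structure once azx_free() releases it. The call also dereferences chip->card without a check. If azx_free() can be reached before chip->card is assigned, that needs a guard. A one-line comment above the new call saying that the ops live in the hda structure freed later in this function would keep the line from being dropped as redundant in a later cleanup. Since the commit message names the commit being fixed and describes a use-after-free on module unload, the stable question under the "---" seems worth resolving before this is applied.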