From patchwork Thu Mar 17 02:58:06 2016
X-Patchwork-Submitter: Shuah Khan
X-Patchwork-Id: 8606701
From: Shuah Khan
To: mchehab@osg.samsung.com, perex@perex.cz
Cc: Shuah Khan, alsa-devel@alsa-project.org, linux-media@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH] sound/usb: Fix memory leak in media_snd_stream_delete() during unbind
Date: Wed, 16 Mar 2016 20:58:06 -0600
Message-Id: <1458183486-8113-1-git-send-email-shuahkh@osg.samsung.com>

media_snd_stream_delete() fails to release resources during unbind. This
leads to use-after-free in media_gobj_create() on a subsequent bind.

[ 1445.086410] BUG: KASAN: use-after-free in media_gobj_create+0x3a1/0x470 [media] at addr ffff8801ead49998
[ 1445.086771] Call Trace:
[ 1445.086779] [] dump_stack+0x67/0x94
[ 1445.086785] [] print_trailer+0xf9/0x150
[ 1445.086790] [] object_err+0x34/0x40
[ 1445.086796] [] kasan_report_error+0x221/0x530
[ 1445.086803] [] __asan_report_store8_noabort+0x43/0x50
[ 1445.086813] [] ? media_gobj_create+0x3a1/0x470 [media]
[ 1445.086822] [] media_gobj_create+0x3a1/0x470 [media]
[ 1445.086831] [] media_device_register_entity+0x259/0x6f0 [media]
[ 1445.086841] [] ? media_device_unregister_entity_notify+0x100/0x100 [media]
[ 1445.086846] [] ? ___slab_alloc+0x172/0x500
[ 1445.086854] [] ? mark_held_locks+0xc8/0x120
[ 1445.086859] [] ? __slab_alloc+0x50/0x70
[ 1445.086878] [] ? media_snd_mixer_init+0x16c/0x500 [snd_usb_audio]
[ 1445.086884] [] ? kasan_unpoison_shadow+0x36/0x50
[ 1445.086890] [] ? kasan_unpoison_shadow+0x36/0x50
[ 1445.086895] [] ? kasan_kmalloc+0x5e/0x70

Signed-off-by: Shuah Khan
Acked-by: Takashi Iwai
---
 sound/usb/media.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sound/usb/media.c b/sound/usb/media.c index 44a5de9..0d03773 100644 --- a/sound/usb/media.c +++ b/sound/usb/media.c @@ -135,7 +135,7 @@ void media_snd_stream_delete(struct snd_usb_substream *subs) if (mctl && mctl->media_dev) { struct media_device *mdev; - mdev = subs->stream->chip->media_dev; + mdev = mctl->media_dev; if (mdev && media_devnode_is_registered(&mdev->devnode)) { media_devnode_remove(mctl->intf_devnode); media_device_unregister_entity(&mctl->media_entity);
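
Review bot: The mdev && test in the inner condition, if (mdev && media_devnode_is_registered(&mdev->devnode)), is redundant after this change, because mdev is now assigned from mctl->media_dev and the enclosing if (mctl && mctl->media_dev) has already established that it is non-NULL. Either drop the local NULL test or drop the mdev variable and pass &mctl->media_dev->devnode directly. The changelog should also say why subs->stream->chip->media_dev is the wrong source at unbind time (the visible lines suggest the cleanup was being skipped when that pointer failed the check, but the message never states it), and the subject says "memory leak" while the body and the KASAN report describe a use-after-free in media_gobj_create(); one sentence tying the unreleased devnode and entity to the later use-after-free would make the fix easier to verify and to backport.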