Hi,
this is a test patch set for addressing the UAF problems with delayed kobj releases reported by Curtis: https://lore.kernel.org/r/20230801171928.1460120-1-cujomalainey@chromium.org
The patch introduced a simple helper for allocating memory with a refcount, and converts the card object, control, PCM and compress objects to the new type. With the refcount, the actual memory release is delayed until all referrers are gone.
It's just an RFC and only lightly tested. I myself am not sure whether this is the best way to go. It might be better to take Curtis' approach, just converting the device to its own allocation, too. (But I don't know whether Curtis' patch set covers all cases -- can there still be a UAF of card_dev due to devres vs kobj release?)
thanks,
Takashi
===
Takashi Iwai (6):
  ALSA: core: Introduced referenced memory allocator
  ALSA: core: Fix potential UAF by delayed kobject release of card_dev
  ALSA: core: Associate memory reference with device initialization
  ALSA: pcm: Release memory with reference
  ALSA: control: Reference card by ctl_dev
  ALSA: compress: Reference card by the device

 include/sound/core.h           |   7 ++-
 sound/core/compress_offload.c  |   2 +-
 sound/core/control.c           |   2 +-
 sound/core/hwdep.c             |   2 +-
 sound/core/init.c              | 105 +++++++++++++++++++++++++++------
 sound/core/pcm.c               |   6 +-
 sound/core/rawmidi.c           |   2 +-
 sound/core/seq/seq_clientmgr.c |   2 +-
 sound/core/timer.c             |   2 +-
 9 files changed, 101 insertions(+), 29 deletions(-)
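As an added illustration of the idea described in the cover letter (a refcounted allocation whose memory survives until the last referrer drops it), and not code from the patch set or from ALSA: the header struct, the refmem_* names and the stand-in card struct below are all hypothetical, and the simulation models the devres-first, kobject-later release order in plain userspace C.

```c
#include <stdlib.h>
#include <string.h>
/* Hypothetical refcount header placed in front of an allocation: an
 * illustration of the cover letter's idea, not the ALSA helper itself. */
struct refmem {
	unsigned int refs;	/* object data follows the header */
};

static struct refmem *to_refmem(void *obj) { return (struct refmem *)obj - 1; }

/* Allocate zeroed memory that starts out holding a single reference. */
void *refmem_alloc(size_t size)
{
	struct refmem *rm = calloc(1, sizeof(*rm) + size);
	if (!rm)
		return NULL;
	rm->refs = 1;
	return rm + 1;
}

void *refmem_get(void *obj) { to_refmem(obj)->refs++; return obj; }

/* Drop one reference; returns 1 only when the last referrer is gone and freed. */
int refmem_put(void *obj)
{
	struct refmem *rm = to_refmem(obj);
	if (--rm->refs)
		return 0;
	free(rm);
	return 1;
}

struct card { int number; char id[16]; };	/* constructed stand-in for the card */

/* Model the ordering the cover letter worries about: the devres release drops
 * its reference first, while the delayed kobject release still dereferences
 * the card. Returns 1 when the card memory survived until that last release. */
int simulate_delayed_kobj_release(void)
{
	struct card *card = refmem_alloc(sizeof(*card));
	if (!card)
		return -1;
	strcpy(card->id, "card0");
	refmem_get(card);			/* the kobject takes its own reference */
	if (refmem_put(card))			/* devres release: must not free yet */
		return 0;
	int still_valid = strcmp(card->id, "card0") == 0;	/* kobject release path */
	return still_valid && refmem_put(card);	/* last put frees the memory */
}
```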