Re: [alsa-devel] [PATCH] snd/hda: fix use-after-free after module unload
On Sat, 09 Jul 2016 16:38:57 +0200, Peter Wu wrote:
register_vga_switcheroo() sets the PM ops from the hda structure which is freed later in azx_free. Make sure that these ops are cleared.
Caught by KASAN.
Fixes: 246efa4a072f ("snd/hda: add runtime suspend/resume on optimus support (v4)") Signed-off-by: Peter Wu peter@lekensteyn.nl
sound/pci/hda/hda_intel.c | 1 + 1 file changed, 1 insertion(+)
diff --git a/sound/pci/hda/hda_intel.c b/sound/pci/hda/hda_intel.c index 94089fc..a339066 100644 --- a/sound/pci/hda/hda_intel.c +++ b/sound/pci/hda/hda_intel.c @@ -1219,6 +1219,7 @@ static int azx_free(struct azx *chip) snd_hda_unlock_devices(&chip->bus); if (hda->vga_switcheroo_registered) vga_switcheroo_unregister_client(chip->pci);
vga_switcheroo_fini_domain_pm_ops(chip->card->dev);
The domain pm ops is set only when hda->vga_switcheroo_registered flag is set. So the call should be in the previous if block.
Also, the indentation looks wrong. Please use the correct indentation.
Could you resubmit with these fixes?
thanks,
Takashi
On Mon, Jul 11, 2016 at 12:42:27PM +0200, Takashi Iwai wrote:
On Sat, 09 Jul 2016 16:38:57 +0200, Peter Wu wrote:
register_vga_switcheroo() sets the PM ops from the hda structure which is freed later in azx_free. Make sure that these ops are cleared.
Caught by KASAN.
Fixes: 246efa4a072f ("snd/hda: add runtime suspend/resume on optimus support (v4)") Signed-off-by: Peter Wu peter@lekensteyn.nl
sound/pci/hda/hda_intel.c | 1 + 1 file changed, 1 insertion(+)
diff --git a/sound/pci/hda/hda_intel.c b/sound/pci/hda/hda_intel.c index 94089fc..a339066 100644 --- a/sound/pci/hda/hda_intel.c +++ b/sound/pci/hda/hda_intel.c @@ -1219,6 +1219,7 @@ static int azx_free(struct azx *chip) snd_hda_unlock_devices(&chip->bus); if (hda->vga_switcheroo_registered) vga_switcheroo_unregister_client(chip->pci);
vga_switcheroo_fini_domain_pm_ops(chip->card->dev);The domain pm ops is set only when hda->vga_switcheroo_registered flag is set. So the call should be in the previous if block.
Yes that would be cleaner, will do that.
Also, the indentation looks wrong. Please use the correct indentation.
Noticed too late that the editor config was wrong on the testing machine.
Could you resubmit with these fixes?
I will, thanks for the feedback!
register_vga_switcheroo() sets the PM ops from the hda structure which is freed later in azx_free. Make sure that these ops are cleared.
Caught by KASAN, initially noticed due to a general protection fault.
Fixes: 246efa4a072f ("snd/hda: add runtime suspend/resume on optimus support (v4)") Signed-off-by: Peter Wu peter@lekensteyn.nl --- Maybe Cc stable? --- sound/pci/hda/hda_intel.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/sound/pci/hda/hda_intel.c b/sound/pci/hda/hda_intel.c index 94089fc..4aeed98 100644 --- a/sound/pci/hda/hda_intel.c +++ b/sound/pci/hda/hda_intel.c @@ -1217,8 +1217,10 @@ static int azx_free(struct azx *chip) if (use_vga_switcheroo(hda)) { if (chip->disabled && hda->probe_continued) snd_hda_unlock_devices(&chip->bus); - if (hda->vga_switcheroo_registered) + if (hda->vga_switcheroo_registered) { vga_switcheroo_unregister_client(chip->pci); + vga_switcheroo_fini_domain_pm_ops(chip->card->dev); + } }
if (bus->chip_init) {
On Mon, 11 Jul 2016 19:51:06 +0200, Peter Wu wrote:
register_vga_switcheroo() sets the PM ops from the hda structure which is freed later in azx_free. Make sure that these ops are cleared.
Caught by KASAN, initially noticed due to a general protection fault.
Fixes: 246efa4a072f ("snd/hda: add runtime suspend/resume on optimus support (v4)") Signed-off-by: Peter Wu peter@lekensteyn.nl
Maybe Cc stable?
Yes, I applied with Cc to stable now.
thanks,
Takashi
participants (2)
-
Peter Wu -
Takashi Iwai