[alsa-devel] [PATCH 3/3] ASoC: topology: Prevent use-after-free in snd_soc_get_pcm_runtime()
Kuninori Morimoto
kuninori.morimoto.gx at renesas.com
Thu Dec 5 01:11:37 CET 2019
Hi
> From: Dragos Tarcatu <dragos_tarcatu at mentor.com>
>
> remove_link() is currently calling snd_soc_remove_dai_link() after
> it has already freed the memory for the link name. But this is later
> read from snd_soc_get_pcm_runtime() causing a KASAN use-after-free
> warning. Reorder the cleanups to fix this issue.
>
> Reviewed-by: Ranjani Sridharan <ranjani.sridharan at linux.intel.com>
> Signed-off-by: Dragos Tarcatu <dragos_tarcatu at mentor.com>
> Signed-off-by: Pierre-Louis Bossart <pierre-louis.bossart at linux.intel.com>
> ---
> sound/soc/soc-topology.c | 6 +++---
> 1 file changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/sound/soc/soc-topology.c b/sound/soc/soc-topology.c
> index 81d2af000a5c..248530d028a6 100644
> --- a/sound/soc/soc-topology.c
> +++ b/sound/soc/soc-topology.c
> @@ -548,12 +548,12 @@ static void remove_link(struct snd_soc_component *comp,
> if (dobj->ops && dobj->ops->link_unload)
> dobj->ops->link_unload(comp, dobj);
>
> + list_del(&dobj->list);
> + snd_soc_remove_dai_link(comp->card, link);
> +
> kfree(link->name);
> kfree(link->stream_name);
> kfree(link->cpus->dai_name);
> -
> - list_del(&dobj->list);
> - snd_soc_remove_dai_link(comp->card, link);
> kfree(link);
> }
Yeah, indeed this is needed, I think.
Reviewed-by: Kuninori Morimoto <kuninori.morimoto.gx at renesas.com>
Thank you for your help !!
Best regards
---
Kuninori Morimoto
More information about the Alsa-devel
mailing list