[PATCH] ASoC: core: Fix use-after-free in snd_soc_exit()

Chen Zhongjin chenzhongjin at huawei.com
Sat Oct 29 06:34:19 CEST 2022


Hi,

On 2022/10/29 0:14, Mark Brown wrote:
> On Fri, 28 Oct 2022 11:16:03 +0800, Chen Zhongjin wrote:
>> KASAN reports a use-after-free:
>>
>> BUG: KASAN: use-after-free in device_del+0xb5b/0xc60
>> Read of size 8 at addr ffff888008655050 by task rmmod/387
>> CPU: 2 PID: 387 Comm: rmmod
>> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)
>> Call Trace:
>> <TASK>
>> dump_stack_lvl+0x79/0x9a
>> print_report+0x17f/0x47b
>> kasan_report+0xbb/0xf0
>> device_del+0xb5b/0xc60
>> platform_device_del.part.0+0x24/0x200
>> platform_device_unregister+0x2e/0x40
>> snd_soc_exit+0xa/0x22 [snd_soc_core]
>> __do_sys_delete_module.constprop.0+0x34f/0x5b0
>> do_syscall_64+0x3a/0x90
>> entry_SYSCALL_64_after_hwframe+0x63/0xcd
>> ...
>> </TASK>
>>
>> [...]
> Applied to
>
>     https://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound.git for-next
>
> Thanks!
>
> [1/1] ASoC: core: Fix use-after-free in snd_soc_exit()
>        commit: 6ec27c53886c8963729885bcf2dd996eba2767a7

I noticed that there is a build warning introduced by this patch:

WARNING: modpost: sound/soc/snd-soc-core.o: section mismatch in 
reference: init_module (section: .init.text) -> snd_soc_util_exit 
(section: .exit.text)

It's because it calls __exit snd_soc_util_exit() inside __init snd_soc_init().

Since snd_soc_util_exit() is only used in snd_soc_init() and 
snd_soc_exit(), could you please add this fix to the patch and delete 
__exit for snd_soc_util_exit()?

Or should I send a v2 version to replace the current one?


diff --git a/sound/soc/soc-utils.c b/sound/soc/soc-utils.c
index a3b6df2378b4..a4dba0b751e7 100644
--- a/sound/soc/soc-utils.c
+++ b/sound/soc/soc-utils.c
@@ -264,7 +264,7 @@ int __init snd_soc_util_init(void)
         return ret;
  }

-void __exit snd_soc_util_exit(void)
+void snd_soc_util_exit(void)
  {
         platform_driver_unregister(&soc_dummy_driver);
         platform_device_unregister(soc_dummy_dev);
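
Review bot: Removing __exit at the definition of snd_soc_util_exit() leaves nothing in the code to say why this teardown function is unannotated while snd_soc_util_init() in the same hunk keeps __init. A one-line comment above the definition noting that it is also called from snd_soc_init() would keep someone from re-adding the annotation and bringing back the modpost section mismatch. The hunk touches only the definition in soc-utils.c, so if a declaration of snd_soc_util_exit() elsewhere carries __exit it needs the same change. The context lines here are also indented with spaces (note the two spaces before the closing brace), so the diff as pasted may not apply cleanly; sending it as an incremental follow-up patch with its own changelog and Signed-off-by would take care of that.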


Thanks!

Best,

Chen

> All being well this means that it will be integrated into the linux-next
> tree (usually sometime in the next 24 hours) and sent to Linus during
> the next merge window (or sooner if it is a bug fix), however if
> problems are discovered then the patch may be dropped or reverted.
>
> You may get further e-mails resulting from automated or manual testing
> and review of the tree, please engage with people reporting problems and
> send followup patches addressing any issues that are reported if needed.
>
> If any updates are required or you are submitting further changes they
> should be sent as incremental updates against current git, existing
> patches will not be replaced.
>
> Please add any relevant lists and maintainers to the CCs when replying
> to this mail.
>
> Thanks,
> Mark

