diff mbox

[v2,12/12] ASoC: Fix use-after-free at card unregistration

Message ID 1497857229-12049-13-git-send-email-robert.jarzmik@free.fr (mailing list archive)
State New, archived
Headers show

Commit Message

Robert Jarzmik June 19, 2017, 7:27 a.m. UTC
From: Takashi Iwai <tiwai@suse.de>

soc_cleanup_card_resources() call snd_card_free() at the last of its
procedure.  This turned out to lead to a use-after-free.
PCM runtimes have been already removed via soc_remove_pcm_runtimes(),
while it's dereferenced later in soc_pcm_free() called via
snd_card_free().

The fix is simple: just move the snd_card_free() call to the beginning
of the whole procedure.  This also gives another benefit: it
guarantees that all operations have been shut down before actually
releasing the resources, which was racy until now.

Reported-and-tested-by: Robert Jarzmik <robert.jarzmik@free.fr>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
---
 sound/soc/soc-core.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

Comments

Takashi Iwai June 19, 2017, 9:25 a.m. UTC | #1
On Mon, 19 Jun 2017 09:27:09 +0200,
Robert Jarzmik wrote:
> 
> From: Takashi Iwai <tiwai@suse.de>
> 
> soc_cleanup_card_resources() call snd_card_free() at the last of its
> procedure.  This turned out to lead to a use-after-free.
> PCM runtimes have been already removed via soc_remove_pcm_runtimes(),
> while it's dereferenced later in soc_pcm_free() called via
> snd_card_free().
> 
> The fix is simple: just move the snd_card_free() call to the beginning
> of the whole procedure.  This also gives another benefit: it
> guarantees that all operations have been shut down before actually
> releasing the resources, which was racy until now.
> 
> Reported-and-tested-by: Robert Jarzmik <robert.jarzmik@free.fr>
> Cc: <stable@vger.kernel.org>
> Signed-off-by: Takashi Iwai <tiwai@suse.de>

This patch must be superfluous :)


Takashi


> ---
>  sound/soc/soc-core.c | 5 +++--
>  1 file changed, 3 insertions(+), 2 deletions(-)
> 
> diff --git a/sound/soc/soc-core.c b/sound/soc/soc-core.c
> index 2722bb0c5573..98d60f471c5d 100644
> --- a/sound/soc/soc-core.c
> +++ b/sound/soc/soc-core.c
> @@ -2286,6 +2286,9 @@ static int soc_cleanup_card_resources(struct snd_soc_card *card)
>  	list_for_each_entry(rtd, &card->rtd_list, list)
>  		flush_delayed_work(&rtd->delayed_work);
>  
> +	/* free the ALSA card at first; this syncs with pending operations */
> +	snd_card_free(card->snd_card);
> +
>  	/* remove and free each DAI */
>  	soc_remove_dai_links(card);
>  	soc_remove_pcm_runtimes(card);
> @@ -2300,9 +2303,7 @@ static int soc_cleanup_card_resources(struct snd_soc_card *card)
>  	if (card->remove)
>  		card->remove(card);
>  
> -	snd_card_free(card->snd_card);
>  	return 0;
> -
>  }
>  
>  /* removes a socdev */
> -- 
> 2.1.4
> 
> 
--
To unsubscribe from this list: send the line "unsubscribe linux-input" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Robert Jarzmik June 19, 2017, 11:57 a.m. UTC | #2
Takashi Iwai <tiwai@suse.de> writes:

> On Mon, 19 Jun 2017 09:27:09 +0200,
> Robert Jarzmik wrote:
>> 
>> From: Takashi Iwai <tiwai@suse.de>
>> 
>> soc_cleanup_card_resources() call snd_card_free() at the last of its
>> procedure.  This turned out to lead to a use-after-free.
>> PCM runtimes have been already removed via soc_remove_pcm_runtimes(),
>> while it's dereferenced later in soc_pcm_free() called via
>> snd_card_free().
>> 
>> The fix is simple: just move the snd_card_free() call to the beginning
>> of the whole procedure.  This also gives another benefit: it
>> guarantees that all operations have been shut down before actually
>> releasing the resources, which was racy until now.
>> 
>> Reported-and-tested-by: Robert Jarzmik <robert.jarzmik@free.fr>
>> Cc: <stable@vger.kernel.org>
>> Signed-off-by: Takashi Iwai <tiwai@suse.de>
>
> This patch must be superfluous :)
Haha :)

My serie shifted by one, so the very first of the serie is therefore missing,
formerly "ALSA: ac97: split out the generic ac97 registers" in
https://patchwork.kernel.org/patch/9398143/, and the shift triggered the
inclusion of the last patch of my tree, ie. yours :)

Cheers.

--
Robert
--
To unsubscribe from this list: send the line "unsubscribe linux-input" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Mark Brown June 28, 2017, 7:53 p.m. UTC | #3
On Mon, Jun 19, 2017 at 01:57:20PM +0200, Robert Jarzmik wrote:

> My serie shifted by one, so the very first of the serie is therefore missing,
> formerly "ALSA: ac97: split out the generic ac97 registers" in
> https://patchwork.kernel.org/patch/9398143/, and the shift triggered the
> inclusion of the last patch of my tree, ie. yours :)

Based on the missing first patch I was expecting the series to get
reposted?
Robert Jarzmik June 28, 2017, 10:03 p.m. UTC | #4
Mark Brown <broonie@kernel.org> writes:

> On Mon, Jun 19, 2017 at 01:57:20PM +0200, Robert Jarzmik wrote:
>
>> My serie shifted by one, so the very first of the serie is therefore missing,
>> formerly "ALSA: ac97: split out the generic ac97 registers" in
>> https://patchwork.kernel.org/patch/9398143/, and the shift triggered the
>> inclusion of the last patch of my tree, ie. yours :)
>
> Based on the missing first patch I was expecting the series to get
> reposted?
Hi Mark,

The first patch is only moving around a .h file. I was expecting a review before
reposting a v3.

Cheers.
Mark Brown June 30, 2017, 11:56 a.m. UTC | #5
On Thu, Jun 29, 2017 at 12:03:58AM +0200, Robert Jarzmik wrote:
> Mark Brown <broonie@kernel.org> writes:

> > Based on the missing first patch I was expecting the series to get
> > reposted?

> The first patch is only moving around a .h file. I was expecting a review before
> reposting a v3.

I can't tell what's in the first patch if you didn't send it.... :(
In general it's best to resend for things like this, I know I focus my
review on things that can progress as-is.
Robert Jarzmik June 30, 2017, 3:06 p.m. UTC | #6
Mark Brown <broonie@kernel.org> writes:

> On Thu, Jun 29, 2017 at 12:03:58AM +0200, Robert Jarzmik wrote:
>> Mark Brown <broonie@kernel.org> writes:
>
>> > Based on the missing first patch I was expecting the series to get
>> > reposted?
>
>> The first patch is only moving around a .h file. I was expecting a review before
>> reposting a v3.
>
> I can't tell what's in the first patch if you didn't send it.... :(
> In general it's best to resend for things like this, I know I focus my
> review on things that can progress as-is.
OK, no problem, I'll resend a v2 resend in the following hours.

Cheers.
diff mbox

Patch

diff --git a/sound/soc/soc-core.c b/sound/soc/soc-core.c
index 2722bb0c5573..98d60f471c5d 100644
--- a/sound/soc/soc-core.c
+++ b/sound/soc/soc-core.c
@@ -2286,6 +2286,9 @@  static int soc_cleanup_card_resources(struct snd_soc_card *card)
 	list_for_each_entry(rtd, &card->rtd_list, list)
 		flush_delayed_work(&rtd->delayed_work);
 
+	/* free the ALSA card at first; this syncs with pending operations */
+	snd_card_free(card->snd_card);
+
 	/* remove and free each DAI */
 	soc_remove_dai_links(card);
 	soc_remove_pcm_runtimes(card);
@@ -2300,9 +2303,7 @@  static int soc_cleanup_card_resources(struct snd_soc_card *card)
 	if (card->remove)
 		card->remove(card);
 
-	snd_card_free(card->snd_card);
 	return 0;
-
 }
 
 /* removes a socdev */