Message ID | 20211009065840.3196239-1-yangyingliang@huawei.com (mailing list archive) |
---|---|
State | Accepted |
Commit | c448b7aa3e66042fc0f849d9a0fb90d1af82e948 |
Series | ASoC: soc-core: fix null-ptr-deref in snd_soc_del_component_unlocked() |
On Sat, 9 Oct 2021 14:58:40 +0800, Yang Yingliang wrote:
> 'component' is allocated in snd_soc_register_component(), but component->list
> is not initialized, this may cause snd_soc_del_component_unlocked() deref null
> ptr in the error handling case.
>
> KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
> RIP: 0010:__list_del_entry_valid+0x81/0xf0
> Call Trace:
>  snd_soc_del_component_unlocked+0x69/0x1b0 [snd_soc_core]
>  snd_soc_add_component.cold+0x54/0x6c [snd_soc_core]
>  snd_soc_register_component+0x70/0x90 [snd_soc_core]
>  devm_snd_soc_register_component+0x5e/0xd0 [snd_soc_core]
>  tas2552_probe+0x265/0x320 [snd_soc_tas2552]
>  ? tas2552_component_probe+0x1e0/0x1e0 [snd_soc_tas2552]
>  i2c_device_probe+0xa31/0xbe0
>
> [...]

Applied to

   https://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound.git for-next

Thanks!

[1/1] ASoC: soc-core: fix null-ptr-deref in snd_soc_del_component_unlocked()
      commit: c448b7aa3e66042fc0f849d9a0fb90d1af82e948

All being well this means that it will be integrated into the linux-next tree (usually sometime in the next 24 hours) and sent to Linus during the next merge window (or sooner if it is a bug fix), however if problems are discovered then the patch may be dropped or reverted.

You may get further e-mails resulting from automated or manual testing and review of the tree, please engage with people reporting problems and send followup patches addressing any issues that are reported if needed.

If any updates are required or you are submitting further changes they should be sent as incremental updates against current git, existing patches will not be replaced.

Please add any relevant lists and maintainers to the CCs when replying to this mail.

Thanks,
Mark
diff --git a/sound/soc/soc-core.c b/sound/soc/soc-core.c index c830e96afba2..80ca260595fd 100644 --- a/sound/soc/soc-core.c +++ b/sound/soc/soc-core.c @@ -2599,6 +2599,7 @@ int snd_soc_component_initialize(struct snd_soc_component *component, INIT_LIST_HEAD(&component->dai_list); INIT_LIST_HEAD(&component->dobj_list); INIT_LIST_HEAD(&component->card_list); + INIT_LIST_HEAD(&component->list); mutex_init(&component->io_mutex); component->name = fmt_single_name(dev, &component->id);
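Review bot: The commit message has no Fixes: tag for the added `INIT_LIST_HEAD(&component->list);` line in snd_soc_component_initialize(), so a reader cannot tell which kernels carry the error path shown in the trace (snd_soc_add_component() calling snd_soc_del_component_unlocked() before the component was ever linked). Since the fault is reachable from an ordinary driver probe failure, name the commit that introduced that cleanup call so the fix can be backported. It would also help to say in the message that initialising the node is sufficient because unlinking an initialised but never-added node only unlinks it from itself, which is why the error path needs no extra check.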
'component' is allocated in snd_soc_register_component(), but component->list
is not initialized, this may cause snd_soc_del_component_unlocked() deref null
ptr in the error handling case.

KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
RIP: 0010:__list_del_entry_valid+0x81/0xf0
Call Trace:
 snd_soc_del_component_unlocked+0x69/0x1b0 [snd_soc_core]
 snd_soc_add_component.cold+0x54/0x6c [snd_soc_core]
 snd_soc_register_component+0x70/0x90 [snd_soc_core]
 devm_snd_soc_register_component+0x5e/0xd0 [snd_soc_core]
 tas2552_probe+0x265/0x320 [snd_soc_tas2552]
 ? tas2552_component_probe+0x1e0/0x1e0 [snd_soc_tas2552]
 i2c_device_probe+0xa31/0xbe0

Fix by adding INIT_LIST_HEAD() to snd_soc_component_initialize().

Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
---
 sound/soc/soc-core.c | 1 +
 1 file changed, 1 insertion(+)
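The failure mode the commit message describes, as an added example that is not part of the patch or of the kernel source: a userspace model of the circular list showing why unlinking a zero-filled, never-initialised node faults and why the added INIT_LIST_HEAD() makes the same cleanup safe. The names `unwind`, `list_del_checked` and the `del_result` values are hypothetical, and the zero-filled allocation is an assumption drawn from the null dereference in the trace.

```c
#include <stdio.h>
#include <string.h>

/* Userspace model of a kernel-style circular doubly linked list. */
struct list_head { struct list_head *next, *prev; };
enum del_result { DEL_OK = 0, DEL_WOULD_FAULT = -1, DEL_CORRUPT = -2 };

static void INIT_LIST_HEAD(struct list_head *h) { h->next = h; h->prev = h; }

static void list_add(struct list_head *n, struct list_head *head)
{
    n->next = head->next; n->prev = head;
    head->next->prev = n; head->next = n;
}

/* Checked unlink: reports the NULL-neighbour case as a status instead of
 * dereferencing it, which is where the trace above faults. */
static enum del_result list_del_checked(struct list_head *e)
{
    if (!e->next || !e->prev)
        return DEL_WOULD_FAULT;
    if (e->prev->next != e || e->next->prev != e)
        return DEL_CORRUPT;
    e->next->prev = e->prev;
    e->prev->next = e->next;
    e->next = e->prev = NULL;   /* stand-in for the kernel's poison values */
    return DEL_OK;
}

/* Cleanup of a component node; 'linked' is 0 on the early error path. */
static enum del_result unwind(int init_list, int linked)
{
    struct list_head registry, node;

    INIT_LIST_HEAD(&registry);
    memset(&node, 0, sizeof(node));   /* assumed zero-filled allocation */
    if (init_list)
        INIT_LIST_HEAD(&node);        /* the line the patch adds */
    if (linked)
        list_add(&node, &registry);
    return list_del_checked(&node);
}

int main(void)
{
    printf("error path, no init:   %d\n", unwind(0, 0));
    printf("error path, with init: %d\n", unwind(1, 0));
    return 0;
}
```

The uninitialised node only misbehaves when cleanup runs before list_add(), which is why the bug shows up on the probe error path and not on normal unregistration.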