]> git.baikalelectronics.ru Git - kernel.git/commitdiff
ASoC: topology: Prevent use-after-free in snd_soc_get_pcm_runtime()
authorDragos Tarcatu <dragos_tarcatu@mentor.com>
Wed, 18 Dec 2019 00:05:18 +0000 (18:05 -0600)
committerMark Brown <broonie@kernel.org>
Wed, 18 Dec 2019 20:00:05 +0000 (20:00 +0000)
remove_link() is currently calling snd_soc_remove_pcm_runtime() after
it has already freed the memory for the link name. But this is later
read from snd_soc_get_pcm_runtime() causing a KASAN use-after-free
warning. Reorder the cleanups to fix this issue.

Reviewed-by: Ranjani Sridharan <ranjani.sridharan@linux.intel.com>
Signed-off-by: Dragos Tarcatu <dragos_tarcatu@mentor.com>
Signed-off-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
Acked-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
Link: https://lore.kernel.org/r/20191218000518.5830-4-pierre-louis.bossart@linux.intel.com
Signed-off-by: Mark Brown <broonie@kernel.org>
sound/soc/soc-topology.c

index f8bd406c619898f600f73662cd22363410a92c16..2b3c74a0b1269602ac502a952bc8c40d8d0b887e 100644 (file)
@@ -548,14 +548,14 @@ static void remove_link(struct snd_soc_component *comp,
        if (dobj->ops && dobj->ops->link_unload)
                dobj->ops->link_unload(comp, dobj);
 
-       kfree(link->name);
-       kfree(link->stream_name);
-       kfree(link->cpus->dai_name);
-
        list_del(&dobj->list);
 
        snd_soc_remove_pcm_runtime(comp->card,
                        snd_soc_get_pcm_runtime(comp->card, link));
+
+       kfree(link->name);
+       kfree(link->stream_name);
+       kfree(link->cpus->dai_name);
        kfree(link);
 }