From: Curtis Malainey
Date: Tue, 26 Mar 2019 10:35:41 -0700
Subject: Re: [PATCH] ASoC: core: Fix use-after-free after deferred card registration
To: Guenter Roeck
Cc: Mark Brown, Liam Girdwood, Jaroslav Kysela, Takashi Iwai, alsa-devel@alsa-project.org, Linux Kernel Mailing List, Curtis Malainey
X-Mailing-List: linux-kernel@vger.kernel.org

This has already been patched. See
https://mailman.alsa-project.org/pipermail/alsa-devel/2019-March/146150.html

On Tue, Mar 26, 2019 at 10:23 AM Guenter Roeck wrote:
>
> If snd_soc_register_card() fails because one of its links fails
> to instantiate with -EPROBE_DEFER, and the to-be-registered link
> is a legacy link, a subsequent retry will trigger a use-after-free
> and quite often a system crash.
>
> Example:
>
> byt-max98090 byt-max98090: ASoC: failed to init link Baytrail Audio
> byt-max98090 byt-max98090: snd_soc_register_card failed -517
> ....
> BUG: KASAN: use-after-free in snd_soc_init_platform+0x233/0x312
> Read of size 8 at addr ffff888067c43070 by task kworker/1:1/23
>
> snd_soc_init_platform() allocates memory attached to the card device.
> This memory is released when the card device is released. However,
> the pointer to the memory (dai_link->platforms) is only cleared from
> soc_cleanup_platform(), which is called from soc_cleanup_card_resources(),
> but not if snd_soc_register_card() fails early.
>
> Add the missing call to soc_cleanup_platform() in the error handling
> code of snd_soc_register_card() to fix the problem.
>
> Fixes: 78a24e10cd94 ("ASoC: soc-core: clear platform pointers on error")
> Cc: Curtis Malainey
> Signed-off-by: Guenter Roeck
> --- > sound/soc/soc-core.c | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/sound/soc/soc-core.c b/sound/soc/soc-core.c > index 93d316d5bf8e..6bf9884d0863 100644 > --- a/sound/soc/soc-core.c > +++ b/sound/soc/soc-core.c
> @@ -2799,6 +2799,7 @@ int snd_soc_register_card(struct snd_soc_card *card) > if (ret) { > dev_err(card->dev, "ASoC: failed to init link %s\n", > link->name); > + soc_cleanup_platform(card); > mutex_unlock(&client_mutex); > return ret; > } > -- > 2.7.4 >
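
Review bot: the added soc_cleanup_platform(card) call in the `if (ret)` branch resets the pointers on this one failure exit only, while the commit message describes the stale dai_link->platforms pointer as a consequence of snd_soc_register_card() failing early in general. Please confirm that no other early return in the function can be reached after snd_soc_init_platform() has run, or route the error exits through a single cleanup label so the pointer reset cannot be missed again. The call also sits before mutex_unlock(&client_mutex), so it runs with client_mutex held; a one-line comment saying that soc_cleanup_platform() is expected to be called under that lock would help. As the reply notes that the problem has already been patched, this change needs reconciling with that earlier fix before it is applied.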
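
The failure mode in the commit message (device-owned memory freed on a deferred probe while the per-link pointer survives into the retry), as an added example that is not part of the original mail or of the kernel source. It is a userspace model: every name is hypothetical, and allocations are integer handles so the stale reference can be counted without touching freed memory.

```c
#include <stdio.h>
#include <string.h>

/* Userspace model of the bug; all names are hypothetical, not kernel code. */
#define NLINKS 2
struct link { int platform; int defer; };   /* platform: handle, 0 = NULL */
struct card { struct link links[NLINKS]; int live[16]; int next; };

/* Allocation owned by the card device; returns a non-zero handle. */
static int managed_alloc(struct card *c) { c->live[++c->next] = 1; return c->next; }

/* Card device released after a failed probe: its managed memory is freed,
 * but nothing here touches the handles still stored in the links. */
static void device_release(struct card *c) { memset(c->live, 0, sizeof(c->live)); }

/* The step the patch adds to the error path: forget the per-link pointers. */
static void cleanup_platform(struct card *c) {
    for (int i = 0; i < NLINKS; i++) c->links[i].platform = 0;
}

/* Returns 0 or -517; *stale counts links holding a handle to freed memory. */
static int register_card(struct card *c, int fixed, int *stale) {
    for (int i = 0; i < NLINKS; i++) {
        struct link *l = &c->links[i];
        if (l->platform) { *stale += !c->live[l->platform]; continue; }
        l->platform = managed_alloc(c);
    }
    for (int i = 0; i < NLINKS; i++)
        if (c->links[i].defer) {
            if (fixed) cleanup_platform(c);
            return -517;                    /* -EPROBE_DEFER */
        }
    return 0;
}

/* Probe once with a deferring link, release the device, then retry. */
static int stale_links_on_retry(int fixed) {
    struct card c = { .links = { {0, 0}, {0, 1} } };
    int stale = 0;
    if (register_card(&c, fixed, &stale) == 0) return -1;
    device_release(&c);
    c.links[1].defer = 0;                   /* the dependency has now appeared */
    return register_card(&c, fixed, &stale) == 0 ? stale : -1;
}

int main(void) {
    printf("unfixed: %d, fixed: %d\n", stale_links_on_retry(0), stale_links_on_retry(1));
    return 0;
}
```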