Received: by 2002:a25:c205:0:0:0:0:0 with SMTP id s5csp1164960ybf;
        Thu, 27 Feb 2020 06:11:43 -0800 (PST)
X-Google-Smtp-Source: APXvYqz/z0MD3wzZx1UNiCJujIhvUd649hxWCwR8s520qa7kA50V8wvbyffnt5QYkW8vWlicihP7
X-Received: by 2002:a9d:6181:: with SMTP id g1mr3632735otk.104.1582812703434;
        Thu, 27 Feb 2020 06:11:43 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1582812703; cv=none;
        d=google.com; s=arc-20160816;
        b=LGijGHAneZA2+hX8K4qTQMHqR2NOpKJg9gZ/ufHvMWkuzYLPFM8QlZyxmrUvHcYftr
         Sdctako+Sy+luDz9sL5Eq0Qg4i+ENpbXfh4GNeh5BrUfLNHfq88nHcBg6o2puhmtBfDi
         ZIIiwo5gWQ4BvjGb5coTQZ96cqG1D/wWZM9EJ8vAh28X9Oh8tm7zO2PVb6Uwv7V32k8J
         xi+T5k7Z7uih/ShEML208sr17BqweviYN+muDDI4ZsY9+kSOaIpKk+QQG2d9S6s04Fxa
         OvWNo0muTNpyUxMiUSw615UPtvRrGPjij8RTS1dUTn88Idn5HHohPGuJdL97Pcm8TqBO
         m09Q==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:mime-version
         :user-agent:references:in-reply-to:message-id:date:subject:cc:to
         :from:dkim-signature;
        bh=lRIUSd12JSXnXGsLCu6nBSdPcIutY3MYZimBuY5ajXw=;
        b=wgugYovuosSsJZwuber1wjZU04Si7qZK3NG0kQHFaaS/wXxiKAl4/dvmI0aFywSvoj
         TiG4+twMWA8ZaREQtGa43Z+/DzvCsFwBZj/Lqit39OkyOeGg9dwtMtsqbW+qusa0EUkk
         pLe+8l0wOKgklZwCIRgzc1L/16dacVqskDmK8f3fZ6XG4MnSRmdrDHG55QKKNJwAPT6i
         lCr5PNsXTligcXIrH1bnMywpFHblx8pO94hYnjtNI8bTtkjmUKPIC/UHYZFbzFbLHfdI
         y3tJM2BXQJzw8uiZvK9RNwloYUage5yM1CYi8Iib2r343+F02UGNo/f/577aZ575YRMO
         UHEw==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=ISqdRjUq;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id c10si2282895ots.106.2020.02.27.06.11.26;
        Thu, 27 Feb 2020 06:11:43 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=ISqdRjUq;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S2388692AbgB0OLZ (ORCPT <rfc822;wxiaokuan@gmail.com> + 99 others);
        Thu, 27 Feb 2020 09:11:25 -0500
Received: from mail.kernel.org ([198.145.29.99]:49858 "EHLO mail.kernel.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S2388688AbgB0OLX (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 27 Feb 2020 09:11:23 -0500
Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by mail.kernel.org (Postfix) with ESMTPSA id 0FEEC20578;
        Thu, 27 Feb 2020 14:11:21 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
        s=default; t=1582812682;
        bh=/tyTvlOefgejlw1qNqg4s5MKur21O+cVuaR95mSgyx0=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=ISqdRjUqDog3n7cZUX9IP5BcrMs50Ofv4DAO+GqvHwagB65M58xNgqjoxeh0rNdEC
         ov/qExun0rqSJRH19y76roCGE4xHEi7hgoP6KI2JDnbyCNP56quqioAtmgDHJtLiTR
         G2fsJ3yilDrkSuD+7tHJuATf1BjinEuGBfPqwu30=
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org, Dan Carpenter <dan.carpenter@oracle.com>,
        Viresh Kumar <viresh.kumar@linaro.org>,
        Vaibhav Agarwal <vaibhav.sr@gmail.com>
Subject: [PATCH 5.4 112/135] staging: greybus: use after free in gb_audio_manager_remove_all()
Date:   Thu, 27 Feb 2020 14:37:32 +0100
Message-Id: <20200227132246.031633069@linuxfoundation.org>
X-Mailer: git-send-email 2.25.1
In-Reply-To: <20200227132228.710492098@linuxfoundation.org>
References: <20200227132228.710492098@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Dan Carpenter <dan.carpenter@oracle.com>

commit b7db58105b80fa9232719c8329b995b3addfab55 upstream.

When we call kobject_put() and it's the last reference to the kobject
then it calls gb_audio_module_release() and frees module.  We dereference
"module" on the next line which is a use after free.

Fixes: c77f85bbc91a ("greybus: audio: Fix incorrect counting of 'ida'")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Viresh Kumar <viresh.kumar@linaro.org>
Reviewed-by: Vaibhav Agarwal <vaibhav.sr@gmail.com>
Link: https://lore.kernel.org/r/20200205123217.jreendkyxulqsool@kili.mountain
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/staging/greybus/audio_manager.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/staging/greybus/audio_manager.c
+++ b/drivers/staging/greybus/audio_manager.c
@@ -92,8 +92,8 @@ void gb_audio_manager_remove_all(void)
 
 	list_for_each_entry_safe(module, next, &modules_list, list) {
 		list_del(&module->list);
-		kobject_put(&module->kobj);
 		ida_simple_remove(&module_id, module->id);
+		kobject_put(&module->kobj);
 	}
 
 	is_empty = list_empty(&modules_list);