release/5.2.38/ASoC-topology-Prevent-use-after-free-in-snd_soc_get_.patch - pub/scm/linux/kernel/git/paulg/longterm-queue-5.2 - Git at Google

 From dc0cc79bf57377a0622b82a6e3b9624d65dea9c1 Mon Sep 17 00:00:00 2001
 From: Dragos Tarcatu <dragos_tarcatu@mentor.com>
 Date: Wed, 4 Dec 2019 15:04:47 -0600
 Subject: [PATCH] ASoC: topology: Prevent use-after-free in
  snd_soc_get_pcm_runtime()

 commit dd836ddf4e4e1c7f1eb2ae44783ccd70872ef24e upstream.

 remove_link() is currently calling snd_soc_remove_dai_link() after
 it has already freed the memory for the link name. But this is later
 read from snd_soc_get_pcm_runtime() causing a KASAN use-after-free
 warning. Reorder the cleanups to fix this issue.

 Reviewed-by: Ranjani Sridharan <ranjani.sridharan@linux.intel.com>
 Signed-off-by: Dragos Tarcatu <dragos_tarcatu@mentor.com>
 Signed-off-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
 Reviewed-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
 Link: https://lore.kernel.org/r/20191204210447.11701-4-pierre-louis.bossart@linux.intel.com
 Signed-off-by: Mark Brown <broonie@kernel.org>
 Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>

 diff --git a/sound/soc/soc-topology.c b/sound/soc/soc-topology.c
 index 85a23b0f99bb..e24a11010fe5 100644
 --- a/sound/soc/soc-topology.c
 +++ b/sound/soc/soc-topology.c
 @@ -558,12 +558,12 @@ static void remove_link(struct snd_soc_component *comp,
  	if (dobj->ops && dobj->ops->link_unload)
  		dobj->ops->link_unload(comp, dobj);

 +	list_del(&dobj->list);
 +	snd_soc_remove_dai_link(comp->card, link);
 +
  	kfree(link->name);
  	kfree(link->stream_name);
  	kfree(link->cpu_dai_name);
 -
 -	list_del(&dobj->list);
 -	snd_soc_remove_dai_link(comp->card, link);
  	kfree(link);
  }

 --
 2.7.4
	From dc0cc79bf57377a0622b82a6e3b9624d65dea9c1 Mon Sep 17 00:00:00 2001
	From: Dragos Tarcatu <dragos_tarcatu@mentor.com>
	Date: Wed, 4 Dec 2019 15:04:47 -0600
	Subject: [PATCH] ASoC: topology: Prevent use-after-free in
	snd_soc_get_pcm_runtime()

	commit dd836ddf4e4e1c7f1eb2ae44783ccd70872ef24e upstream.

	remove_link() is currently calling snd_soc_remove_dai_link() after
	it has already freed the memory for the link name. But this is later
	read from snd_soc_get_pcm_runtime() causing a KASAN use-after-free
	warning. Reorder the cleanups to fix this issue.

	Reviewed-by: Ranjani Sridharan <ranjani.sridharan@linux.intel.com>
	Signed-off-by: Dragos Tarcatu <dragos_tarcatu@mentor.com>
	Signed-off-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
	Reviewed-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
	Link: https://lore.kernel.org/r/20191204210447.11701-4-pierre-louis.bossart@linux.intel.com
	Signed-off-by: Mark Brown <broonie@kernel.org>
	Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>

	diff --git a/sound/soc/soc-topology.c b/sound/soc/soc-topology.c
	index 85a23b0f99bb..e24a11010fe5 100644
	--- a/sound/soc/soc-topology.c
	+++ b/sound/soc/soc-topology.c
	@@ -558,12 +558,12 @@ static void remove_link(struct snd_soc_component *comp,
	if (dobj->ops && dobj->ops->link_unload)
	dobj->ops->link_unload(comp, dobj);

	+ list_del(&dobj->list);
	+ snd_soc_remove_dai_link(comp->card, link);
	+
	kfree(link->name);
	kfree(link->stream_name);
	kfree(link->cpu_dai_name);
	-
	- list_del(&dobj->list);
	- snd_soc_remove_dai_link(comp->card, link);
	kfree(link);
	}

	--
	2.7.4