Commit dd836ddf authored by Dragos Tarcatu's avatar Dragos Tarcatu Committed by Mark Brown

ASoC: topology: Prevent use-after-free in snd_soc_get_pcm_runtime()

remove_link() is currently calling snd_soc_remove_dai_link() after
it has already freed the memory for the link name. But this is later
read from snd_soc_get_pcm_runtime() causing a KASAN use-after-free
warning. Reorder the cleanups to fix this issue.
Reviewed-by: default avatarRanjani Sridharan <ranjani.sridharan@linux.intel.com>
Signed-off-by: default avatarDragos Tarcatu <dragos_tarcatu@mentor.com>
Signed-off-by: default avatarPierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
Reviewed-by: default avatarKuninori Morimoto <kuninori.morimoto.gx@renesas.com>
Link: https://lore.kernel.org/r/20191204210447.11701-4-pierre-louis.bossart@linux.intel.comSigned-off-by: default avatarMark Brown <broonie@kernel.org>
parent 77fffa74
...@@ -548,12 +548,12 @@ static void remove_link(struct snd_soc_component *comp, ...@@ -548,12 +548,12 @@ static void remove_link(struct snd_soc_component *comp,
if (dobj->ops && dobj->ops->link_unload) if (dobj->ops && dobj->ops->link_unload)
dobj->ops->link_unload(comp, dobj); dobj->ops->link_unload(comp, dobj);
list_del(&dobj->list);
snd_soc_remove_dai_link(comp->card, link);
kfree(link->name); kfree(link->name);
kfree(link->stream_name); kfree(link->stream_name);
kfree(link->cpus->dai_name); kfree(link->cpus->dai_name);
list_del(&dobj->list);
snd_soc_remove_dai_link(comp->card, link);
kfree(link); kfree(link);
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment