Re: [PATCH] ASoC: core: Fix use-after-free in snd_soc_exit()

From: Chen Zhongjin
Date: Sat Oct 29 2022 - 00:34:28 EST


Hi,

On 2022/10/29 0:14, Mark Brown wrote:
On Fri, 28 Oct 2022 11:16:03 +0800, Chen Zhongjin wrote:
KASAN reports a use-after-free:

BUG: KASAN: use-after-free in device_del+0xb5b/0xc60
Read of size 8 at addr ffff888008655050 by task rmmod/387
CPU: 2 PID: 387 Comm: rmmod
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)
Call Trace:
<TASK>
dump_stack_lvl+0x79/0x9a
print_report+0x17f/0x47b
kasan_report+0xbb/0xf0
device_del+0xb5b/0xc60
platform_device_del.part.0+0x24/0x200
platform_device_unregister+0x2e/0x40
snd_soc_exit+0xa/0x22 [snd_soc_core]
__do_sys_delete_module.constprop.0+0x34f/0x5b0
do_syscall_64+0x3a/0x90
entry_SYSCALL_64_after_hwframe+0x63/0xcd
...
</TASK>

[...]
Applied to

https://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound.git for-next

Thanks!

[1/1] ASoC: core: Fix use-after-free in snd_soc_exit()
commit: 6ec27c53886c8963729885bcf2dd996eba2767a7

I noticed that there is a build warning introduced by this patch:

WARNING: modpost: sound/soc/snd-soc-core.o: section mismatch in reference: init_module (section: .init.text) -> snd_soc_util_exit (section: .exit.text)

It's because it calls __exit snd_soc_util_exit() inside __init snd_soc_init().

Since snd_soc_util_exit() is only used in snd_soc_init() and snd_soc_exit(), could you please add this fix to the patch and delete __exit for snd_soc_util_exit()?

Or should I send a v2 version to replace the current one?


diff --git a/sound/soc/soc-utils.c b/sound/soc/soc-utils.c
index a3b6df2378b4..a4dba0b751e7 100644
--- a/sound/soc/soc-utils.c
+++ b/sound/soc/soc-utils.c
@@ -264,7 +264,7 @@ int __init snd_soc_util_init(void)
        return ret;
 }

-void __exit snd_soc_util_exit(void)
+void snd_soc_util_exit(void)
 {
        platform_driver_unregister(&soc_dummy_driver);
        platform_device_unregister(soc_dummy_dev);
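
Review bot: The change from `void __exit snd_soc_util_exit(void)` to `void snd_soc_util_exit(void)` is posted inline without a commit log, a Signed-off-by, or a Fixes: tag naming commit 6ec27c53886c, so it cannot be picked up as it stands. Since the tree takes incremental updates rather than replacements, send it as a standalone follow-up patch that quotes the modpost warning in its log. Dropping the annotation matches the problem described, because the function is now called from the `__init` path and `.exit.text` is discarded for built-in code, but also confirm that no prototype of snd_soc_util_exit() still carries `__exit`, so that declaration and definition agree.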


Thanks!

Best,

Chen

All being well this means that it will be integrated into the linux-next
tree (usually sometime in the next 24 hours) and sent to Linus during
the next merge window (or sooner if it is a bug fix), however if
problems are discovered then the patch may be dropped or reverted.

You may get further e-mails resulting from automated or manual testing
and review of the tree, please engage with people reporting problems and
send followup patches addressing any issues that are reported if needed.

If any updates are required or you are submitting further changes they
should be sent as incremental updates against current git, existing
patches will not be replaced.

Please add any relevant lists and maintainers to the CCs when replying
to this mail.

Thanks,
Mark