soc: fix a use after free case

Unloading ASoC modules as used by the SOF driver leads to an object being used after it's been freed. Fix this be clearing a reference to it and making sure to check for its presence. This fixes issue torvalds#144. Signed-off-by: Guennadi Liakhovetski <guennadi.liakhovetski@intel.com> (cherry picked from commit 0576373)
plbossart · Nov 9, 2018 · a5c9b05 · a5c9b05
1 parent f74fcf8
commit a5c9b05
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 1 deletion.
diff --git a/sound/soc/soc-core.c b/sound/soc/soc-core.c
@@ -951,7 +951,7 @@ static void soc_remove_dai(struct snd_soc_dai *dai, int order)
 {
 	int err;
 
-	if (!dai || !dai->probed ||
+	if (!dai || !dai->probed || !dai->driver ||
 	    dai->driver->remove_order != order)
 		return;
 

diff --git a/sound/soc/soc-topology.c b/sound/soc/soc-topology.c
@@ -503,13 +503,18 @@ static void remove_dai(struct snd_soc_component *comp,
 {
 	struct snd_soc_dai_driver *dai_drv =
 		container_of(dobj, struct snd_soc_dai_driver, dobj);
+	struct snd_soc_dai *dai;
 
 	if (pass != SOC_TPLG_PASS_PCM_DAI)
 		return;
 
 	if (dobj->ops && dobj->ops->dai_unload)
 		dobj->ops->dai_unload(comp, dobj);
 
+	list_for_each_entry(dai, &comp->dai_list, list)
+		if (dai->driver == dai_drv)
+			dai->driver = NULL;
+
 	kfree(dai_drv->name);
 	list_del(&dobj->list);
 	kfree(dai_drv);