[PATCH] ASoC: Fix use after free

[PATCH] ASoC: Fix use after free

[Lars-Peter Clausen]

Freeing the current list element while iterating over the list will cause a use
after free since the iterator function will still use the current element to
look up the next. Use list_for_each_safe() and remove the element from the list
before freeing it to avoid this.

Fixes: 1438c2f60b ("ASoC: Add a per component dai list")
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
---
 sound/soc/soc-core.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/sound/soc/soc-core.c b/sound/soc/soc-core.c
index f67cef4..dac616d 100644
--- a/sound/soc/soc-core.c
+++ b/sound/soc/soc-core.c
@@ -3928,11 +3928,12 @@ static inline char *fmt_multiple_name(struct device *dev,
  */
 static void snd_soc_unregister_dais(struct snd_soc_component *component)
 {
-	struct snd_soc_dai *dai;
+	struct snd_soc_dai *dai, *_dai;
 
-	list_for_each_entry(dai, &component->dai_list, list) {
+	list_for_each_entry_safe(dai, _dai, &component->dai_list, list) {
 		dev_dbg(component->dev, "ASoC: Unregistered DAI '%s'\n",
 			dai->name);
+		list_del(&dai->list);
 		kfree(dai->name);
 		kfree(dai);
 	}
-- 
1.8.0

Re: [PATCH] ASoC: Fix use after free

[Mark Brown]

[-- Attachment #1.1: Type: text/plain, Size: 364 bytes --]

On Wed, Mar 12, 2014 at 08:34:39AM +0100, Lars-Peter Clausen wrote:
> Freeing the current list element while iterating over the list will cause a use
> after free since the iterator function will still use the current element to
> look up the next. Use list_for_each_safe() and remove the element from the list
> before freeing it to avoid this.

Applied, thanks.

[-- Attachment #1.2: Digital signature --]
[-- Type: application/pgp-signature, Size: 836 bytes --]

[-- Attachment #2: Type: text/plain, Size: 0 bytes --]