From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, Stable@vger.kernel.org,
Arseniy Krasnov <avkrasnov@salutedevices.com>,
Jerome Brunet <jbrunet@baylibre.com>,
Mark Brown <broonie@kernel.org>
Subject: [PATCH 6.1 63/63] ASoC: meson: axg-card: fix use-after-free
Date: Mon, 16 Sep 2024 13:44:42 +0200 [thread overview]
Message-ID: <20240916114223.257494742@linuxfoundation.org> (raw)
In-Reply-To: <20240916114221.021192667@linuxfoundation.org>
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Arseniy Krasnov <avkrasnov@salutedevices.com>
commit 4f9a71435953f941969a4f017e2357db62d85a86 upstream.
Buffer 'card->dai_link' is reallocated in 'meson_card_reallocate_links()',
so move 'pad' pointer initialization after this function when memory is
already reallocated.
Kasan bug report:
==================================================================
BUG: KASAN: slab-use-after-free in axg_card_add_link+0x76c/0x9bc
Read of size 8 at addr ffff000000e8b260 by task modprobe/356
CPU: 0 PID: 356 Comm: modprobe Tainted: G O 6.9.12-sdkernel #1
Call trace:
dump_backtrace+0x94/0xec
show_stack+0x18/0x24
dump_stack_lvl+0x78/0x90
print_report+0xfc/0x5c0
kasan_report+0xb8/0xfc
__asan_load8+0x9c/0xb8
axg_card_add_link+0x76c/0x9bc [snd_soc_meson_axg_sound_card]
meson_card_probe+0x344/0x3b8 [snd_soc_meson_card_utils]
platform_probe+0x8c/0xf4
really_probe+0x110/0x39c
__driver_probe_device+0xb8/0x18c
driver_probe_device+0x108/0x1d8
__driver_attach+0xd0/0x25c
bus_for_each_dev+0xe0/0x154
driver_attach+0x34/0x44
bus_add_driver+0x134/0x294
driver_register+0xa8/0x1e8
__platform_driver_register+0x44/0x54
axg_card_pdrv_init+0x20/0x1000 [snd_soc_meson_axg_sound_card]
do_one_initcall+0xdc/0x25c
do_init_module+0x10c/0x334
load_module+0x24c4/0x26cc
init_module_from_file+0xd4/0x128
__arm64_sys_finit_module+0x1f4/0x41c
invoke_syscall+0x60/0x188
el0_svc_common.constprop.0+0x78/0x13c
do_el0_svc+0x30/0x40
el0_svc+0x38/0x78
el0t_64_sync_handler+0x100/0x12c
el0t_64_sync+0x190/0x194
Fixes: 7864a79f37b5 ("ASoC: meson: add axg sound card support")
Cc: Stable@vger.kernel.org
Signed-off-by: Arseniy Krasnov <avkrasnov@salutedevices.com>
Reviewed-by: Jerome Brunet <jbrunet@baylibre.com>
Link: https://patch.msgid.link/20240911142425.598631-1-avkrasnov@salutedevices.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/soc/meson/axg-card.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/sound/soc/meson/axg-card.c
+++ b/sound/soc/meson/axg-card.c
@@ -104,7 +104,7 @@ static int axg_card_add_tdm_loopback(str
int *index)
{
struct meson_card *priv = snd_soc_card_get_drvdata(card);
- struct snd_soc_dai_link *pad = &card->dai_link[*index];
+ struct snd_soc_dai_link *pad;
struct snd_soc_dai_link *lb;
struct snd_soc_dai_link_component *dlc;
int ret;
@@ -114,6 +114,7 @@ static int axg_card_add_tdm_loopback(str
if (ret)
return ret;
+ pad = &card->dai_link[*index];
lb = &card->dai_link[*index + 1];
lb->name = devm_kasprintf(card->dev, GFP_KERNEL, "%s-lb", pad->name);
next prev parent reply other threads:[~2024-09-16 12:01 UTC|newest]
Thread overview: 78+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-09-16 11:43 [PATCH 6.1 00/63] 6.1.111-rc1 review Greg Kroah-Hartman
2024-09-16 11:43 ` [PATCH 6.1 01/63] ksmbd: override fsids for share path check Greg Kroah-Hartman
2024-09-16 11:43 ` [PATCH 6.1 02/63] ksmbd: override fsids for smb2_query_info() Greg Kroah-Hartman
2024-09-16 11:43 ` [PATCH 6.1 03/63] usbnet: ipheth: fix carrier detection in modes 1 and 4 Greg Kroah-Hartman
2024-09-16 11:43 ` [PATCH 6.1 04/63] net: ethernet: use ip_hdrlen() instead of bit shift Greg Kroah-Hartman
2024-09-16 11:43 ` [PATCH 6.1 05/63] drm: panel-orientation-quirks: Add quirk for Ayn Loki Zero Greg Kroah-Hartman
2024-09-16 11:43 ` [PATCH 6.1 06/63] drm: panel-orientation-quirks: Add quirk for Ayn Loki Max Greg Kroah-Hartman
2024-09-16 11:43 ` [PATCH 6.1 07/63] net: phy: vitesse: repair vsc73xx autonegotiation Greg Kroah-Hartman
2024-09-16 11:43 ` [PATCH 6.1 08/63] powerpc/mm: Fix boot warning with hugepages and CONFIG_DEBUG_VIRTUAL Greg Kroah-Hartman
2024-09-16 11:43 ` [PATCH 6.1 09/63] btrfs: update target inodes ctime on unlink Greg Kroah-Hartman
2024-09-16 11:43 ` [PATCH 6.1 10/63] Input: ads7846 - ratelimit the spi_sync error message Greg Kroah-Hartman
2024-09-16 11:43 ` [PATCH 6.1 11/63] Input: synaptics - enable SMBus for HP Elitebook 840 G2 Greg Kroah-Hartman
2024-09-16 11:43 ` [PATCH 6.1 12/63] HID: multitouch: Add support for GT7868Q Greg Kroah-Hartman
2024-09-16 11:43 ` [PATCH 6.1 13/63] scripts: kconfig: merge_config: config files: add a trailing newline Greg Kroah-Hartman
2024-09-16 11:43 ` [PATCH 6.1 14/63] platform/surface: aggregator_registry: Add Support for Surface Pro 10 Greg Kroah-Hartman
2024-09-16 11:43 ` [PATCH 6.1 15/63] platform/surface: aggregator_registry: Add support for Surface Laptop Go 3 Greg Kroah-Hartman
2024-09-16 11:43 ` [PATCH 6.1 16/63] drm/msm/adreno: Fix error return if missing firmware-name Greg Kroah-Hartman
2024-09-16 11:43 ` [PATCH 6.1 17/63] Input: i8042 - add Fujitsu Lifebook E756 to i8042 quirk table Greg Kroah-Hartman
2024-09-16 11:43 ` [PATCH 6.1 18/63] smb/server: fix return value of smb2_open() Greg Kroah-Hartman
2024-09-16 11:43 ` [PATCH 6.1 19/63] NFSv4: Fix clearing of layout segments in layoutreturn Greg Kroah-Hartman
2024-09-16 11:43 ` [PATCH 6.1 20/63] NFS: Avoid unnecessary rescanning of the per-server delegation list Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.1 21/63] platform/x86: panasonic-laptop: Fix SINF array out of bounds accesses Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.1 22/63] platform/x86: panasonic-laptop: Allocate 1 entry extra in the sinf array Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.1 23/63] mptcp: pm: Fix uaf in __timer_delete_sync Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.1 24/63] arm64: dts: rockchip: fix eMMC/SPI corruption when audio has been used on RK3399 Puma Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.1 25/63] arm64: dts: rockchip: override BIOS_DISABLE signal via GPIO hog " Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.1 26/63] minmax: reduce min/max macro expansion in atomisp driver Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.1 27/63] net: tighten bad gso csum offset check in virtio_net_hdr Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.1 28/63] dm-integrity: fix a race condition when accessing recalc_sector Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.1 29/63] mm: avoid leaving partial pfn mappings around in error case Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.1 30/63] net: xilinx: axienet: Fix race in axienet_stop Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.1 31/63] pmdomain: ti: Add a null pointer check to the omap_prm_domain_init Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.1 32/63] fs/ntfs3: Use kvfree to free memory allocated by kvmalloc Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.1 33/63] arm64: dts: rockchip: fix PMIC interrupt pin in pinctrl for ROCK Pi E Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.1 34/63] eeprom: digsy_mtc: Fix 93xx46 driver probe failure Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.1 35/63] cxl/core: Fix incorrect vendor debug UUID define Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.1 36/63] selftests/bpf: Support SOCK_STREAM in unix_inet_redir_to_connected() Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.1 37/63] hwmon: (pmbus) Conditionally clear individual status bits for pmbus rev >= 1.2 Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.1 38/63] ice: fix accounting for filters shared by multiple VSIs Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.1 39/63] igb: Always call igb_xdp_ring_update_tail() under Tx lock Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.1 40/63] net/mlx5: Update the list of the PCI supported devices Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.1 41/63] net/mlx5e: Add missing link modes to ptys2ethtool_map Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.1 42/63] net/mlx5: Explicitly set scheduling element and TSAR type Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.1 43/63] net/mlx5: Add missing masks and QoS bit masks for scheduling elements Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.1 44/63] net/mlx5: Correct TASR typo into TSAR Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.1 45/63] net/mlx5: Verify support for scheduling element and TSAR type Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.1 46/63] net/mlx5: Fix bridge mode operations when there are no VFs Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.1 47/63] fou: fix initialization of grc Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.1 48/63] octeontx2-af: Set XOFF on other child transmit schedulers during SMQ flush Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.1 49/63] octeontx2-af: Modify SMQ flush sequence to drop packets Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.1 50/63] net: ftgmac100: Enable TX interrupt to avoid TX timeout Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.1 51/63] netfilter: nft_socket: fix sk refcount leaks Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.1 52/63] netfilter: nft_socket: make cgroupsv2 matching work with namespaces Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.1 53/63] net: dpaa: Pad packets to ETH_ZLEN Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.1 54/63] spi: nxp-fspi: fix the KASAN report out-of-bounds bug Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.1 55/63] soundwire: stream: Revert "soundwire: stream: fix programming slave ports for non-continous port maps" Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.1 56/63] dma-buf: heaps: Fix off-by-one in CMA heap fault handler Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.1 57/63] drm/amdgpu/atomfirmware: Silence UBSAN warning Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.1 58/63] spi: geni-qcom: Convert to platform remove callback returning void Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.1 59/63] spi: geni-qcom: Undo runtime PM changes at driver exit time Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.1 60/63] spi: geni-qcom: Fix incorrect free_irq() sequence Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.1 61/63] drm/i915/guc: prevent a possible int overflow in wq offsets Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.1 62/63] pinctrl: meteorlake: Add Arrow Lake-H/U ACPI ID Greg Kroah-Hartman
2024-09-16 11:44 ` Greg Kroah-Hartman [this message]
2024-09-16 17:28 ` [PATCH 6.1 00/63] 6.1.111-rc1 review Peter Schneider
2024-09-17 9:38 ` Yann Sionneau
2024-09-17 9:56 ` Mark Brown
2024-09-17 14:43 ` Naresh Kamboju
2024-09-18 6:19 ` Greg Kroah-Hartman
2024-09-18 13:56 ` Naresh Kamboju
2024-09-18 12:08 ` Georgi Djakov
2024-09-18 13:54 ` Naresh Kamboju
2024-09-25 15:42 ` Dan Carpenter
2024-10-08 23:43 ` Georgi Djakov
2024-09-17 15:18 ` Jon Hunter
2024-09-17 19:06 ` Pavel Machek
2024-09-17 21:29 ` Florian Fainelli
2024-09-17 22:42 ` Ron Economos
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240916114223.257494742@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=avkrasnov@salutedevices.com \
--cc=broonie@kernel.org \
--cc=jbrunet@baylibre.com \
--cc=patches@lists.linux.dev \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox