soc: fix a use after free case

Unloading ASoC modules as used by the SOF driver leads to an object being used after it's been freed. Fix this be clearing a reference to it and making sure to check for its presence. This fixes issue torvalds#144. Signed-off-by: Guennadi Liakhovetski <[email protected]>
plbossart · Oct 23, 2018 · f553a75 · f553a75
1 parent ab6804e
commit f553a75
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 3 deletions.
diff --git a/sound/soc/soc-core.c b/sound/soc/soc-core.c
@@ -946,9 +946,9 @@ static void soc_remove_dai(struct snd_soc_dai *dai, int order)
 {
 	int err;
 
-	if (dai && dai->probed &&
-			dai->driver->remove_order == order) {
-		if (dai->driver->remove) {
+	if (dai && dai->probed) {
+		if (dai->driver && dai->driver->remove_order == order &&
+		    dai->driver->remove) {
 			err = dai->driver->remove(dai);
 			if (err < 0)
 				dev_err(dai->dev,

diff --git a/sound/soc/soc-topology.c b/sound/soc/soc-topology.c
@@ -508,13 +508,18 @@ static void remove_dai(struct snd_soc_component *comp,
 {
 	struct snd_soc_dai_driver *dai_drv =
 		container_of(dobj, struct snd_soc_dai_driver, dobj);
+	struct snd_soc_dai *dai;
 
 	if (pass != SOC_TPLG_PASS_PCM_DAI)
 		return;
 
 	if (dobj->ops && dobj->ops->dai_unload)
 		dobj->ops->dai_unload(comp, dobj);
 
+	list_for_each_entry(dai, &comp->dai_list, list)
+		if (dai->driver == dai_drv)
+			dai->driver = NULL;
+
 	kfree(dai_drv->name);
 	list_del(&dobj->list);
 	kfree(dai_drv);