From 3c4ab49ec59b94651dea7c7b0104c781c79c62b5 Mon Sep 17 00:00:00 2001
From: Takashi Iwai
Date: Tue, 2 Feb 2021 23:56:29 +0100
Subject: [PATCH] ALSA: core: Fix the debugfs removal at snd_card_free()
The commit 2d670ea2bd53 ("ALSA: jack: implement software jack injection via debugfs") introduced a debugfs root for each sound card object. The debugfs entry gets removed at the card removal, too, but it turned out that debugfs_remove() is called at a wrong place; it's after the card object gets freed, hence it leads to use-after-free. Fix it by moving the debugfs_remove() at the right place, the destructor of the card device.
Fixes: 2d670ea2bd53 ("ALSA: jack: implement software jack injection via debugfs")
Reported-and-tested-by: Chris Wilson
Link: https://lore.kernel.org/r/161228343605.1150.8862281636043446562@build.alporthouse.com
Link: https://lore.kernel.org/r/20210202225629.1965-1-tiwai@suse.de
Signed-off-by: Takashi Iwai
---
 sound/core/init.c | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/sound/core/init.c b/sound/core/init.c
index d4e78b176793..84b573e9c1f9 100644
--- a/sound/core/init.c
+++ b/sound/core/init.c
@@ -487,6 +487,10 @@ static int snd_card_do_free(struct snd_card *card)
 dev_warn(card->dev, "unable to free card info\n");
 /* Not fatal error */
 }
+#ifdef CONFIG_SND_DEBUG
+ debugfs_remove(card->debugfs_root);
+ card->debugfs_root = NULL;
+#endif
 if (card->release_completion)
 complete(card->release_completion);
 kfree(card);
@@ -537,11 +541,6 @@ int snd_card_free(struct snd_card *card)
 /* wait, until all devices are ready for the free operation */
 wait_for_completion(&released);
-#ifdef CONFIG_SND_DEBUG
-- debugfs_remove(card->debugfs_root);
-- card->debugfs_root = NULL;
-#endif
--
 return 0;
 }
 EXPORT_SYMBOL(snd_card_free);
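Review bot: The `#ifdef CONFIG_SND_DEBUG` block added to snd_card_do_free() has no comment recording the lifetime rule this commit restores, so a later cleanup could move the teardown back behind the free. I would add above it `/* must run before kfree(card) below; snd_card_free() may not touch card once its wait returns */`. The `card->debugfs_root = NULL;` store is dead because `kfree(card)` follows three lines later, so it can be dropped or kept only as a deliberate poison. Any debugfs files under this root presumably reference objects released earlier in this function, whose body starts outside the hunk, so it is worth confirming those entries are removed before their backing objects are freed.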