summaryrefslogtreecommitdiff
path: root/sound/core/init.c
diff options
context:
space:
mode:
authorTakashi Iwai <tiwai@suse.de>2021-02-02 23:56:29 +0100
committerTakashi Iwai <tiwai@suse.de>2021-02-02 23:57:30 +0100
commit3c4ab49ec59b94651dea7c7b0104c781c79c62b5 (patch)
treed1760d3b1ce80d08c106df5c687adf364f7fded3 /sound/core/init.c
parent016f94feb57d73b2c375f1ccd665bb546d401162 (diff)
downloadlwn-3c4ab49ec59b94651dea7c7b0104c781c79c62b5.tar.gz
lwn-3c4ab49ec59b94651dea7c7b0104c781c79c62b5.zip
ALSA: core: Fix the debugfs removal at snd_card_free()
The commit 2d670ea2bd53 ("ALSA: jack: implement software jack injection via debugfs") introduced a debugfs root for each sound card object. The debugfs entry gets removed at the card removal, too, but it turned out that debugfs_remove() is called at a wrong place; it's after the card object gets freed, hence it leads to use-after-free. Fix it by moving the debugfs_remove() at the right place, the destructor of the card device. Fixes: 2d670ea2bd53 ("ALSA: jack: implement software jack injection via debugfs") Reported-and-tested-by: Chris Wilson <chris@chris-wilson.co.uk> Link: https://lore.kernel.org/r/161228343605.1150.8862281636043446562@build.alporthouse.com Link: https://lore.kernel.org/r/20210202225629.1965-1-tiwai@suse.de Signed-off-by: Takashi Iwai <tiwai@suse.de>
Diffstat (limited to 'sound/core/init.c')
-rw-r--r--sound/core/init.c9
1 files changed, 4 insertions, 5 deletions
diff --git a/sound/core/init.c b/sound/core/init.c
index d4e78b176793..84b573e9c1f9 100644
--- a/sound/core/init.c
+++ b/sound/core/init.c
@@ -487,6 +487,10 @@ static int snd_card_do_free(struct snd_card *card)
dev_warn(card->dev, "unable to free card info\n");
/* Not fatal error */
}
+#ifdef CONFIG_SND_DEBUG
+ debugfs_remove(card->debugfs_root);
+ card->debugfs_root = NULL;
+#endif
if (card->release_completion)
complete(card->release_completion);
kfree(card);
@@ -537,11 +541,6 @@ int snd_card_free(struct snd_card *card)
/* wait, until all devices are ready for the free operation */
wait_for_completion(&released);
-#ifdef CONFIG_SND_DEBUG
- debugfs_remove(card->debugfs_root);
- card->debugfs_root = NULL;
-#endif
-
return 0;
}
EXPORT_SYMBOL(snd_card_free);