From: Takashi Iwai
To: alsa-devel@alsa-project.org
Cc: Curtis Malainey
Subject: [PATCH RFC 1/6] ALSA: core: Introduced referenced memory allocator
Date: Mon, 7 Aug 2023 15:52:01 +0200
Message-Id: <20230807135207.17708-2-tiwai@suse.de>
In-Reply-To: <20230807135207.17708-1-tiwai@suse.de>

Introduce simple helpers to allocate memory with a refcount. The refcount can be chained to the parent, so that it assures to keep the parent memory until all children are released.

Signed-off-by: Takashi Iwai
---
 include/sound/core.h | 5 ++++
 sound/core/init.c | 58 ++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 63 insertions(+)

diff --git a/include/sound/core.h b/include/sound/core.h index f6e0dd648b80..6fccec08a12f 100644 --- a/include/sound/core.h +++ b/include/sound/core.h 
@@ -75,6 +75,11 @@ struct snd_device { #define snd_device(n) list_entry(n, struct snd_device, list) +/* referenced memory allocation */ +void *snd_refmem_alloc(size_t bytes, void *parent); +void *snd_refmem_get(void *p); +void snd_refmem_put(void *p); + /* main structure for soundcard */ struct snd_card { diff --git a/sound/core/init.c b/sound/core/init.c index baef2688d0cf..7e7c4b8d4e11 100644 --- a/sound/core/init.c +++ b/sound/core/init.c 
@@ -111,6 +111,64 @@ static int get_slot_from_bitmask(int mask, int (*check)(struct module *, int), return mask; /* unchanged */ } +/* + * referenced memory allocation + */ + +struct snd_refmem { + struct kref kref; + void *parent; + char data[]; +}; + +#define to_refmem(p) container_of(p, struct snd_refmem, data) + +void *snd_refmem_alloc(size_t bytes, void *parent) +{ + struct snd_refmem *ref; + + ref = kzalloc(bytes + sizeof(*ref), GFP_KERNEL); + if (!ref) + return NULL; + kref_init(&ref->kref); + ref->parent = parent; + snd_refmem_get(parent); + return ref->data; +} +EXPORT_SYMBOL_GPL(snd_refmem_alloc); + +void *snd_refmem_get(void *p) +{ + struct snd_refmem *ref; + + if (!p) + return NULL; + ref = to_refmem(p); + kref_get(&ref->kref); + return p; +} +EXPORT_SYMBOL_GPL(snd_refmem_get); + +static void snd_refmem_release(struct kref *kref) +{ + struct snd_refmem *ref = container_of(kref, struct snd_refmem, kref); + void *parent = ref->parent; + + kfree(ref); + snd_refmem_put(parent); +} + +void snd_refmem_put(void *p) +{ + struct snd_refmem *ref; + + if (!p) + return; + ref = to_refmem(p); + kref_put(&ref->kref, snd_refmem_release); +} +EXPORT_SYMBOL_GPL(snd_refmem_put); + /* the default release callback set in snd_device_initialize() below; * this is just NOP for now, as almost all jobs are already done in * dev_free callback of snd_device chain instead. 
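Review bot: in the sound/core/init.c hunk, snd_refmem_alloc() computes the kzalloc() size as `bytes + sizeof(*ref)` with no overflow check, so a very large `bytes` wraps and the caller receives a payload shorter than it asked for. Use `struct_size(ref, data, bytes)` (or `size_add()`), which saturates and makes the allocation fail instead.

Review bot: the three prototypes added to include/sound/core.h take a bare `void *` and carry no kernel-doc, while snd_refmem_get(), snd_refmem_put() and the `parent` argument of snd_refmem_alloc() all go through to_refmem() unconditionally. A pointer that did not come from snd_refmem_alloc() makes kref_get()/kref_put() operate on whatever bytes precede it. Please document that constraint on each exported helper, and that the reference on `parent` is dropped only when the child is released.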
From: Takashi Iwai
To: alsa-devel@alsa-project.org
Cc: Curtis Malainey
Subject: [PATCH RFC 2/6] ALSA: core: Fix potential UAF by delayed kobject release of card_dev
Date: Mon, 7 Aug 2023 15:52:02 +0200
Message-Id: <20230807135207.17708-3-tiwai@suse.de>
In-Reply-To: <20230807135207.17708-1-tiwai@suse.de>

Use a new refmem allocation for the card object, and fix the potential UAF of card object due to the race between the devres and the delayed kobj release.

Now the devres keeps only the card object pointer, not the card object itself, and the card object is unreferenced at both releases.

Signed-off-by: Takashi Iwai
---
 sound/core/init.c | 38 ++++++++++++++++++++++----------------
 1 file changed, 22 insertions(+), 16 deletions(-)

diff --git a/sound/core/init.c b/sound/core/init.c index 7e7c4b8d4e11..22da438faf40 100644 --- a/sound/core/init.c +++ b/sound/core/init.c 
@@ -231,7 +231,7 @@ int snd_card_new(struct device *parent, int idx, const char *xid, if (extra_size < 0) extra_size = 0; - card = kzalloc(sizeof(*card) + extra_size, GFP_KERNEL); + card = snd_refmem_alloc(sizeof(*card) + extra_size, NULL); if (!card) return -ENOMEM; @@ -246,7 +246,14 @@ EXPORT_SYMBOL(snd_card_new); static void __snd_card_release(struct device *dev, void *data) { - snd_card_free(data); + struct snd_card **card_p = data; + struct snd_card *card; + + if (card_p) { + card = *card_p; + snd_card_free(card); + snd_refmem_put(card); + } } /** @@ -279,21 +286,22 @@ int snd_devm_card_new(struct device *parent, int idx, const char *xid, struct snd_card **card_ret) { struct snd_card *card; + struct snd_card **card_devres; int err; *card_ret = NULL; - card = devres_alloc(__snd_card_release, sizeof(*card) + extra_size, - GFP_KERNEL); - if (!card) + card_devres = devres_alloc(__snd_card_release, sizeof(void *), GFP_KERNEL); + if (!card_devres) return -ENOMEM; - card->managed = true; - err = snd_card_init(card, parent, idx, xid, module, extra_size); - if (err < 0) { - devres_free(card); /* in managed mode, we need to free manually */ - return err; - } + devres_add(parent, card_devres); - devres_add(parent, card); + err = snd_card_new(parent, idx, xid, module, extra_size, &card); + if (err) + return err; + + card->managed = true; + snd_refmem_get(card); + *card_devres = card; *card_ret = card; return 0; } @@ -353,8 +361,7 @@ static int snd_card_init(struct snd_card *card, struct device *parent, mutex_unlock(&snd_card_mutex); dev_err(parent, "cannot find the slot for index %d (range 0-%i), error: %d\n", idx, snd_ecards_limit - 1, err); - if (!card->managed) - kfree(card); /* manually free here, as no destructor called */ + snd_refmem_put(card); /* manually free here, as no destructor called */ return err; } set_bit(idx, snd_cards_lock); /* lock it */ 
@@ -650,8 +657,7 @@ static int snd_card_do_free(struct snd_card *card) #endif if (card->release_completion) complete(card->release_completion); - if (!card->managed) - kfree(card); + snd_refmem_put(card); return 0; }
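Review bot: in the snd_devm_card_new() hunk, `devres_add(parent, card_devres)` now runs before snd_card_new(), and the error path returns without removing it, so the devres entry stays registered with its slot never assigned. __snd_card_release() guards on `card_p`, which is the devres data pointer itself, rather than on `*card_p`, so that entry later reaches snd_card_free() and snd_refmem_put() with the unassigned value. Either call devres_add() only after snd_card_new() succeeds (with devres_free() on failure), or test `*card_p` in the release callback.

Review bot: also in snd_devm_card_new(), `card->managed = true` has moved from before snd_card_init() to after snd_card_new() returns, so anything reached during initialization that tests `card->managed` now sees false for managed cards. Please confirm in the changelog that the two checks removed in this patch were the only ones on that path.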
From: Takashi Iwai
To: alsa-devel@alsa-project.org
Cc: Curtis Malainey
Subject: [PATCH RFC 3/6] ALSA: core: Associate memory reference with device initialization
Date: Mon, 7 Aug 2023 15:52:04 +0200
Message-Id: <20230807135207.17708-5-tiwai@suse.de>
In-Reply-To: <20230807135207.17708-1-tiwai@suse.de>

Allow to assign a refmem pointer to snd_device_initialize(). It takes the reference, and does unreference at the release callback in turn.

A caveat is that this uses drvdata for keeping the associated pointer.

Signed-off-by: Takashi Iwai --- include/sound/core.h | 2 +- sound/core/compress_offload.c | 2 +- sound/core/control.c | 2 +- sound/core/hwdep.c | 2 +- sound/core/init.c | 9 ++++++--- sound/core/pcm.c | 2 +- sound/core/rawmidi.c | 2 +- sound/core/seq/seq_clientmgr.c | 2 +- sound/core/timer.c | 2 +- 9 files changed, 14 insertions(+), 11 deletions(-) diff --git a/include/sound/core.h b/include/sound/core.h index 6fccec08a12f..dfa5b44d9666 100644 --- a/include/sound/core.h +++ b/include/sound/core.h @@ -244,7 +244,7 @@ extern struct dentry *sound_debugfs_root; void snd_request_card(int card); -void snd_device_initialize(struct device *dev, struct snd_card *card); +void snd_device_initialize(struct device *dev, struct snd_card *card, void *refp); int snd_register_device(int type, struct snd_card *card, int dev, const struct file_operations *f_ops, diff --git a/sound/core/compress_offload.c b/sound/core/compress_offload.c index 30f73097447b..d91fa8925cde 100644 --- a/sound/core/compress_offload.c +++ b/sound/core/compress_offload.c @@ -1189,7 +1189,7 @@ int snd_compress_new(struct snd_card *card, int device, snd_compress_set_id(compr, id); - snd_device_initialize(&compr->dev, card); + snd_device_initialize(&compr->dev, card, NULL); dev_set_name(&compr->dev, "comprC%iD%i", card->number, device); ret = snd_device_new(card, SNDRV_DEV_COMPRESS, compr, &ops); diff --git a/sound/core/control.c b/sound/core/control.c index 8386b53acdcd..5b9340f5cb8c 100644 --- a/sound/core/control.c +++ b/sound/core/control.c @@ -2395,7 +2395,7 @@ int snd_ctl_create(struct snd_card *card) if (snd_BUG_ON(card->number < 0 || card->number >= SNDRV_CARDS)) return -ENXIO; - snd_device_initialize(&card->ctl_dev, card); + snd_device_initialize(&card->ctl_dev, card, NULL); dev_set_name(&card->ctl_dev, "controlC%d", card->number); err = snd_device_new(card, SNDRV_DEV_CONTROL, card, &ops); diff --git a/sound/core/hwdep.c b/sound/core/hwdep.c index e95fa275c289..5edea1094a07 100644 
--- a/sound/core/hwdep.c +++ b/sound/core/hwdep.c @@ -382,7 +382,7 @@ int snd_hwdep_new(struct snd_card *card, char *id, int device, if (id) strscpy(hwdep->id, id, sizeof(hwdep->id)); - snd_device_initialize(&hwdep->dev, card); + snd_device_initialize(&hwdep->dev, card, NULL); hwdep->dev.release = release_hwdep_device; dev_set_name(&hwdep->dev, "hwC%iD%i", card->number, device); #ifdef CONFIG_SND_OSSEMUL diff --git a/sound/core/init.c b/sound/core/init.c index 22da438faf40..6bc77705ecc3 100644 --- a/sound/core/init.c +++ b/sound/core/init.c @@ -170,25 +170,28 @@ void snd_refmem_put(void *p) EXPORT_SYMBOL_GPL(snd_refmem_put); /* the default release callback set in snd_device_initialize() below; - * this is just NOP for now, as almost all jobs are already done in - * dev_free callback of snd_device chain instead. + * unreference the memory here if it's specified at initialization */ static void default_release(struct device *dev) { + snd_refmem_put(dev_get_drvdata(dev)); } /** * snd_device_initialize - Initialize struct device for sound devices * @dev: device to initialize * @card: card to assign, optional + * @refp: memory associated with snd_refmem */ -void snd_device_initialize(struct device *dev, struct snd_card *card) +void snd_device_initialize(struct device *dev, struct snd_card *card, void *refp) { device_initialize(dev); if (card) dev->parent = &card->card_dev; dev->class = &sound_class; dev->release = default_release; + dev_set_drvdata(dev, refp); + snd_refmem_get(refp); } EXPORT_SYMBOL_GPL(snd_device_initialize); diff --git a/sound/core/pcm.c b/sound/core/pcm.c index 9d95e3731123..461a10cc0db9 100644 --- a/sound/core/pcm.c +++ b/sound/core/pcm.c 
@@ -650,7 +650,7 @@ int snd_pcm_new_stream(struct snd_pcm *pcm, int stream, int substream_count) if (!substream_count) return 0; - snd_device_initialize(&pstr->dev, pcm->card); + snd_device_initialize(&pstr->dev, pcm->card, NULL); pstr->dev.groups = pcm_dev_attr_groups; pstr->dev.type = &pcm_dev_type; dev_set_name(&pstr->dev, "pcmC%iD%i%c", pcm->card->number, pcm->device, diff --git a/sound/core/rawmidi.c b/sound/core/rawmidi.c index 2d3cec908154..34f124b126ca 100644 --- a/sound/core/rawmidi.c +++ b/sound/core/rawmidi.c @@ -1906,7 +1906,7 @@ int snd_rawmidi_init(struct snd_rawmidi *rmidi, if (id != NULL) strscpy(rmidi->id, id, sizeof(rmidi->id)); - snd_device_initialize(&rmidi->dev, card); + snd_device_initialize(&rmidi->dev, card, NULL); rmidi->dev.release = release_rawmidi_device; if (rawmidi_is_ump(rmidi)) dev_set_name(&rmidi->dev, "umpC%iD%i", card->number, device); diff --git a/sound/core/seq/seq_clientmgr.c b/sound/core/seq/seq_clientmgr.c index e3f9ea67d019..66e73b35e57e 100644 --- a/sound/core/seq/seq_clientmgr.c +++ b/sound/core/seq/seq_clientmgr.c @@ -2730,7 +2730,7 @@ int __init snd_sequencer_device_init(void) { int err; - snd_device_initialize(&seq_dev, NULL); + snd_device_initialize(&seq_dev, NULL, NULL); dev_set_name(&seq_dev, "seq"); mutex_lock(®ister_mutex); diff --git a/sound/core/timer.c b/sound/core/timer.c index 9d0d2a5c2e15..04e77a89ecb6 100644 --- a/sound/core/timer.c +++ b/sound/core/timer.c 
@@ -2311,7 +2311,7 @@ static int __init alsa_timer_init(void) { int err; - snd_device_initialize(&timer_dev, NULL); + snd_device_initialize(&timer_dev, NULL, NULL); dev_set_name(&timer_dev, "timer"); #ifdef SNDRV_OSS_INFO_DEV_TIMERS
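Review bot: in the sound/core/init.c hunk, default_release() drops the reference through `dev_get_drvdata(dev)`, so any later dev_set_drvdata() on the same device makes snd_refmem_put() run container_of() on an unrelated pointer, and the reference taken at initialization is never dropped. The commit message mentions the caveat, but the kernel-doc line for `@refp` should state that drvdata is reserved whenever refp is non-NULL; keeping the pointer somewhere callers cannot overwrite would remove the hazard.

Review bot: the snd_hwdep_new() and snd_rawmidi_init() hunks show `dev.release` being replaced right after snd_device_initialize(), so the put in default_release() never runs for those devices. Both pass NULL here, but a later non-NULL refp at either site would leak the reference unless release_hwdep_device and release_rawmidi_device also call snd_refmem_put(). A sentence in the snd_device_initialize() kernel-doc saying that overriding the release callback takes over that duty would prevent this.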
From: Takashi Iwai
To: alsa-devel@alsa-project.org
Cc: Curtis Malainey
Subject: [PATCH RFC 4/6] ALSA: pcm: Release memory with reference
Date: Mon, 7 Aug 2023 15:52:05 +0200
Message-Id: <20230807135207.17708-6-tiwai@suse.de>
In-Reply-To: <20230807135207.17708-1-tiwai@suse.de>

Use refmem allocation for the PCM object that holds two PCM devices (for playback and capture). This fixes the UAF bug by the delayed kobj release.

Signed-off-by: Takashi Iwai
---
 sound/core/pcm.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/sound/core/pcm.c b/sound/core/pcm.c index 461a10cc0db9..1e96437f3f0e 100644 --- a/sound/core/pcm.c +++ b/sound/core/pcm.c 
@@ -650,7 +650,7 @@ int snd_pcm_new_stream(struct snd_pcm *pcm, int stream, int substream_count) if (!substream_count) return 0; - snd_device_initialize(&pstr->dev, pcm->card, NULL); + snd_device_initialize(&pstr->dev, pcm->card, pcm); pstr->dev.groups = pcm_dev_attr_groups; pstr->dev.type = &pcm_dev_type; dev_set_name(&pstr->dev, "pcmC%iD%i%c", pcm->card->number, pcm->device, @@ -721,7 +721,7 @@ static int _snd_pcm_new(struct snd_card *card, const char *id, int device, return -ENXIO; if (rpcm) *rpcm = NULL; - pcm = kzalloc(sizeof(*pcm), GFP_KERNEL); + pcm = snd_refmem_alloc(sizeof(*pcm), card); if (!pcm) return -ENOMEM; pcm->card = card; 
@@ -872,7 +872,7 @@ static int snd_pcm_free(struct snd_pcm *pcm) snd_pcm_lib_preallocate_free_for_all(pcm); snd_pcm_free_stream(&pcm->streams[SNDRV_PCM_STREAM_PLAYBACK]); snd_pcm_free_stream(&pcm->streams[SNDRV_PCM_STREAM_CAPTURE]); - kfree(pcm); + snd_refmem_put(pcm); return 0; }

From patchwork Mon Aug 7 13:52:06 2023
X-Patchwork-Submitter: Takashi Iwai
X-Patchwork-Id: 712016
From: Takashi Iwai
To: alsa-devel@alsa-project.org
Cc: Curtis Malainey
Subject: [PATCH RFC 5/6] ALSA: control: Reference card by ctl_dev
Date: Mon, 7 Aug 2023 15:52:06 +0200
Message-Id: <20230807135207.17708-7-tiwai@suse.de>
In-Reply-To: <20230807135207.17708-1-tiwai@suse.de>
References: <20230807135207.17708-1-tiwai@suse.de>

Add the reference to the card object at control device initialization. This fixes the potential UAF by the delayed kobj release.

Signed-off-by: Takashi Iwai
---
 sound/core/control.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sound/core/control.c b/sound/core/control.c index 5b9340f5cb8c..7ac077b57709 100644 --- a/sound/core/control.c +++ b/sound/core/control.c 
@@ -2395,7 +2395,7 @@ int snd_ctl_create(struct snd_card *card) if (snd_BUG_ON(card->number < 0 || card->number >= SNDRV_CARDS)) return -ENXIO; - snd_device_initialize(&card->ctl_dev, card, NULL); + snd_device_initialize(&card->ctl_dev, card, card); dev_set_name(&card->ctl_dev, "controlC%d", card->number); err = snd_device_new(card, SNDRV_DEV_CONTROL, card, &ops);

From patchwork Mon Aug 7 13:52:07 2023
X-Patchwork-Submitter: Takashi Iwai
X-Patchwork-Id: 712017
From: Takashi Iwai
To: alsa-devel@alsa-project.org
Cc: Curtis Malainey
Subject: [PATCH RFC 6/6] ALSA: compress: Reference card by the device
Date: Mon, 7 Aug 2023 15:52:07 +0200
Message-Id: <20230807135207.17708-8-tiwai@suse.de>
In-Reply-To: <20230807135207.17708-1-tiwai@suse.de>
References: <20230807135207.17708-1-tiwai@suse.de>

Add the reference to the card object at compress device initialization. This fixes the potential UAF by the delayed kobj release.

Signed-off-by: Takashi Iwai
---
 sound/core/compress_offload.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sound/core/compress_offload.c b/sound/core/compress_offload.c index d91fa8925cde..971f6d9f5906 100644 --- a/sound/core/compress_offload.c +++ b/sound/core/compress_offload.c @@ -1189,7 +1189,7 @@ int snd_compress_new(struct snd_card *card, int device, snd_compress_set_id(compr, id); - snd_device_initialize(&compr->dev, card, NULL); + snd_device_initialize(&compr->dev, card, card); dev_set_name(&compr->dev, "comprC%iD%i", card->number, device); ret = snd_device_new(card, SNDRV_DEV_COMPRESS, compr, &ops);
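
Review bot: in patch 4/6 (sound/core/pcm.c), the _snd_pcm_new() hunk swaps kzalloc(sizeof(*pcm), GFP_KERNEL) for snd_refmem_alloc(sizeof(*pcm), card), and nothing visible says the new allocator returns zeroed memory. The following line sets only pcm->card, so every other field of struct snd_pcm relied on kzalloc's zero fill. Please state in the commit message or a comment that snd_refmem_alloc() zero-fills and which allocation context it uses now that the GFP_KERNEL argument is gone, or zero the object explicitly here.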
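
Review bot: in patch 4/6 (sound/core/pcm.c), the snd_pcm_free() hunk calls snd_refmem_put(pcm) after both snd_pcm_free_stream() calls, so pcm can now outlive this function while the contents of pcm->streams[] are already torn down. With the first hunk passing pcm to snd_device_initialize() for each stream device, the remaining holders are the delayed releases of those devices; a comment here saying so, and that the release path touches only the embedded struct device and no stream data freed above, would make the lifetime rule checkable. The commit message should also say when the last put is expected to happen.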
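
Review bot: in patch 5/6 (sound/core/control.c), snd_ctl_create() now calls snd_device_initialize(&card->ctl_dev, card, card), which makes a device embedded in the card hold a reference on that same card, and the patch shows no matching release. Please name in the commit message or a comment where the final put of ctl_dev drops this reference, and confirm that this put does not itself wait for the card to be freed, since that ordering would keep the card allocated forever.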
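
Review bot: in patch 6/6 (sound/core/compress_offload.c), snd_compress_new() initializes a device embedded in compr (&compr->dev) but takes the reference on card, unlike patch 4/6 where the stream device pins the pcm object that contains it. If compr is allocated separately from the card, a delayed release of compr->dev can still run after compr has been freed, which is the UAF the series sets out to close. Either explain in the commit message why holding card keeps the memory behind compr->dev alive, or allocate compr through refmem and pass compr as the third argument.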