ASoC: topology: Prevent use-after-free in snd_soc_get_pcm_runtime()

[ Upstream commit dd836ddf4e4e1c7f1eb2ae44783ccd70872ef24e ]

remove_link() is currently calling snd_soc_remove_dai_link() after
it has already freed the memory for the link name. But this is later
read from snd_soc_get_pcm_runtime() causing a KASAN use-after-free
warning. Reorder the cleanups to fix this issue.

Reviewed-by: Ranjani Sridharan <ranjani.sridharan@linux.intel.com>
Signed-off-by: Dragos Tarcatu <dragos_tarcatu@mentor.com>
Signed-off-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
Reviewed-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
Link: https://lore.kernel.org/r/20191204210447.11701-4-pierre-louis.bossart@linux.intel.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/sound/soc/soc-topology.c b/sound/soc/soc-topology.c
index fd2d22ddc81b0c02d1d7ef3c8bd27ac2767b1e77..7ccbca47240d7a429f39edd6eac2acbcd4bfb67c 100644 (file)
--- a/sound/soc/soc-topology.c
+++ b/sound/soc/soc-topology.c
@@ -548,12 +548,12 @@ static void remove_link(struct snd_soc_component *comp,
        if (dobj->ops && dobj->ops->link_unload)
                dobj->ops->link_unload(comp, dobj);
 
+       list_del(&dobj->list);
+       snd_soc_remove_dai_link(comp->card, link);
+
        kfree(link->name);
        kfree(link->stream_name);
        kfree(link->cpus->dai_name);
-
-       list_del(&dobj->list);
-       snd_soc_remove_dai_link(comp->card, link);
        kfree(link);
 }