ALSA: core: Fix the debugfs removal at snd_card_free()

The commit 2d670ea2bd53 ("ALSA: jack: implement software jack
injection via debugfs") introduced a debugfs root for each sound card
object.  The debugfs entry gets removed at the card removal, too, but
it turned out that debugfs_remove() is called at a wrong place; it's
after the card object gets freed, hence it leads to use-after-free.

Fix it by moving the debugfs_remove() at the right place, the
destructor of the card device.

Fixes: 2d670ea2bd53 ("ALSA: jack: implement software jack injection via debugfs")
Reported-and-tested-by: Chris Wilson <chris@chris-wilson.co.uk>
Link: https://lore.kernel.org/r/161228343605.1150.8862281636043446562@build.alporthouse.com
Link: https://lore.kernel.org/r/20210202225629.1965-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>

diff --git a/sound/core/init.c b/sound/core/init.c
index d4e78b17679308838731f5e835fcc5c49ac768a2..84b573e9c1f99c363309f4a1d2a06c7f581535fc 100644 (file)
--- a/sound/core/init.c
+++ b/sound/core/init.c
@@ -487,6 +487,10 @@ static int snd_card_do_free(struct snd_card *card)
                dev_warn(card->dev, "unable to free card info\n");
                /* Not fatal error */
        }
+#ifdef CONFIG_SND_DEBUG
+       debugfs_remove(card->debugfs_root);
+       card->debugfs_root = NULL;
+#endif
        if (card->release_completion)
                complete(card->release_completion);
        kfree(card);
@@ -537,11 +541,6 @@ int snd_card_free(struct snd_card *card)
        /* wait, until all devices are ready for the free operation */
        wait_for_completion(&released);
 
-#ifdef CONFIG_SND_DEBUG
-       debugfs_remove(card->debugfs_root);
-       card->debugfs_root = NULL;
-#endif
-
        return 0;
 }
 EXPORT_SYMBOL(snd_card_free);