lib-manager: fix use-after-free#10184
Merged
kv2019i merged 1 commit intothesofproject:mainfrom Aug 22, 2025
Merged
Conversation
lyakh
requested review from
dbaluta,
kv2019i,
lbetlej,
lgirdwood,
mmaka1 and
plbossart
as code owners
There was a problem hiding this comment.
Pull Request Overview
This PR fixes a use-after-free bug in the library manager module cleanup code. The issue occurs when module_adapter_free() deallocates the device object, but subsequent code attempts to access fields from the freed memory.
- Extracts the component ID before calling
module_adapter_free()to avoid dereferencing freed memory - Updates error logging to use the library manager tracer instead of the freed device object
- Ensures safe cleanup sequence by accessing device data before deallocation
Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.
src/library_manager/lib_manager.c
Outdated
| { | ||
| struct processing_module *mod = comp_mod(dev); | ||
| const struct comp_ipc_config *const config = &mod->dev->ipc_config; | ||
| uint32_t component_id = mod->dev->ipc_config.id; |
There was a problem hiding this comment.
The component_id is extracted from mod->dev->ipc_config.id, but mod is derived from dev (comp_mod(dev)) and will also be invalidated when module_adapter_free(dev) is called. This still represents a potential use-after-free issue since mod points to memory within the dev structure that gets freed.
module_adapter_free() called in lib_manager_module_free() frees the device object, dereferencing it after that is invalid and can lead to exceptions. Signed-off-by: Guennadi Liakhovetski <guennadi.liakhovetski@linux.intel.com>
lgirdwood
approved these changes
Aug 21, 2025
kv2019i
approved these changes
Aug 21, 2025
Collaborator
|
FYI @softwarecki |
Collaborator
|
Good catch! |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
module_adapter_free() called in lib_manager_module_free() frees the device object, dereferencing it after that is invalid and can lead to exceptions.