* [PATCH] ASoC: dapm: Move dai_link widgets to runtime to fix use after free
@ 2020-05-26 16:19 Charles Keepax
  2020-05-27 13:49 ` Mark Brown
  0 siblings, 1 reply; 2+ messages in thread
From: Charles Keepax @ 2020-05-26 16:19 UTC (permalink / raw)
  To: broonie; +Cc: patches, alsa-devel, lgirdwood

The newly added CODEC to CODEC DAI link widget pointers in
snd_soc_dai_link are better placed in snd_soc_pcm_runtime.
snd_soc_dai_link is really intended for static configuration of
the DAI, and the runtime for dynamic data.  The snd_soc_dai_link
structures are not destroyed if the card is unbound. The widgets
are cleared up on unbind, however if the card is rebound as the
snd_soc_dai_link structures are reused these pointers will be left at
their old values, causing access to freed memory.

Fixes: 595571cca4de ("ASoC: dapm: Fix regression introducing multiple copies of DAI widgets")
Signed-off-by: Charles Keepax <ckeepax@opensource.cirrus.com>
---
 include/sound/soc.h  |  6 +++---
 sound/soc/soc-dapm.c | 12 ++++++------
 2 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/include/sound/soc.h b/include/sound/soc.h
index a7fa642601081..ba07cdfcdcee4 100644
--- a/include/sound/soc.h
+++ b/include/sound/soc.h
@@ -801,9 +801,6 @@ struct snd_soc_dai_link {
 	const struct snd_soc_pcm_stream *params;
 	unsigned int num_params;
 
-	struct snd_soc_dapm_widget *playback_widget;
-	struct snd_soc_dapm_widget *capture_widget;
-
 	unsigned int dai_fmt;           /* format to set on init */
 
 	enum snd_soc_dpcm_trigger trigger[2]; /* trigger type for DPCM */
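Review bot: removing playback_widget and capture_widget from struct snd_soc_dai_link in a shared header will break the build for any other code that still dereferences dai_link->playback_widget or dai_link->capture_widget, and the diffstat only touches soc.h and soc-dapm.c. A tree-wide grep for both member names under sound/soc/ before applying would confirm soc-dapm.c is the only user.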
@@ -1169,6 +1166,9 @@ struct snd_soc_pcm_runtime {
 	unsigned int num_codecs;
 	unsigned int num_cpus;
 
+	struct snd_soc_dapm_widget *playback_widget;
+	struct snd_soc_dapm_widget *capture_widget;
+
 	struct delayed_work delayed_work;
 	void (*close_delayed_work_func)(struct snd_soc_pcm_runtime *rtd);
 #ifdef CONFIG_DEBUG_FS
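Review bot: the two pointers added to struct snd_soc_pcm_runtime carry no comment, so their purpose and lifetime are not recorded where the next reader will look. A one-line comment above them saying they are the CODEC to CODEC DAI link widgets, created in dapm_connect_dai_pair() and owned by the card's DAPM context (so valid only while the card is bound), would document the invariant this patch relies on.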
diff --git a/sound/soc/soc-dapm.c b/sound/soc/soc-dapm.c
index a4de3e4bc2eff..fc40f283a2480 100644
--- a/sound/soc/soc-dapm.c
+++ b/sound/soc/soc-dapm.c
@@ -4340,16 +4340,16 @@ static void dapm_connect_dai_pair(struct snd_soc_card *card,
 	codec = codec_dai->playback_widget;
 
 	if (playback_cpu && codec) {
-		if (dai_link->params && !dai_link->playback_widget) {
+		if (dai_link->params && !rtd->playback_widget) {
 			substream = streams[SNDRV_PCM_STREAM_PLAYBACK].substream;
 			dai = snd_soc_dapm_new_dai(card, substream, "playback");
 			if (IS_ERR(dai))
 				goto capture;
-			dai_link->playback_widget = dai;
+			rtd->playback_widget = dai;
 		}
 
 		dapm_connect_dai_routes(&card->dapm, cpu_dai, playback_cpu,
-					dai_link->playback_widget,
+					rtd->playback_widget,
 					codec_dai, codec);
 	}
 
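Review bot: the guard `!rtd->playback_widget` in the playback branch only fixes the use after free if rtd is allocated zeroed on every bind and released on unbind, and nothing in the visible lines shows that. The commit message explains why snd_soc_dai_link goes stale but should also state that the runtime is recreated on rebind; otherwise explicitly setting rtd->playback_widget to NULL where the widgets are freed would make the fix independent of the allocation path.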
@@ -4358,16 +4358,16 @@ static void dapm_connect_dai_pair(struct snd_soc_card *card,
 	codec = codec_dai->capture_widget;
 
 	if (codec && capture_cpu) {
-		if (dai_link->params && !dai_link->capture_widget) {
+		if (dai_link->params && !rtd->capture_widget) {
 			substream = streams[SNDRV_PCM_STREAM_CAPTURE].substream;
 			dai = snd_soc_dapm_new_dai(card, substream, "capture");
 			if (IS_ERR(dai))
 				return;
-			dai_link->capture_widget = dai;
+			rtd->capture_widget = dai;
 		}
 
 		dapm_connect_dai_routes(&card->dapm, codec_dai, codec,
-					dai_link->capture_widget,
+					rtd->capture_widget,
 					cpu_dai, capture_cpu);
 	}
 }
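Review bot: in the capture branch, `if (IS_ERR(dai)) return;` exits a void function without reporting anything, so a failed snd_soc_dapm_new_dai() leaves rtd->capture_widget NULL and the link unrouted with no trace (the playback branch does the same with `goto capture`). Since these lines are being touched anyway, consider logging PTR_ERR(dai) on both paths unless snd_soc_dapm_new_dai() already reports the failure itself.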
-- 
2.11.0



* Re: [PATCH] ASoC: dapm: Move dai_link widgets to runtime to fix use after free
  2020-05-26 16:19 [PATCH] ASoC: dapm: Move dai_link widgets to runtime to fix use after free Charles Keepax
@ 2020-05-27 13:49 ` Mark Brown
  0 siblings, 0 replies; 2+ messages in thread
From: Mark Brown @ 2020-05-27 13:49 UTC (permalink / raw)
  To: Charles Keepax; +Cc: patches, alsa-devel, lgirdwood

On Tue, 26 May 2020 17:19:30 +0100, Charles Keepax wrote:
> The newly added CODEC to CODEC DAI link widget pointers in
> snd_soc_dai_link are better placed in snd_soc_pcm_runtime.
> snd_soc_dai_link is really intended for static configuration of
> the DAI, and the runtime for dynamic data.  The snd_soc_dai_link
> structures are not destroyed if the card is unbound. The widgets
> are cleared up on unbind, however if the card is rebound as the
> snd_soc_dai_link structures are reused these pointers will be left at
> their old values, causing access to freed memory.

Applied to

   https://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound.git for-next

Thanks!

[1/1] ASoC: dapm: Move dai_link widgets to runtime to fix use after free
      commit: f4aa5e214eeaf7f1c7f157526a5aa29784cb6a1f

All being well this means that it will be integrated into the linux-next
tree (usually sometime in the next 24 hours) and sent to Linus during
the next merge window (or sooner if it is a bug fix), however if
problems are discovered then the patch may be dropped or reverted.

You may get further e-mails resulting from automated or manual testing
and review of the tree, please engage with people reporting problems and
send followup patches addressing any issues that are reported if needed.

If any updates are required or you are submitting further changes they
should be sent as incremental updates against current git, existing
patches will not be replaced.

Please add any relevant lists and maintainers to the CCs when replying
to this mail.

Thanks,
Mark
