[PATCH v2] staging: greybus: audio: fix loop cursor use after iteration

[PATCH v2] staging: greybus: audio: fix loop cursor use after iteration

[Jared Kangas]

gbaudio_dapm_free_controls() iterates over widgets using the
list_for_each_entry*() family of macros from <linux/list.h>, which
leaves the loop cursor pointing to a meaningless structure if it
completes a traversal of the list. The cursor was set to NULL at the end
of the loop body, but would be overwritten by the final loop cursor
update.

Because of this behavior, the widget could be non-null after the loop
even if the widget wasn't found, and the cleanup logic would treat the
pointer as a valid widget to free.

To fix this, introduce a temporary variable to act as the loop cursor
and copy it to a variable that can be accessed after the loop finishes.
Due to not removing any list elements, use list_for_each_entry() instead
of list_for_each_entry_safe() in the revised loop.

This was detected with the help of Coccinelle.

Fixes: 510e340efe0c ("staging: greybus: audio: Add helper APIs for dynamic audio modules")
Cc: stable@vger.kernel.org
Reviewed-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Jared Kangas <kangas.jd@gmail.com>
---

Changes since v1:
 * Removed safe list iteration as suggested by Johan Hovold <johan@kernel.org>
 * Updated patch changelog to explain the list iteration change
 * Added tags to changelog based on feedback (Cc:, Fixes:, Reviewed-by:)

 drivers/staging/greybus/audio_helper.c | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/drivers/staging/greybus/audio_helper.c b/drivers/staging/greybus/audio_helper.c
index 843760675876..05e91e6bc2a0 100644
--- a/drivers/staging/greybus/audio_helper.c
+++ b/drivers/staging/greybus/audio_helper.c
@@ -115,7 +115,7 @@ int gbaudio_dapm_free_controls(struct snd_soc_dapm_context *dapm,
 			       int num)
 {
 	int i;
-	struct snd_soc_dapm_widget *w, *next_w;
+	struct snd_soc_dapm_widget *w, *tmp_w;
 #ifdef CONFIG_DEBUG_FS
 	struct dentry *parent = dapm->debugfs_dapm;
 	struct dentry *debugfs_w = NULL;
@@ -124,13 +124,13 @@ int gbaudio_dapm_free_controls(struct snd_soc_dapm_context *dapm,
 	mutex_lock(&dapm->card->dapm_mutex);
 	for (i = 0; i < num; i++) {
 		/* below logic can be optimized to identify widget pointer */
-		list_for_each_entry_safe(w, next_w, &dapm->card->widgets,
-					 list) {
-			if (w->dapm != dapm)
-				continue;
-			if (!strcmp(w->name, widget->name))
+		w = NULL;
+		list_for_each_entry(tmp_w, &dapm->card->widgets, list) {
+			if (tmp_w->dapm == dapm &&
+			    !strcmp(tmp_w->name, widget->name)) {
+				w = tmp_w;
 				break;
-			w = NULL;
+			}
 		}
 		if (!w) {
 			dev_err(dapm->dev, "%s: widget not found\n",
-- 
2.34.3

Re: [PATCH v2] staging: greybus: audio: fix loop cursor use after iteration

[Greg KH]

On Thu, Jun 09, 2022 at 02:45:18PM -0700, Jared Kangas wrote:
> gbaudio_dapm_free_controls() iterates over widgets using the
> list_for_each_entry*() family of macros from <linux/list.h>, which
> leaves the loop cursor pointing to a meaningless structure if it
> completes a traversal of the list. The cursor was set to NULL at the end
> of the loop body, but would be overwritten by the final loop cursor
> update.
> 
> Because of this behavior, the widget could be non-null after the loop
> even if the widget wasn't found, and the cleanup logic would treat the
> pointer as a valid widget to free.
> 
> To fix this, introduce a temporary variable to act as the loop cursor
> and copy it to a variable that can be accessed after the loop finishes.
> Due to not removing any list elements, use list_for_each_entry() instead
> of list_for_each_entry_safe() in the revised loop.
> 
> This was detected with the help of Coccinelle.
> 
> Fixes: 510e340efe0c ("staging: greybus: audio: Add helper APIs for dynamic audio modules")
> Cc: stable@vger.kernel.org
> Reviewed-by: Dan Carpenter <dan.carpenter@oracle.com>
> Reviewed-by: Johan Hovold <johan@kernel.org>
> Signed-off-by: Jared Kangas <kangas.jd@gmail.com>
> ---
> 
> Changes since v1:
>  * Removed safe list iteration as suggested by Johan Hovold <johan@kernel.org>
>  * Updated patch changelog to explain the list iteration change
>  * Added tags to changelog based on feedback (Cc:, Fixes:, Reviewed-by:)
> 
>  drivers/staging/greybus/audio_helper.c | 14 +++++++-------
>  1 file changed, 7 insertions(+), 7 deletions(-)
> 
> diff --git a/drivers/staging/greybus/audio_helper.c b/drivers/staging/greybus/audio_helper.c
> index 843760675876..05e91e6bc2a0 100644
> --- a/drivers/staging/greybus/audio_helper.c
> +++ b/drivers/staging/greybus/audio_helper.c
> @@ -115,7 +115,7 @@ int gbaudio_dapm_free_controls(struct snd_soc_dapm_context *dapm,
>  			       int num)
>  {
>  	int i;
> -	struct snd_soc_dapm_widget *w, *next_w;
> +	struct snd_soc_dapm_widget *w, *tmp_w;
>  #ifdef CONFIG_DEBUG_FS
>  	struct dentry *parent = dapm->debugfs_dapm;
>  	struct dentry *debugfs_w = NULL;
> @@ -124,13 +124,13 @@ int gbaudio_dapm_free_controls(struct snd_soc_dapm_context *dapm,
>  	mutex_lock(&dapm->card->dapm_mutex);
>  	for (i = 0; i < num; i++) {
>  		/* below logic can be optimized to identify widget pointer */
> -		list_for_each_entry_safe(w, next_w, &dapm->card->widgets,
> -					 list) {
> -			if (w->dapm != dapm)
> -				continue;
> -			if (!strcmp(w->name, widget->name))
> +		w = NULL;
> +		list_for_each_entry(tmp_w, &dapm->card->widgets, list) {
> +			if (tmp_w->dapm == dapm &&
> +			    !strcmp(tmp_w->name, widget->name)) {
> +				w = tmp_w;
>  				break;
> -			w = NULL;
> +			}
>  		}
>  		if (!w) {
>  			dev_err(dapm->dev, "%s: widget not found\n",
> -- 
> 2.34.3
> 
> 


Hi,

This is the friendly patch-bot of Greg Kroah-Hartman.  You have sent him
a patch that has triggered this response.  He used to manually respond
to these common problems, but in order to save his sanity (he kept
writing the same thing over and over, yet to different people), I was
created.  Hopefully you will not take offence and will fix the problem
in your patch and resubmit it so that it can be accepted into the Linux
kernel tree.

You are receiving this message because of the following common error(s)
as indicated below:

- Your patch did not apply to any known trees that Greg is in control
  of.  Possibly this is because you made it against Linus's tree, not
  the linux-next tree, which is where all of the development for the
  next version of the kernel is at.  Please refresh your patch against
  the linux-next tree, or even better yet, the development tree
  specified in the MAINTAINERS file for the subsystem you are submitting
  a patch for, and resend it.

If you wish to discuss this problem further, or you have questions about
how to resolve this issue, please feel free to respond to this email and
Greg will reply once he has dug out from the pending patches received
from other developers.

thanks,

greg k-h's patch email bot

Re: [PATCH v2] staging: greybus: audio: fix loop cursor use after iteration

[Johan Hovold]

On Thu, Jun 09, 2022 at 02:45:18PM -0700, Jared Kangas wrote:
> gbaudio_dapm_free_controls() iterates over widgets using the
> list_for_each_entry*() family of macros from <linux/list.h>, which
> leaves the loop cursor pointing to a meaningless structure if it
> completes a traversal of the list. The cursor was set to NULL at the end
> of the loop body, but would be overwritten by the final loop cursor
> update.
> 
> Because of this behavior, the widget could be non-null after the loop
> even if the widget wasn't found, and the cleanup logic would treat the
> pointer as a valid widget to free.
> 
> To fix this, introduce a temporary variable to act as the loop cursor
> and copy it to a variable that can be accessed after the loop finishes.
> Due to not removing any list elements, use list_for_each_entry() instead
> of list_for_each_entry_safe() in the revised loop.
> 
> This was detected with the help of Coccinelle.
> 
> Fixes: 510e340efe0c ("staging: greybus: audio: Add helper APIs for dynamic audio modules")
> Cc: stable@vger.kernel.org
> Reviewed-by: Dan Carpenter <dan.carpenter@oracle.com>
> Reviewed-by: Johan Hovold <johan@kernel.org>
> Signed-off-by: Jared Kangas <kangas.jd@gmail.com>
> ---
> 
> Changes since v1:
>  * Removed safe list iteration as suggested by Johan Hovold <johan@kernel.org>
>  * Updated patch changelog to explain the list iteration change
>  * Added tags to changelog based on feedback (Cc:, Fixes:, Reviewed-by:)

Apparently Greg applied this to staging-next before we had a change to
look at it. You should have received a notification from Greg when he
did so.

	https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging.git/commit/?h=staging-next&id=80c968a04a381dc0e690960c60ffd6b6aee7e157

It seems unlikely that this would cause any issues in real life, but
there's still a chance it will be picked up by the stable team despite
the lack of a CC stable tag.

I've just sent a follow-up patch to replace the list macro.

Johan

Re: [PATCH v2] staging: greybus: audio: fix loop cursor use after iteration

[Dan Carpenter]

On Fri, Jun 10, 2022 at 10:00:03AM +0200, Johan Hovold wrote:
> > Fixes: 510e340efe0c ("staging: greybus: audio: Add helper APIs for dynamic audio modules")
> > Cc: stable@vger.kernel.org
> > Reviewed-by: Dan Carpenter <dan.carpenter@oracle.com>
> > Reviewed-by: Johan Hovold <johan@kernel.org>
> > Signed-off-by: Jared Kangas <kangas.jd@gmail.com>
> > ---
> > 
> > Changes since v1:
> >  * Removed safe list iteration as suggested by Johan Hovold <johan@kernel.org>
> >  * Updated patch changelog to explain the list iteration change
> >  * Added tags to changelog based on feedback (Cc:, Fixes:, Reviewed-by:)
> 
> Apparently Greg applied this to staging-next before we had a change to
> look at it. You should have received a notification from Greg when he
> did so.
> 
> 	https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging.git/commit/?h=staging-next&id=80c968a04a381dc0e690960c60ffd6b6aee7e157
> 
> It seems unlikely that this would cause any issues in real life, but
> there's still a chance it will be picked up by the stable team despite
> the lack of a CC stable tag.

If you want you can always email the stable team to pick up the patch.

regards,
dan carpenter

Re: [greybus-dev] Re: [PATCH v2] staging: greybus: audio: fix loop cursor use after iteration

[Johan Hovold]

On Fri, Jun 10, 2022 at 11:06:27AM +0300, Dan Carpenter wrote:
> On Fri, Jun 10, 2022 at 10:00:03AM +0200, Johan Hovold wrote:
> > > Fixes: 510e340efe0c ("staging: greybus: audio: Add helper APIs for dynamic audio modules")
> > > Cc: stable@vger.kernel.org
> > > Reviewed-by: Dan Carpenter <dan.carpenter@oracle.com>
> > > Reviewed-by: Johan Hovold <johan@kernel.org>
> > > Signed-off-by: Jared Kangas <kangas.jd@gmail.com>
> > > ---
> > > 
> > > Changes since v1:
> > >  * Removed safe list iteration as suggested by Johan Hovold <johan@kernel.org>
> > >  * Updated patch changelog to explain the list iteration change
> > >  * Added tags to changelog based on feedback (Cc:, Fixes:, Reviewed-by:)
> > 
> > Apparently Greg applied this to staging-next before we had a change to
> > look at it. You should have received a notification from Greg when he
> > did so.
> > 
> > 	https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging.git/commit/?h=staging-next&id=80c968a04a381dc0e690960c60ffd6b6aee7e157
> > 
> > It seems unlikely that this would cause any issues in real life, but
> > there's still a chance it will be picked up by the stable team despite
> > the lack of a CC stable tag.
> 
> If you want you can always email the stable team to pick up the patch.

Yes, of course. But it will be months before this fix hits mainline and
I probably won't remember to do so then.

I'm pretty sure Sasha's autosel tool will pick it up anyway, though.

Johan

Re: [PATCH v2] staging: greybus: audio: fix loop cursor use after iteration

[Jared Kangas]

On Fri, Jun 10, 2022 at 10:00:03AM +0200, Johan Hovold wrote:
> On Thu, Jun 09, 2022 at 02:45:18PM -0700, Jared Kangas wrote:
> > gbaudio_dapm_free_controls() iterates over widgets using the
> > list_for_each_entry*() family of macros from <linux/list.h>, which
> > leaves the loop cursor pointing to a meaningless structure if it
> > completes a traversal of the list. The cursor was set to NULL at the end
> > of the loop body, but would be overwritten by the final loop cursor
> > update.
> > 
> > Because of this behavior, the widget could be non-null after the loop
> > even if the widget wasn't found, and the cleanup logic would treat the
> > pointer as a valid widget to free.
> > 
> > To fix this, introduce a temporary variable to act as the loop cursor
> > and copy it to a variable that can be accessed after the loop finishes.
> > Due to not removing any list elements, use list_for_each_entry() instead
> > of list_for_each_entry_safe() in the revised loop.
> > 
> > This was detected with the help of Coccinelle.
> > 
> > Fixes: 510e340efe0c ("staging: greybus: audio: Add helper APIs for dynamic audio modules")
> > Cc: stable@vger.kernel.org
> > Reviewed-by: Dan Carpenter <dan.carpenter@oracle.com>
> > Reviewed-by: Johan Hovold <johan@kernel.org>
> > Signed-off-by: Jared Kangas <kangas.jd@gmail.com>
> > ---
> > 
> > Changes since v1:
> >  * Removed safe list iteration as suggested by Johan Hovold <johan@kernel.org>
> >  * Updated patch changelog to explain the list iteration change
> >  * Added tags to changelog based on feedback (Cc:, Fixes:, Reviewed-by:)
> 
> Apparently Greg applied this to staging-next before we had a change to
> look at it. You should have received a notification from Greg when he
> did so.
> 
> 	https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging.git/commit/?h=staging-next&id=80c968a04a381dc0e690960c60ffd6b6aee7e157
> 
> It seems unlikely that this would cause any issues in real life, but
> there's still a chance it will be picked up by the stable team despite
> the lack of a CC stable tag.
> 
> I've just sent a follow-up patch to replace the list macro.
> 
> Johan

Sorry about that - I got a notification but thought it was still
revisable. In hindsight, it makes sense that once it gets applied to
a public branch, changes should be done in additional patches. Thanks to
both you and Dan for taking the time to review and catch my mistakes.

Jared