Alsa-Devel Archive on lore.kernel.org
 help / color / Atom feed
* [PATCH 0/4] Fix some use-after-free problems in sound/soc/generic
@ 2019-07-10  7:25 Wen Yang
  2019-07-10  7:25 ` [PATCH 1/4] ASoC: simple-card: fix an use-after-free in simple_dai_link_of_dpcm() Wen Yang
                   ` (4 more replies)
  0 siblings, 5 replies; 10+ messages in thread
From: Wen Yang @ 2019-07-10  7:25 UTC (permalink / raw)
  To: lgirdwood
  Cc: broonie, perex, tiwai, kuninori.morimoto.gx, alsa-devel,
	linux-kernel, jonathanh, xue.zhihong, wang.yi59, cheng.shengyu,
	Wen Yang

We developed a coccinelle SmPL to detect sound/sooc/generic code and
found some use-after-free problems.
This patch series fixes those problems.

Wen Yang (4):
  ASoC: simple-card: fix an use-after-free in simple_dai_link_of_dpcm()
  ASoC: simple-card: fix an use-after-free in simple_for_each_link()
  ASoC: audio-graph-card: fix use-after-free in graph_dai_link_of_dpcm()
  ASoC: audio-graph-card: fix an use-after-free in graph_get_dai_id()

 sound/soc/generic/audio-graph-card.c | 30 ++++++++++++++++--------------
 sound/soc/generic/simple-card.c      | 26 +++++++++++++-------------
 2 files changed, 29 insertions(+), 27 deletions(-)

Cc: Liam Girdwood <lgirdwood@gmail.com>
Cc: Mark Brown <broonie@kernel.org>
Cc: Jaroslav Kysela <perex@perex.cz>
Cc: Takashi Iwai <tiwai@suse.com>
Cc: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
Cc: alsa-devel@alsa-project.org
Cc: linux-kernel@vger.kernel.org

-- 
2.9.5

^ permalink raw reply	[flat|nested] 10+ messages in thread

* [PATCH 1/4] ASoC: simple-card: fix an use-after-free in simple_dai_link_of_dpcm()
  2019-07-10  7:25 [PATCH 0/4] Fix some use-after-free problems in sound/soc/generic Wen Yang
@ 2019-07-10  7:25 ` Wen Yang
  2019-07-10 15:34   ` Applied "ASoC: simple-card: fix an use-after-free in simple_dai_link_of_dpcm()" to the asoc tree Mark Brown
  2019-07-10  7:25 ` [PATCH 2/4] ASoC: simple-card: fix an use-after-free in simple_for_each_link() Wen Yang
                   ` (3 subsequent siblings)
  4 siblings, 1 reply; 10+ messages in thread
From: Wen Yang @ 2019-07-10  7:25 UTC (permalink / raw)
  To: lgirdwood
  Cc: broonie, perex, tiwai, kuninori.morimoto.gx, alsa-devel,
	linux-kernel, jonathanh, xue.zhihong, wang.yi59, cheng.shengyu,
	Wen Yang

The node variable is still being used after the of_node_put() call,
which may result in use-after-free.

Fixes: cfc652a73331 ("ASoC: simple-card: tidyup prefix for snd_soc_codec_conf")
Signed-off-by: Wen Yang <wen.yang99@zte.com.cn>
Cc: Liam Girdwood <lgirdwood@gmail.com>
Cc: Mark Brown <broonie@kernel.org>
Cc: Jaroslav Kysela <perex@perex.cz>
Cc: Takashi Iwai <tiwai@suse.com>
Cc: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
Cc: Jon Hunter <jonathanh@nvidia.com>
Cc: alsa-devel@alsa-project.org
Cc: linux-kernel@vger.kernel.org
---
 sound/soc/generic/simple-card.c | 22 +++++++++++-----------
 1 file changed, 11 insertions(+), 11 deletions(-)

diff --git a/sound/soc/generic/simple-card.c b/sound/soc/generic/simple-card.c
index e5cde0d..4117e54 100644
--- a/sound/soc/generic/simple-card.c
+++ b/sound/soc/generic/simple-card.c
@@ -124,8 +124,6 @@ static int simple_dai_link_of_dpcm(struct asoc_simple_priv *priv,
 
 	li->link++;
 
-	of_node_put(node);
-
 	/* For single DAI link & old style of DT node */
 	if (is_top)
 		prefix = PREFIX;
@@ -147,17 +145,17 @@ static int simple_dai_link_of_dpcm(struct asoc_simple_priv *priv,
 
 		ret = asoc_simple_parse_cpu(np, dai_link, &is_single_links);
 		if (ret)
-			return ret;
+			goto out_put_node;
 
 		ret = asoc_simple_parse_clk_cpu(dev, np, dai_link, dai);
 		if (ret < 0)
-			return ret;
+			goto out_put_node;
 
 		ret = asoc_simple_set_dailink_name(dev, dai_link,
 						   "fe.%s",
 						   cpus->dai_name);
 		if (ret < 0)
-			return ret;
+			goto out_put_node;
 
 		asoc_simple_canonicalize_cpu(dai_link, is_single_links);
 	} else {
@@ -180,17 +178,17 @@ static int simple_dai_link_of_dpcm(struct asoc_simple_priv *priv,
 
 		ret = asoc_simple_parse_codec(np, dai_link);
 		if (ret < 0)
-			return ret;
+			goto out_put_node;
 
 		ret = asoc_simple_parse_clk_codec(dev, np, dai_link, dai);
 		if (ret < 0)
-			return ret;
+			goto out_put_node;
 
 		ret = asoc_simple_set_dailink_name(dev, dai_link,
 						   "be.%s",
 						   codecs->dai_name);
 		if (ret < 0)
-			return ret;
+			goto out_put_node;
 
 		/* check "prefix" from top node */
 		snd_soc_of_parse_node_prefix(top, cconf, codecs->of_node,
@@ -208,19 +206,21 @@ static int simple_dai_link_of_dpcm(struct asoc_simple_priv *priv,
 
 	ret = asoc_simple_parse_tdm(np, dai);
 	if (ret)
-		return ret;
+		goto out_put_node;
 
 	ret = asoc_simple_parse_daifmt(dev, node, codec,
 				       prefix, &dai_link->dai_fmt);
 	if (ret < 0)
-		return ret;
+		goto out_put_node;
 
 	dai_link->dpcm_playback		= 1;
 	dai_link->dpcm_capture		= 1;
 	dai_link->ops			= &simple_ops;
 	dai_link->init			= asoc_simple_dai_init;
 
-	return 0;
+out_put_node:
+	of_node_put(node);
+	return ret;
 }
 
 static int simple_dai_link_of(struct asoc_simple_priv *priv,
-- 
2.9.5

^ permalink raw reply	[flat|nested] 10+ messages in thread

* [PATCH 2/4] ASoC: simple-card: fix an use-after-free in simple_for_each_link()
  2019-07-10  7:25 [PATCH 0/4] Fix some use-after-free problems in sound/soc/generic Wen Yang
  2019-07-10  7:25 ` [PATCH 1/4] ASoC: simple-card: fix an use-after-free in simple_dai_link_of_dpcm() Wen Yang
@ 2019-07-10  7:25 ` Wen Yang
  2019-07-10 15:34   ` Applied "ASoC: simple-card: fix an use-after-free in simple_for_each_link()" to the asoc tree Mark Brown
  2019-07-10  7:25 ` [PATCH 3/4] ASoC: audio-graph-card: fix use-after-free in graph_dai_link_of_dpcm() Wen Yang
                   ` (2 subsequent siblings)
  4 siblings, 1 reply; 10+ messages in thread
From: Wen Yang @ 2019-07-10  7:25 UTC (permalink / raw)
  To: lgirdwood
  Cc: jonathanh, wang.yi59, alsa-devel, kuninori.morimoto.gx,
	linux-kernel, tiwai, broonie, xue.zhihong, cheng.shengyu,
	Wen Yang

The codec variable is still being used after the of_node_put() call,
which may result in use-after-free.

Fixes: d947cdfd4be2 ("ASoC: simple-card: cleanup DAI link loop method - step1")
Signed-off-by: Wen Yang <wen.yang99@zte.com.cn>
Cc: Liam Girdwood <lgirdwood@gmail.com>
Cc: Mark Brown <broonie@kernel.org>
Cc: Jaroslav Kysela <perex@perex.cz>
Cc: Takashi Iwai <tiwai@suse.com>
Cc: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
Cc: Jon Hunter <jonathanh@nvidia.com>
Cc: alsa-devel@alsa-project.org
Cc: linux-kernel@vger.kernel.org
---
 sound/soc/generic/simple-card.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/sound/soc/generic/simple-card.c b/sound/soc/generic/simple-card.c
index 4117e54..ef84915 100644
--- a/sound/soc/generic/simple-card.c
+++ b/sound/soc/generic/simple-card.c
@@ -364,8 +364,6 @@ static int simple_for_each_link(struct asoc_simple_priv *priv,
 			goto error;
 		}
 
-		of_node_put(codec);
-
 		/* get convert-xxx property */
 		memset(&adata, 0, sizeof(adata));
 		for_each_child_of_node(node, np)
@@ -387,11 +385,13 @@ static int simple_for_each_link(struct asoc_simple_priv *priv,
 				ret = func_noml(priv, np, codec, li, is_top);
 
 			if (ret < 0) {
+				of_node_put(codec);
 				of_node_put(np);
 				goto error;
 			}
 		}
 
+		of_node_put(codec);
 		node = of_get_next_child(top, node);
 	} while (!is_top && node);
 
-- 
2.9.5

^ permalink raw reply	[flat|nested] 10+ messages in thread

* [PATCH 3/4] ASoC: audio-graph-card: fix use-after-free in graph_dai_link_of_dpcm()
  2019-07-10  7:25 [PATCH 0/4] Fix some use-after-free problems in sound/soc/generic Wen Yang
  2019-07-10  7:25 ` [PATCH 1/4] ASoC: simple-card: fix an use-after-free in simple_dai_link_of_dpcm() Wen Yang
  2019-07-10  7:25 ` [PATCH 2/4] ASoC: simple-card: fix an use-after-free in simple_for_each_link() Wen Yang
@ 2019-07-10  7:25 ` Wen Yang
  2019-07-10 15:34   ` Applied "ASoC: audio-graph-card: fix use-after-free in graph_dai_link_of_dpcm()" to the asoc tree Mark Brown
  2019-07-10  7:25 ` [PATCH 4/4] ASoC: audio-graph-card: fix an use-after-free in graph_get_dai_id() Wen Yang
  2019-07-10  8:07 ` [PATCH 0/4] Fix some use-after-free problems in sound/soc/generic Kuninori Morimoto
  4 siblings, 1 reply; 10+ messages in thread
From: Wen Yang @ 2019-07-10  7:25 UTC (permalink / raw)
  To: lgirdwood
  Cc: broonie, perex, tiwai, kuninori.morimoto.gx, alsa-devel,
	linux-kernel, jonathanh, xue.zhihong, wang.yi59, cheng.shengyu,
	Wen Yang

After calling of_node_put() on the ports, port, and node variables,
they are still being used, which may result in use-after-free.
Fix this issue by calling of_node_put() after the last usage.

Fixes: dd98fbc558a0 ("ASoC: audio-graph-card: cleanup DAI link loop method - step1")
Signed-off-by: Wen Yang <wen.yang99@zte.com.cn>
Cc: Liam Girdwood <lgirdwood@gmail.com>
Cc: Mark Brown <broonie@kernel.org>
Cc: Jaroslav Kysela <perex@perex.cz>
Cc: Takashi Iwai <tiwai@suse.com>
Cc: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
Cc: alsa-devel@alsa-project.org
Cc: linux-kernel@vger.kernel.org
---
 sound/soc/generic/audio-graph-card.c | 26 +++++++++++++-------------
 1 file changed, 13 insertions(+), 13 deletions(-)

diff --git a/sound/soc/generic/audio-graph-card.c b/sound/soc/generic/audio-graph-card.c
index 30a4e83..31fc83d 100644
--- a/sound/soc/generic/audio-graph-card.c
+++ b/sound/soc/generic/audio-graph-card.c
@@ -208,10 +208,6 @@ static int graph_dai_link_of_dpcm(struct asoc_simple_priv *priv,
 
 	dev_dbg(dev, "link_of DPCM (%pOF)\n", ep);
 
-	of_node_put(ports);
-	of_node_put(port);
-	of_node_put(node);
-
 	if (li->cpu) {
 		int is_single_links = 0;
 
@@ -229,17 +225,17 @@ static int graph_dai_link_of_dpcm(struct asoc_simple_priv *priv,
 
 		ret = asoc_simple_parse_cpu(ep, dai_link, &is_single_links);
 		if (ret)
-			return ret;
+			goto out_put_node;
 
 		ret = asoc_simple_parse_clk_cpu(dev, ep, dai_link, dai);
 		if (ret < 0)
-			return ret;
+			goto out_put_node;
 
 		ret = asoc_simple_set_dailink_name(dev, dai_link,
 						   "fe.%s",
 						   cpus->dai_name);
 		if (ret < 0)
-			return ret;
+			goto out_put_node;
 
 		/* card->num_links includes Codec */
 		asoc_simple_canonicalize_cpu(dai_link, is_single_links);
@@ -263,17 +259,17 @@ static int graph_dai_link_of_dpcm(struct asoc_simple_priv *priv,
 
 		ret = asoc_simple_parse_codec(ep, dai_link);
 		if (ret < 0)
-			return ret;
+			goto out_put_node;
 
 		ret = asoc_simple_parse_clk_codec(dev, ep, dai_link, dai);
 		if (ret < 0)
-			return ret;
+			goto out_put_node;
 
 		ret = asoc_simple_set_dailink_name(dev, dai_link,
 						   "be.%s",
 						   codecs->dai_name);
 		if (ret < 0)
-			return ret;
+			goto out_put_node;
 
 		/* check "prefix" from top node */
 		snd_soc_of_parse_node_prefix(top, cconf, codecs->of_node,
@@ -293,19 +289,23 @@ static int graph_dai_link_of_dpcm(struct asoc_simple_priv *priv,
 
 	ret = asoc_simple_parse_tdm(ep, dai);
 	if (ret)
-		return ret;
+		goto out_put_node;
 
 	ret = asoc_simple_parse_daifmt(dev, cpu_ep, codec_ep,
 				       NULL, &dai_link->dai_fmt);
 	if (ret < 0)
-		return ret;
+		goto out_put_node;
 
 	dai_link->dpcm_playback		= 1;
 	dai_link->dpcm_capture		= 1;
 	dai_link->ops			= &graph_ops;
 	dai_link->init			= asoc_simple_dai_init;
 
-	return 0;
+out_put_node:
+	of_node_put(ports);
+	of_node_put(port);
+	of_node_put(node);
+	return ret;
 }
 
 static int graph_dai_link_of(struct asoc_simple_priv *priv,
-- 
2.9.5

^ permalink raw reply	[flat|nested] 10+ messages in thread

* [PATCH 4/4] ASoC: audio-graph-card: fix an use-after-free in graph_get_dai_id()
  2019-07-10  7:25 [PATCH 0/4] Fix some use-after-free problems in sound/soc/generic Wen Yang
                   ` (2 preceding siblings ...)
  2019-07-10  7:25 ` [PATCH 3/4] ASoC: audio-graph-card: fix use-after-free in graph_dai_link_of_dpcm() Wen Yang
@ 2019-07-10  7:25 ` Wen Yang
  2019-07-10 15:34   ` Applied "ASoC: audio-graph-card: fix an use-after-free in graph_get_dai_id()" to the asoc tree Mark Brown
  2019-07-10  8:07 ` [PATCH 0/4] Fix some use-after-free problems in sound/soc/generic Kuninori Morimoto
  4 siblings, 1 reply; 10+ messages in thread
From: Wen Yang @ 2019-07-10  7:25 UTC (permalink / raw)
  To: lgirdwood
  Cc: broonie, perex, tiwai, kuninori.morimoto.gx, alsa-devel,
	linux-kernel, jonathanh, xue.zhihong, wang.yi59, cheng.shengyu,
	Wen Yang

After calling of_node_put() on the node variable, it is still being
used, which may result in use-after-free.
Fix this issue by calling of_node_put() after the last usage.

Fixes: a0c426fe1433 ("ASoC: simple-card-utils: check "reg" property on asoc_simple_card_get_dai_id()")
Signed-off-by: Wen Yang <wen.yang99@zte.com.cn>
Cc: Liam Girdwood <lgirdwood@gmail.com>
Cc: Mark Brown <broonie@kernel.org>
Cc: Jaroslav Kysela <perex@perex.cz>
Cc: Takashi Iwai <tiwai@suse.com>
Cc: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
Cc: alsa-devel@alsa-project.org
Cc: linux-kernel@vger.kernel.org
---
 sound/soc/generic/audio-graph-card.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/sound/soc/generic/audio-graph-card.c b/sound/soc/generic/audio-graph-card.c
index 31fc83d..c8abb86 100644
--- a/sound/soc/generic/audio-graph-card.c
+++ b/sound/soc/generic/audio-graph-card.c
@@ -63,6 +63,7 @@ static int graph_get_dai_id(struct device_node *ep)
 	struct device_node *endpoint;
 	struct of_endpoint info;
 	int i, id;
+	u32 *reg;
 	int ret;
 
 	/* use driver specified DAI ID if exist */
@@ -83,8 +84,9 @@ static int graph_get_dai_id(struct device_node *ep)
 			return info.id;
 
 		node = of_get_parent(ep);
+		reg = of_get_property(node, "reg", NULL);
 		of_node_put(node);
-		if (of_get_property(node, "reg", NULL))
+		if (reg)
 			return info.port;
 	}
 	node = of_graph_get_port_parent(ep);
-- 
2.9.5

^ permalink raw reply	[flat|nested] 10+ messages in thread

* Re: [PATCH 0/4] Fix some use-after-free problems in sound/soc/generic
  2019-07-10  7:25 [PATCH 0/4] Fix some use-after-free problems in sound/soc/generic Wen Yang
                   ` (3 preceding siblings ...)
  2019-07-10  7:25 ` [PATCH 4/4] ASoC: audio-graph-card: fix an use-after-free in graph_get_dai_id() Wen Yang
@ 2019-07-10  8:07 ` Kuninori Morimoto
  4 siblings, 0 replies; 10+ messages in thread
From: Kuninori Morimoto @ 2019-07-10  8:07 UTC (permalink / raw)
  To: Wen Yang
  Cc: lgirdwood, broonie, perex, tiwai, alsa-devel, linux-kernel,
	jonathanh, xue.zhihong, wang.yi59, cheng.shengyu


Hi Wen

> We developed a coccinelle SmPL to detect sound/sooc/generic code and
> found some use-after-free problems.
> This patch series fixes those problems.
> 
> Wen Yang (4):
>   ASoC: simple-card: fix an use-after-free in simple_dai_link_of_dpcm()
>   ASoC: simple-card: fix an use-after-free in simple_for_each_link()
>   ASoC: audio-graph-card: fix use-after-free in graph_dai_link_of_dpcm()
>   ASoC: audio-graph-card: fix an use-after-free in graph_get_dai_id()

Actually,  I was curious about these issue.
Thank you for your patches.

Acked-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>

Thank you for your help !!
Best regards
---
Kuninori Morimoto

^ permalink raw reply	[flat|nested] 10+ messages in thread

* Applied "ASoC: audio-graph-card: fix an use-after-free in graph_get_dai_id()" to the asoc tree
  2019-07-10  7:25 ` [PATCH 4/4] ASoC: audio-graph-card: fix an use-after-free in graph_get_dai_id() Wen Yang
@ 2019-07-10 15:34   ` Mark Brown
  0 siblings, 0 replies; 10+ messages in thread
From: Mark Brown @ 2019-07-10 15:34 UTC (permalink / raw)
  To: Wen Yang
  Cc: alsa-devel, broonie, cheng.shengyu, jonathanh,
	kuninori.morimoto.gx@renesas.comKuninori Morimoto, lgirdwood,
	linux-kernel@vger.kernel.orgMark Brown, tiwai, wang.yi59,
	xue.zhihong

The patch

   ASoC: audio-graph-card: fix an use-after-free in graph_get_dai_id()

has been applied to the asoc tree at

   https://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound.git 

All being well this means that it will be integrated into the linux-next
tree (usually sometime in the next 24 hours) and sent to Linus during
the next merge window (or sooner if it is a bug fix), however if
problems are discovered then the patch may be dropped or reverted.  

You may get further e-mails resulting from automated or manual testing
and review of the tree, please engage with people reporting problems and
send followup patches addressing any issues that are reported if needed.

If any updates are required or you are submitting further changes they
should be sent as incremental updates against current git, existing
patches will not be replaced.

Please add any relevant lists and maintainers to the CCs when replying
to this mail.

Thanks,
Mark

>From c152f8491a8d9a4b25afd65a86eb5e55e2a8c380 Mon Sep 17 00:00:00 2001
From: Wen Yang <wen.yang99@zte.com.cn>
Date: Wed, 10 Jul 2019 15:25:09 +0800
Subject: [PATCH] ASoC: audio-graph-card: fix an use-after-free in
 graph_get_dai_id()

After calling of_node_put() on the node variable, it is still being
used, which may result in use-after-free.
Fix this issue by calling of_node_put() after the last usage.

Fixes: a0c426fe1433 ("ASoC: simple-card-utils: check "reg" property on asoc_simple_card_get_dai_id()")
Link: https://lore.kernel.org/r/1562743509-30496-5-git-send-email-wen.yang99@zte.com.cn
Signed-off-by: Wen Yang <wen.yang99@zte.com.cn>
Acked-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
---
 sound/soc/generic/audio-graph-card.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/sound/soc/generic/audio-graph-card.c b/sound/soc/generic/audio-graph-card.c
index bddfcfd7bedf..343ede8042c3 100644
--- a/sound/soc/generic/audio-graph-card.c
+++ b/sound/soc/generic/audio-graph-card.c
@@ -63,6 +63,7 @@ static int graph_get_dai_id(struct device_node *ep)
 	struct device_node *endpoint;
 	struct of_endpoint info;
 	int i, id;
+	u32 *reg;
 	int ret;
 
 	/* use driver specified DAI ID if exist */
@@ -83,8 +84,9 @@ static int graph_get_dai_id(struct device_node *ep)
 			return info.id;
 
 		node = of_get_parent(ep);
+		reg = of_get_property(node, "reg", NULL);
 		of_node_put(node);
-		if (of_get_property(node, "reg", NULL))
+		if (reg)
 			return info.port;
 	}
 	node = of_graph_get_port_parent(ep);
-- 
2.20.1

^ permalink raw reply	[flat|nested] 10+ messages in thread

* Applied "ASoC: audio-graph-card: fix use-after-free in graph_dai_link_of_dpcm()" to the asoc tree
  2019-07-10  7:25 ` [PATCH 3/4] ASoC: audio-graph-card: fix use-after-free in graph_dai_link_of_dpcm() Wen Yang
@ 2019-07-10 15:34   ` Mark Brown
  0 siblings, 0 replies; 10+ messages in thread
From: Mark Brown @ 2019-07-10 15:34 UTC (permalink / raw)
  To: Wen Yang
  Cc: alsa-devel, broonie, cheng.shengyu, jonathanh,
	kuninori.morimoto.gx@renesas.comKuninori Morimoto, lgirdwood,
	linux-kernel@vger.kernel.orgMark Brown, tiwai, wang.yi59,
	xue.zhihong

The patch

   ASoC: audio-graph-card: fix use-after-free in graph_dai_link_of_dpcm()

has been applied to the asoc tree at

   https://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound.git 

All being well this means that it will be integrated into the linux-next
tree (usually sometime in the next 24 hours) and sent to Linus during
the next merge window (or sooner if it is a bug fix), however if
problems are discovered then the patch may be dropped or reverted.  

You may get further e-mails resulting from automated or manual testing
and review of the tree, please engage with people reporting problems and
send followup patches addressing any issues that are reported if needed.

If any updates are required or you are submitting further changes they
should be sent as incremental updates against current git, existing
patches will not be replaced.

Please add any relevant lists and maintainers to the CCs when replying
to this mail.

Thanks,
Mark

>From aa2e362cb6b3f5ca88093ada01e1a0ace8a517b2 Mon Sep 17 00:00:00 2001
From: Wen Yang <wen.yang99@zte.com.cn>
Date: Wed, 10 Jul 2019 15:25:08 +0800
Subject: [PATCH] ASoC: audio-graph-card: fix use-after-free in
 graph_dai_link_of_dpcm()

After calling of_node_put() on the ports, port, and node variables,
they are still being used, which may result in use-after-free.
Fix this issue by calling of_node_put() after the last usage.

Fixes: dd98fbc558a0 ("ASoC: audio-graph-card: cleanup DAI link loop method - step1")
Link: https://lore.kernel.org/r/1562743509-30496-4-git-send-email-wen.yang99@zte.com.cn
Signed-off-by: Wen Yang <wen.yang99@zte.com.cn>
Acked-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
---
 sound/soc/generic/audio-graph-card.c | 26 +++++++++++++-------------
 1 file changed, 13 insertions(+), 13 deletions(-)

diff --git a/sound/soc/generic/audio-graph-card.c b/sound/soc/generic/audio-graph-card.c
index e438011f5e45..bddfcfd7bedf 100644
--- a/sound/soc/generic/audio-graph-card.c
+++ b/sound/soc/generic/audio-graph-card.c
@@ -208,10 +208,6 @@ static int graph_dai_link_of_dpcm(struct asoc_simple_priv *priv,
 
 	dev_dbg(dev, "link_of DPCM (%pOF)\n", ep);
 
-	of_node_put(ports);
-	of_node_put(port);
-	of_node_put(node);
-
 	if (li->cpu) {
 		int is_single_links = 0;
 
@@ -229,17 +225,17 @@ static int graph_dai_link_of_dpcm(struct asoc_simple_priv *priv,
 
 		ret = asoc_simple_parse_cpu(ep, dai_link, &is_single_links);
 		if (ret)
-			return ret;
+			goto out_put_node;
 
 		ret = asoc_simple_parse_clk_cpu(dev, ep, dai_link, dai);
 		if (ret < 0)
-			return ret;
+			goto out_put_node;
 
 		ret = asoc_simple_set_dailink_name(dev, dai_link,
 						   "fe.%s",
 						   cpus->dai_name);
 		if (ret < 0)
-			return ret;
+			goto out_put_node;
 
 		/* card->num_links includes Codec */
 		asoc_simple_canonicalize_cpu(dai_link, is_single_links);
@@ -263,17 +259,17 @@ static int graph_dai_link_of_dpcm(struct asoc_simple_priv *priv,
 
 		ret = asoc_simple_parse_codec(ep, dai_link);
 		if (ret < 0)
-			return ret;
+			goto out_put_node;
 
 		ret = asoc_simple_parse_clk_codec(dev, ep, dai_link, dai);
 		if (ret < 0)
-			return ret;
+			goto out_put_node;
 
 		ret = asoc_simple_set_dailink_name(dev, dai_link,
 						   "be.%s",
 						   codecs->dai_name);
 		if (ret < 0)
-			return ret;
+			goto out_put_node;
 
 		/* check "prefix" from top node */
 		snd_soc_of_parse_node_prefix(top, cconf, codecs->of_node,
@@ -293,19 +289,23 @@ static int graph_dai_link_of_dpcm(struct asoc_simple_priv *priv,
 
 	ret = asoc_simple_parse_tdm(ep, dai);
 	if (ret)
-		return ret;
+		goto out_put_node;
 
 	ret = asoc_simple_parse_daifmt(dev, cpu_ep, codec_ep,
 				       NULL, &dai_link->dai_fmt);
 	if (ret < 0)
-		return ret;
+		goto out_put_node;
 
 	dai_link->dpcm_playback		= 1;
 	dai_link->dpcm_capture		= 1;
 	dai_link->ops			= &graph_ops;
 	dai_link->init			= asoc_simple_dai_init;
 
-	return 0;
+out_put_node:
+	of_node_put(ports);
+	of_node_put(port);
+	of_node_put(node);
+	return ret;
 }
 
 static int graph_dai_link_of(struct asoc_simple_priv *priv,
-- 
2.20.1

^ permalink raw reply	[flat|nested] 10+ messages in thread

* Applied "ASoC: simple-card: fix an use-after-free in simple_for_each_link()" to the asoc tree
  2019-07-10  7:25 ` [PATCH 2/4] ASoC: simple-card: fix an use-after-free in simple_for_each_link() Wen Yang
@ 2019-07-10 15:34   ` Mark Brown
  0 siblings, 0 replies; 10+ messages in thread
From: Mark Brown @ 2019-07-10 15:34 UTC (permalink / raw)
  To: Wen Yang
  Cc: alsa-devel, broonie, cheng.shengyu, jonathanh,
	kuninori.morimoto.gx@renesas.comKuninori Morimoto, lgirdwood,
	linux-kernel@vger.kernel.orgMark Brown, tiwai, wang.yi59,
	xue.zhihong

The patch

   ASoC: simple-card: fix an use-after-free in simple_for_each_link()

has been applied to the asoc tree at

   https://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound.git 

All being well this means that it will be integrated into the linux-next
tree (usually sometime in the next 24 hours) and sent to Linus during
the next merge window (or sooner if it is a bug fix), however if
problems are discovered then the patch may be dropped or reverted.  

You may get further e-mails resulting from automated or manual testing
and review of the tree, please engage with people reporting problems and
send followup patches addressing any issues that are reported if needed.

If any updates are required or you are submitting further changes they
should be sent as incremental updates against current git, existing
patches will not be replaced.

Please add any relevant lists and maintainers to the CCs when replying
to this mail.

Thanks,
Mark

>From 27862d5a3325bc531ec15e3c607e44aa0fd57f6f Mon Sep 17 00:00:00 2001
From: Wen Yang <wen.yang99@zte.com.cn>
Date: Wed, 10 Jul 2019 15:25:07 +0800
Subject: [PATCH] ASoC: simple-card: fix an use-after-free in
 simple_for_each_link()

The codec variable is still being used after the of_node_put() call,
which may result in use-after-free.

Fixes: d947cdfd4be2 ("ASoC: simple-card: cleanup DAI link loop method - step1")
Link: https://lore.kernel.org/r/1562743509-30496-3-git-send-email-wen.yang99@zte.com.cn
Signed-off-by: Wen Yang <wen.yang99@zte.com.cn>
Acked-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
---
 sound/soc/generic/simple-card.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/sound/soc/generic/simple-card.c b/sound/soc/generic/simple-card.c
index 4117e54884e5..ef849151ba56 100644
--- a/sound/soc/generic/simple-card.c
+++ b/sound/soc/generic/simple-card.c
@@ -364,8 +364,6 @@ static int simple_for_each_link(struct asoc_simple_priv *priv,
 			goto error;
 		}
 
-		of_node_put(codec);
-
 		/* get convert-xxx property */
 		memset(&adata, 0, sizeof(adata));
 		for_each_child_of_node(node, np)
@@ -387,11 +385,13 @@ static int simple_for_each_link(struct asoc_simple_priv *priv,
 				ret = func_noml(priv, np, codec, li, is_top);
 
 			if (ret < 0) {
+				of_node_put(codec);
 				of_node_put(np);
 				goto error;
 			}
 		}
 
+		of_node_put(codec);
 		node = of_get_next_child(top, node);
 	} while (!is_top && node);
 
-- 
2.20.1

^ permalink raw reply	[flat|nested] 10+ messages in thread

* Applied "ASoC: simple-card: fix an use-after-free in simple_dai_link_of_dpcm()" to the asoc tree
  2019-07-10  7:25 ` [PATCH 1/4] ASoC: simple-card: fix an use-after-free in simple_dai_link_of_dpcm() Wen Yang
@ 2019-07-10 15:34   ` Mark Brown
  0 siblings, 0 replies; 10+ messages in thread
From: Mark Brown @ 2019-07-10 15:34 UTC (permalink / raw)
  To: Wen Yang
  Cc: alsa-devel, broonie, cheng.shengyu, jonathanh,
	kuninori.morimoto.gx@renesas.comKuninori Morimoto, lgirdwood,
	linux-kernel@vger.kernel.orgMark Brown, tiwai, wang.yi59,
	xue.zhihong

The patch

   ASoC: simple-card: fix an use-after-free in simple_dai_link_of_dpcm()

has been applied to the asoc tree at

   https://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound.git 

All being well this means that it will be integrated into the linux-next
tree (usually sometime in the next 24 hours) and sent to Linus during
the next merge window (or sooner if it is a bug fix), however if
problems are discovered then the patch may be dropped or reverted.  

You may get further e-mails resulting from automated or manual testing
and review of the tree, please engage with people reporting problems and
send followup patches addressing any issues that are reported if needed.

If any updates are required or you are submitting further changes they
should be sent as incremental updates against current git, existing
patches will not be replaced.

Please add any relevant lists and maintainers to the CCs when replying
to this mail.

Thanks,
Mark

>From 724808ad556c15e9473418d082f8aae81dd267f6 Mon Sep 17 00:00:00 2001
From: Wen Yang <wen.yang99@zte.com.cn>
Date: Wed, 10 Jul 2019 15:25:06 +0800
Subject: [PATCH] ASoC: simple-card: fix an use-after-free in
 simple_dai_link_of_dpcm()

The node variable is still being used after the of_node_put() call,
which may result in use-after-free.

Fixes: cfc652a73331 ("ASoC: simple-card: tidyup prefix for snd_soc_codec_conf")
Link: https://lore.kernel.org/r/1562743509-30496-2-git-send-email-wen.yang99@zte.com.cn
Signed-off-by: Wen Yang <wen.yang99@zte.com.cn>
Acked-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
---
 sound/soc/generic/simple-card.c | 22 +++++++++++-----------
 1 file changed, 11 insertions(+), 11 deletions(-)

diff --git a/sound/soc/generic/simple-card.c b/sound/soc/generic/simple-card.c
index e5cde0d5e63c..4117e54884e5 100644
--- a/sound/soc/generic/simple-card.c
+++ b/sound/soc/generic/simple-card.c
@@ -124,8 +124,6 @@ static int simple_dai_link_of_dpcm(struct asoc_simple_priv *priv,
 
 	li->link++;
 
-	of_node_put(node);
-
 	/* For single DAI link & old style of DT node */
 	if (is_top)
 		prefix = PREFIX;
@@ -147,17 +145,17 @@ static int simple_dai_link_of_dpcm(struct asoc_simple_priv *priv,
 
 		ret = asoc_simple_parse_cpu(np, dai_link, &is_single_links);
 		if (ret)
-			return ret;
+			goto out_put_node;
 
 		ret = asoc_simple_parse_clk_cpu(dev, np, dai_link, dai);
 		if (ret < 0)
-			return ret;
+			goto out_put_node;
 
 		ret = asoc_simple_set_dailink_name(dev, dai_link,
 						   "fe.%s",
 						   cpus->dai_name);
 		if (ret < 0)
-			return ret;
+			goto out_put_node;
 
 		asoc_simple_canonicalize_cpu(dai_link, is_single_links);
 	} else {
@@ -180,17 +178,17 @@ static int simple_dai_link_of_dpcm(struct asoc_simple_priv *priv,
 
 		ret = asoc_simple_parse_codec(np, dai_link);
 		if (ret < 0)
-			return ret;
+			goto out_put_node;
 
 		ret = asoc_simple_parse_clk_codec(dev, np, dai_link, dai);
 		if (ret < 0)
-			return ret;
+			goto out_put_node;
 
 		ret = asoc_simple_set_dailink_name(dev, dai_link,
 						   "be.%s",
 						   codecs->dai_name);
 		if (ret < 0)
-			return ret;
+			goto out_put_node;
 
 		/* check "prefix" from top node */
 		snd_soc_of_parse_node_prefix(top, cconf, codecs->of_node,
@@ -208,19 +206,21 @@ static int simple_dai_link_of_dpcm(struct asoc_simple_priv *priv,
 
 	ret = asoc_simple_parse_tdm(np, dai);
 	if (ret)
-		return ret;
+		goto out_put_node;
 
 	ret = asoc_simple_parse_daifmt(dev, node, codec,
 				       prefix, &dai_link->dai_fmt);
 	if (ret < 0)
-		return ret;
+		goto out_put_node;
 
 	dai_link->dpcm_playback		= 1;
 	dai_link->dpcm_capture		= 1;
 	dai_link->ops			= &simple_ops;
 	dai_link->init			= asoc_simple_dai_init;
 
-	return 0;
+out_put_node:
+	of_node_put(node);
+	return ret;
 }
 
 static int simple_dai_link_of(struct asoc_simple_priv *priv,
-- 
2.20.1

^ permalink raw reply	[flat|nested] 10+ messages in thread

end of thread, back to index

Thread overview: 10+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-07-10  7:25 [PATCH 0/4] Fix some use-after-free problems in sound/soc/generic Wen Yang
2019-07-10  7:25 ` [PATCH 1/4] ASoC: simple-card: fix an use-after-free in simple_dai_link_of_dpcm() Wen Yang
2019-07-10 15:34   ` Applied "ASoC: simple-card: fix an use-after-free in simple_dai_link_of_dpcm()" to the asoc tree Mark Brown
2019-07-10  7:25 ` [PATCH 2/4] ASoC: simple-card: fix an use-after-free in simple_for_each_link() Wen Yang
2019-07-10 15:34   ` Applied "ASoC: simple-card: fix an use-after-free in simple_for_each_link()" to the asoc tree Mark Brown
2019-07-10  7:25 ` [PATCH 3/4] ASoC: audio-graph-card: fix use-after-free in graph_dai_link_of_dpcm() Wen Yang
2019-07-10 15:34   ` Applied "ASoC: audio-graph-card: fix use-after-free in graph_dai_link_of_dpcm()" to the asoc tree Mark Brown
2019-07-10  7:25 ` [PATCH 4/4] ASoC: audio-graph-card: fix an use-after-free in graph_get_dai_id() Wen Yang
2019-07-10 15:34   ` Applied "ASoC: audio-graph-card: fix an use-after-free in graph_get_dai_id()" to the asoc tree Mark Brown
2019-07-10  8:07 ` [PATCH 0/4] Fix some use-after-free problems in sound/soc/generic Kuninori Morimoto

Alsa-Devel Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/alsa-devel/0 alsa-devel/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 alsa-devel alsa-devel/ https://lore.kernel.org/alsa-devel \
		alsa-devel@alsa-project.org
	public-inbox-index alsa-devel

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.alsa-project.alsa-devel


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git