Alsa-Devel Archive on lore.kernel.org
* [PATCH 0/2] ASoC: samsung: odroid: fix err handling of odroid_audio_probe
@ 2019-07-13  3:46 Wen Yang
  2019-07-13  3:46 ` [PATCH 1/2] ASoC: samsung: odroid: fix an use-after-free issue for codec Wen Yang
                   ` (2 more replies)
  0 siblings, 3 replies; 13+ messages in thread
From: Wen Yang @ 2019-07-13  3:46 UTC (permalink / raw)
  To: krzk
  Cc: sbkim73, s.nawrocki, lgirdwood, broonie, perex, tiwai,
	alsa-devel, linux-kernel, xue.zhihong, wang.yi59, cheng.shengyu,
	Wen Yang

We developed a coccinelle SmPL to detect sound/soc/samsung/odroid.c and
found some use-after-free problems.
This patch series fixes those problems.

Wen Yang (2):
  ASoC: samsung: odroid: fix an use-after-free issue for codec
  ASoC: samsung: odroid: fix a double-free issue for cpu_dai

 sound/soc/samsung/odroid.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

Cc: Krzysztof Kozlowski <krzk@kernel.org>
Cc: Sangbeom Kim <sbkim73@samsung.com>
Cc: Sylwester Nawrocki <s.nawrocki@samsung.com>
Cc: Liam Girdwood <lgirdwood@gmail.com>
Cc: Mark Brown <broonie@kernel.org>
Cc: Jaroslav Kysela <perex@perex.cz>
Cc: Takashi Iwai <tiwai@suse.com>
Cc: alsa-devel@alsa-project.org
Cc: linux-kernel@vger.kernel.org

-- 
2.9.5


* [PATCH 1/2] ASoC: samsung: odroid: fix an use-after-free issue for codec
  2019-07-13  3:46 [PATCH 0/2] ASoC: samsung: odroid: fix err handling of odroid_audio_probe Wen Yang
@ 2019-07-13  3:46 ` Wen Yang
  2019-07-14  8:47   ` Markus Elfring
                     ` (3 more replies)
  2019-07-13  3:46 ` [PATCH 2/2] ASoC: samsung: odroid: fix a double-free issue for cpu_dai Wen Yang
  2019-07-14 10:07 ` [PATCH 0/2] ASoC: samsung: odroid: fix err handling of odroid_audio_probe Markus Elfring
  2 siblings, 4 replies; 13+ messages in thread
From: Wen Yang @ 2019-07-13  3:46 UTC (permalink / raw)
  To: krzk
  Cc: sbkim73, s.nawrocki, lgirdwood, broonie, perex, tiwai,
	alsa-devel, linux-kernel, xue.zhihong, wang.yi59, cheng.shengyu,
	Wen Yang

The codec variable is still being used after the of_node_put() call,
which may result in use-after-free.

Fixes: bc3cf17b575a ("ASoC: samsung: odroid: Add support for secondary CPU DAI")
Signed-off-by: Wen Yang <wen.yang99@zte.com.cn>
Cc: Krzysztof Kozlowski <krzk@kernel.org>
Cc: Sangbeom Kim <sbkim73@samsung.com>
Cc: Sylwester Nawrocki <s.nawrocki@samsung.com>
Cc: Liam Girdwood <lgirdwood@gmail.com>
Cc: Mark Brown <broonie@kernel.org>
Cc: Jaroslav Kysela <perex@perex.cz>
Cc: Takashi Iwai <tiwai@suse.com>
Cc: alsa-devel@alsa-project.org
Cc: linux-kernel@vger.kernel.org
---
 sound/soc/samsung/odroid.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/sound/soc/samsung/odroid.c b/sound/soc/samsung/odroid.c
index dfb6e46..64ebe89 100644
--- a/sound/soc/samsung/odroid.c
+++ b/sound/soc/samsung/odroid.c
@@ -284,9 +284,8 @@ static int odroid_audio_probe(struct platform_device *pdev)
 	}
 
 	of_node_put(cpu);
-	of_node_put(codec);
 	if (ret < 0)
-		return ret;
+		goto err_put_node;
 
 	ret = snd_soc_of_get_dai_link_codecs(dev, codec, codec_link);
 	if (ret < 0)
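Review bot: The branch taken when snd_soc_of_get_dai_link_codecs() fails is cut off at the end of this hunk, and with of_node_put(codec) no longer done up front that branch now has to release codec as well. Please confirm its goto target is err_put_node or a label that falls through to it (err_put_cpu_dai does, per the last hunk); a plain return there would leak the codec reference.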
@@ -317,6 +316,7 @@ static int odroid_audio_probe(struct platform_device *pdev)
 		goto err_put_clk_i2s;
 	}
 
+	of_node_put(codec);
 	return 0;
 
 err_put_clk_i2s:
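Review bot: The of_node_put(codec) added before "return 0" keeps the reference held up to and including devm_snd_soc_register_card(), but the only consumer of codec visible in this patch is the snd_soc_of_get_dai_link_codecs() call in the first hunk. If nothing after that call dereferences codec, the put could follow the call directly and the success path would not need its own release; if a later user does exist, a one-line comment here naming it would keep the put from being moved up again.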
@@ -326,6 +326,8 @@ static int odroid_audio_probe(struct platform_device *pdev)
 err_put_cpu_dai:
 	of_node_put(cpu_dai);
 	snd_soc_of_put_dai_link_codecs(codec_link);
+err_put_node:
+	of_node_put(codec);
 	return ret;
 }
 
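Review bot: The label name err_put_node does not say which node it releases, while this function handles several device_node pointers (cpu, codec, cpu_dai) and the neighbouring labels name their resource (err_put_clk_i2s, err_put_cpu_dai). err_put_codec would follow that convention and make the fall-through order cpu_dai, codec_link, codec readable at a glance.
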
-- 
2.9.5


* [PATCH 2/2] ASoC: samsung: odroid: fix a double-free issue for cpu_dai
  2019-07-13  3:46 [PATCH 0/2] ASoC: samsung: odroid: fix err handling of odroid_audio_probe Wen Yang
  2019-07-13  3:46 ` [PATCH 1/2] ASoC: samsung: odroid: fix an use-after-free issue for codec Wen Yang
@ 2019-07-13  3:46 ` Wen Yang
  2019-07-14 12:47   ` [2/2] " Markus Elfring
                     ` (2 more replies)
  2019-07-14 10:07 ` [PATCH 0/2] ASoC: samsung: odroid: fix err handling of odroid_audio_probe Markus Elfring
  2 siblings, 3 replies; 13+ messages in thread
From: Wen Yang @ 2019-07-13  3:46 UTC (permalink / raw)
  To: krzk
  Cc: sbkim73, s.nawrocki, lgirdwood, broonie, perex, tiwai,
	alsa-devel, linux-kernel, xue.zhihong, wang.yi59, cheng.shengyu,
	Wen Yang

The cpu_dai variable is still being used after the of_node_put() call,
which may result in double-free:

        of_node_put(cpu_dai);            ---> released here

        ret = devm_snd_soc_register_card(dev, card);
        if (ret < 0) {
...
                goto err_put_clk_i2s;    --> jump to err_put_clk_i2s
...

err_put_clk_i2s:
        clk_put(priv->clk_i2s_bus);
err_put_sclk:
        clk_put(priv->sclk_i2s);
err_put_cpu_dai:
        of_node_put(cpu_dai);            --> double-free here

Fixes: d832d2b246c5 ("ASoC: samsung: odroid: Fix of_node refcount unbalance")
Signed-off-by: Wen Yang <wen.yang99@zte.com.cn>
Cc: Krzysztof Kozlowski <krzk@kernel.org>
Cc: Sangbeom Kim <sbkim73@samsung.com>
Cc: Sylwester Nawrocki <s.nawrocki@samsung.com>
Cc: Liam Girdwood <lgirdwood@gmail.com>
Cc: Mark Brown <broonie@kernel.org>
Cc: Jaroslav Kysela <perex@perex.cz>
Cc: Takashi Iwai <tiwai@suse.com>
Cc: alsa-devel@alsa-project.org
Cc: linux-kernel@vger.kernel.org
---
 sound/soc/samsung/odroid.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sound/soc/samsung/odroid.c b/sound/soc/samsung/odroid.c
index 64ebe89..f0f5fa9 100644
--- a/sound/soc/samsung/odroid.c
+++ b/sound/soc/samsung/odroid.c
@@ -308,7 +308,6 @@ static int odroid_audio_probe(struct platform_device *pdev)
 		ret = PTR_ERR(priv->clk_i2s_bus);
 		goto err_put_sclk;
 	}
-	of_node_put(cpu_dai);
 
 	ret = devm_snd_soc_register_card(dev, card);
 	if (ret < 0) {
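Review bot: The changelog calls this a double-free, but what the removed line and the err_put_cpu_dai label show is a second of_node_put() on the same reference when devm_snd_soc_register_card() fails, that is, a refcount imbalance of the kind the Fixes: commit title names. Wording it as "of_node_put(cpu_dai) is called twice on the register failure path" would describe the defect more exactly and make clear that only this path was affected, since the "goto err_put_sclk" in the context above is taken before the removed put.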
@@ -316,6 +315,7 @@ static int odroid_audio_probe(struct platform_device *pdev)
 		goto err_put_clk_i2s;
 	}
 
+	of_node_put(cpu_dai);
 	of_node_put(codec);
 	return 0;
 
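Review bot: This hunk applies only on top of patch 1/2: its context line of_node_put(codec) before "return 0" is the line that 1/2 adds, yet the two patches carry different Fixes: tags. Anyone backporting just this fix to a tree that has d832d2b246c5 will hit a context conflict, so the dependency on 1/2 is worth stating in the changelog.
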
-- 
2.9.5


* Re: [PATCH 1/2] ASoC: samsung: odroid: fix an use-after-free issue for codec
  2019-07-13  3:46 ` [PATCH 1/2] ASoC: samsung: odroid: fix an use-after-free issue for codec Wen Yang
@ 2019-07-14  8:47   ` Markus Elfring
  2019-07-14 10:55   ` [1/2] " Markus Elfring
                     ` (2 subsequent siblings)
  3 siblings, 0 replies; 13+ messages in thread
From: Markus Elfring @ 2019-07-14  8:47 UTC (permalink / raw)
  To: Wen Yang, Krzysztof Kozlowski, alsa-devel
  Cc: Cheng Shengyu, Jaroslav Kysela, Liam Girdwood, Mark Brown,
	Sangbeom Kim, Sylwester Nawrocki, Takashi Iwai, Xue Zhihong,
	Yi Wang, LKML, kernel-janitors

> @@ -317,6 +316,7 @@ static int odroid_audio_probe(struct platform_device *pdev)

>  		goto err_put_clk_i2s;

>  	}

>

> +	of_node_put(codec);


I would prefer to avoid a bit of duplicate source code also at this place.
Thus I would find a statement like “goto put_node;” more appropriate here.


>  	return 0;

>

>  err_put_clk_i2s:



Regards,
Markus


* Re: [PATCH 0/2] ASoC: samsung: odroid: fix err handling of odroid_audio_probe
  2019-07-13  3:46 [PATCH 0/2] ASoC: samsung: odroid: fix err handling of odroid_audio_probe Wen Yang
  2019-07-13  3:46 ` [PATCH 1/2] ASoC: samsung: odroid: fix an use-after-free issue for codec Wen Yang
  2019-07-13  3:46 ` [PATCH 2/2] ASoC: samsung: odroid: fix a double-free issue for cpu_dai Wen Yang
@ 2019-07-14 10:07 ` Markus Elfring
  2 siblings, 0 replies; 13+ messages in thread
From: Markus Elfring @ 2019-07-14 10:07 UTC (permalink / raw)
  To: Wen Yang, alsa-devel
  Cc: Cheng Shengyu, Jaroslav Kysela, Krzysztof Kozlowski,
	Liam Girdwood, Mark Brown, Sangbeom Kim, Sylwester Nawrocki,
	Takashi Iwai, Xue Zhihong, Yi Wang, LKML, kernel-janitors

Would a subject like “ASoC: samsung: odroid: Fix handling of device node references
in odroid_audio_probe” be more appropriate (instead of using the abbreviation “err”)?


> We developed a coccinelle SmPL to detect …

* I would find a slightly different wording better.

* What do you think about converting this information into software attributions
  for the update steps?

Regards,
Markus


* Re: [1/2] ASoC: samsung: odroid: fix an use-after-free issue for codec
  2019-07-13  3:46 ` [PATCH 1/2] ASoC: samsung: odroid: fix an use-after-free issue for codec Wen Yang
  2019-07-14  8:47   ` Markus Elfring
@ 2019-07-14 10:55   ` Markus Elfring
  2019-07-16  9:06   ` [PATCH 1/2] " Krzysztof Kozlowski
  2019-07-16 18:18   ` Applied "ASoC: samsung: odroid: fix an use-after-free issue for codec" to the asoc tree Mark Brown
  3 siblings, 0 replies; 13+ messages in thread
From: Markus Elfring @ 2019-07-14 10:55 UTC (permalink / raw)
  To: Wen Yang, alsa-devel
  Cc: kernel-janitors, LKML, Cheng Shengyu, Jaroslav Kysela,
	Krzysztof Kozlowski, Liam Girdwood, Mark Brown, Sangbeom Kim,
	Sylwester Nawrocki, Takashi Iwai, Xue Zhihong, Yi Wang

> Fixes: bc3cf17b575a ("ASoC: samsung: odroid: Add support for secondary CPU DAI")

* Can it be that this commit identification is more relevant for the second update step?

* Was the handling of device node references questionable already before this change?

Regards,
Markus


* Re: [2/2] ASoC: samsung: odroid: fix a double-free issue for cpu_dai
  2019-07-13  3:46 ` [PATCH 2/2] ASoC: samsung: odroid: fix a double-free issue for cpu_dai Wen Yang
@ 2019-07-14 12:47   ` Markus Elfring
  2019-07-15  1:49     ` wen.yang99
  2019-07-16  9:06   ` [PATCH 2/2] " Krzysztof Kozlowski
  2019-07-16 18:18   ` Applied "ASoC: samsung: odroid: fix a double-free issue for cpu_dai" to the asoc tree Mark Brown
  2 siblings, 1 reply; 13+ messages in thread
From: Markus Elfring @ 2019-07-14 12:47 UTC (permalink / raw)
  To: Wen Yang, alsa-devel
  Cc: kernel-janitors, LKML, Cheng Shengyu, Jaroslav Kysela,
	Krzysztof Kozlowski, Liam Girdwood, Mark Brown, Sangbeom Kim,
	Sylwester Nawrocki, Takashi Iwai, Xue Zhihong, Yi Wang

> The cpu_dai variable is still being used after the of_node_put() call,

Such an implementation detail is questionable.
https://wiki.sei.cmu.edu/confluence/display/c/MEM30-C.+Do+not+access+freed+memory


> which may result in double-free:

This consequence is also undesirable.
https://cwe.mitre.org/data/definitions/415.html


Now I wonder if two update steps are really appropriate as a fix
instead of using a single update step for the desired correction
in this software module.
Should a commit (including previous ones) usually be correct by itself?

Regards,
Markus


* Re: [2/2] ASoC: samsung: odroid: fix a double-free issue for cpu_dai
  2019-07-14 12:47   ` [2/2] " Markus Elfring
@ 2019-07-15  1:49     ` wen.yang99
  2019-07-15  6:40       ` [alsa-devel] " Markus Elfring
  0 siblings, 1 reply; 13+ messages in thread
From: wen.yang99 @ 2019-07-15  1:49 UTC (permalink / raw)
  To: Markus.Elfring
  Cc: wang.yi59, alsa-devel, xue.zhihong, lgirdwood, sbkim73, tiwai,
	kernel-janitors, linux-kernel, krzk, broonie, s.nawrocki,
	cheng.shengyu

> > The cpu_dai variable is still being used after the of_node_put() call,
> 
> Such an implementation detail is questionable.
> https://wiki.sei.cmu.edu/confluence/display/c/MEM30-C.+Do+not+access+freed+memory
> 
> 
> > which may result in double-free:
> 
> This consequence is also undesirable.
> https://cwe.mitre.org/data/definitions/415.html
> 
> 
> Now I wonder if two update steps are really appropriate as a fix
> instead of using a single update step for the desired correction
> in this software module.
> Should a commit (including previous ones) usually be correct by itself?

Thanks.
These two updates fix two different bugs.

One of them is the use-after-free issue introduced by bc3cf17b575a:
https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=bc3cf17b575a7a97b4af7ddcf86133175da7a582

-       ret = snd_soc_of_get_dai_link_codecs(dev, codec, link);
+       cpu_dai = of_parse_phandle(cpu, "sound-dai", 0);
+       of_node_put(cpu);
+       of_node_put(codec);
+
+       ret = snd_soc_of_get_dai_link_codecs(dev, codec, codec_link);
        if (ret < 0)
                goto err_put_codec_n;

and the other is the double-free issue introduced by d832d2b246c5:
https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/tree/sound/soc/samsung/odroid.c?id=d832d2b246c516eacb2d0ba53ec17ed59c3cd62b#n318
and n303, n308.

So we sent two patches to fix them separately.

--
Regards,
Wen
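
Added example (not part of the thread and not kernel code): a user-space C model of the two ordering bugs described in the message above, with the probe's reference handling before and after the series. struct node, node_get(), node_put(), node_use(), run() and the fail_register flag are constructed for illustration; refs counts only the references the probe itself holds.

```c
/* User-space model of the reference handling in odroid_audio_probe().
 * All names below are constructed; they only mimic of_node_get()/of_node_put(). */
#include <stdio.h>

struct node {
	int refs;       /* references this probe still holds */
	int underflow;  /* puts issued with no reference left */
	int stale_use;  /* uses issued with no reference left */
};

static void node_get(struct node *n) { n->refs++; }
static void node_put(struct node *n) { if (n->refs) n->refs--; else n->underflow++; }
static void node_use(struct node *n) { if (!n->refs) n->stale_use++; }

/* Ordering before the series: both puts are issued too early. */
static int probe_before(struct node *codec, struct node *cpu_dai, int fail_register)
{
	int ret;
	node_get(codec);                /* of_get_child_by_name() */
	node_get(cpu_dai);              /* of_parse_phandle() */
	node_put(codec);                /* early put removed by patch 1/2 ... */
	node_use(codec);                /* ... ahead of snd_soc_of_get_dai_link_codecs() */
	node_put(cpu_dai);              /* early put removed by patch 2/2 */
	ret = fail_register ? -1 : 0;   /* devm_snd_soc_register_card() */
	if (ret < 0)
		goto err_put_cpu_dai;   /* reached through err_put_clk_i2s */
	return 0;

err_put_cpu_dai:
	node_put(cpu_dai);              /* second put on the same reference */
	return ret;
}

/* Ordering after patches 1/2 and 2/2: puts follow the last user. */
static int probe_after(struct node *codec, struct node *cpu_dai, int fail_register)
{
	int ret;
	node_get(codec);
	node_get(cpu_dai);
	node_use(codec);                /* reference still held here */
	ret = fail_register ? -1 : 0;
	if (ret < 0)
		goto err_put_cpu_dai;
	node_put(cpu_dai);
	node_put(codec);
	return 0;

err_put_cpu_dai:
	node_put(cpu_dai);
	node_put(codec);                /* the err_put_node step */
	return ret;
}

struct audit { int leaked, underflow, stale_use; };
typedef int (*probe_fn)(struct node *, struct node *, int);

/* Run one probe variant on fresh nodes and total up what went wrong. */
static struct audit run(probe_fn probe, int fail_register)
{
	struct node codec = {0, 0, 0}, cpu_dai = {0, 0, 0};
	struct audit a;

	probe(&codec, &cpu_dai, fail_register);
	a.leaked = codec.refs + cpu_dai.refs;
	a.underflow = codec.underflow + cpu_dai.underflow;
	a.stale_use = codec.stale_use + cpu_dai.stale_use;
	return a;
}

int main(void)
{
	struct audit b = run(probe_before, 1), a = run(probe_after, 1);

	printf("register fails, before: underflow=%d stale_use=%d\n", b.underflow, b.stale_use);
	printf("register fails, after:  underflow=%d stale_use=%d\n", a.underflow, a.stale_use);
	return 0;
}
```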


* Re: [alsa-devel] [2/2] ASoC: samsung: odroid: fix a double-free issue for cpu_dai
  2019-07-15  1:49     ` wen.yang99
@ 2019-07-15  6:40       ` Markus Elfring
  0 siblings, 0 replies; 13+ messages in thread
From: Markus Elfring @ 2019-07-15  6:40 UTC (permalink / raw)
  To: Wen Yang, alsa-devel, kernel-janitors
  Cc: Yi Wang, Xue Zhihong, Sangbeom Kim, linux-kernel, Takashi Iwai,
	Liam Girdwood, Krzysztof Kozlowski, Mark Brown,
	Sylwester Nawrocki, Cheng Shengyu

> These two updates fix two different bugs.

I can follow this view to some degree.


> and the other is the double-free issue

This programming error also affects the use of data structures which became invalid.
https://cwe.mitre.org/data/definitions/415.html#oc_415_Notes


> So we sent two patches to fix them separately.

You would like to fix something according to two variables (of the data type “device_node *”)
in the same function implementation.
Please combine these corrections in an update step under a topic like
“ASoC: samsung: odroid: Fix handling of device node references in odroid_audio_probe()”.
(The previous update step would still contain a known programming mistake otherwise,
wouldn't it?)

Regards,
Markus

* Re: [PATCH 1/2] ASoC: samsung: odroid: fix an use-after-free issue for codec
  2019-07-13  3:46 ` [PATCH 1/2] ASoC: samsung: odroid: fix an use-after-free issue for codec Wen Yang
  2019-07-14  8:47   ` Markus Elfring
  2019-07-14 10:55   ` [1/2] " Markus Elfring
@ 2019-07-16  9:06   ` Krzysztof Kozlowski
  2019-07-16 18:18   ` Applied "ASoC: samsung: odroid: fix an use-after-free issue for codec" to the asoc tree Mark Brown
  3 siblings, 0 replies; 13+ messages in thread
From: Krzysztof Kozlowski @ 2019-07-16  9:06 UTC (permalink / raw)
  To: Wen Yang
  Cc: sbkim73, s.nawrocki, lgirdwood, broonie, perex, tiwai,
	alsa-devel, linux-kernel, xue.zhihong, wang.yi59, cheng.shengyu

On Sat, 13 Jul 2019 at 05:48, Wen Yang <wen.yang99@zte.com.cn> wrote:
>
> The codec variable is still being used after the of_node_put() call,
> which may result in use-after-free.
>
> Fixes: bc3cf17b575a ("ASoC: samsung: odroid: Add support for secondary CPU DAI")
> Signed-off-by: Wen Yang <wen.yang99@zte.com.cn>
> Cc: Krzysztof Kozlowski <krzk@kernel.org>
> Cc: Sangbeom Kim <sbkim73@samsung.com>
> Cc: Sylwester Nawrocki <s.nawrocki@samsung.com>
> Cc: Liam Girdwood <lgirdwood@gmail.com>
> Cc: Mark Brown <broonie@kernel.org>
> Cc: Jaroslav Kysela <perex@perex.cz>
> Cc: Takashi Iwai <tiwai@suse.com>
> Cc: alsa-devel@alsa-project.org
> Cc: linux-kernel@vger.kernel.org
> ---
>  sound/soc/samsung/odroid.c | 6 ++++--
>  1 file changed, 4 insertions(+), 2 deletions(-)

Reviewed-by: Krzysztof Kozlowski <krzk@kernel.org>

Best regards,
Krzysztof


* Re: [PATCH 2/2] ASoC: samsung: odroid: fix a double-free issue for cpu_dai
  2019-07-13  3:46 ` [PATCH 2/2] ASoC: samsung: odroid: fix a double-free issue for cpu_dai Wen Yang
  2019-07-14 12:47   ` [2/2] " Markus Elfring
@ 2019-07-16  9:06   ` Krzysztof Kozlowski
  2019-07-16 18:18   ` Applied "ASoC: samsung: odroid: fix a double-free issue for cpu_dai" to the asoc tree Mark Brown
  2 siblings, 0 replies; 13+ messages in thread
From: Krzysztof Kozlowski @ 2019-07-16  9:06 UTC (permalink / raw)
  To: Wen Yang
  Cc: sbkim73, s.nawrocki, lgirdwood, broonie, perex, tiwai,
	alsa-devel, linux-kernel, xue.zhihong, wang.yi59, cheng.shengyu

On Sat, 13 Jul 2019 at 05:48, Wen Yang <wen.yang99@zte.com.cn> wrote:
>
> The cpu_dai variable is still being used after the of_node_put() call,
> which may result in double-free:
>
>         of_node_put(cpu_dai);            ---> released here
>
>         ret = devm_snd_soc_register_card(dev, card);
>         if (ret < 0) {
> ...
>                 goto err_put_clk_i2s;    --> jump to err_put_clk_i2s
> ...
>
> err_put_clk_i2s:
>         clk_put(priv->clk_i2s_bus);
> err_put_sclk:
>         clk_put(priv->sclk_i2s);
> err_put_cpu_dai:
>         of_node_put(cpu_dai);            --> double-free here
>
> Fixes: d832d2b246c5 ("ASoC: samsung: odroid: Fix of_node refcount unbalance")
> Signed-off-by: Wen Yang <wen.yang99@zte.com.cn>
> Cc: Krzysztof Kozlowski <krzk@kernel.org>
> Cc: Sangbeom Kim <sbkim73@samsung.com>
> Cc: Sylwester Nawrocki <s.nawrocki@samsung.com>
> Cc: Liam Girdwood <lgirdwood@gmail.com>
> Cc: Mark Brown <broonie@kernel.org>
> Cc: Jaroslav Kysela <perex@perex.cz>
> Cc: Takashi Iwai <tiwai@suse.com>
> Cc: alsa-devel@alsa-project.org
> Cc: linux-kernel@vger.kernel.org
> ---
>  sound/soc/samsung/odroid.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>

Reviewed-by: Krzysztof Kozlowski <krzk@kernel.org>

Best regards,
Krzysztof


* Applied "ASoC: samsung: odroid: fix a double-free issue for cpu_dai" to the asoc tree
  2019-07-13  3:46 ` [PATCH 2/2] ASoC: samsung: odroid: fix a double-free issue for cpu_dai Wen Yang
  2019-07-14 12:47   ` [2/2] " Markus Elfring
  2019-07-16  9:06   ` [PATCH 2/2] " Krzysztof Kozlowski
@ 2019-07-16 18:18   ` Mark Brown
  2 siblings, 0 replies; 13+ messages in thread
From: Mark Brown @ 2019-07-16 18:18 UTC (permalink / raw)
  To: Wen Yang; +Cc: alsa-devel, broonie, cheng.shengyu, Jaroslav Kysela, krzk

The patch

   ASoC: samsung: odroid: fix a double-free issue for cpu_dai

has been applied to the asoc tree at

   https://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound.git for-5.3

All being well this means that it will be integrated into the linux-next
tree (usually sometime in the next 24 hours) and sent to Linus during
the next merge window (or sooner if it is a bug fix), however if
problems are discovered then the patch may be dropped or reverted.  

You may get further e-mails resulting from automated or manual testing
and review of the tree, please engage with people reporting problems and
send followup patches addressing any issues that are reported if needed.

If any updates are required or you are submitting further changes they
should be sent as incremental updates against current git, existing
patches will not be replaced.

Please add any relevant lists and maintainers to the CCs when replying
to this mail.

Thanks,
Mark

>From 2abee12c0ab1924a69993d2c063a39a952e7d836 Mon Sep 17 00:00:00 2001
From: Wen Yang <wen.yang99@zte.com.cn>
Date: Sat, 13 Jul 2019 11:46:15 +0800
Subject: [PATCH] ASoC: samsung: odroid: fix a double-free issue for cpu_dai

The cpu_dai variable is still being used after the of_node_put() call,
which may result in double-free:

        of_node_put(cpu_dai);            ---> released here

        ret = devm_snd_soc_register_card(dev, card);
        if (ret < 0) {
...
                goto err_put_clk_i2s;    --> jump to err_put_clk_i2s
...

err_put_clk_i2s:
        clk_put(priv->clk_i2s_bus);
err_put_sclk:
        clk_put(priv->sclk_i2s);
err_put_cpu_dai:
        of_node_put(cpu_dai);            --> double-free here

Fixes: d832d2b246c5 ("ASoC: samsung: odroid: Fix of_node refcount unbalance")
Signed-off-by: Wen Yang <wen.yang99@zte.com.cn>
Cc: Krzysztof Kozlowski <krzk@kernel.org>
Cc: Sangbeom Kim <sbkim73@samsung.com>
Cc: Sylwester Nawrocki <s.nawrocki@samsung.com>
Cc: Liam Girdwood <lgirdwood@gmail.com>
Cc: Mark Brown <broonie@kernel.org>
Cc: Jaroslav Kysela <perex@perex.cz>
Cc: Takashi Iwai <tiwai@suse.com>
Cc: alsa-devel@alsa-project.org
Cc: linux-kernel@vger.kernel.org
Link: https://lore.kernel.org/r/1562989575-33785-3-git-send-email-wen.yang99@zte.com.cn
Signed-off-by: Mark Brown <broonie@kernel.org>
---
 sound/soc/samsung/odroid.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sound/soc/samsung/odroid.c b/sound/soc/samsung/odroid.c
index 64ebe895cdd7..f0f5fa9c27d3 100644
--- a/sound/soc/samsung/odroid.c
+++ b/sound/soc/samsung/odroid.c
@@ -308,7 +308,6 @@ static int odroid_audio_probe(struct platform_device *pdev)
 		ret = PTR_ERR(priv->clk_i2s_bus);
 		goto err_put_sclk;
 	}
-	of_node_put(cpu_dai);
 
 	ret = devm_snd_soc_register_card(dev, card);
 	if (ret < 0) {
@@ -316,6 +315,7 @@ static int odroid_audio_probe(struct platform_device *pdev)
 		goto err_put_clk_i2s;
 	}
 
+	of_node_put(cpu_dai);
 	of_node_put(codec);
 	return 0;
 
-- 
2.20.1


* Applied "ASoC: samsung: odroid: fix an use-after-free issue for codec" to the asoc tree
  2019-07-13  3:46 ` [PATCH 1/2] ASoC: samsung: odroid: fix an use-after-free issue for codec Wen Yang
                     ` (2 preceding siblings ...)
  2019-07-16  9:06   ` [PATCH 1/2] " Krzysztof Kozlowski
@ 2019-07-16 18:18   ` Mark Brown
  3 siblings, 0 replies; 13+ messages in thread
From: Mark Brown @ 2019-07-16 18:18 UTC (permalink / raw)
  To: Wen Yang; +Cc: alsa-devel, broonie, cheng.shengyu, Jaroslav Kysela, krzk

The patch

   ASoC: samsung: odroid: fix an use-after-free issue for codec

has been applied to the asoc tree at

   https://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound.git for-5.3

All being well this means that it will be integrated into the linux-next
tree (usually sometime in the next 24 hours) and sent to Linus during
the next merge window (or sooner if it is a bug fix), however if
problems are discovered then the patch may be dropped or reverted.  

You may get further e-mails resulting from automated or manual testing
and review of the tree, please engage with people reporting problems and
send followup patches addressing any issues that are reported if needed.

If any updates are required or you are submitting further changes they
should be sent as incremental updates against current git, existing
patches will not be replaced.

Please add any relevant lists and maintainers to the CCs when replying
to this mail.

Thanks,
Mark

>From 9b6d104a6b150bd4d3e5b039340e1f6b20c2e3c1 Mon Sep 17 00:00:00 2001
From: Wen Yang <wen.yang99@zte.com.cn>
Date: Sat, 13 Jul 2019 11:46:14 +0800
Subject: [PATCH] ASoC: samsung: odroid: fix an use-after-free issue for codec

The codec variable is still being used after the of_node_put() call,
which may result in use-after-free.

Fixes: bc3cf17b575a ("ASoC: samsung: odroid: Add support for secondary CPU DAI")
Signed-off-by: Wen Yang <wen.yang99@zte.com.cn>
Cc: Krzysztof Kozlowski <krzk@kernel.org>
Cc: Sangbeom Kim <sbkim73@samsung.com>
Cc: Sylwester Nawrocki <s.nawrocki@samsung.com>
Cc: Liam Girdwood <lgirdwood@gmail.com>
Cc: Mark Brown <broonie@kernel.org>
Cc: Jaroslav Kysela <perex@perex.cz>
Cc: Takashi Iwai <tiwai@suse.com>
Cc: alsa-devel@alsa-project.org
Cc: linux-kernel@vger.kernel.org
Link: https://lore.kernel.org/r/1562989575-33785-2-git-send-email-wen.yang99@zte.com.cn
Signed-off-by: Mark Brown <broonie@kernel.org>
---
 sound/soc/samsung/odroid.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/sound/soc/samsung/odroid.c b/sound/soc/samsung/odroid.c
index dfb6e460e7eb..64ebe895cdd7 100644
--- a/sound/soc/samsung/odroid.c
+++ b/sound/soc/samsung/odroid.c
@@ -284,9 +284,8 @@ static int odroid_audio_probe(struct platform_device *pdev)
 	}
 
 	of_node_put(cpu);
-	of_node_put(codec);
 	if (ret < 0)
-		return ret;
+		goto err_put_node;
 
 	ret = snd_soc_of_get_dai_link_codecs(dev, codec, codec_link);
 	if (ret < 0)
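Review bot: The new "goto err_put_node" bypasses err_put_cpu_dai, so it is balanced only if no cpu_dai reference is held at this point. The bc3cf17b575a excerpt quoted earlier in the thread shows cpu_dai = of_parse_phandle(cpu, "sound-dai", 0) directly above of_node_put(cpu); if ret can be negative while cpu_dai is non-NULL, this exit also needs an of_node_put(cpu_dai). of_node_put() accepts NULL, so an unconditional put there would be safe.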
@@ -317,6 +316,7 @@ static int odroid_audio_probe(struct platform_device *pdev)
 		goto err_put_clk_i2s;
 	}
 
+	of_node_put(codec);
 	return 0;
 
 err_put_clk_i2s:
@@ -326,6 +326,8 @@ static int odroid_audio_probe(struct platform_device *pdev)
 err_put_cpu_dai:
 	of_node_put(cpu_dai);
 	snd_soc_of_put_dai_link_codecs(codec_link);
+err_put_node:
+	of_node_put(codec);
 	return ret;
 }
 
-- 
2.20.1
