[PATCH 3.18 11/57] ASoC: simple-card: Fix crash in asoc_simple_card_unref() - Greg Kroah-Hartman

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org,
	Geert Uytterhoeven <geert+renesas@glider.be>,
	Mark Brown <broonie@kernel.org>
Subject: [PATCH 3.18 11/57] ASoC: simple-card: Fix crash in asoc_simple_card_unref()
Date: Tue,  3 Feb 2015 15:14:02 -0800	[thread overview]
Message-ID: <20150203231213.419783777@linuxfoundation.org> (raw)
In-Reply-To: <20150203231211.486950145@linuxfoundation.org>

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Geert Uytterhoeven <geert+renesas@glider.be>

commit 7ddfdb5c5a5b51bdd2cb749d8341d763b079d520 upstream.

If asoc_simple_card_probe() fails, asoc_simple_card_unref() may be
called before dev_set_drvdata(), causing a NULL pointer dereference in
asoc_simple_card_unref():

    Unable to handle kernel NULL pointer dereference at virtual address 000000d4
    ...
    PC is at asoc_simple_card_unref+0x14/0x48
    LR is at asoc_simple_card_probe+0x3d4/0x40c

This typically happens because asoc_simple_card_parse_of() returns
-EPROBE_DEFER, but other failure modes are possible.
devm_snd_soc_register_card()/snd_soc_register_card() may fail either
before or after dev_set_drvdata().

Pass a snd_soc_card pointer instead of a platform_device pointer to
asoc_simple_card_unref() to fix this.

Note that if CONFIG_OF_DYNAMIC=n, of_node_put() is a dummy, and gcc may
optimize away the loop over card->dai_link, never actually dereferencing
card, and thus avoiding the crash...

Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
Fixes: e512e001dafa54e5 ("ASoC: simple-card: Fix the reference count of device nodes")
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/soc/generic/simple-card.c |    7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

--- a/sound/soc/generic/simple-card.c
+++ b/sound/soc/generic/simple-card.c
@@ -453,9 +453,8 @@ static int asoc_simple_card_parse_of(str
 }
 
 /* Decrease the reference count of the device nodes */
-static int asoc_simple_card_unref(struct platform_device *pdev)
+static int asoc_simple_card_unref(struct snd_soc_card *card)
 {
-	struct snd_soc_card *card = platform_get_drvdata(pdev);
 	struct snd_soc_dai_link *dai_link;
 	struct device_node *np;
 	int num_links;
@@ -562,7 +561,7 @@ static int asoc_simple_card_probe(struct
 		return ret;
 
 err:
-	asoc_simple_card_unref(pdev);
+	asoc_simple_card_unref(&priv->snd_card);
 	return ret;
 }
 
@@ -578,7 +577,7 @@ static int asoc_simple_card_remove(struc
 		snd_soc_jack_free_gpios(&simple_card_mic_jack, 1,
 					&simple_card_mic_jack_gpio);
 
-	return asoc_simple_card_unref(pdev);
+	return asoc_simple_card_unref(card);
 }
 
 static const struct of_device_id asoc_simple_of_match[] = {


