From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1161498AbbBCXxE (ORCPT ); Tue, 3 Feb 2015 18:53:04 -0500 Received: from mail.linuxfoundation.org ([140.211.169.12]:54974 "EHLO mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1754312AbbBCXPS (ORCPT ); Tue, 3 Feb 2015 18:15:18 -0500 From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Geert Uytterhoeven , Mark Brown Subject: [PATCH 3.18 11/57] ASoC: simple-card: Fix crash in asoc_simple_card_unref() Date: Tue, 3 Feb 2015 15:14:02 -0800 Message-Id: <20150203231213.419783777@linuxfoundation.org> X-Mailer: git-send-email 2.2.2 In-Reply-To: <20150203231211.486950145@linuxfoundation.org> References: <20150203231211.486950145@linuxfoundation.org> User-Agent: quilt/0.63-1 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 3.18-stable review patch. If anyone has any objections, please let me know. ------------------ From: Geert Uytterhoeven commit 7ddfdb5c5a5b51bdd2cb749d8341d763b079d520 upstream. If asoc_simple_card_probe() fails, asoc_simple_card_unref() may be called before dev_set_drvdata(), causing a NULL pointer dereference in asoc_simple_card_unref(): Unable to handle kernel NULL pointer dereference at virtual address 000000d4 ... PC is at asoc_simple_card_unref+0x14/0x48 LR is at asoc_simple_card_probe+0x3d4/0x40c This typically happens because asoc_simple_card_parse_of() returns -EPROBE_DEFER, but other failure modes are possible. devm_snd_soc_register_card()/snd_soc_register_card() may fail either before or after dev_set_drvdata(). Pass a snd_soc_card pointer instead of a platform_device pointer to asoc_simple_card_unref() to fix this. Note that if CONFIG_OF_DYNAMIC=n, of_node_put() is a dummy, and gcc may optimize away the loop over card->dai_link, never actually dereferencing card, and thus avoiding the crash... Signed-off-by: Geert Uytterhoeven Fixes: e512e001dafa54e5 ("ASoC: simple-card: Fix the reference count of device nodes") Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman --- sound/soc/generic/simple-card.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) --- a/sound/soc/generic/simple-card.c +++ b/sound/soc/generic/simple-card.c @@ -453,9 +453,8 @@ static int asoc_simple_card_parse_of(str } /* Decrease the reference count of the device nodes */ -static int asoc_simple_card_unref(struct platform_device *pdev) +static int asoc_simple_card_unref(struct snd_soc_card *card) { - struct snd_soc_card *card = platform_get_drvdata(pdev); struct snd_soc_dai_link *dai_link; struct device_node *np; int num_links; @@ -562,7 +561,7 @@ static int asoc_simple_card_probe(struct return ret; err: - asoc_simple_card_unref(pdev); + asoc_simple_card_unref(&priv->snd_card); return ret; } @@ -578,7 +577,7 @@ static int asoc_simple_card_remove(struc snd_soc_jack_free_gpios(&simple_card_mic_jack, 1, &simple_card_mic_jack_gpio); - return asoc_simple_card_unref(pdev); + return asoc_simple_card_unref(card); } static const struct of_device_id asoc_simple_of_match[] = {