From: Dan Carpenter <dan.carpenter@oracle.com>
To: Patrick Lai <plai@codeaurora.org>, Dinghao Liu <dinghao.liu@zju.edu.cn>, Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
Cc: alsa-devel@alsa-project.org, Banajit Goswami <bgoswami@codeaurora.org>, kernel-janitors@vger.kernel.org, Takashi Iwai <tiwai@suse.com>, Liam Girdwood <lgirdwood@gmail.com>, Mark Brown <broonie@kernel.org>
Subject: [PATCH] ASoC: qcom: common: Fix refcounting in qcom_snd_parse_of()
Date: Thu, 05 Nov 2020 12:51:54 +0000
Message-ID: <20201105125154.GA176426@mwanda>

There are two issues in this function.

1) We can't drop the references on "cpu", "codec" and "platform" before
   we take the reference. This doesn't cause a problem on the first
   iteration because those pointers start as NULL so the of_node_put()
   is a no-op. But on the subsequent iterations, it will lead to a use
   after free.

2) If the devm_kzalloc() allocation failed then the code returned
   directly instead of cleaning up.

Fixes: c1e6414cdc37 ("ASoC: qcom: common: Fix refcount imbalance on error")
Fixes: 1e36ea360ab9 ("ASoC: qcom: common: use modern dai_link style")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
--- sound/soc/qcom/common.c | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/sound/soc/qcom/common.c b/sound/soc/qcom/common.c index 54660f126d09..09af00700700 100644 --- a/sound/soc/qcom/common.c +++ b/sound/soc/qcom/common.c @@ -58,7 +58,7 @@ int qcom_snd_parse_of(struct snd_soc_card *card) dlc = devm_kzalloc(dev, 2 * sizeof(*dlc), GFP_KERNEL); if (!dlc) { ret = -ENOMEM; - goto err; + goto err_put_np; } link->cpus = &dlc[0]; @@ -70,7 +70,7 @@ int qcom_snd_parse_of(struct snd_soc_card *card) ret = of_property_read_string(np, "link-name", &link->name); if (ret) { dev_err(card->dev, "error getting codec dai_link name\n"); - goto err; + goto err_put_np; } cpu = of_get_child_by_name(np, "cpu"); 
@@ -130,8 +130,10 @@ int qcom_snd_parse_of(struct snd_soc_card *card) } else { /* DPCM frontend */ dlc = devm_kzalloc(dev, sizeof(*dlc), GFP_KERNEL); - if (!dlc) - return -ENOMEM; + if (!dlc) { + ret = -ENOMEM; + goto err; + } link->codecs = dlc; link->num_codecs = 1; @@ -158,10 +160,11 @@ int qcom_snd_parse_of(struct snd_soc_card *card) return 0; err: - of_node_put(np); of_node_put(cpu); of_node_put(codec); of_node_put(platform); +err_put_np: + of_node_put(np); return ret; } EXPORT_SYMBOL(qcom_snd_parse_of); -- 2.28.0
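Review bot: In the `@@ -130,8 +130,10 @@` hunk (DPCM frontend branch), the new `goto err` runs of_node_put() on `cpu`, `codec` and `platform`, so it is only safe if all three have been assigned in the current iteration before this allocation. The visible context shows the `cpu` lookup right after the `link-name` read but not the `codec` and `platform` lookups; if either can still hold the previous iteration's pointer at this point, this path has the same stale-put problem described in item 1 of the commit message. Worth confirming against the full function, or resetting the three pointers to NULL once the loop body has put them so that `err` is safe from any point.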
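Review bot: In the `@@ -158,10 +160,11 @@` hunk, `err:` now falls through into `err_put_np:` and nothing at the labels says which one a given failure site must use. The two `goto err_put_np` sites are correct only because they sit before `cpu = of_get_child_by_name(np, "cpu");`. A one-line comment at `err_put_np:` stating that it is for failures before the child node lookups, or renaming `err` to something like `err_put_children`, would keep a later early exit from picking the wrong label.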