From patchwork Fri Jan 11 00:21:04 2019
X-Patchwork-Submitter: Curtis Malainey
X-Patchwork-Id: 10757085
Date: Thu, 10 Jan 2019 16:21:04 -0800
In-Reply-To: <20190110223302.85927-1-cujomalainey@chromium.org>
Message-Id: <20190111002104.121379-1-cujomalainey@chromium.org>
From: Curtis Malainey
To: alsa-devel@alsa-project.org
Cc: Curtis Malainey, Mark Brown, Takashi Iwai, Liam Girdwood
Subject: [alsa-devel] [PATCH v2] ASoC: soc-core: fix init platform memory handling

snd_soc_init_platform initializes pointers to snd_soc_dai_link which is statically allocated and it does this by devm_kzalloc. In the event of an EPROBE_DEFER the memory will be freed and the pointers are left dangling. snd_soc_init_platform sees the dangling pointers and assumes they are pointing to initialized memory and does not reallocate them on the second probe attempt which results in a use after free bug since devm has freed the memory from the first probe attempt.

Since the intention for snd_soc_dai_link->platform is that it can be set statically by the machine driver we need to respect the pointer in the event we did not set it but still catch dangling pointers. The solution is to add a flag to track whether the pointer was dynamically allocated or not.

Signed-off-by: Curtis Malainey
---
 include/sound/soc.h  |  6 ++++++
 sound/soc/soc-core.c | 11 ++++++-----
 2 files changed, 12 insertions(+), 5 deletions(-)

diff --git a/include/sound/soc.h b/include/sound/soc.h index 8ec1de856ee7e..e665f111b0d27 100644 --- a/include/sound/soc.h +++ b/include/sound/soc.h
@@ -985,6 +985,12 @@ struct snd_soc_dai_link { /* Do not create a PCM for this DAI link (Backend link) */ unsigned int ignore:1; + /* + * This driver uses legacy platform naming. Set by the core, machine + * drivers should not modify this value. + */ + unsigned int legacy_platform:1; + struct list_head list; /* DAI link list of the soc card */ struct snd_soc_dobj dobj; /* For topology */ }; diff --git a/sound/soc/soc-core.c b/sound/soc/soc-core.c index 0934b36645b3e..cdcc417c94ca1 100644 --- a/sound/soc/soc-core.c +++ b/sound/soc/soc-core.c @@ -1034,17 +1034,18 @@ static int snd_soc_init_platform(struct snd_soc_card *card, * this function should be removed in the future */ /* convert Legacy platform link */ - if (!platform) { + if (!platform || dai_link->legacy_platform) { platform = devm_kzalloc(card->dev, sizeof(struct snd_soc_dai_link_component), GFP_KERNEL); if (!platform) return -ENOMEM; - dai_link->platform = platform; - platform->name = dai_link->platform_name; - platform->of_node = dai_link->platform_of_node; - platform->dai_name = NULL; + dai_link->platform = platform; + dai_link->legacy_platform = 1; + platform->name = dai_link->platform_name; + platform->of_node = dai_link->platform_of_node; + platform->dai_name = NULL; } /* if there's no platform we match on the empty platform */
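Review bot: The comment added above `legacy_platform` in include/sound/soc.h describes a naming style, but the flag actually records ownership: that `dai_link->platform` was allocated by the core with devm and becomes invalid once a probe attempt unwinds. Please say that in the comment, and consider a name that reflects it, since the struct is declared by machine drivers and "should not modify this value" is the only thing keeping a driver from setting or copying the bit along with a stale pointer.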
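Review bot: In the sound/soc/soc-core.c hunk, `if (!platform || dai_link->legacy_platform)` sets the flag and never clears it, and the old pointer stays in `dai_link->platform` until this function runs again, so the fix depends on nothing dereferencing that field between the devm release and the next call, and on this function running once per probe attempt (each extra call makes another devm allocation that lives until unbind). A comment above the condition stating both assumptions would make that reviewable. The four assignment lines that are removed and re-added differ only in alignment; leaving their whitespace alone would keep the fix smaller and easier to backport.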
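The failure mode the commit message describes, as an added userspace model that is not part of the patch or the kernel tree. `pool`, `model_devm_alloc`, `probe_twice` and the `use_flag` parameter are hypothetical stand-ins; a static pool with a `live` marker replaces devm so the stale slot can be inspected without touching freed memory.

```c
#include <stdio.h>
/* Constructed userspace model of devm-managed memory (not kernel code). */
struct component { int live; };
static struct component pool[8];
static size_t pool_used;

static struct component *model_devm_alloc(void)
{
    if (pool_used == sizeof(pool) / sizeof(pool[0]))
        return NULL;
    pool[pool_used].live = 1;
    return &pool[pool_used++];
}

/* Statically allocated link, as a machine driver declares it. */
struct link {
    struct component *platform;
    unsigned int legacy_platform:1;
};

/* use_flag = 0 models the old check, 1 the check from the patch. */
static int init_platform(struct link *l, int use_flag)
{
    if (!l->platform || (use_flag && l->legacy_platform)) {
        struct component *c = model_devm_alloc();
        if (!c)
            return -1;
        l->platform = c;
        l->legacy_platform = 1;
    }
    return 0;
}

/* Defer once, probe again; 1 means the link points at live memory. */
static int probe_twice(int use_flag)
{
    struct link l = { .platform = NULL };
    if (init_platform(&l, use_flag))
        return -1;
    for (size_t i = 0; i < pool_used; i++)
        pool[i].live = 0; /* devm unwind; the kernel kfree()s here */
    return init_platform(&l, use_flag) ? -1 : l.platform->live;
}

int main(void)
{
    printf("old: %d patched: %d\n", probe_twice(0), probe_twice(1));
    return 0;
}
```

With the old check the second probe keeps the released slot; with the flag it reallocates, while a platform pointer set statically by the driver is still respected because the flag is clear.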