From patchwork Thu Jan 10 22:33:02 2019
X-Patchwork-Submitter: Curtis Malainey
X-Patchwork-Id: 10757023
Date: Thu, 10 Jan 2019 14:33:02 -0800
Message-Id: <20190110223302.85927-1-cujomalainey@chromium.org>
From: Curtis Malainey
To: alsa-devel@alsa-project.org
Cc: Curtis Malainey
Subject: [alsa-devel] [PATCH] ASoC: soc-core: fix init platform memory handling

snd_soc_init_platform initializes pointers to snd_soc_dai_link which is statically allocated and it does this by devm_kzalloc. In the event of an EPROBE_DEFER the memory will be freed and the pointers are left dangling. snd_soc_init_platform sees the dangling pointers and assumes they are pointing to initialized memory and does not reallocate them on the second probe attempt which results in a use after free bug since devm has freed the memory from the first probe attempt.

Since the intention for snd_soc_dai_link->platform is that it can be set statically by the machine driver we need to respect the pointer in the event we did not set it but still catch dangling pointers. The solution is to add a flag to track whether the pointer was dynamically allocated or not.

Signed-off-by: Curtis Malainey

--- include/sound/soc.h | 6 ++++++ sound/soc/soc-core.c | 11 ++++++----- 2 files changed, 12 insertions(+), 5 deletions(-) diff --git a/include/sound/soc.h b/include/sound/soc.h index 8ec1de856ee7e..e665f111b0d27 100644 --- a/include/sound/soc.h +++ b/include/sound/soc.h @@ -985,6 +985,12 @@ struct snd_soc_dai_link { /* Do not create a PCM for this DAI link (Backend link) */ unsigned int ignore:1; + /* + * This driver uses legacy platform naming. Set by the core, machine + * drivers should not modify this value. + */ + unsigned int legacy_platform:1; + struct list_head list; /* DAI link list of the soc card */ struct snd_soc_dobj dobj; /* For topology */ };
diff --git a/sound/soc/soc-core.c b/sound/soc/soc-core.c index 0934b36645b3e..cdcc417c94ca1 100644 --- a/sound/soc/soc-core.c +++ b/sound/soc/soc-core.c @@ -1034,17 +1034,18 @@ static int snd_soc_init_platform(struct snd_soc_card *card, * this function should be removed in the future */ /* convert Legacy platform link */ - if (!platform) { + if (!platform || dai_link->legacy_platform) { platform = devm_kzalloc(card->dev, sizeof(struct snd_soc_dai_link_component), GFP_KERNEL); if (!platform) return -ENOMEM; - dai_link->platform = platform; - platform->name = dai_link->platform_name; - platform->of_node = dai_link->platform_of_node; - platform->dai_name = NULL; + dai_link->platform = platform; + dai_link->legacy_platform = 1; + platform->name = dai_link->platform_name; + platform->of_node = dai_link->platform_of_node; + platform->dai_name = NULL; } /* if there's no platform we match on the empty platform */
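
Review bot: The comment on the new legacy_platform bit in struct snd_soc_dai_link (include/sound/soc.h) describes "legacy platform naming", but per the commit message the bit exists to record that the core allocated dai_link->platform itself, so that the pointer can be treated as stale on a later probe attempt. Suggest wording the comment around ownership and lifetime, for example that the bit is set when snd_soc_init_platform allocated platform with devm_kzalloc and that the pointer must not be trusted across probe attempts while it is set. A field name that reflects this would also make the new condition in soc-core.c easier to read.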
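
Review bot: In the "if (!platform || dai_link->legacy_platform)" branch of snd_soc_init_platform (sound/soc/soc-core.c), the stale pointer is only replaced the next time this function runs, so dai_link->platform keeps pointing at devm-freed memory between the deferred probe and the retry, and legacy_platform is never cleared. Consider resetting dai_link->platform to NULL on the teardown path, or add a comment explaining why nothing can read it in that window. Because the branch now allocates whenever the flag is set, it is also worth confirming the function runs only once per probe attempt, otherwise each call adds another devm allocation that is held until unbind. As a style point, the four assignment lines are removed and re-added with no textual change; leaving them untouched would reduce the hunk to the condition change and the one new "dai_link->legacy_platform = 1;" line.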