From patchwork Tue Mar 26 17:23:38 2019
X-Patchwork-Submitter: Guenter Roeck
X-Patchwork-Id: 10871715
From: Guenter Roeck
To: Mark Brown
Date: Tue, 26 Mar 2019 10:23:38 -0700
Message-Id: <1553621018-8944-1-git-send-email-linux@roeck-us.net>
Cc: alsa-devel@alsa-project.org, Liam Girdwood, linux-kernel@vger.kernel.org, Takashi Iwai, Curtis Malainey, Guenter Roeck
Subject: [alsa-devel] [PATCH] ASoC: core: Fix use-after-free after deferred card registration

If snd_soc_register_card() fails because one of its links fails to instantiate with -EPROBE_DEFER, and the to-be-registered link is a legacy link, a subsequent retry will trigger a use-after-free and quite often a system crash.

Example:

byt-max98090 byt-max98090: ASoC: failed to init link Baytrail Audio
byt-max98090 byt-max98090: snd_soc_register_card failed -517
....
BUG: KASAN: use-after-free in snd_soc_init_platform+0x233/0x312
Read of size 8 at addr ffff888067c43070 by task kworker/1:1/23

snd_soc_init_platform() allocates memory attached to the card device. This memory is released when the card device is released. However, the pointer to the memory (dai_link->platforms) is only cleared from soc_cleanup_platform(), which is called from soc_cleanup_card_resources(), but not if snd_soc_register_card() fails early.

Add the missing call to soc_cleanup_platform() in the error handling code of snd_soc_register_card() to fix the problem.

Fixes: 78a24e10cd94 ("ASoC: soc-core: clear platform pointers on error")
Cc: Curtis Malainey
Signed-off-by: Guenter Roeck
--- sound/soc/soc-core.c | 1 + 1 file changed, 1 insertion(+) diff --git a/sound/soc/soc-core.c b/sound/soc/soc-core.c index 93d316d5bf8e..6bf9884d0863 100644 
--- a/sound/soc/soc-core.c +++ b/sound/soc/soc-core.c @@ -2799,6 +2799,7 @@ int snd_soc_register_card(struct snd_soc_card *card) if (ret) { dev_err(card->dev, "ASoC: failed to init link %s\n", link->name); + soc_cleanup_platform(card); mutex_unlock(&client_mutex); return ret; }
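
Review bot: In the if (ret) branch that logs "ASoC: failed to init link", soc_cleanup_platform(card) is called for the whole card although the failure is reported for a single link (link->name), so links that were never initialised also pass through the cleanup. Please confirm that soc_cleanup_platform() tolerates a link whose dai_link->platforms was never allocated by snd_soc_init_platform(), and state that in the commit message or in a short comment above the call. The commit message also describes the stale pointer as a consequence of snd_soc_register_card() failing early in general, while only this one return path gains the call; if other error returns can follow snd_soc_init_platform(), a shared error label that does the cleanup and the mutex_unlock(&client_mutex) would cover them in one place.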