2017-08-11 12:36:14

by Anton Vasilyev

Subject: [PATCH v2] ASoC: samsung: i2s: Null pointer dereference on samsung_i2s_remove

If (quirks & QUIRK_SEC_DAI == 0) then samsung_i2s_probe() doesn't allocate
sec_dai and pri_dai->sec_dai remains Null, but samsung_i2s_remove()
permorms pri_dai->sec_dai dereference in any case.

The patch adds sec_dai check on Null before dereference at
samsung_i2s_remove().

Found by Linux Driver Verification project (linuxtesting.org).

Signed-off-by: Anton Vasilyev <[email protected]>
---
v2: Drop initialization of sec_dai at samsung_i2s_remove as Sylwester
Nawrocki suggested.
---
sound/soc/samsung/i2s.c | 6 +-----
1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/sound/soc/samsung/i2s.c b/sound/soc/samsung/i2s.c
index af3ba4d..6f896e3 100644
--- a/sound/soc/samsung/i2s.c
+++ b/sound/soc/samsung/i2s.c
@@ -1376,13 +1376,9 @@ static int samsung_i2s_probe(struct platform_device *pdev)

static int samsung_i2s_remove(struct platform_device *pdev)
{
- struct i2s_dai *pri_dai, *sec_dai;
+ struct i2s_dai *pri_dai;

pri_dai = dev_get_drvdata(&pdev->dev);
- sec_dai = pri_dai->sec_dai;
-
- pri_dai->sec_dai = NULL;
- sec_dai->pri_dai = NULL;

pm_runtime_get_sync(&pdev->dev);
pm_runtime_disable(&pdev->dev);
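
Review bot: the commit description does not match this hunk: it says the patch "adds sec_dai check on Null", but the lines `sec_dai = pri_dai->sec_dai;`, `pri_dai->sec_dai = NULL;` and `sec_dai->pri_dai = NULL;` are deleted outright and no check is added. Please reword the description to say the assignments are dropped and why clearing the two back-pointers is not needed in samsung_i2s_remove(). Also, the condition as written, `quirks & QUIRK_SEC_DAI == 0`, parses in C as `quirks & (QUIRK_SEC_DAI == 0)`; write `(quirks & QUIRK_SEC_DAI) == 0` in the description so it states the case that actually leaves pri_dai->sec_dai unset.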
--
2.7.4


2017-08-11 13:00:33

by Sylwester Nawrocki

Subject: Re: [PATCH v2] ASoC: samsung: i2s: Null pointer dereference on samsung_i2s_remove

On 08/11/2017 02:35 PM, Anton Vasilyev wrote:
> If (quirks & QUIRK_SEC_DAI == 0) then samsung_i2s_probe() doesn't allocate
> sec_dai and pri_dai->sec_dai remains Null, but samsung_i2s_remove()
> permorms pri_dai->sec_dai dereference in any case.
  ^^^^^^^^
Still you have a typo here. ;)

> The patch adds sec_dai check on Null before dereference at
> samsung_i2s_remove().
>
> Found by Linux Driver Verification project (linuxtesting.org).
>
> Signed-off-by: Anton Vasilyev<[email protected]>

Reviewed-by: Sylwester Nawrocki <[email protected]>

2017-08-16 16:02:19

by Mark Brown

Subject: Applied "ASoC: samsung: i2s: Null pointer dereference on samsung_i2s_remove" to the asoc tree

The patch

ASoC: samsung: i2s: Null pointer dereference on samsung_i2s_remove

has been applied to the asoc tree at

git://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound.git

All being well this means that it will be integrated into the linux-next
tree (usually sometime in the next 24 hours) and sent to Linus during
the next merge window (or sooner if it is a bug fix), however if
problems are discovered then the patch may be dropped or reverted.

You may get further e-mails resulting from automated or manual testing
and review of the tree, please engage with people reporting problems and
send followup patches addressing any issues that are reported if needed.

If any updates are required or you are submitting further changes they
should be sent as incremental updates against current git, existing
patches will not be replaced.

Please add any relevant lists and maintainers to the CCs when replying
to this mail.

Thanks,
Mark

From 7b814a7d4e83b0917efef9dd11a8c095371f987c Mon Sep 17 00:00:00 2001
From: Anton Vasilyev <[email protected]>
Date: Tue, 15 Aug 2017 15:19:54 +0300
Subject: [PATCH] ASoC: samsung: i2s: Null pointer dereference on
samsung_i2s_remove

If (quirks & QUIRK_SEC_DAI == 0) then samsung_i2s_probe() doesn't allocate
sec_dai and pri_dai->sec_dai remains Null, but samsung_i2s_remove()
performs pri_dai->sec_dai dereference in any case.

The patch removes useless reinitialization of sec_dai at
samsung_i2s_remove(), because resources are under devm control.

Found by Linux Driver Verification project (linuxtesting.org).

Signed-off-by: Anton Vasilyev <[email protected]>
Acked-by: Krzysztof Kozlowski <[email protected]>
Signed-off-by: Mark Brown <[email protected]>
---
sound/soc/samsung/i2s.c | 6 +-----
1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/sound/soc/samsung/i2s.c b/sound/soc/samsung/i2s.c
index daf7b892c967..10a4da06c0a1 100644
--- a/sound/soc/samsung/i2s.c
+++ b/sound/soc/samsung/i2s.c
@@ -1388,13 +1388,9 @@ static int samsung_i2s_probe(struct platform_device *pdev)

static int samsung_i2s_remove(struct platform_device *pdev)
{
- struct i2s_dai *pri_dai, *sec_dai;
+ struct i2s_dai *pri_dai;

pri_dai = dev_get_drvdata(&pdev->dev);
- sec_dai = pri_dai->sec_dai;
-
- pri_dai->sec_dai = NULL;
- sec_dai->pri_dai = NULL;

pm_runtime_get_sync(&pdev->dev);
pm_runtime_disable(&pdev->dev);
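
Review bot: with the sec_dai lines gone, the declaration and the lone assignment `pri_dai = dev_get_drvdata(&pdev->dev);` at the top of samsung_i2s_remove() can be merged into one initialized declaration, `struct i2s_dai *pri_dai = dev_get_drvdata(&pdev->dev);`. The visible context shows no later use of pri_dai, so please also confirm that the rest of the function still reads it; if it does not, drop the variable to avoid a set-but-unused warning.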
--
2.13.3