We developed a coccinelle SmPL to detect sound/soc/samsung/odroid.c and
found some use-after-free problems.
This patch series fixes those problems.
Wen Yang (2):
ASoC: samsung: odroid: fix an use-after-free issue for codec
ASoC: samsung: odroid: fix a double-free issue for cpu_dai
sound/soc/samsung/odroid.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
Cc: Krzysztof Kozlowski <[email protected]>
Cc: Sangbeom Kim <[email protected]>
Cc: Sylwester Nawrocki <[email protected]>
Cc: Liam Girdwood <[email protected]>
Cc: Mark Brown <[email protected]>
Cc: Jaroslav Kysela <[email protected]>
Cc: Takashi Iwai <[email protected]>
Cc: [email protected]
Cc: [email protected]
--
2.9.5
The cpu_dai variable is still being used after the of_node_put() call,
which may result in double-free:
of_node_put(cpu_dai); ---> released here
ret = devm_snd_soc_register_card(dev, card);
if (ret < 0) {
...
goto err_put_clk_i2s; --> jump to err_put_clk_i2s
...
err_put_clk_i2s:
clk_put(priv->clk_i2s_bus);
err_put_sclk:
clk_put(priv->sclk_i2s);
err_put_cpu_dai:
of_node_put(cpu_dai); --> double-free here
Fixes: d832d2b246c5 ("ASoC: samsung: odroid: Fix of_node refcount unbalance")
Signed-off-by: Wen Yang <[email protected]>
Cc: Krzysztof Kozlowski <[email protected]>
Cc: Sangbeom Kim <[email protected]>
Cc: Sylwester Nawrocki <[email protected]>
Cc: Liam Girdwood <[email protected]>
Cc: Mark Brown <[email protected]>
Cc: Jaroslav Kysela <[email protected]>
Cc: Takashi Iwai <[email protected]>
Cc: [email protected]
Cc: [email protected]
---
sound/soc/samsung/odroid.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sound/soc/samsung/odroid.c b/sound/soc/samsung/odroid.c
index 64ebe89..f0f5fa9 100644
--- a/sound/soc/samsung/odroid.c
+++ b/sound/soc/samsung/odroid.c
@@ -308,7 +308,6 @@ static int odroid_audio_probe(struct platform_device *pdev)
ret = PTR_ERR(priv->clk_i2s_bus);
goto err_put_sclk;
}
- of_node_put(cpu_dai);
ret = devm_snd_soc_register_card(dev, card);
if (ret < 0) {
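Review bot: The commit message calls this a double-free, but what the removed `of_node_put(cpu_dai);` ahead of `devm_snd_soc_register_card()` causes is a second reference drop once the `ret < 0` branch unwinds through `err_put_cpu_dai`. Wording such as "the cpu_dai reference is dropped twice on the registration error path" would describe the defect more exactly and would explain why the call is moved rather than deleted.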
@@ -316,6 +315,7 @@ static int odroid_audio_probe(struct platform_device *pdev)
goto err_put_clk_i2s;
}
+ of_node_put(cpu_dai);
of_node_put(codec);
return 0;
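Review bot: On the success path the added `of_node_put(cpu_dai);` runs after the card has been registered, and nothing in this hunk shows whether the registered card keeps the `cpu_dai` pointer. If it does, the reference should be held until the card is unregistered; if it does not, one sentence in the commit message saying so would settle the lifetime question.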
--
2.9.5
The codec variable is still being used after the of_node_put() call,
which may result in use-after-free.
Fixes: bc3cf17b575a ("ASoC: samsung: odroid: Add support for secondary CPU DAI")
Signed-off-by: Wen Yang <[email protected]>
Cc: Krzysztof Kozlowski <[email protected]>
Cc: Sangbeom Kim <[email protected]>
Cc: Sylwester Nawrocki <[email protected]>
Cc: Liam Girdwood <[email protected]>
Cc: Mark Brown <[email protected]>
Cc: Jaroslav Kysela <[email protected]>
Cc: Takashi Iwai <[email protected]>
Cc: [email protected]
Cc: [email protected]
---
sound/soc/samsung/odroid.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/sound/soc/samsung/odroid.c b/sound/soc/samsung/odroid.c
index dfb6e46..64ebe89 100644
--- a/sound/soc/samsung/odroid.c
+++ b/sound/soc/samsung/odroid.c
@@ -284,9 +284,8 @@ static int odroid_audio_probe(struct platform_device *pdev)
}
of_node_put(cpu);
- of_node_put(codec);
if (ret < 0)
- return ret;
+ goto err_put_node;
ret = snd_soc_of_get_dai_link_codecs(dev, codec, codec_link);
if (ret < 0)
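Review bot: The commit message says `codec` is used after `of_node_put()` without naming the use; in this hunk it is the `snd_soc_of_get_dai_link_codecs(dev, codec, codec_link)` call directly below the removed put. Naming that call in the message would let a reader confirm the fix without opening the file.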
@@ -317,6 +316,7 @@ static int odroid_audio_probe(struct platform_device *pdev)
goto err_put_clk_i2s;
}
+ of_node_put(codec);
return 0;
err_put_clk_i2s:
@@ -326,6 +326,8 @@ static int odroid_audio_probe(struct platform_device *pdev)
err_put_cpu_dai:
of_node_put(cpu_dai);
snd_soc_of_put_dai_link_codecs(codec_link);
+err_put_node:
+ of_node_put(codec);
return ret;
}
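Review bot: The new label `err_put_node` does not say which node it releases, while the label above it is `err_put_cpu_dai`; `err_put_codec` would match the existing naming and keep the unwind order readable. Its placement below `snd_soc_of_put_dai_link_codecs(codec_link);` is right for the early `goto` added in the first hunk, since the link codecs have not been obtained at that point.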
--
2.9.5
> @@ -317,6 +316,7 @@ static int odroid_audio_probe(struct platform_device *pdev)
> goto err_put_clk_i2s;
> }
>
> + of_node_put(codec);
I would prefer to avoid a bit of duplicate source code also at this place.
Thus I would find a statement like “goto put_node;” more appropriate here.
> return 0;
>
> err_put_clk_i2s:
Regards,
Markus
Would a subject like “ASoC: samsung: odroid: Fix handling of device node references
in odroid_audio_probe” be more appropriate (instead of using the abbreviation “err”)?
> We developed a coccinelle SmPL to detect …
* I would find a slightly different wording better.
* What do you think about converting this information into software attributions
for the update steps?
Regards,
Markus
> Fixes: bc3cf17b575a ("ASoC: samsung: odroid: Add support for secondary CPU DAI")
* Can it be that this commit identification is more relevant for the second update step?
* Was the handling of device node references questionable already before this change?
Regards,
Markus
> The cpu_dai variable is still being used after the of_node_put() call,
Such an implementation detail is questionable.
https://wiki.sei.cmu.edu/confluence/display/c/MEM30-C.+Do+not+access+freed+memory
> which may result in double-free:
This consequence is also undesirable.
https://cwe.mitre.org/data/definitions/415.html
Now I wonder if two update steps are really appropriate as a fix
instead of using a single update step for the desired correction
in this software module.
Should a commit (including previous ones) usually be correct by itself?
Regards,
Markus
On Sat, 13 Jul 2019 at 05:48, Wen Yang <[email protected]> wrote:
>
> The codec variable is still being used after the of_node_put() call,
> which may result in use-after-free.
>
> Fixes: bc3cf17b575a ("ASoC: samsung: odroid: Add support for secondary CPU DAI")
> Signed-off-by: Wen Yang <[email protected]>
> Cc: Krzysztof Kozlowski <[email protected]>
> Cc: Sangbeom Kim <[email protected]>
> Cc: Sylwester Nawrocki <[email protected]>
> Cc: Liam Girdwood <[email protected]>
> Cc: Mark Brown <[email protected]>
> Cc: Jaroslav Kysela <[email protected]>
> Cc: Takashi Iwai <[email protected]>
> Cc: [email protected]
> Cc: [email protected]
> ---
> sound/soc/samsung/odroid.c | 6 ++++--
> 1 file changed, 4 insertions(+), 2 deletions(-)
Reviewed-by: Krzysztof Kozlowski <[email protected]>
Best regards,
Krzysztof
On Sat, 13 Jul 2019 at 05:48, Wen Yang <[email protected]> wrote:
>
> The cpu_dai variable is still being used after the of_node_put() call,
> which may result in double-free:
>
> of_node_put(cpu_dai); ---> released here
>
> ret = devm_snd_soc_register_card(dev, card);
> if (ret < 0) {
> ...
> goto err_put_clk_i2s; --> jump to err_put_clk_i2s
> ...
>
> err_put_clk_i2s:
> clk_put(priv->clk_i2s_bus);
> err_put_sclk:
> clk_put(priv->sclk_i2s);
> err_put_cpu_dai:
> of_node_put(cpu_dai); --> double-free here
>
> Fixes: d832d2b246c5 ("ASoC: samsung: odroid: Fix of_node refcount unbalance")
> Signed-off-by: Wen Yang <[email protected]>
> Cc: Krzysztof Kozlowski <[email protected]>
> Cc: Sangbeom Kim <[email protected]>
> Cc: Sylwester Nawrocki <[email protected]>
> Cc: Liam Girdwood <[email protected]>
> Cc: Mark Brown <[email protected]>
> Cc: Jaroslav Kysela <[email protected]>
> Cc: Takashi Iwai <[email protected]>
> Cc: [email protected]
> Cc: [email protected]
> ---
> sound/soc/samsung/odroid.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
Reviewed-by: Krzysztof Kozlowski <[email protected]>
Best regards,
Krzysztof
The patch
ASoC: samsung: odroid: fix an use-after-free issue for codec
has been applied to the asoc tree at
https://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound.git for-5.3
All being well this means that it will be integrated into the linux-next
tree (usually sometime in the next 24 hours) and sent to Linus during
the next merge window (or sooner if it is a bug fix), however if
problems are discovered then the patch may be dropped or reverted.
You may get further e-mails resulting from automated or manual testing
and review of the tree, please engage with people reporting problems and
send followup patches addressing any issues that are reported if needed.
If any updates are required or you are submitting further changes they
should be sent as incremental updates against current git, existing
patches will not be replaced.
Please add any relevant lists and maintainers to the CCs when replying
to this mail.
Thanks,
Mark
From 9b6d104a6b150bd4d3e5b039340e1f6b20c2e3c1 Mon Sep 17 00:00:00 2001
From: Wen Yang <[email protected]>
Date: Sat, 13 Jul 2019 11:46:14 +0800
Subject: [PATCH] ASoC: samsung: odroid: fix an use-after-free issue for codec
The codec variable is still being used after the of_node_put() call,
which may result in use-after-free.
Fixes: bc3cf17b575a ("ASoC: samsung: odroid: Add support for secondary CPU DAI")
Signed-off-by: Wen Yang <[email protected]>
Cc: Krzysztof Kozlowski <[email protected]>
Cc: Sangbeom Kim <[email protected]>
Cc: Sylwester Nawrocki <[email protected]>
Cc: Liam Girdwood <[email protected]>
Cc: Mark Brown <[email protected]>
Cc: Jaroslav Kysela <[email protected]>
Cc: Takashi Iwai <[email protected]>
Cc: [email protected]
Cc: [email protected]
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Mark Brown <[email protected]>
---
sound/soc/samsung/odroid.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/sound/soc/samsung/odroid.c b/sound/soc/samsung/odroid.c
index dfb6e460e7eb..64ebe895cdd7 100644
--- a/sound/soc/samsung/odroid.c
+++ b/sound/soc/samsung/odroid.c
@@ -284,9 +284,8 @@ static int odroid_audio_probe(struct platform_device *pdev)
}
of_node_put(cpu);
- of_node_put(codec);
if (ret < 0)
- return ret;
+ goto err_put_node;
ret = snd_soc_of_get_dai_link_codecs(dev, codec, codec_link);
if (ret < 0)
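Review bot: `of_node_put(cpu);` is still released inline above the `ret` check while the `codec` release moves to a label, so the two node references are now dropped in two different styles. That is correct only if `cpu` is not used below this point, which the hunk does not show; please confirm it, or move that put to the unwind path as well for symmetry.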
@@ -317,6 +316,7 @@ static int odroid_audio_probe(struct platform_device *pdev)
goto err_put_clk_i2s;
}
+ of_node_put(codec);
return 0;
err_put_clk_i2s:
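Review bot: The `of_node_put(codec);` added before `return 0;` duplicates the release at `err_put_node`, so any later change to the codec cleanup has to be made in two places. Jumping to the shared label instead would return `ret`, so it is only equivalent if `ret` is 0 at this point; if that holds, `goto err_put_node;` removes the duplication.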
@@ -326,6 +326,8 @@ static int odroid_audio_probe(struct platform_device *pdev)
err_put_cpu_dai:
of_node_put(cpu_dai);
snd_soc_of_put_dai_link_codecs(codec_link);
+err_put_node:
+ of_node_put(codec);
return ret;
}
--
2.20.1
The patch
ASoC: samsung: odroid: fix a double-free issue for cpu_dai
has been applied to the asoc tree at
https://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound.git for-5.3
All being well this means that it will be integrated into the linux-next
tree (usually sometime in the next 24 hours) and sent to Linus during
the next merge window (or sooner if it is a bug fix), however if
problems are discovered then the patch may be dropped or reverted.
You may get further e-mails resulting from automated or manual testing
and review of the tree, please engage with people reporting problems and
send followup patches addressing any issues that are reported if needed.
If any updates are required or you are submitting further changes they
should be sent as incremental updates against current git, existing
patches will not be replaced.
Please add any relevant lists and maintainers to the CCs when replying
to this mail.
Thanks,
Mark
From 2abee12c0ab1924a69993d2c063a39a952e7d836 Mon Sep 17 00:00:00 2001
From: Wen Yang <[email protected]>
Date: Sat, 13 Jul 2019 11:46:15 +0800
Subject: [PATCH] ASoC: samsung: odroid: fix a double-free issue for cpu_dai
The cpu_dai variable is still being used after the of_node_put() call,
which may result in double-free:
of_node_put(cpu_dai); ---> released here
ret = devm_snd_soc_register_card(dev, card);
if (ret < 0) {
...
goto err_put_clk_i2s; --> jump to err_put_clk_i2s
...
err_put_clk_i2s:
clk_put(priv->clk_i2s_bus);
err_put_sclk:
clk_put(priv->sclk_i2s);
err_put_cpu_dai:
of_node_put(cpu_dai); --> double-free here
Fixes: d832d2b246c5 ("ASoC: samsung: odroid: Fix of_node refcount unbalance")
Signed-off-by: Wen Yang <[email protected]>
Cc: Krzysztof Kozlowski <[email protected]>
Cc: Sangbeom Kim <[email protected]>
Cc: Sylwester Nawrocki <[email protected]>
Cc: Liam Girdwood <[email protected]>
Cc: Mark Brown <[email protected]>
Cc: Jaroslav Kysela <[email protected]>
Cc: Takashi Iwai <[email protected]>
Cc: [email protected]
Cc: [email protected]
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Mark Brown <[email protected]>
---
sound/soc/samsung/odroid.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sound/soc/samsung/odroid.c b/sound/soc/samsung/odroid.c
index 64ebe895cdd7..f0f5fa9c27d3 100644
--- a/sound/soc/samsung/odroid.c
+++ b/sound/soc/samsung/odroid.c
@@ -308,7 +308,6 @@ static int odroid_audio_probe(struct platform_device *pdev)
ret = PTR_ERR(priv->clk_i2s_bus);
goto err_put_sclk;
}
- of_node_put(cpu_dai);
ret = devm_snd_soc_register_card(dev, card);
if (ret < 0) {
@@ -316,6 +315,7 @@ static int odroid_audio_probe(struct platform_device *pdev)
goto err_put_clk_i2s;
}
+ of_node_put(cpu_dai);
of_node_put(codec);
return 0;
--
2.20.1