2020-12-04 02:11:23

by Wang Hai

Subject: [PATCH] staging: greybus: audio: Add missing unlock in gbaudio_dapm_free_controls()

Add the missing unlock before return from function
gbaudio_dapm_free_controls() in the error handling case.

Fixes: 510e340efe0c ("staging: greybus: audio: Add helper APIs for dynamic audio module")
Reported-by: Hulk Robot <[email protected]>
Signed-off-by: Wang Hai <[email protected]>
---
drivers/staging/greybus/audio_helper.c | 1 +
1 file changed, 1 insertion(+)

diff --git a/drivers/staging/greybus/audio_helper.c b/drivers/staging/greybus/audio_helper.c
index 237531ba60f3..293675dbea10 100644
--- a/drivers/staging/greybus/audio_helper.c
+++ b/drivers/staging/greybus/audio_helper.c
@@ -135,6 +135,7 @@ int gbaudio_dapm_free_controls(struct snd_soc_dapm_context *dapm,
if (!w) {
dev_err(dapm->dev, "%s: widget not found\n",
widget->name);
+ mutex_unlock(&dapm->card->dapm_mutex);
return -EINVAL;
}
widget++;
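Review bot: the `if (!w)` branch pairs its own `mutex_unlock(&dapm->card->dapm_mutex);` with an early `return -EINVAL;`, which leaves lock release dependent on every exit remembering it. Consider setting the return value and leaving through a single unlock site (a `goto` label or `break`), so a return added later cannot miss the unlock again. The branch also sits ahead of `widget++`, so returning here stops at the first widget that is not found and the entries after it are never visited; worth confirming that is intended.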
--
2.17.1


2020-12-04 08:43:46

by Johan Hovold

Subject: Re: [PATCH] staging: greybus: audio: Add missing unlock in gbaudio_dapm_free_controls()

On Fri, Dec 04, 2020 at 10:13:50AM +0800, Wang Hai wrote:
> Add the missing unlock before return from function
> gbaudio_dapm_free_controls() in the error handling case.
>
> Fixes: 510e340efe0c ("staging: greybus: audio: Add helper APIs for dynamic audio module")
> Reported-by: Hulk Robot <[email protected]>
> Signed-off-by: Wang Hai <[email protected]>
> ---
> drivers/staging/greybus/audio_helper.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/drivers/staging/greybus/audio_helper.c b/drivers/staging/greybus/audio_helper.c
> index 237531ba60f3..293675dbea10 100644
> --- a/drivers/staging/greybus/audio_helper.c
> +++ b/drivers/staging/greybus/audio_helper.c
> @@ -135,6 +135,7 @@ int gbaudio_dapm_free_controls(struct snd_soc_dapm_context *dapm,
> if (!w) {
> dev_err(dapm->dev, "%s: widget not found\n",
> widget->name);
> + mutex_unlock(&dapm->card->dapm_mutex);
> return -EINVAL;
> }
> widget++;

This superficially looks correct, but there seems to be another bug in
this function. It can be used to free an array of widgets, but if one of
them isn't found we just leak the rest. Perhaps that return should
rather be "widget++; continue;".

Vaibhav?

Johan

2020-12-04 09:21:55

by Wang Hai

Subject: Re: [PATCH] staging: greybus: audio: Add missing unlock in gbaudio_dapm_free_controls()


On 2020/12/4 16:40, Johan Hovold wrote:
> On Fri, Dec 04, 2020 at 10:13:50AM +0800, Wang Hai wrote:
>> Add the missing unlock before return from function
>> gbaudio_dapm_free_controls() in the error handling case.
>>
>> Fixes: 510e340efe0c ("staging: greybus: audio: Add helper APIs for dynamic audio module")
>> Reported-by: Hulk Robot <[email protected]>
>> Signed-off-by: Wang Hai <[email protected]>
>> ---
>> drivers/staging/greybus/audio_helper.c | 1 +
>> 1 file changed, 1 insertion(+)
>>
>> diff --git a/drivers/staging/greybus/audio_helper.c b/drivers/staging/greybus/audio_helper.c
>> index 237531ba60f3..293675dbea10 100644
>> --- a/drivers/staging/greybus/audio_helper.c
>> +++ b/drivers/staging/greybus/audio_helper.c
>> @@ -135,6 +135,7 @@ int gbaudio_dapm_free_controls(struct snd_soc_dapm_context *dapm,
>> if (!w) {
>> dev_err(dapm->dev, "%s: widget not found\n",
>> widget->name);
>> + mutex_unlock(&dapm->card->dapm_mutex);
>> return -EINVAL;
>> }
>> widget++;
> This superficially looks correct, but there seems to be another bug in
> this function. It can be used to free an array of widgets, but if one of
> them isn't found we just leak the rest. Perhaps that return should
> rather be "widget++; continue;".
>
I think this is a good idea, should I send a v2 patch?
>

2020-12-04 10:42:30

by Johan Hovold

Subject: Re: [PATCH] staging: greybus: audio: Add missing unlock in gbaudio_dapm_free_controls()

On Fri, Dec 04, 2020 at 05:19:25PM +0800, wanghai (M) wrote:
>
> On 2020/12/4 16:40, Johan Hovold wrote:
> > On Fri, Dec 04, 2020 at 10:13:50AM +0800, Wang Hai wrote:
> >> Add the missing unlock before return from function
> >> gbaudio_dapm_free_controls() in the error handling case.
> >>
> >> Fixes: 510e340efe0c ("staging: greybus: audio: Add helper APIs for dynamic audio module")
> >> Reported-by: Hulk Robot <[email protected]>
> >> Signed-off-by: Wang Hai <[email protected]>
> >> ---
> >> drivers/staging/greybus/audio_helper.c | 1 +
> >> 1 file changed, 1 insertion(+)
> >>
> >> diff --git a/drivers/staging/greybus/audio_helper.c b/drivers/staging/greybus/audio_helper.c
> >> index 237531ba60f3..293675dbea10 100644
> >> --- a/drivers/staging/greybus/audio_helper.c
> >> +++ b/drivers/staging/greybus/audio_helper.c
> >> @@ -135,6 +135,7 @@ int gbaudio_dapm_free_controls(struct snd_soc_dapm_context *dapm,
> >> if (!w) {
> >> dev_err(dapm->dev, "%s: widget not found\n",
> >> widget->name);
> >> + mutex_unlock(&dapm->card->dapm_mutex);
> >> return -EINVAL;
> >> }
> >> widget++;
> > This superficially looks correct, but there seems to be another bug in
> > this function. It can be used to free an array of widgets, but if one of
> > them isn't found we just leak the rest. Perhaps that return should
> > rather be "widget++; continue;".
> >
> I think this is a good idea, should I send a v2 patch?

Let's just wait a bit and see what Vaibhav or Mark says first.

Johan

2020-12-04 18:06:54

by Vaibhav Agarwal

Subject: Re: [PATCH] staging: greybus: audio: Add missing unlock in gbaudio_dapm_free_controls()

On Fri, Dec 4, 2020 at 2:10 PM Johan Hovold <[email protected]> wrote:
>
> On Fri, Dec 04, 2020 at 10:13:50AM +0800, Wang Hai wrote:
> > Add the missing unlock before return from function
> > gbaudio_dapm_free_controls() in the error handling case.
> >
> > Fixes: 510e340efe0c ("staging: greybus: audio: Add helper APIs for dynamic audio module")
> > Reported-by: Hulk Robot <[email protected]>
> > Signed-off-by: Wang Hai <[email protected]>
> > ---
> > drivers/staging/greybus/audio_helper.c | 1 +
> > 1 file changed, 1 insertion(+)
> >
> > diff --git a/drivers/staging/greybus/audio_helper.c b/drivers/staging/greybus/audio_helper.c
> > index 237531ba60f3..293675dbea10 100644
> > --- a/drivers/staging/greybus/audio_helper.c
> > +++ b/drivers/staging/greybus/audio_helper.c
> > @@ -135,6 +135,7 @@ int gbaudio_dapm_free_controls(struct snd_soc_dapm_context *dapm,
> > if (!w) {
> > dev_err(dapm->dev, "%s: widget not found\n",
> > widget->name);
> > + mutex_unlock(&dapm->card->dapm_mutex);
> > return -EINVAL;
> > }
> > widget++;
>
> This superficially looks correct, but there seems to be another bug in
> this function. It can be used to free an array of widgets, but if one of
> them isn't found we just leak the rest. Perhaps that return should
> rather be "widget++; continue;".
>
> Vaibhav?

Thanks Wang for sharing the patch. As already pointed out by Johan, this
function indeed has another bug as well.
Pls feel free to share the patch as suggested above.

--
vaibhav

>
> Johan

2020-12-05 10:53:33

by Wang Hai

Subject: Re: [PATCH] staging: greybus: audio: Add missing unlock in gbaudio_dapm_free_controls()


On 2020/12/5 2:02, Vaibhav Agarwal wrote:
> On Fri, Dec 4, 2020 at 2:10 PM Johan Hovold <[email protected]> wrote:
>> On Fri, Dec 04, 2020 at 10:13:50AM +0800, Wang Hai wrote:
>>> Add the missing unlock before return from function
>>> gbaudio_dapm_free_controls() in the error handling case.
>>>
>>> Fixes: 510e340efe0c ("staging: greybus: audio: Add helper APIs for dynamic audio module")
>>> Reported-by: Hulk Robot <[email protected]>
>>> Signed-off-by: Wang Hai <[email protected]>
>>> ---
>>> drivers/staging/greybus/audio_helper.c | 1 +
>>> 1 file changed, 1 insertion(+)
>>>
>>> diff --git a/drivers/staging/greybus/audio_helper.c b/drivers/staging/greybus/audio_helper.c
>>> index 237531ba60f3..293675dbea10 100644
>>> --- a/drivers/staging/greybus/audio_helper.c
>>> +++ b/drivers/staging/greybus/audio_helper.c
>>> @@ -135,6 +135,7 @@ int gbaudio_dapm_free_controls(struct snd_soc_dapm_context *dapm,
>>> if (!w) {
>>> dev_err(dapm->dev, "%s: widget not found\n",
>>> widget->name);
>>> + mutex_unlock(&dapm->card->dapm_mutex);
>>> return -EINVAL;
>>> }
>>> widget++;
>> This superficially looks correct, but there seems to be another bug in
>> this function. It can be used to free an array of widgets, but if one of
>> them isn't found we just leak the rest. Perhaps that return should
>> rather be "widget++; continue;".
>>
>> Vaibhav?
> Thanks Wang for sharing the patch. As already pointed out by Johan, this
> function indeed has another bug as well.
> Pls feel free to share the patch as suggested above.
I just sent another patch

"[PATCH] staging: greybus: audio: Fix possible leak free widgets in
gbaudio_dapm_free_controls"

> Johan
> .
>