From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Curtis Malainey, Mark Brown, Jon Hunter
Subject: [PATCH 4.20 167/183] ASoC: soc-core: fix init platform memory handling
Date: Mon, 25 Feb 2019 22:12:20 +0100
Message-Id: <20190225195123.288103931@linuxfoundation.org>
X-Mailer: git-send-email 2.20.1
In-Reply-To: <20190225195054.748060397@linuxfoundation.org>
References: <20190225195054.748060397@linuxfoundation.org>
User-Agent: quilt/0.65
X-stable: review
X-Patchwork-Hint: ignore
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

4.20-stable review patch. If anyone has any objections, please let me know.

------------------

From: Curtis Malainey

commit 09ac6a817bd687e7f5dac00470262efdd72f9319 upstream.

snd_soc_init_platform initializes pointers to snd_soc_dai_link which is
statically allocated and it does this by devm_kzalloc. In the event of
an EPROBE_DEFER the memory will be freed and the pointers are left
dangling. snd_soc_init_platform sees the dangling pointers and assumes
they are pointing to initialized memory and does not reallocate them on
the second probe attempt which results in a use after free bug since
devm has freed the memory from the first probe attempt.

Since the intention for snd_soc_dai_link->platform is that it can be set
statically by the machine driver we need to respect the pointer in the
event we did not set it but still catch dangling pointers. The solution
is to add a flag to track whether the pointer was dynamically allocated
or not.

Signed-off-by: Curtis Malainey
Signed-off-by: Mark Brown
Cc: Jon Hunter
Signed-off-by: Greg Kroah-Hartman
---
 include/sound/soc.h  |  6 ++++++
 sound/soc/soc-core.c | 11 ++++++-----
 2 files changed, 12 insertions(+), 5 deletions(-)

--- a/include/sound/soc.h +++ b/include/sound/soc.h 
@@ -985,6 +985,12 @@ struct snd_soc_dai_link { /* Do not create a PCM for this DAI link (Backend link) */ unsigned int ignore:1; + /* + * This driver uses legacy platform naming. Set by the core, machine + * drivers should not modify this value. + */ + unsigned int legacy_platform:1; + struct list_head list; /* DAI link list of the soc card */ struct snd_soc_dobj dobj; /* For topology */ }; --- a/sound/soc/soc-core.c +++ b/sound/soc/soc-core.c @@ -1034,17 +1034,18 @@ static int snd_soc_init_platform(struct * this function should be removed in the future */ /* convert Legacy platform link */ - if (!platform) { + if (!platform || dai_link->legacy_platform) { platform = devm_kzalloc(card->dev, sizeof(struct snd_soc_dai_link_component), GFP_KERNEL); if (!platform) return -ENOMEM; - dai_link->platform = platform; - platform->name = dai_link->platform_name; - platform->of_node = dai_link->platform_of_node; - platform->dai_name = NULL; + dai_link->platform = platform; + dai_link->legacy_platform = 1; + platform->name = dai_link->platform_name; + platform->of_node = dai_link->platform_of_node; + platform->dai_name = NULL; } /* if there's no platform we match on the empty platform */
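Review bot: The comment added above `legacy_platform` in struct snd_soc_dai_link (include/sound/soc.h) describes the bit as "legacy platform naming", while the commit message gives it a memory-ownership meaning: it records that `dai_link->platform` was allocated by the core with devm_kzalloc and may be stale after a deferred probe. The comment should say that directly, and should note that the bit lives in a statically allocated dai_link and so persists across probe attempts. That also makes the "machine drivers should not modify this value" rule concrete: with the new condition `!platform || dai_link->legacy_platform`, a link that arrives with the bit already set has its `platform` pointer replaced by the core even if the machine driver set it statically.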
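Review bot: In the snd_soc_init_platform hunk (sound/soc/soc-core.c), the `return -ENOMEM` path on a re-probe leaves `dai_link->platform` untouched, because `dai_link->platform = platform;` runs only after the allocation succeeds; with `legacy_platform` already set, that field still holds the pointer that devm freed after the first attempt. Consider clearing `dai_link->platform` before the devm_kzalloc call when `dai_link->legacy_platform` is set, so that no failure path leaves the freed pointer reachable from the static link. As a style point, the four assignment lines appear to be removed and re-added only to realign the `=`; keeping the original alignment would reduce the change to the condition and the single new `dai_link->legacy_platform = 1;` line, which is easier to audit in a stable backport.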