From: Wen Yang
To: lgirdwood@gmail.com
Cc: broonie@kernel.org, perex@perex.cz, tiwai@suse.com, kuninori.morimoto.gx@renesas.com, alsa-devel@alsa-project.org, linux-kernel@vger.kernel.org, jonathanh@nvidia.com, xue.zhihong@zte.com.cn, wang.yi59@zte.com.cn, cheng.shengyu@zte.com.cn, Wen Yang
Subject: [PATCH 3/4] ASoC: audio-graph-card: fix use-after-free in graph_dai_link_of_dpcm()
Date: Wed, 10 Jul 2019 15:25:08 +0800
Message-Id: <1562743509-30496-4-git-send-email-wen.yang99@zte.com.cn>
In-Reply-To: <1562743509-30496-1-git-send-email-wen.yang99@zte.com.cn>
References: <1562743509-30496-1-git-send-email-wen.yang99@zte.com.cn>

After calling of_node_put() on the ports, port, and node variables,
they are still being used, which may result in use-after-free.
Fix this issue by calling of_node_put() after the last usage.

Fixes: dd98fbc558a0 ("ASoC: audio-graph-card: cleanup DAI link loop method - step1")
Signed-off-by: Wen Yang
Cc: Liam Girdwood
Cc: Mark Brown
Cc: Jaroslav Kysela
Cc: Takashi Iwai
Cc: Kuninori Morimoto
Cc: alsa-devel@alsa-project.org
Cc: linux-kernel@vger.kernel.org
--- sound/soc/generic/audio-graph-card.c | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/sound/soc/generic/audio-graph-card.c b/sound/soc/generic/audio-graph-card.c index 30a4e83..31fc83d 100644 --- a/sound/soc/generic/audio-graph-card.c +++ b/sound/soc/generic/audio-graph-card.c 
@@ -208,10 +208,6 @@ static int graph_dai_link_of_dpcm(struct asoc_simple_priv *priv, dev_dbg(dev, "link_of DPCM (%pOF)\n", ep); - of_node_put(ports); - of_node_put(port); - of_node_put(node); - if (li->cpu) { int is_single_links = 0; @@ -229,17 +225,17 @@ static int graph_dai_link_of_dpcm(struct asoc_simple_priv *priv, ret = asoc_simple_parse_cpu(ep, dai_link, &is_single_links); if (ret) - return ret; + goto out_put_node; ret = asoc_simple_parse_clk_cpu(dev, ep, dai_link, dai); if (ret < 0) - return ret; + goto out_put_node; ret = asoc_simple_set_dailink_name(dev, dai_link, "fe.%s", cpus->dai_name); if (ret < 0) - return ret; + goto out_put_node; /* card->num_links includes Codec */ asoc_simple_canonicalize_cpu(dai_link, is_single_links); @@ -263,17 +259,17 @@ static int graph_dai_link_of_dpcm(struct asoc_simple_priv *priv, ret = asoc_simple_parse_codec(ep, dai_link); if (ret < 0) - return ret; + goto out_put_node; ret = asoc_simple_parse_clk_codec(dev, ep, dai_link, dai); if (ret < 0) - return ret; + goto out_put_node; ret = asoc_simple_set_dailink_name(dev, dai_link, "be.%s", codecs->dai_name); if (ret < 0) - return ret; + goto out_put_node; /* check "prefix" from top node */ snd_soc_of_parse_node_prefix(top, cconf, codecs->of_node, @@ -293,19 +289,23 @@ static int graph_dai_link_of_dpcm(struct asoc_simple_priv *priv, ret = asoc_simple_parse_tdm(ep, dai); if (ret) - return ret; + goto out_put_node; ret = asoc_simple_parse_daifmt(dev, cpu_ep, codec_ep, NULL, &dai_link->dai_fmt); if (ret < 0) - return ret; + goto out_put_node; dai_link->dpcm_playback = 1; dai_link->dpcm_capture = 1; dai_link->ops = &graph_ops; dai_link->init = asoc_simple_dai_init; - return 0; +out_put_node: + of_node_put(ports); + of_node_put(port); + of_node_put(node); + return ret; } static int graph_dai_link_of(struct asoc_simple_priv *priv, -- 2.9.5
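
Review bot: In the first hunk (@@ -208,10 +208,6 @@) the three of_node_put() calls are dropped, but no context line in this patch shows where ports, port or node is read afterwards; the only node arguments visible are top and codecs->of_node in the snd_soc_of_parse_node_prefix() call. Naming the later users of these three pointers in the commit message would let a reader confirm the use-after-free, and that the new put location is really after the last use, without opening the file.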
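
Review bot: In the last hunk (@@ -293,19 +289,23 @@) the success path no longer returns a literal 0: it falls through the out_put_node label and returns ret, which at that point holds the result of asoc_simple_parse_daifmt() and has only been checked with "if (ret < 0)". If that helper can ever return a positive value, callers now see it as the return of graph_dai_link_of_dpcm(). Setting "ret = 0;" just before the label keeps the previous behaviour and makes the shared exit path unambiguous.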