From: Sasha Levin
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Charles Keepax, Mark Brown, Sasha Levin, alsa-devel@alsa-project.org
Subject: [PATCH AUTOSEL 5.7 294/388] ASoC: dapm: Move dai_link widgets to runtime to fix use after free
Date: Wed, 17 Jun 2020 21:06:31 -0400
Message-Id: <20200618010805.600873-294-sashal@kernel.org>
In-Reply-To: <20200618010805.600873-1-sashal@kernel.org>
References: <20200618010805.600873-1-sashal@kernel.org>

From: Charles Keepax

[ Upstream commit f4aa5e214eeaf7f1c7f157526a5aa29784cb6a1f ]

The newly added CODEC to CODEC DAI link widget pointers in
snd_soc_dai_link are better placed in snd_soc_pcm_runtime.
snd_soc_dai_link is really intended for static configuration of
the DAI, and the runtime for dynamic data.

The snd_soc_dai_link structures are not destroyed if the card is
unbound. The widgets are cleared up on unbind, however if the card
is rebound as the snd_soc_dai_link structures are reused these
pointers will be left at their old values, causing access to
freed memory.

Fixes: 595571cca4de ("ASoC: dapm: Fix regression introducing multiple copies of DAI widgets")
Signed-off-by: Charles Keepax
Link: https://lore.kernel.org/r/20200526161930.30759-1-ckeepax@opensource.cirrus.com
Signed-off-by: Mark Brown
Signed-off-by: Sasha Levin
--- include/sound/soc.h | 6 +++--- sound/soc/soc-dapm.c | 12 ++++++------ 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/include/sound/soc.h b/include/sound/soc.h index e0371e70242d..8e480efeda2a 100644 --- a/include/sound/soc.h +++ b/include/sound/soc.h 
@@ -790,9 +790,6 @@ struct snd_soc_dai_link { const struct snd_soc_pcm_stream *params; unsigned int num_params; - struct snd_soc_dapm_widget *playback_widget; - struct snd_soc_dapm_widget *capture_widget; - unsigned int dai_fmt; /* format to set on init */ enum snd_soc_dpcm_trigger trigger[2]; /* trigger type for DPCM */ @@ -1156,6 +1153,9 @@ struct snd_soc_pcm_runtime { struct snd_soc_dai **cpu_dais; unsigned int num_cpus; + struct snd_soc_dapm_widget *playback_widget; + struct snd_soc_dapm_widget *capture_widget; + struct delayed_work delayed_work; void (*close_delayed_work_func)(struct snd_soc_pcm_runtime *rtd); #ifdef CONFIG_DEBUG_FS diff --git a/sound/soc/soc-dapm.c b/sound/soc/soc-dapm.c index e2632841b321..c0aa64ff8e32 100644 --- a/sound/soc/soc-dapm.c +++ b/sound/soc/soc-dapm.c @@ -4340,16 +4340,16 @@ static void dapm_connect_dai_pair(struct snd_soc_card *card, codec = codec_dai->playback_widget; if (playback_cpu && codec) { - if (dai_link->params && !dai_link->playback_widget) { + if (dai_link->params && !rtd->playback_widget) { substream = streams[SNDRV_PCM_STREAM_PLAYBACK].substream; dai = snd_soc_dapm_new_dai(card, substream, "playback"); if (IS_ERR(dai)) goto capture; - dai_link->playback_widget = dai; + rtd->playback_widget = dai; } dapm_connect_dai_routes(&card->dapm, cpu_dai, playback_cpu, - dai_link->playback_widget, + rtd->playback_widget, codec_dai, codec); } @@ -4358,16 +4358,16 @@ static void dapm_connect_dai_pair(struct snd_soc_card *card, codec = codec_dai->capture_widget; if (codec && capture_cpu) { - if (dai_link->params && !dai_link->capture_widget) { + if (dai_link->params && !rtd->capture_widget) { substream = streams[SNDRV_PCM_STREAM_CAPTURE].substream; dai = snd_soc_dapm_new_dai(card, substream, "capture"); if (IS_ERR(dai)) return; - dai_link->capture_widget = dai; + rtd->capture_widget = dai; } dapm_connect_dai_routes(&card->dapm, codec_dai, codec, - dai_link->capture_widget, + rtd->capture_widget, cpu_dai, capture_cpu); } } -- 2.25.1
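
Review bot: Removing `playback_widget` and `capture_widget` from `struct snd_soc_dai_link` in the first include/sound/soc.h hunk (@@ -790,9 +790,6) breaks the build for any other code that still reads them, and the diffstat shows only sound/soc/soc-dapm.c being converted. Before queuing this for 5.7, grep the stable tree for `dai_link->playback_widget` and `dai_link->capture_widget`, machine drivers included, to confirm dapm_connect_dai_pair() is the only user there.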
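
Review bot: The two pointers added to `struct snd_soc_pcm_runtime` in the second include/sound/soc.h hunk (@@ -1156,6 +1153,9) carry no comment, and the guards `!rtd->playback_widget` and `!rtd->capture_widget` in soc-dapm.c only behave as intended if the runtime starts out zeroed on every bind. A one-line comment above the fields saying that they hold the CODEC to CODEC link widgets and are valid only for the lifetime of this runtime would record the invariant the fix depends on; it is also worth confirming that the runtime allocation zeroes the structure.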
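
Review bot: The playback hunk in sound/soc/soc-dapm.c (@@ -4340,16 +4340,16) dereferences `rtd`, but none of the visible lines declare it and the hunk header shows only `dapm_connect_dai_pair(struct snd_soc_card *card,`. For the 5.7 backport, check that dapm_connect_dai_pair() in that tree already has `rtd` in scope and that it is the runtime belonging to `dai_link`; otherwise the prerequisite change that introduces it has to be picked first.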
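
Review bot: In the capture hunk (@@ -4358,16 +4358,16), a failed snd_soc_dapm_new_dai() still returns with `rtd->capture_widget` left NULL and no diagnostic in the visible lines, and the playback hunk does the same through `goto capture`. Now that the guard is per runtime, a later call for the same `rtd` will retry the allocation, so state in a comment whether that retry is intended, and consider reporting the PTR_ERR() value if snd_soc_dapm_new_dai() does not already do so.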
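
The lifetime problem described in the commit message, as an added user-space model that is not part of the patch or the kernel source. All names (`widget`, `dai_link_cfg`, `runtime`, `connect_old`, `connect_new`) are hypothetical, and it assumes the runtime is created zeroed on each bind while the link configuration is reused.

```c
#include <stdbool.h>
#include <stdio.h>

struct widget { bool live; };                 /* stands in for a DAPM widget */
struct dai_link_cfg { struct widget *cached; };  /* static config, survives rebind */
struct runtime { struct widget *cached; };       /* dynamic state, one per bind */

/* Widgets come from a fixed pool and are only marked dead on "free",
 * so a stale pointer can be inspected without touching freed memory. */
#define POOL 8
static struct widget pool[POOL];
static int next_slot;

static struct widget *widget_new(void)
{
    struct widget *w = &pool[next_slot++ % POOL];
    w->live = true;
    return w;
}

static void widgets_free_all(void)            /* what unbind does to the widgets */
{
    for (int i = 0; i < POOL; i++)
        pool[i].live = false;
}

/* Before the fix: the create-once guard is keyed on the static link. */
static struct widget *connect_old(struct dai_link_cfg *link)
{
    if (!link->cached)
        link->cached = widget_new();
    return link->cached;
}

/* After the fix: the guard is keyed on the per-bind runtime. */
static struct widget *connect_new(struct runtime *rtd)
{
    if (!rtd->cached)
        rtd->cached = widget_new();
    return rtd->cached;
}

/* Bind, unbind, rebind; report whether the widget used after rebind is live. */
static bool rebind_uses_live_widget(bool fixed)
{
    struct dai_link_cfg link = { 0 };         /* outlives both binds */
    struct widget *w = NULL;

    for (int bind = 0; bind < 2; bind++) {
        struct runtime rtd = { 0 };           /* fresh and zeroed per bind */
        w = fixed ? connect_new(&rtd) : connect_old(&link);
        if (bind == 0)
            widgets_free_all();               /* unbind between the two binds */
    }
    return w->live;
}

int main(void)
{
    printf("old layout: widget live after rebind = %d\n", rebind_uses_live_widget(false));
    printf("new layout: widget live after rebind = %d\n", rebind_uses_live_widget(true));
    return 0;
}
```

With the guard on the reused link structure, the second bind skips creation and hands back the pointer from the first bind; with the guard on the runtime, each bind creates its own widget.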