Received: by 2002:a05:6a10:f347:0:0:0:0 with SMTP id d7csp9078610pxu; Mon, 28 Dec 2020 06:08:11 -0800 (PST) X-Google-Smtp-Source: ABdhPJwXcPEEcoo+lYn31xNtDuau5kcwBEwJLEo9XkJbSTwJmfzFoO/zPzUAqTxzWpXQal1S3t58 X-Received: by 2002:a17:906:578e:: with SMTP id k14mr510521ejq.90.1609164491568; Mon, 28 Dec 2020 06:08:11 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1609164491; cv=none; d=google.com; s=arc-20160816; b=ZLJB9nw8v5Ht8ldTkTd++Q4j7dULnbQj00tlgzJZRE/WIamXRK2qmtW4EUnz4WbXx4 +yO+xefAs6wCC2Dl6N9LD8VZ9R0QYrJ7/xdcTU3XJjwiA+IbZ8naUY2GDJZtI61J1FMr JapVxqcHC7ZFFwoQ/v6ANha/SeDIEkoh0ftZKEkWYvFZ/cpuYSBU8hCOS07m6LubK1if Z1uacjmXWTaHfmhW0is6+A+/szsA4n/FRnrng59qrhWeoLoYbrAD9nleVCOlV2kDfetR 3xxvUYySw10Srx0EhEzvogHGAqiYn6p9W/1qnW7raNLolJrMxJgRh3JnUCdQ9AlYFW1f RP3g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=ZtHK2555mEG1gVcfu2brfh4mCnsGVL801m31JzRHCfs=; b=iHDtJz3Rx4ztWxlhIN/Dc3pGGJEnXMRtNBCg4KYH9xyatvBO3EI7FYFMo/MVubfJ8A LDwTOh+tZ2pusSsOQ21S8x+XvYr5wGToT6wgL1CHAe/9EGZfag0MaByospw7TeqhqUVY imnPL5RuWPQ/JUNyDN0ayloWTery0lt/M2EsXp8jY3igXrZH0wJHn1MW+EiNXtFHizZ5 +uUfMsqodU+hheWjgNKMI+nK1IpP90jyQSJ+K0ppJdOx5qB3ep73JGvRliND0NM3iSF0 yL4CNMfX94SN06KGpmS7fpWOXPENE/CyaD/Rep9tN2wu6z9kvCUprEvpx/dg5xnAMjSs pH+Q== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=Mb7qh44L; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id p9si18125296ejg.481.2020.12.28.06.07.47; Mon, 28 Dec 2020 06:08:11 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=Mb7qh44L; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2437498AbgL1OEx (ORCPT + 99 others); Mon, 28 Dec 2020 09:04:53 -0500 Received: from mail.kernel.org ([198.145.29.99]:39106 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2437407AbgL1OEt (ORCPT ); Mon, 28 Dec 2020 09:04:49 -0500 Received: by mail.kernel.org (Postfix) with ESMTPSA id B94EA207AB; Mon, 28 Dec 2020 14:04:07 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1609164248; bh=+cmMv0uMJrujWPoK3N8mcTeU9YsK9TRbgsnMpu+2CUU=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=Mb7qh44LpD43DGSF3zeLgOf+nU8Ajc5i660eYvZQJ78pklv5IPU645yHmX6GUPoX3 dVu295efgLWmoUNdRQgsJ2SaBKD1z8fTzFh6fq3/zDQPBeZzZkXbCzhCM2QpLpS39n PtV5xrKUre2iVnc8sljK/XcGLa2FT70wydpZTVTo= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Dan Carpenter , Mark Brown , Sasha Levin Subject: [PATCH 5.10 083/717] ASoC: qcom: common: Fix refcounting in qcom_snd_parse_of() Date: Mon, 28 Dec 2020 13:41:21 +0100 Message-Id: <20201228125024.962206587@linuxfoundation.org> X-Mailer: git-send-email 2.29.2 In-Reply-To: <20201228125020.963311703@linuxfoundation.org> References: <20201228125020.963311703@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Dan Carpenter [ Upstream commit 4e59dd249cd513a211e2ecce2cb31f4e29a5ce5b ] There are two issues in this function. 1) We can't drop the refrences on "cpu", "codec" and "platform" before we take the reference. This doesn't cause a problem on the first iteration because those pointers start as NULL so the of_node_put() is a no-op. But on the subsequent iterations, it will lead to a use after free. 2) If the devm_kzalloc() allocation failed then the code returned directly instead of cleaning up. Fixes: c1e6414cdc37 ("ASoC: qcom: common: Fix refcount imbalance on error") Fixes: 1e36ea360ab9 ("ASoC: qcom: common: use modern dai_link style") Signed-off-by: Dan Carpenter Link: https://lore.kernel.org/r/20201105125154.GA176426@mwanda Signed-off-by: Mark Brown Signed-off-by: Sasha Levin --- sound/soc/qcom/common.c | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/sound/soc/qcom/common.c b/sound/soc/qcom/common.c index 54660f126d09e..09af007007007 100644 --- a/sound/soc/qcom/common.c +++ b/sound/soc/qcom/common.c @@ -58,7 +58,7 @@ int qcom_snd_parse_of(struct snd_soc_card *card) dlc = devm_kzalloc(dev, 2 * sizeof(*dlc), GFP_KERNEL); if (!dlc) { ret = -ENOMEM; - goto err; + goto err_put_np; } link->cpus = &dlc[0]; @@ -70,7 +70,7 @@ int qcom_snd_parse_of(struct snd_soc_card *card) ret = of_property_read_string(np, "link-name", &link->name); if (ret) { dev_err(card->dev, "error getting codec dai_link name\n"); - goto err; + goto err_put_np; } cpu = of_get_child_by_name(np, "cpu"); @@ -130,8 +130,10 @@ int qcom_snd_parse_of(struct snd_soc_card *card) } else { /* DPCM frontend */ dlc = devm_kzalloc(dev, sizeof(*dlc), GFP_KERNEL); - if (!dlc) - return -ENOMEM; + if (!dlc) { + ret = -ENOMEM; + goto err; + } link->codecs = dlc; link->num_codecs = 1; @@ -158,10 +160,11 @@ int qcom_snd_parse_of(struct snd_soc_card *card) return 0; err: - of_node_put(np); of_node_put(cpu); of_node_put(codec); of_node_put(platform); +err_put_np: + of_node_put(np); return ret; } EXPORT_SYMBOL(qcom_snd_parse_of); -- 2.27.0