Received: by 2002:a05:7412:3b8b:b0:fc:a2b0:25d7 with SMTP id nd11csp2621257rdb;
        Mon, 12 Feb 2024 10:30:36 -0800 (PST)
X-Forwarded-Encrypted: i=3; AJvYcCU5000MnWmIymk+nQXzv5CA1hHSYaCuUiI3GUex9a1pPFmyAnRIeQioGnfd2l7GLtIyEqWMhES3PA0KN7iSoxmsiph1/dvW1QugLLTMdw==
X-Google-Smtp-Source: AGHT+IGmiI8FUS7e7QMiYeTnTsD7kCXfz8ApXO5yhO32lRwg+zNKsHt1a5YXAOZqixel1G5h4y6V
X-Received: by 2002:a17:902:9f98:b0:1d9:95c5:296e with SMTP id g24-20020a1709029f9800b001d995c5296emr4984480plq.53.1707762636654;
        Mon, 12 Feb 2024 10:30:36 -0800 (PST)
ARC-Seal: i=2; a=rsa-sha256; t=1707762636; cv=pass;
        d=google.com; s=arc-20160816;
        b=uUrEC80rueTF7NrLq81v5qJUVUR6C7a9asftVl2SsJW1xCxjRe3Ynn+BWLOw3eoUey
         SKn5l90cPp3jr4KLeE7l55dGoOQy4VE3Sfb+Db6/DmRyGbwr8sKtyw8dCigJKsuzR44o
         EUCy39zDPxAPvt5s5vjIZPSDiS9vYdP9YHKEXoOrmdpFW6KZLOJ4ABPEywgHrSnmqyw1
         EHWFovGOzQi6+nfcrBTdKoHdUeTyPcvxzkGSgYufOIEpw0E55vE0ufyOsb4eFZaOlrY0
         Qaz1lnwHFkcI8ERjwJBgXipiJSy77HKerWkXYo4hvAJlAcTDwiZfluFjMrFS0X2EJAHO
         e51g==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=content-transfer-encoding:in-reply-to:from:references:cc:to
         :content-language:subject:user-agent:mime-version:list-unsubscribe
         :list-subscribe:list-id:precedence:date:message-id:dkim-signature;
        bh=9usBa3VcDKgxeI5kGLld7IhxeswKlW/9j3AK7/XuUGk=;
        fh=Q+UJgIjC7NybGf22W+KhB2RcEu5J43zRy45W3Rwc7CA=;
        b=EXPTBPkVb0NMeBc9ncHcpJHtC13pcHcoMYL2bGQmVi+hQrNbtYA6HuuxCWanUkf3Lp
         1FqFZtF10ootoSqKul2gzIz/7OSFm75KtlGpFv6XGitR64s/xY9yloub1lbh5cEk6sRK
         EUy0aN4jx55/MipwJmW81R0xg59TPkmZlbHdeGON9ZYkmZVW+WXO92U13KNEJBSWlBDP
         I/6D2o33krgEQ5yJgW4QEZemnwTYjTjFjJot5bsC13gXXv5ed8AXAT7N1mMATVyahyad
         VKO9mKrKnAOApqIjvhxq1CAPhiIzGIor4f0JCcSDqJFV58uVfYdViQwnI9yKG52+0mzZ
         Rdgg==;
        dara=google.com
ARC-Authentication-Results: i=2; mx.google.com;
       dkim=pass header.i=@intel.com header.s=Intel header.b="U+/QJb0K";
       arc=pass (i=1 dkim=pass dkdomain=intel.com dmarc=pass fromdomain=linux.intel.com);
       spf=pass (google.com: domain of linux-kernel+bounces-61846-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:40f1:3f00::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-61846-linux.lists.archive=gmail.com@vger.kernel.org";
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=intel.com
X-Forwarded-Encrypted: i=2; AJvYcCU8RoaYFk5gCpBOHmdBfwf1f3srhdsMe0NNfjbjIE8B+S6+s8/I6OcjvKfEvtr3iBpSSWlO/jwRwt0azFsl2+CyHUxdyhE819/5irqFPA==
Return-Path: <linux-kernel+bounces-61846-linux.lists.archive=gmail.com@vger.kernel.org>
Received: from sy.mirrors.kernel.org (sy.mirrors.kernel.org. [2604:1380:40f1:3f00::1])
        by mx.google.com with ESMTPS id l17-20020a170903121100b001d904edeccdsi615898plh.292.2024.02.12.10.30.36
        for <linux.lists.archive@gmail.com>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Mon, 12 Feb 2024 10:30:36 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel+bounces-61846-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:40f1:3f00::1 as permitted sender) client-ip=2604:1380:40f1:3f00::1;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@intel.com header.s=Intel header.b="U+/QJb0K";
       arc=pass (i=1 dkim=pass dkdomain=intel.com dmarc=pass fromdomain=linux.intel.com);
       spf=pass (google.com: domain of linux-kernel+bounces-61846-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:40f1:3f00::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-61846-linux.lists.archive=gmail.com@vger.kernel.org";
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=intel.com
Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by sy.mirrors.kernel.org (Postfix) with ESMTPS id 90F94B228EC
	for <linux.lists.archive@gmail.com>; Mon, 12 Feb 2024 14:54:11 +0000 (UTC)
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
	by smtp.subspace.kernel.org (Postfix) with ESMTP id 989273B794;
	Mon, 12 Feb 2024 14:54:04 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=intel.com header.i=@intel.com header.b="U+/QJb0K"
Received: from mgamail.intel.com (mgamail.intel.com [198.175.65.18])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id BCD993B297
	for <linux-kernel@vger.kernel.org>; Mon, 12 Feb 2024 14:54:01 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=198.175.65.18
ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1707749643; cv=none; b=GYseEp11QpVIVeJnO3VuKEYjvS9/q6PFLM9xsVKTpW3GjDCpcXuINm15eqoL06Ae7PBpn2+yyDZ1hu0n5hx2kMyHCgz7CBLiJlgEJYtN7BiHfmxr31o1JAq/HK3r0WK+C+PzNB9kXOurgenfjg9n4AxaMcmzK0FsY5puV+1pRk8=
ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1707749643; c=relaxed/simple;
	bh=NkwRjZxa0/AtcMo1/jowb91fxYW5bjzaFfRIJf9CD1c=;
	h=Message-ID:Date:MIME-Version:Subject:To:Cc:References:From:
	 In-Reply-To:Content-Type; b=L4RY/+sN1CwuS/0jB2kmMr+MEEHXTSFDEZlvCFY/7yDJFHEiofj0M/vXxNNs3xb+axczrR4tqDt04QhScwb+sN/1IATBMKid4boWIB2NnoZpf09CWmAp5v1UNpIrEwSOECVovNG2d95CuGlzSM0/Kkwn26hct1T8LQ0RZ4XSgZI=
ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.intel.com; spf=none smtp.mailfrom=linux.intel.com; dkim=pass (2048-bit key) header.d=intel.com header.i=@intel.com header.b=U+/QJb0K; arc=none smtp.client-ip=198.175.65.18
Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.intel.com
Authentication-Results: smtp.subspace.kernel.org; spf=none smtp.mailfrom=linux.intel.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;
  d=intel.com; i=@intel.com; q=dns/txt; s=Intel;
  t=1707749641; x=1739285641;
  h=message-id:date:mime-version:subject:to:cc:references:
   from:in-reply-to:content-transfer-encoding;
  bh=NkwRjZxa0/AtcMo1/jowb91fxYW5bjzaFfRIJf9CD1c=;
  b=U+/QJb0KTe/PKY4JBQTcVN96WLE+oPyKeCpAgtEF5XuwlT1XH0Ollcyn
   Z3Wo0q5pcuIiUethJytxqC1Yiz9GYx5eeEDZ+8PxETtN4qZKfXrVXBFey
   +3UKak5HjbQdVrzuAfYJzBMysJoK8UHgyPecrrcWo2ST3xYjz8FXH6dja
   tTa8n8bg5UrIPVQy/+k3lupqg8+8ps0u/ILR3HOOlu1V6ihmnaEA5mkGb
   TTrmEKwSb+i5F8w4i3tWqdfGKuHbzrr1mbK04UXPUYyO3LgDPcw6H20A7
   5/vaNlpNW3Kkdygczef1PM4z752TnB0Hj6txRJ7cZcXR+AG0luFMduLG7
   w==;
X-IronPort-AV: E=McAfee;i="6600,9927,10982"; a="1850455"
X-IronPort-AV: E=Sophos;i="6.06,264,1705392000"; 
   d="scan'208";a="1850455"
Received: from fmviesa009.fm.intel.com ([10.60.135.149])
  by orvoesa110.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 12 Feb 2024 06:54:01 -0800
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="6.06,264,1705392000"; 
   d="scan'208";a="2582267"
Received: from rvarada-mobl.amr.corp.intel.com (HELO [10.212.76.202]) ([10.212.76.202])
  by fmviesa009-auth.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 12 Feb 2024 06:54:00 -0800
Message-ID: <83c8bfa3-4377-4198-b48e-351f9a9f63ed@linux.intel.com>
Date: Mon, 12 Feb 2024 08:49:11 -0600
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Subject: Re: [PATCH] soundwire: fix double free of pointer
Content-Language: en-US
To: Daniil Dulov <d.dulov@aladdin.ru>, Vinod Koul <vkoul@kernel.org>
Cc: Bard Liao <yung-chuan.liao@linux.intel.com>,
 Sanyog Kale <sanyog.r.kale@intel.com>, alsa-devel@alsa-project.org,
 linux-kernel@vger.kernel.org, lvc-project@linuxtesting.org
References: <20240211150937.4058-1-d.dulov@aladdin.ru>
From: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
In-Reply-To: <20240211150937.4058-1-d.dulov@aladdin.ru>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit



On 2/11/24 09:09, Daniil Dulov wrote:
> If sdw_ml_sync_bank_switch() returns error not on the first iteration,
> it leads to freeing prevously freed memory. So, set the pointer to NULL
> after each successful bank switch.
> 
> Signed-off-by: Daniil Dulov <d.dulov@aladdin.ru>
> ---
>  drivers/soundwire/stream.c | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/drivers/soundwire/stream.c b/drivers/soundwire/stream.c
> index 304ff2ee7d75..d650e6f0f8e7 100644
> --- a/drivers/soundwire/stream.c
> +++ b/drivers/soundwire/stream.c
> @@ -833,6 +833,7 @@ static int do_bank_switch(struct sdw_stream_runtime *stream)
>  				"multi link bank switch failed: %d\n", ret);
>  			goto error;
>  		}
> +		bus->defer_msg.msg = NULL;
>  
>  		if (multi_link)
>  			mutex_unlock(&bus->msg_lock);

Not following what the issue is...

On success, sdw_ml_sync_bank_switch() frees the buffers with

	if (bus->defer_msg.msg) {
		kfree(bus->defer_msg.msg->buf);
		kfree(bus->defer_msg.msg);
		bus->defer_msg.msg = NULL;
	}

So if there is an issue on the second iteration, then the loop will
detect already freed memory in the previous iteration and skip it:

                /* Check if bank switch was successful */
		ret = sdw_ml_sync_bank_switch(bus);
		if (ret < 0) {
			dev_err(bus->dev,
				"multi link bank switch failed: %d\n", ret);
			goto error;
		}

error:
	list_for_each_entry(m_rt, &stream->master_list, stream_node) {
		bus = m_rt->bus;
		if (bus->defer_msg.msg) { <<<< TEST FOR FREED MEMORY
			kfree(bus->defer_msg.msg->buf);
			kfree(bus->defer_msg.msg);
			bus->defer_msg.msg = NULL;
		}
	}

It could very well be that I need more coffee on this post-SuperBowl
Monday morning, but I just don't see the problem.