[alsa-devel] [PATCH 0/2] ASoC: samsung: odroid: fix err handling of odroid_audio_probe
We developed a Coccinelle SmPL script to check sound/soc/samsung/odroid.c and found some use-after-free problems. This patch series fixes those problems.
Wen Yang (2):
  ASoC: samsung: odroid: fix an use-after-free issue for codec
  ASoC: samsung: odroid: fix a double-free issue for cpu_dai

 sound/soc/samsung/odroid.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
Cc: Krzysztof Kozlowski krzk@kernel.org
Cc: Sangbeom Kim sbkim73@samsung.com
Cc: Sylwester Nawrocki s.nawrocki@samsung.com
Cc: Liam Girdwood lgirdwood@gmail.com
Cc: Mark Brown broonie@kernel.org
Cc: Jaroslav Kysela perex@perex.cz
Cc: Takashi Iwai tiwai@suse.com
Cc: alsa-devel@alsa-project.org
Cc: linux-kernel@vger.kernel.org
The codec variable is still being used after the of_node_put() call, which may result in use-after-free.
Fixes: bc3cf17b575a ("ASoC: samsung: odroid: Add support for secondary CPU DAI")
Signed-off-by: Wen Yang wen.yang99@zte.com.cn
Cc: Krzysztof Kozlowski krzk@kernel.org
Cc: Sangbeom Kim sbkim73@samsung.com
Cc: Sylwester Nawrocki s.nawrocki@samsung.com
Cc: Liam Girdwood lgirdwood@gmail.com
Cc: Mark Brown broonie@kernel.org
Cc: Jaroslav Kysela perex@perex.cz
Cc: Takashi Iwai tiwai@suse.com
Cc: alsa-devel@alsa-project.org
Cc: linux-kernel@vger.kernel.org
---
 sound/soc/samsung/odroid.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/sound/soc/samsung/odroid.c b/sound/soc/samsung/odroid.c index dfb6e46..64ebe89 100644 --- a/sound/soc/samsung/odroid.c +++ b/sound/soc/samsung/odroid.c @@ -284,9 +284,8 @@ static int odroid_audio_probe(struct platform_device *pdev) }
of_node_put(cpu); - of_node_put(codec); if (ret < 0) - return ret; + goto err_put_node;
ret = snd_soc_of_get_dai_link_codecs(dev, codec, codec_link); if (ret < 0) @@ -317,6 +316,7 @@ static int odroid_audio_probe(struct platform_device *pdev) goto err_put_clk_i2s; }
+ of_node_put(codec); return 0;
err_put_clk_i2s: @@ -326,6 +326,8 @@ static int odroid_audio_probe(struct platform_device *pdev) err_put_cpu_dai: of_node_put(cpu_dai); snd_soc_of_put_dai_link_codecs(codec_link); +err_put_node: + of_node_put(codec); return ret; }
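Review bot: in the first hunk the new `goto err_put_node` taken on `if (ret < 0)` lands below `err_put_cpu_dai`, so that path drops only `codec`; if `cpu_dai` has already been obtained from `of_parse_phandle()` by then (the bc3cf17b575a snippet quoted later in this thread takes `cpu_dai` before these `of_node_put()` calls), its reference is leaked on this path, as it was with the old `return ret`. Since `err_put_cpu_dai` cannot be reused here (it also calls `snd_soc_of_put_dai_link_codecs(codec_link)` on a link that has not been filled in yet), either add `of_node_put(cpu_dai)` before the jump or a label that drops it and falls through into `err_put_node`, or state in the commit message why `cpu_dai` is not yet held at that point.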
@@ -317,6 +316,7 @@ static int odroid_audio_probe(struct platform_device *pdev)
goto err_put_clk_i2s;
}
- of_node_put(codec);
I would prefer to avoid a bit of duplicate source code also at this place. Thus I would find a statement like “goto put_node;” more appropriate here.
return 0;
err_put_clk_i2s:
Regards, Markus
Fixes: bc3cf17b575a ("ASoC: samsung: odroid: Add support for secondary CPU DAI")
* Can it be that this commit identification is more relevant for the second update step?
* Was the handling of device node references questionable already before this change?
Regards, Markus
On Sat, 13 Jul 2019 at 05:48, Wen Yang wen.yang99@zte.com.cn wrote:
The codec variable is still being used after the of_node_put() call, which may result in use-after-free.
Fixes: bc3cf17b575a ("ASoC: samsung: odroid: Add support for secondary CPU DAI")
Signed-off-by: Wen Yang wen.yang99@zte.com.cn
Cc: Krzysztof Kozlowski krzk@kernel.org
Cc: Sangbeom Kim sbkim73@samsung.com
Cc: Sylwester Nawrocki s.nawrocki@samsung.com
Cc: Liam Girdwood lgirdwood@gmail.com
Cc: Mark Brown broonie@kernel.org
Cc: Jaroslav Kysela perex@perex.cz
Cc: Takashi Iwai tiwai@suse.com
Cc: alsa-devel@alsa-project.org
Cc: linux-kernel@vger.kernel.org
---
 sound/soc/samsung/odroid.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
Reviewed-by: Krzysztof Kozlowski krzk@kernel.org
Best regards, Krzysztof
The patch
ASoC: samsung: odroid: fix an use-after-free issue for codec
has been applied to the asoc tree at
https://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound.git for-5.3
All being well this means that it will be integrated into the linux-next tree (usually sometime in the next 24 hours) and sent to Linus during the next merge window (or sooner if it is a bug fix), however if problems are discovered then the patch may be dropped or reverted.
You may get further e-mails resulting from automated or manual testing and review of the tree, please engage with people reporting problems and send followup patches addressing any issues that are reported if needed.
If any updates are required or you are submitting further changes they should be sent as incremental updates against current git, existing patches will not be replaced.
Please add any relevant lists and maintainers to the CCs when replying to this mail.
Thanks, Mark
From 9b6d104a6b150bd4d3e5b039340e1f6b20c2e3c1 Mon Sep 17 00:00:00 2001
From: Wen Yang wen.yang99@zte.com.cn
Date: Sat, 13 Jul 2019 11:46:14 +0800
Subject: [PATCH] ASoC: samsung: odroid: fix an use-after-free issue for codec
The codec variable is still being used after the of_node_put() call, which may result in use-after-free.
Fixes: bc3cf17b575a ("ASoC: samsung: odroid: Add support for secondary CPU DAI")
Signed-off-by: Wen Yang wen.yang99@zte.com.cn
Cc: Krzysztof Kozlowski krzk@kernel.org
Cc: Sangbeom Kim sbkim73@samsung.com
Cc: Sylwester Nawrocki s.nawrocki@samsung.com
Cc: Liam Girdwood lgirdwood@gmail.com
Cc: Mark Brown broonie@kernel.org
Cc: Jaroslav Kysela perex@perex.cz
Cc: Takashi Iwai tiwai@suse.com
Cc: alsa-devel@alsa-project.org
Cc: linux-kernel@vger.kernel.org
Link: https://lore.kernel.org/r/1562989575-33785-2-git-send-email-wen.yang99@zte.c...
Signed-off-by: Mark Brown broonie@kernel.org
---
 sound/soc/samsung/odroid.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/sound/soc/samsung/odroid.c b/sound/soc/samsung/odroid.c index dfb6e460e7eb..64ebe895cdd7 100644 --- a/sound/soc/samsung/odroid.c +++ b/sound/soc/samsung/odroid.c @@ -284,9 +284,8 @@ static int odroid_audio_probe(struct platform_device *pdev) }
of_node_put(cpu); - of_node_put(codec); if (ret < 0) - return ret; + goto err_put_node;
ret = snd_soc_of_get_dai_link_codecs(dev, codec, codec_link); if (ret < 0) @@ -317,6 +316,7 @@ static int odroid_audio_probe(struct platform_device *pdev) goto err_put_clk_i2s; }
+ of_node_put(codec); return 0;
err_put_clk_i2s: @@ -326,6 +326,8 @@ static int odroid_audio_probe(struct platform_device *pdev) err_put_cpu_dai: of_node_put(cpu_dai); snd_soc_of_put_dai_link_codecs(codec_link); +err_put_node: + of_node_put(codec); return ret; }
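Review bot: the new label `err_put_node` in the last hunk releases only `codec`, while the neighbouring labels are named after the resource they release (`err_put_cpu_dai`, `err_put_sclk`, `err_put_clk_i2s`); naming it `err_put_codec` would keep that convention and make the early `goto err_put_node` in the first hunk self-describing. The `+ of_node_put(codec);` added before `return 0` duplicates the body of that label, so a shared exit that the success path falls into would keep the two from diverging the next time a reference is added to this function.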
The cpu_dai variable is still being used after the of_node_put() call, which may result in double-free:
        of_node_put(cpu_dai);                   ---> released here

        ret = devm_snd_soc_register_card(dev, card);
        if (ret < 0) {
                ...
                goto err_put_clk_i2s;           --> jump to err_put_clk_i2s
        ...

err_put_clk_i2s:
        clk_put(priv->clk_i2s_bus);
err_put_sclk:
        clk_put(priv->sclk_i2s);
err_put_cpu_dai:
        of_node_put(cpu_dai);                   --> double-free here
Fixes: d832d2b246c5 ("ASoC: samsung: odroid: Fix of_node refcount unbalance")
Signed-off-by: Wen Yang wen.yang99@zte.com.cn
Cc: Krzysztof Kozlowski krzk@kernel.org
Cc: Sangbeom Kim sbkim73@samsung.com
Cc: Sylwester Nawrocki s.nawrocki@samsung.com
Cc: Liam Girdwood lgirdwood@gmail.com
Cc: Mark Brown broonie@kernel.org
Cc: Jaroslav Kysela perex@perex.cz
Cc: Takashi Iwai tiwai@suse.com
Cc: alsa-devel@alsa-project.org
Cc: linux-kernel@vger.kernel.org
---
 sound/soc/samsung/odroid.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sound/soc/samsung/odroid.c b/sound/soc/samsung/odroid.c index 64ebe89..f0f5fa9 100644 --- a/sound/soc/samsung/odroid.c +++ b/sound/soc/samsung/odroid.c @@ -308,7 +308,6 @@ static int odroid_audio_probe(struct platform_device *pdev) ret = PTR_ERR(priv->clk_i2s_bus); goto err_put_sclk; } - of_node_put(cpu_dai);
ret = devm_snd_soc_register_card(dev, card); if (ret < 0) { @@ -316,6 +315,7 @@ static int odroid_audio_probe(struct platform_device *pdev) goto err_put_clk_i2s; }
+ of_node_put(cpu_dai); of_node_put(codec); return 0;
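Review bot: the commit message calls the `devm_snd_soc_register_card()` failure path a double-free, but the two hunks show an unbalanced reference drop rather than a free: `of_node_put()` is an empty inline unless CONFIG_OF_DYNAMIC is set, and with it set the second `of_node_put(cpu_dai)` reached via `err_put_cpu_dai` is an extra `kobject_put()` that corrupts the node's reference count and only frees the node if that count reaches zero. Describing the bug as an unbalanced `of_node_put()` on `cpu_dai` would match what the hunks change and make the CONFIG_OF_DYNAMIC dependency of the impact clear to anyone triaging it for stable.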
The cpu_dai variable is still being used after the of_node_put() call,
Such an implementation detail is questionable. https://wiki.sei.cmu.edu/confluence/display/c/MEM30-C.+Do+not+access+freed+m...
which may result in double-free:
This consequence is also undesirable. https://cwe.mitre.org/data/definitions/415.html
Now I wonder if two update steps are really appropriate as a fix instead of using a single update step for the desired correction in this software module. Should a commit (including previous ones) usually be correct by itself?
Regards, Markus
The cpu_dai variable is still being used after the of_node_put() call,
Such an implementation detail is questionable. https://wiki.sei.cmu.edu/confluence/display/c/MEM30-C.+Do+not+access+freed+m...
which may result in double-free:
This consequence is also undesirable. https://cwe.mitre.org/data/definitions/415.html
Now I wonder if two update steps are really appropriate as a fix instead of using a single update step for the desired correction in this software module. Should a commit (including previous ones) usually be correct by itself?
Thanks. These two updates fix two different bugs.
One of them is the use-after-free issue introduced by bc3cf17b575a: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?...
- ret = snd_soc_of_get_dai_link_codecs(dev, codec, link); + cpu_dai = of_parse_phandle(cpu, "sound-dai", 0); + of_node_put(cpu); + of_node_put(codec); + + ret = snd_soc_of_get_dai_link_codecs(dev, codec, codec_link); if (ret < 0) goto err_put_codec_n;
and the other is the double-free issue introduced by d832d2b246c5: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/tree/sou... and n303, n308.
So we sent two patches to fix them separately.
-- Regards, Wen
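The following is an added example, not code from this thread, from sound/soc/samsung/odroid.c or from the kernel. It is a small user-space C model of the two mistakes discussed above (dropping the codec reference before its last use, and dropping cpu_dai once early and again in the error ladder) next to an ordering that releases every reference exactly once on every exit path. Everything in it (struct mock_node, node_get/node_put/node_use, probe_buggy, probe_fixed, run_probe and the FAIL_* cases) is an invented stand-in for of_get_child_by_name(), of_parse_phandle(), of_node_put() and the calls that consume the nodes. It assumes the driver's reference is the last one on the node, so a drop to zero "frees" it; that is the worst case, since in the kernel of_node_put() is an empty inline without CONFIG_OF_DYNAMIC, and a node the DT core still pins survives an extra put with a corrupted count rather than an immediate free.

```c
/* Added example, not code from this thread, from sound/soc/samsung/odroid.c
 * or the kernel: a user-space model of device_node reference counting. All
 * names below are invented stand-ins for of_get_child_by_name(),
 * of_parse_phandle(), of_node_put() and the calls that consume the nodes; the
 * driver's reference is treated as the last one, so a drop to zero "frees". */
#include <stdio.h>

struct mock_node { int refcount; int freed; };
static int uaf_count, double_put_count;	/* read back by run_probe() */

static void node_get(struct mock_node *n)	/* of_get_child_by_name() etc. */
{
	if (n->freed) uaf_count++; else n->refcount++;	/* get on freed memory is a UAF */
}

static void node_put(struct mock_node *n)	/* of_node_put() */
{
	if (n->freed) { double_put_count++; return; }	/* reference already gone */
	if (--n->refcount == 0) n->freed = 1;
}

/* Passing the node on, as to snd_soc_of_get_dai_link_codecs(); like a real
 * use-after-free the call still "works" on freed memory. */
static int node_use(struct mock_node *n, int fail)
{
	if (n->freed) uaf_count++;
	return fail ? -22 : 0;	/* -EINVAL */
}

enum { FAIL_NONE, FAIL_CODECS, FAIL_REGISTER };

/* Pre-patch ordering: codec dropped before its last use; cpu_dai dropped
 * early and again by the error ladder when card registration fails. */
static int probe_buggy(struct mock_node *codec, struct mock_node *cpu_dai, int fail_at)
{
	int ret;
	node_get(codec);
	node_get(cpu_dai);
	node_put(codec);			/* too early: codec is used below */
	ret = node_use(codec, fail_at == FAIL_CODECS);
	if (ret < 0)
		goto err_put_cpu_dai;
	node_put(cpu_dai);			/* early drop ... */
	if (fail_at == FAIL_REGISTER) {
		ret = -5;			/* -EIO */
		goto err_put_cpu_dai;		/* ... and dropped again here */
	}
	return 0;
err_put_cpu_dai:
	node_put(cpu_dai);
	return ret;
}

/* Corrected ordering: each reference outlives its last use and is dropped
 * exactly once on every exit path, success included. */
static int probe_fixed(struct mock_node *codec, struct mock_node *cpu_dai, int fail_at)
{
	int ret;
	node_get(codec);
	node_get(cpu_dai);
	ret = node_use(codec, fail_at == FAIL_CODECS);
	if (ret < 0)
		goto out_put;
	if (fail_at == FAIL_REGISTER)
		ret = -5;
out_put:
	node_put(cpu_dai);
	node_put(codec);
	return ret;
}

struct probe_report { int ret, uaf, double_put, leaked; };

/* Run one probe variant on fresh nodes; leaked = references never dropped. */
static struct probe_report run_probe(int (*probe)(struct mock_node *, struct mock_node *, int), int fail_at)
{
	struct mock_node codec = { 0, 0 }, cpu_dai = { 0, 0 };
	struct probe_report r;
	uaf_count = double_put_count = 0;
	r.ret = probe(&codec, &cpu_dai, fail_at);
	r.uaf = uaf_count;
	r.double_put = double_put_count;
	r.leaked = codec.refcount + cpu_dai.refcount;
	return r;
}

int main(void)
{
	for (int fail = FAIL_NONE; fail <= FAIL_REGISTER; fail++) {
		struct probe_report b = run_probe(probe_buggy, fail);
		struct probe_report f = run_probe(probe_fixed, fail);
		printf("fail_at=%d buggy: ret=%d uaf=%d double_put=%d leaked=%d\n",
		       fail, b.ret, b.uaf, b.double_put, b.leaked);
		printf("fail_at=%d fixed: ret=%d uaf=%d double_put=%d leaked=%d\n",
		       fail, f.ret, f.uaf, f.double_put, f.leaked);
	}
	return 0;
}
```

Build with cc -Wall and run: the buggy variant reports uaf=1 on every path and double_put=1 when registration fails, while the fixed variant reports zeros and no leaked references in all three cases. The single fall-through exit in probe_fixed is the shape suggested in the review above; it keeps the success and failure paths from carrying separate copies of the same of_node_put() calls.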
These two updates fix two different bugs.
I can follow this view to some degree.
and the other is the double-free issue
This programming error also affects the use of data structures which became invalid. https://cwe.mitre.org/data/definitions/415.html#oc_415_Notes
So we sent two patches to fix them separately.
You would like to fix something according to two variables (of the data type “device_node *”) in the same function implementation. Please combine these corrections in an update step under a topic like “ASoC: samsung: odroid: Fix handling of device node references in odroid_audio_probe()”. (The previous update step would contain still a known programming mistake otherwise, wouldn't it?)
Regards, Markus
On Sat, 13 Jul 2019 at 05:48, Wen Yang wen.yang99@zte.com.cn wrote:
The cpu_dai variable is still being used after the of_node_put() call, which may result in double-free:
        of_node_put(cpu_dai);                   ---> released here

        ret = devm_snd_soc_register_card(dev, card);
        if (ret < 0) {
                ...
                goto err_put_clk_i2s;           --> jump to err_put_clk_i2s
        ...

err_put_clk_i2s:
        clk_put(priv->clk_i2s_bus);
err_put_sclk:
        clk_put(priv->sclk_i2s);
err_put_cpu_dai:
        of_node_put(cpu_dai);                   --> double-free here
Fixes: d832d2b246c5 ("ASoC: samsung: odroid: Fix of_node refcount unbalance")
Signed-off-by: Wen Yang wen.yang99@zte.com.cn
Cc: Krzysztof Kozlowski krzk@kernel.org
Cc: Sangbeom Kim sbkim73@samsung.com
Cc: Sylwester Nawrocki s.nawrocki@samsung.com
Cc: Liam Girdwood lgirdwood@gmail.com
Cc: Mark Brown broonie@kernel.org
Cc: Jaroslav Kysela perex@perex.cz
Cc: Takashi Iwai tiwai@suse.com
Cc: alsa-devel@alsa-project.org
Cc: linux-kernel@vger.kernel.org
---
 sound/soc/samsung/odroid.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Reviewed-by: Krzysztof Kozlowski krzk@kernel.org
Best regards, Krzysztof
The patch
ASoC: samsung: odroid: fix a double-free issue for cpu_dai
has been applied to the asoc tree at
https://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound.git for-5.3
All being well this means that it will be integrated into the linux-next tree (usually sometime in the next 24 hours) and sent to Linus during the next merge window (or sooner if it is a bug fix), however if problems are discovered then the patch may be dropped or reverted.
You may get further e-mails resulting from automated or manual testing and review of the tree, please engage with people reporting problems and send followup patches addressing any issues that are reported if needed.
If any updates are required or you are submitting further changes they should be sent as incremental updates against current git, existing patches will not be replaced.
Please add any relevant lists and maintainers to the CCs when replying to this mail.
Thanks, Mark
From 2abee12c0ab1924a69993d2c063a39a952e7d836 Mon Sep 17 00:00:00 2001
From: Wen Yang wen.yang99@zte.com.cn
Date: Sat, 13 Jul 2019 11:46:15 +0800
Subject: [PATCH] ASoC: samsung: odroid: fix a double-free issue for cpu_dai
The cpu_dai variable is still being used after the of_node_put() call, which may result in double-free:
        of_node_put(cpu_dai);                   ---> released here

        ret = devm_snd_soc_register_card(dev, card);
        if (ret < 0) {
                ...
                goto err_put_clk_i2s;           --> jump to err_put_clk_i2s
        ...

err_put_clk_i2s:
        clk_put(priv->clk_i2s_bus);
err_put_sclk:
        clk_put(priv->sclk_i2s);
err_put_cpu_dai:
        of_node_put(cpu_dai);                   --> double-free here
Fixes: d832d2b246c5 ("ASoC: samsung: odroid: Fix of_node refcount unbalance")
Signed-off-by: Wen Yang wen.yang99@zte.com.cn
Cc: Krzysztof Kozlowski krzk@kernel.org
Cc: Sangbeom Kim sbkim73@samsung.com
Cc: Sylwester Nawrocki s.nawrocki@samsung.com
Cc: Liam Girdwood lgirdwood@gmail.com
Cc: Mark Brown broonie@kernel.org
Cc: Jaroslav Kysela perex@perex.cz
Cc: Takashi Iwai tiwai@suse.com
Cc: alsa-devel@alsa-project.org
Cc: linux-kernel@vger.kernel.org
Link: https://lore.kernel.org/r/1562989575-33785-3-git-send-email-wen.yang99@zte.c...
Signed-off-by: Mark Brown broonie@kernel.org
---
 sound/soc/samsung/odroid.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sound/soc/samsung/odroid.c b/sound/soc/samsung/odroid.c index 64ebe895cdd7..f0f5fa9c27d3 100644 --- a/sound/soc/samsung/odroid.c +++ b/sound/soc/samsung/odroid.c @@ -308,7 +308,6 @@ static int odroid_audio_probe(struct platform_device *pdev) ret = PTR_ERR(priv->clk_i2s_bus); goto err_put_sclk; } - of_node_put(cpu_dai);
ret = devm_snd_soc_register_card(dev, card); if (ret < 0) { @@ -316,6 +315,7 @@ static int odroid_audio_probe(struct platform_device *pdev) goto err_put_clk_i2s; }
+ of_node_put(cpu_dai); of_node_put(codec); return 0;
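Review bot: the `index 64ebe895cdd7..f0f5fa9c27d3` line and the `of_node_put(codec); return 0;` context of the second hunk show this patch is built on the post-image of the preceding codec fix, yet its `Fixes: d832d2b246c5` tag points at a base where that success-path `of_node_put(codec)` does not exist, so a stable backport driven by the tag alone will not apply cleanly without the codec patch or a context adjustment. State the dependency on "ASoC: samsung: odroid: fix an use-after-free issue for codec" in the message so both fixes travel together.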
Would a subject like “ASoC: samsung: odroid: Fix handling of device node references in odroid_audio_probe” be more appropriate (instead of using the abbreviation “err”)?
We developed a coccinelle SmPL to detect …
* I would find a slightly different wording better.
* What do you think about converting this information into software attributions for the update steps?
Regards, Markus
participants (5): Krzysztof Kozlowski, Mark Brown, Markus Elfring, Wen Yang, wen.yang99@zte.com.cn