diff mbox series

most: fix a memleak in audio_probe_channel

Message ID	20240122172044.3840976-1-alexious@zju.edu.cn
State	New
Headers	Received-SPF: pass (google.com: domain of linux-kernel+bounces-33789-ouuuleilei=gmail.com@vger.kernel.org designates 2604:1380:4601:e00::3 as permitted sender) client-ip=2604:1380:4601:e00::3; From: Zhipeng Lu <alexious@zju.edu.cn> To: alexious@zju.edu.cn Cc: Parthiban Veerasooran <parthiban.veerasooran@microchip.com>, Christian Gromm <christian.gromm@microchip.com>, Dan Carpenter <error27@gmail.com>, Greg Kroah-Hartman <gregkh@linuxfoundation.org>, linux-kernel@vger.kernel.org Subject: [PATCH] most: fix a memleak in audio_probe_channel Date: Tue, 23 Jan 2024 01:20:44 +0800 Message-Id: <20240122172044.3840976-1-alexious@zju.edu.cn> Precedence: bulk MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	most: fix a memleak in audio_probe_channel \| most: fix a memleak in audio_probe_channel

Commit Message

Zhipeng Lu Jan. 22, 2024, 5:20 p.m. UTC

  When get_channel fails, audio_probe_channel should free adpt like all
its following error-handling paths after get_channel. Otherwise there
could be a memleak.

Fixes: 15600aea2754 ("staging: most: sound: create one sound card w/ multiple PCM devices per MOST device")
Signed-off-by: Zhipeng Lu <alexious@zju.edu.cn>
---
 drivers/most/most_snd.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

Comments

Dan Carpenter Jan. 23, 2024, 6:04 a.m. UTC | #1

On Tue, Jan 23, 2024 at 01:20:44AM +0800, Zhipeng Lu wrote:
> When get_channel fails, audio_probe_channel should free adpt like all
> its following error-handling paths after get_channel. Otherwise there
> could be a memleak.
> 
> Fixes: 15600aea2754 ("staging: most: sound: create one sound card w/ multiple PCM devices per MOST device")
> Signed-off-by: Zhipeng Lu <alexious@zju.edu.cn>
> ---
>  drivers/most/most_snd.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/most/most_snd.c b/drivers/most/most_snd.c
> index 45d762804c5e..6cccc9c26796 100644
> --- a/drivers/most/most_snd.c
> +++ b/drivers/most/most_snd.c
> @@ -564,7 +564,8 @@ static int audio_probe_channel(struct most_interface *iface, int channel_id,
>  	if (get_channel(iface, channel_id)) {
>  		pr_err("channel (%s:%d) is already linked\n",
>  		       iface->description, channel_id);
> -		return -EEXIST;
> +		ret = -EEXIST;
> +		goto err_free_adpt;

No, this doesn't work.  Someone should add a comment here explaining
why.

This function is a bit complicated because we sometimes allocate "adpt"
and sometimes we don't.  Why can we not make it consistently one way or
the other?  This is not my code and I don't know.  But presumably there
is a good reason.  I looked up the previous discussion of this and found
this thread.

https://lore.kernel.org/all/78cc59b31042f865e947a2c09a5d10cc60ddc01c.camel@microchip.com/

Anyway, in the end, we're trying to clean up and on the other error
paths we're allowed to free "adpt" even though we didn't allocate it.

However once it's got a channel linked then we cannot.  At that stage
"adpt" is already added to the &iface->p->channel_list list.  The
release_adapter() adapter function will free it without removing it from
the list so it leads to a use after free.

However, memory on this path is not leaked as your commit message says.
"adpt" is still on the lists.  The stuff is in a messed up state so the
user will need to tear it all down manually and recreate the
configuration.  Quoting the email I linked to, "This
involves the call to mdev_link_destroy_link_store() that cleans up
everything."

So we can't apply your patch because it leads to a use after free.  But
we could apply a patch which adds a comment like:

	/*
	 * This error path doesn't leak.  If the channel is already set
	 * up then something has gone badly wrong.  The user will have
	 * to tear everything down and reconfigure from scratch.  The
	 * memory will be released via mdev_link_destroy_link_store().
	 *
	 */

regards,
dan carpenter

Zhipeng Lu Jan. 29, 2024, 12:56 p.m. UTC | #2

> On Tue, Jan 23, 2024 at 01:20:44AM +0800, Zhipeng Lu wrote:
> > When get_channel fails, audio_probe_channel should free adpt like all
> > its following error-handling paths after get_channel. Otherwise there
> > could be a memleak.
> > 
> > Fixes: 15600aea2754 ("staging: most: sound: create one sound card w/ multiple PCM devices per MOST device")
> > Signed-off-by: Zhipeng Lu <alexious@zju.edu.cn>
> > ---
> >  drivers/most/most_snd.c | 3 ++-
> >  1 file changed, 2 insertions(+), 1 deletion(-)
> > 
> > diff --git a/drivers/most/most_snd.c b/drivers/most/most_snd.c
> > index 45d762804c5e..6cccc9c26796 100644
> > --- a/drivers/most/most_snd.c
> > +++ b/drivers/most/most_snd.c
> > @@ -564,7 +564,8 @@ static int audio_probe_channel(struct most_interface *iface, int channel_id,
> >  	if (get_channel(iface, channel_id)) {
> >  		pr_err("channel (%s:%d) is already linked\n",
> >  		       iface->description, channel_id);
> > -		return -EEXIST;
> > +		ret = -EEXIST;
> > +		goto err_free_adpt;
> 
> No, this doesn't work.  Someone should add a comment here explaining
> why.
> 
> This function is a bit complicated because we sometimes allocate "adpt"
> and sometimes we don't.  Why can we not make it consistently one way or
> the other?  This is not my code and I don't know.  But presumably there
> is a good reason.  I looked up the previous discussion of this and found
> this thread.
> 
> https://lore.kernel.org/all/78cc59b31042f865e947a2c09a5d10cc60ddc01c.camel@microchip.com/
> 
> Anyway, in the end, we're trying to clean up and on the other error
> paths we're allowed to free "adpt" even though we didn't allocate it.
> 
> However once it's got a channel linked then we cannot.  At that stage
> "adpt" is already added to the &iface->p->channel_list list.  The
> release_adapter() adapter function will free it without removing it from
> the list so it leads to a use after free.
> 
> However, memory on this path is not leaked as your commit message says.
> "adpt" is still on the lists.  The stuff is in a messed up state so the
> user will need to tear it all down manually and recreate the
> configuration.  Quoting the email I linked to, "This
> involves the call to mdev_link_destroy_link_store() that cleans up
> everything."
> 
> So we can't apply your patch because it leads to a use after free.  But
> we could apply a patch which adds a comment like:
> 
> 	/*
> 	 * This error path doesn't leak.  If the channel is already set
> 	 * up then something has gone badly wrong.  The user will have
> 	 * to tear everything down and reconfigure from scratch.  The
> 	 * memory will be released via mdev_link_destroy_link_store().
> 	 *
> 	 */
> 

Thank you for your correction and advise. 
We would like to submit a new patch to add such comment.\

Regards,
Zhipeng.


> regards,
> dan carpenter

diff mbox series

Patch

diff --git a/drivers/most/most_snd.c b/drivers/most/most_snd.c
index 45d762804c5e..6cccc9c26796 100644
--- a/drivers/most/most_snd.c
+++ b/drivers/most/most_snd.c
@@ -564,7 +564,8 @@  static int audio_probe_channel(struct most_interface *iface, int channel_id,
 	if (get_channel(iface, channel_id)) {
 		pr_err("channel (%s:%d) is already linked\n",
 		       iface->description, channel_id);
-		return -EEXIST;
+		ret = -EEXIST;
+		goto err_free_adpt;
 	}
 
 	if (cfg->direction == MOST_CH_TX) {