| Message ID | 20240211150937.4058-1-d.dulov@aladdin.ru |
|---|---|
| State | New |
| Headers |
Return-Path: <linux-kernel+bounces-60826-ouuuleilei=gmail.com@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:a05:7300:50ea:b0:106:860b:bbdd with SMTP id
r10csp1974010dyd;
Sun, 11 Feb 2024 07:21:29 -0800 (PST)
X-Google-Smtp-Source:
AGHT+IFxIs04EECOYaQmkJBIB3yNHsa82bAFrCBRwIbXtCoQXytyrYWIqCKWzgYRd+bpLGX1cYGJ
X-Received: by 2002:a05:6a21:1646:b0:19e:b89c:3cf5 with SMTP id
no6-20020a056a21164600b0019eb89c3cf5mr3357816pzb.21.1707664889552;
Sun, 11 Feb 2024 07:21:29 -0800 (PST)
ARC-Seal: i=2; a=rsa-sha256; t=1707664889; cv=pass;
d=google.com; s=arc-20160816;
b=vPsSULZB8dZCYUV3xHlk9CTtBHb8YKHHZDsw7LKRevlgZdMIXQEBXjHTURy4kgwLDG
MsaMqGHghLpmxDJFCuYdXLCkfCgk1pXjFjlELmZHBu0JPbZPamVrW5X9K77ITkd4NsQs
Ia0eVrwvgHCpigEIT0vQVxsH3+kVUZtKo0OGVCjw3zA+RvKF5zus25rnwdSnk/IaZSMF
viSsoKEMNxua/KkvH0h6K37xzwMlWOcJBPJuINnEK3JOOOxMsvm1bkkh2TjjFjqAKeZg
MhwoeaMnxr5D/Lx4viCWHJNKmkJX51Y0IuS9KDBHFlay178kvpU4f5VjG+3Wx3q2iRPN
zz+g==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
s=arc-20160816;
h=content-transfer-encoding:mime-version:list-unsubscribe
:list-subscribe:list-id:precedence:message-id:date:subject:cc:to
:from;
bh=UQLto9M69hUu9N6gVri5jwZoeEZKMbFdJyKjTeLwQBk=;
fh=GhdvY9oTzn84LONA8xf/CKV1JMiZpcXfZyz+5nl23/U=;
b=ER23TcrE1hiwX4zrf+G13K3ae1Y13DZqed/sJ56ciyRRnFViP0mzqBVbKxbGggu4zt
DmLahjFv18fri1K5bI+WZtV+klffgrDcSP+Oi/+EskG59ai3XZR0WKiktK0Rak/MEpbm
iWcUKSvEyupcolxd1zb1EaWTaaJXYgVmuFHevCkd5oMYyh3uGp0pJ2muXmJXZUTPIygO
I1FOj0VuhgSWlGIyPrJF6UIcSO4cZo8Oy4ACa3ezgZYyaaKR2oELZHy01S9lpDCJzELV
Gg+tUeNUGp8CXs5KMpq135yUBtWS+W89cgV+TXIGRKtDF/203eaQ5zo7LI7QnnhWROwy
uh2g==;
dara=google.com
ARC-Authentication-Results: i=2; mx.google.com;
arc=pass (i=1 spf=pass spfdomain=aladdin.ru dmarc=pass
fromdomain=aladdin.ru);
spf=pass (google.com: domain of
linux-kernel+bounces-60826-ouuuleilei=gmail.com@vger.kernel.org designates
2604:1380:45e3:2400::1 as permitted sender)
smtp.mailfrom="linux-kernel+bounces-60826-ouuuleilei=gmail.com@vger.kernel.org";
dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=aladdin.ru
X-Forwarded-Encrypted: i=2;
AJvYcCUaqOv8SW+IwMkhn77Y8+sFCTnOTEMiLd1vIkl2buLr/tAdwfCHQk5bXRas6VLfubDUDUO8FkStmGBOZ6LlsIkUDaEkxQ==
Received: from sv.mirrors.kernel.org (sv.mirrors.kernel.org.
[2604:1380:45e3:2400::1])
by mx.google.com with ESMTPS id
x8-20020a17090aca0800b002972b816341si630928pjt.166.2024.02.11.07.21.29
for <ouuuleilei@gmail.com>
(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
Sun, 11 Feb 2024 07:21:29 -0800 (PST)
Received-SPF: pass (google.com: domain of
linux-kernel+bounces-60826-ouuuleilei=gmail.com@vger.kernel.org designates
2604:1380:45e3:2400::1 as permitted sender) client-ip=2604:1380:45e3:2400::1;
Authentication-Results: mx.google.com;
arc=pass (i=1 spf=pass spfdomain=aladdin.ru dmarc=pass
fromdomain=aladdin.ru);
spf=pass (google.com: domain of
linux-kernel+bounces-60826-ouuuleilei=gmail.com@vger.kernel.org designates
2604:1380:45e3:2400::1 as permitted sender)
smtp.mailfrom="linux-kernel+bounces-60826-ouuuleilei=gmail.com@vger.kernel.org";
dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=aladdin.ru
Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org
[52.25.139.140])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
by sv.mirrors.kernel.org (Postfix) with ESMTPS id 64E342847D0
for <ouuuleilei@gmail.com>; Sun, 11 Feb 2024 15:11:40 +0000 (UTC)
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
by smtp.subspace.kernel.org (Postfix) with ESMTP id CDFA45D49D;
Sun, 11 Feb 2024 15:09:48 +0000 (UTC)
Received: from mail-out.aladdin-rd.ru (mail-out.aladdin-rd.ru [91.199.251.16])
(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
(No client certificate requested)
by smtp.subspace.kernel.org (Postfix) with ESMTPS id AA4F75D46D
for <linux-kernel@vger.kernel.org>; Sun, 11 Feb 2024 15:09:45 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
arc=none smtp.client-ip=91.199.251.16
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
t=1707664187; cv=none;
b=lhIjVEVh+ZGBWof9WadLZu7v7AqN6AYxW+v9t963EMQmdgFP0nWAxZKjjJlI3kbowygHGBc60HAFSIPbQtBiUbkTV8Y2b2RQZsOYu/o8EgjSyneE3XTqIF8JD7BPmnjXah2HEFyCCqbpxdQof8K5lJqsr7MNM7QkkMdLLhLfp3E=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
s=arc-20240116; t=1707664187; c=relaxed/simple;
bh=oM+ZoyIjXDNRxwrDc/pX5Se6omq6E/r+S5nA28fWjWk=;
h=From:To:CC:Subject:Date:Message-ID:MIME-Version:Content-Type;
b=Goon192eMW4T7kuPCZ3nlBOSiTXo/aWqbOx2JsGqooB9KWe04DYiX+u8wBXfcCrRYZfbmLbGeECkwi0xN8M3fLEP8I3wJyhBNg/Bq/QYA09DXT4NIyBb4e646QVZkjvlpmOV/4XtUSBY2Vkqn007qBH+LmprJ0iqCZj+ozlP02Y=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
dmarc=pass (p=none dis=none) header.from=aladdin.ru;
spf=pass smtp.mailfrom=aladdin.ru; arc=none smtp.client-ip=91.199.251.16
Authentication-Results: smtp.subspace.kernel.org;
dmarc=pass (p=none dis=none) header.from=aladdin.ru
Authentication-Results: smtp.subspace.kernel.org;
spf=pass smtp.mailfrom=aladdin.ru
From: Daniil Dulov <d.dulov@aladdin.ru>
To: Vinod Koul <vkoul@kernel.org>
CC: Daniil Dulov <d.dulov@aladdin.ru>, Bard Liao
<yung-chuan.liao@linux.intel.com>, Pierre-Louis Bossart
<pierre-louis.bossart@linux.intel.com>, Sanyog Kale
<sanyog.r.kale@intel.com>, <alsa-devel@alsa-project.org>,
<linux-kernel@vger.kernel.org>, <lvc-project@linuxtesting.org>
Subject: [PATCH] soundwire: fix double free of pointer
Date: Sun, 11 Feb 2024 07:09:37 -0800
Message-ID: <20240211150937.4058-1-d.dulov@aladdin.ru>
X-Mailer: git-send-email 2.25.1
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/plain
X-ClientProxiedBy: EXCH-2016-04.aladdin.ru (192.168.1.104) To
EXCH-2016-01.aladdin.ru (192.168.1.101)
X-getmail-retrieved-from-mailbox: INBOX
X-GMAIL-THRID: 1790616419156904998
X-GMAIL-MSGID: 1790616419156904998
|
| Series |
soundwire: fix double free of pointer
|
|
Commit Message
Daniil Dulov
Feb. 11, 2024, 3:09 p.m. UTC
If sdw_ml_sync_bank_switch() returns error not on the first iteration,
it leads to freeing prevously freed memory. So, set the pointer to NULL
after each successful bank switch.
Signed-off-by: Daniil Dulov <d.dulov@aladdin.ru>
---
drivers/soundwire/stream.c | 1 +
1 file changed, 1 insertion(+)
Comments
On 2/11/24 09:09, Daniil Dulov wrote: > If sdw_ml_sync_bank_switch() returns error not on the first iteration, > it leads to freeing prevously freed memory. So, set the pointer to NULL > after each successful bank switch. > > Signed-off-by: Daniil Dulov <d.dulov@aladdin.ru> > --- > drivers/soundwire/stream.c | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/drivers/soundwire/stream.c b/drivers/soundwire/stream.c > index 304ff2ee7d75..d650e6f0f8e7 100644 > --- a/drivers/soundwire/stream.c > +++ b/drivers/soundwire/stream.c > @@ -833,6 +833,7 @@ static int do_bank_switch(struct sdw_stream_runtime *stream) > "multi link bank switch failed: %d\n", ret); > goto error; > } > + bus->defer_msg.msg = NULL; > > if (multi_link) > mutex_unlock(&bus->msg_lock); Not following what the issue is... On success, sdw_ml_sync_bank_switch() frees the buffers with if (bus->defer_msg.msg) { kfree(bus->defer_msg.msg->buf); kfree(bus->defer_msg.msg); bus->defer_msg.msg = NULL; } So if there is an issue on the second iteration, then the loop will detect already freed memory in the previous iteration and skip it: /* Check if bank switch was successful */ ret = sdw_ml_sync_bank_switch(bus); if (ret < 0) { dev_err(bus->dev, "multi link bank switch failed: %d\n", ret); goto error; } error: list_for_each_entry(m_rt, &stream->master_list, stream_node) { bus = m_rt->bus; if (bus->defer_msg.msg) { <<<< TEST FOR FREED MEMORY kfree(bus->defer_msg.msg->buf); kfree(bus->defer_msg.msg); bus->defer_msg.msg = NULL; } } It could very well be that I need more coffee on this post-SuperBowl Monday morning, but I just don't see the problem.
diff --git a/drivers/soundwire/stream.c b/drivers/soundwire/stream.c index 304ff2ee7d75..d650e6f0f8e7 100644 --- a/drivers/soundwire/stream.c +++ b/drivers/soundwire/stream.c @@ -833,6 +833,7 @@ static int do_bank_switch(struct sdw_stream_runtime *stream) "multi link bank switch failed: %d\n", ret); goto error; } + bus->defer_msg.msg = NULL; if (multi_link) mutex_unlock(&bus->msg_lock);