From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org,
Geert Uytterhoeven <geert+renesas@glider.be>,
Mark Brown <broonie@kernel.org>
Subject: [PATCH 3.18 11/57] ASoC: simple-card: Fix crash in asoc_simple_card_unref()
Date: Tue, 3 Feb 2015 15:14:02 -0800 [thread overview]
Message-ID: <20150203231213.419783777@linuxfoundation.org> (raw)
In-Reply-To: <20150203231211.486950145@linuxfoundation.org>
3.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Geert Uytterhoeven <geert+renesas@glider.be>
commit 7ddfdb5c5a5b51bdd2cb749d8341d763b079d520 upstream.
If asoc_simple_card_probe() fails, asoc_simple_card_unref() may be
called before dev_set_drvdata(), causing a NULL pointer dereference in
asoc_simple_card_unref():
Unable to handle kernel NULL pointer dereference at virtual address 000000d4
...
PC is at asoc_simple_card_unref+0x14/0x48
LR is at asoc_simple_card_probe+0x3d4/0x40c
This typically happens because asoc_simple_card_parse_of() returns
-EPROBE_DEFER, but other failure modes are possible.
devm_snd_soc_register_card()/snd_soc_register_card() may fail either
before or after dev_set_drvdata().
Pass a snd_soc_card pointer instead of a platform_device pointer to
asoc_simple_card_unref() to fix this.
Note that if CONFIG_OF_DYNAMIC=n, of_node_put() is a dummy, and gcc may
optimize away the loop over card->dai_link, never actually dereferencing
card, and thus avoiding the crash...
Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
Fixes: e512e001dafa54e5 ("ASoC: simple-card: Fix the reference count of device nodes")
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/soc/generic/simple-card.c | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
--- a/sound/soc/generic/simple-card.c
+++ b/sound/soc/generic/simple-card.c
@@ -453,9 +453,8 @@ static int asoc_simple_card_parse_of(str
}
/* Decrease the reference count of the device nodes */
-static int asoc_simple_card_unref(struct platform_device *pdev)
+static int asoc_simple_card_unref(struct snd_soc_card *card)
{
- struct snd_soc_card *card = platform_get_drvdata(pdev);
struct snd_soc_dai_link *dai_link;
struct device_node *np;
int num_links;
@@ -562,7 +561,7 @@ static int asoc_simple_card_probe(struct
return ret;
err:
- asoc_simple_card_unref(pdev);
+ asoc_simple_card_unref(&priv->snd_card);
return ret;
}
@@ -578,7 +577,7 @@ static int asoc_simple_card_remove(struc
snd_soc_jack_free_gpios(&simple_card_mic_jack, 1,
&simple_card_mic_jack_gpio);
- return asoc_simple_card_unref(pdev);
+ return asoc_simple_card_unref(card);
}
static const struct of_device_id asoc_simple_of_match[] = {
next prev parent reply other threads:[~2015-02-03 23:53 UTC|newest]
Thread overview: 73+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-02-03 23:13 [PATCH 3.18 00/57] 3.18.6-stable review Greg Kroah-Hartman
2015-02-03 23:13 ` [PATCH 3.18 01/57] x86, build: replace Perl script with Shell script Greg Kroah-Hartman
2015-02-03 23:13 ` [PATCH 3.18 02/57] spi: dw: Fix detecting FIFO depth Greg Kroah-Hartman
2015-02-03 23:13 ` [PATCH 3.18 03/57] spi: dw-mid: fix FIFO size Greg Kroah-Hartman
2015-02-03 23:13 ` [PATCH 3.18 04/57] vm: add VM_FAULT_SIGSEGV handling support Greg Kroah-Hartman
2015-02-10 8:22 ` Konstantin Khlebnikov
2015-02-10 8:22 ` Konstantin Khlebnikov
2015-02-11 3:43 ` Greg Kroah-Hartman
2015-02-11 3:43 ` Greg Kroah-Hartman
2015-02-11 3:49 ` Linus Torvalds
2015-02-11 3:49 ` Linus Torvalds
2015-02-11 4:16 ` Greg Kroah-Hartman
2015-02-11 4:16 ` Greg Kroah-Hartman
2015-02-11 5:34 ` Konstantin Khlebnikov
2015-02-11 5:34 ` Konstantin Khlebnikov
2015-02-16 9:50 ` Luis Henriques
2015-02-16 9:50 ` Luis Henriques
2015-02-16 9:50 ` Luis Henriques
2015-02-03 23:13 ` [PATCH 3.18 05/57] arc: mm: Fix build failure Greg Kroah-Hartman
2015-02-03 23:13 ` [PATCH 3.18 06/57] vm: make stack guard page errors return VM_FAULT_SIGSEGV rather than SIGBUS Greg Kroah-Hartman
2015-02-03 23:13 ` [PATCH 3.18 07/57] ASoC: wm8960: Fix capture sample rate from 11250 to 11025 Greg Kroah-Hartman
2015-02-03 23:13 ` [PATCH 3.18 08/57] ASoC: pcm512x: Fix DSP program selection Greg Kroah-Hartman
2015-02-03 23:14 ` [PATCH 3.18 09/57] ASoC: fsl_esai: Fix incorrect xDC field width of xCCR registers Greg Kroah-Hartman
2015-02-03 23:14 ` [PATCH 3.18 10/57] ASoC: soc-compress.c: fix NULL dereference Greg Kroah-Hartman
2015-02-03 23:14 ` Greg Kroah-Hartman [this message]
2015-02-03 23:14 ` [PATCH 3.18 12/57] ASoC: omap-mcbsp: Correct CBM_CFS dai format configuration Greg Kroah-Hartman
2015-02-03 23:14 ` [PATCH 3.18 13/57] udf: Release preallocation on last writeable close Greg Kroah-Hartman
2015-02-03 23:14 ` [PATCH 3.18 14/57] can: kvaser_usb: Do not sleep in atomic context Greg Kroah-Hartman
2015-02-03 23:14 ` [PATCH 3.18 15/57] can: kvaser_usb: Send correct context to URB completion Greg Kroah-Hartman
2015-02-03 23:14 ` [PATCH 3.18 16/57] can: kvaser_usb: Retry the first bulk transfer on -ETIMEDOUT Greg Kroah-Hartman
2015-02-03 23:14 ` [PATCH 3.18 17/57] can: kvaser_usb: Fix state handling upon BUS_ERROR events Greg Kroah-Hartman
2015-02-03 23:14 ` [PATCH 3.18 18/57] powerpc/xmon: Fix another endiannes issue in RTAS call from xmon Greg Kroah-Hartman
2015-02-03 23:14 ` [PATCH 3.18 19/57] ALSA: seq-dummy: remove deadlock-causing events on close Greg Kroah-Hartman
2015-02-03 23:14 ` [PATCH 3.18 20/57] rbd: drop parent_ref in rbd_dev_unprobe() unconditionally Greg Kroah-Hartman
2015-02-03 23:14 ` [PATCH 3.18 21/57] rbd: fix rbd_dev_parent_get() when parent_overlap == 0 Greg Kroah-Hartman
2015-02-03 23:14 ` [PATCH 3.18 22/57] USB: Add OTG PET device to TPL Greg Kroah-Hartman
2015-02-03 23:14 ` [PATCH 3.18 23/57] usb-storage/SCSI: blacklist FUA on JMicron 152d:2566 USB-SATA controller Greg Kroah-Hartman
2015-02-03 23:14 ` [PATCH 3.18 24/57] uas: Add no-report-opcodes quirk for Simpletech devices with id 4971:8017 Greg Kroah-Hartman
2015-02-03 23:14 ` [PATCH 3.18 25/57] i2c: s3c2410: fix ABBA deadlock by keeping clock prepared Greg Kroah-Hartman
2015-02-03 23:14 ` [PATCH 3.18 26/57] Input: synaptics - adjust min/max for Lenovo ThinkPad X1 Carbon 2nd Greg Kroah-Hartman
2015-02-03 23:14 ` [PATCH 3.18 27/57] Input: elantech - add more Fujtisu notebooks to force crc_enabled Greg Kroah-Hartman
2015-02-03 23:14 ` [PATCH 3.18 28/57] Input: i8042 - add noloop quirk for Medion Akoya E7225 (MD98857) Greg Kroah-Hartman
2015-02-03 23:14 ` [PATCH 3.18 29/57] nfs: fix dio deadlock when O_DIRECT flag is flipped Greg Kroah-Hartman
2015-02-03 23:14 ` [PATCH 3.18 30/57] NFSv4.1: Fix an Oops in nfs41_walk_client_list Greg Kroah-Hartman
2015-02-03 23:14 ` [PATCH 3.18 31/57] mac80211: properly set CCK flag in radiotap Greg Kroah-Hartman
2015-02-03 23:14 ` [PATCH 3.18 32/57] mac80211: only roll back station states for WDS when suspending Greg Kroah-Hartman
2015-02-03 23:14 ` [PATCH 3.18 33/57] nl80211: fix per-station group key get/del and memory leak Greg Kroah-Hartman
2015-02-03 23:14 ` [PATCH 3.18 34/57] pinctrl: at91: allow to have disabled gpio bank Greg Kroah-Hartman
2015-02-03 23:14 ` [PATCH 3.18 35/57] ARM: mvebu: dont set the PL310 in I/O coherency mode when I/O coherency is disabled Greg Kroah-Hartman
2015-02-03 23:14 ` [PATCH 3.18 36/57] dm thin: dont allow messages to be sent to a pool target in READ_ONLY or FAIL mode Greg Kroah-Hartman
2015-02-03 23:14 ` [PATCH 3.18 37/57] dm cache: fix missing ERR_PTR returns and handling Greg Kroah-Hartman
2015-02-03 23:14 ` [PATCH 3.18 38/57] drm/vmwgfx: Replace the hw mutex with a hw spinlock Greg Kroah-Hartman
2015-02-03 23:14 ` [PATCH 3.18 41/57] spi/pxa2xx: Clear cur_chip pointer before starting next message Greg Kroah-Hartman
2015-02-03 23:14 ` [PATCH 3.18 42/57] drivers/rtc/rtc-s5m.c: terminate s5m_rtc_id array with empty element Greg Kroah-Hartman
2015-02-03 23:14 ` [PATCH 3.18 43/57] regulator: core: fix race condition in regulator_put() Greg Kroah-Hartman
2015-02-03 23:14 ` [PATCH 3.18 44/57] drivers: net: cpsw: discard dual emac default vlan configuration Greg Kroah-Hartman
2015-02-03 23:14 ` [PATCH 3.18 45/57] drm: fix fb-helper vs MST dangling connector ptrs (v2) Greg Kroah-Hartman
2015-02-03 23:14 ` [PATCH 3.18 46/57] drm/i915: Only fence tiled region of object Greg Kroah-Hartman
2015-02-03 23:14 ` [PATCH 3.18 47/57] drm/i915: BDW Fix Halo PCI IDs marked as ULT Greg Kroah-Hartman
2015-02-03 23:14 ` [PATCH 3.18 48/57] drm/i915: Init PPGTT before context enable Greg Kroah-Hartman
2015-02-03 23:14 ` [PATCH 3.18 49/57] drm/i915: fix inconsistent brightness after resume Greg Kroah-Hartman
2015-02-03 23:14 ` [PATCH 3.18 50/57] quota: Switch ->get_dqblk() and ->set_dqblk() to use bytes as space units Greg Kroah-Hartman
2015-02-03 23:14 ` [PATCH 3.18 51/57] memcg: remove extra newlines from memcg oom kill log Greg Kroah-Hartman
2015-02-03 23:14 ` [PATCH 3.18 52/57] perf/x86/intel: Add model number for Airmont Greg Kroah-Hartman
2015-02-03 23:14 ` [PATCH 3.18 53/57] perf/rapl: Fix crash in rapl_scale() Greg Kroah-Hartman
2015-02-03 23:14 ` [PATCH 3.18 54/57] HID: rmi: Check for additional ACM registers appended to F11 data report Greg Kroah-Hartman
2015-02-03 23:14 ` [PATCH 3.18 55/57] can: c_can: end pending transmission on network stop (ifdown) Greg Kroah-Hartman
2015-02-03 23:14 ` [PATCH 3.18 56/57] clocksource: arch_timer: Only use the virtual counter (CNTVCT) on arm64 Greg Kroah-Hartman
2015-02-03 23:14 ` [PATCH 3.18 57/57] xen/arm/arm64: introduce xen_arch_need_swiotlb Greg Kroah-Hartman
2015-02-04 14:03 ` [PATCH 3.18 00/57] 3.18.6-stable review Guenter Roeck
2015-02-04 19:22 ` Greg Kroah-Hartman
2015-02-04 17:30 ` Shuah Khan
2015-02-04 19:22 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20150203231213.419783777@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=broonie@kernel.org \
--cc=geert+renesas@glider.be \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.