From: Dan Carpenter <dan.carpenter@oracle.com>
To: Cezary Rojewski <cezary.rojewski@intel.com>
Cc: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>,
	Miaoqian Lin <linmq006@gmail.com>,
	Banajit Goswami <bgoswami@codeaurora.org>,
	Takashi Iwai <tiwai@suse.com>,
	kernel-janitors@vger.kernel.org, alsa-devel@alsa-project.org,
	Liam Girdwood <lgirdwood@gmail.com>,
	Mark Brown <broonie@kernel.org>,
	Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
Subject: Re: [PATCH] ASoC: qdsp6: fix a use after free bug in open()
Date: Wed, 5 Jan 2022 12:15:19 +0300
Message-ID: <20220105091519.GA7674@kadam>
In-Reply-To: <a28f15cf-b8fe-3214-f353-1fe4565adb8b@intel.com>

On Fri, Dec 17, 2021 at 04:13:48PM +0100, Cezary Rojewski wrote:
> On 2021-12-17 4:00 PM, Dan Carpenter wrote:
> > This code frees "graph" and then dereferences to save the error code.
> > Save the error code first and then use gotos to unwind the allocation.
> > 
> > Fixes: 59716aa3f976 ("ASoC: qdsp6: Fix an IS_ERR() vs NULL bug")
> > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> > ---
> >   sound/soc/qcom/qdsp6/q6apm.c | 10 ++++++----
> >   1 file changed, 6 insertions(+), 4 deletions(-)
> > 
> > diff --git a/sound/soc/qcom/qdsp6/q6apm.c b/sound/soc/qcom/qdsp6/q6apm.c
> > index 3e007d609a9b..f424d7aa389a 100644
> > --- a/sound/soc/qcom/qdsp6/q6apm.c
> > +++ b/sound/soc/qcom/qdsp6/q6apm.c
> > @@ -615,7 +615,7 @@ struct q6apm_graph *q6apm_graph_open(struct device *dev, q6apm_cb cb,
> >   	graph = kzalloc(sizeof(*graph), GFP_KERNEL);
> >   	if (!graph) {
> >   		ret = -ENOMEM;
> > -		goto err;
> > +		goto put_ar_graph;
> >   	}
> >   	graph->apm = apm;
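Review bot: the `goto put_ar_graph` in the kzalloc() failure branch is only a rename of the old `err` target, and the commit message does not say so. The branch still skips kfree(), which is correct because graph is NULL at that point. A short clause in the changelog noting that `err` is split into two labels, with the first hunk carrying no behaviour change, would help anyone backporting the fix see that the use-after-free is entirely in the second hunk.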
> > @@ -631,13 +631,15 @@ struct q6apm_graph *q6apm_graph_open(struct device *dev, q6apm_cb cb,
> >   	graph->port = gpr_alloc_port(apm->gdev, dev, graph_callback, graph);
> >   	if (IS_ERR(graph->port)) {
> > -		kfree(graph);
> >   		ret = PTR_ERR(graph->port);
> > -		goto err;
> > +		goto free_graph;
> >   	}
> >   	return graph;
> > -err:
> > +
> > +free_graph:
> > +	kfree(graph);
> > +put_ar_graph:
> 
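Review bot: in the IS_ERR(graph->port) branch the error code is still read back through graph, so the fix depends on `ret = PTR_ERR(graph->port);` staying ahead of the jump to `free_graph:`. Keeping the gpr_alloc_port() result in a local, checking IS_ERR() on that local and assigning graph->port only on success would make the error path independent of graph's lifetime. The fall-through from `free_graph:` into `put_ar_graph:` releases in reverse order of acquisition, which is the right shape. The quoted hunk ends at the label, so what put_ar_graph releases cannot be checked from these lines.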
> Hello Dan,
> 
> The patch looks good! My only suggestion is a readability improvement, but
> I'm unaware of the convention chosen for qcom directory so you may choose to
> ignore it:
> 
> Function q6apm_graph_open() has two separate return paths: a happy path
> ending in 'return graph' and an error path which eventually ends with
> 'return ERR_PTR(ret)'. Current goto label-naming convention suggests it's a
> happy path nonetheless.
> 
> s/free_graph/err_alloc_port/ and s/put_ar_graph/err_alloc_graph/ tells
> reader upfront that they are in the error path.
> 

Generally when code is indented two tabs that's an error path.  The
relevant pattern is "Do error handling, not success handling".  I guess
the if (IS_ERR()) check means it's an error as well.

regards,
dan carpenter
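
A userspace model of the unwind order discussed in this thread, added here as an illustration and not taken from the patch or from q6apm.c. The names demo_graph, demo_alloc_port, the counters and the fault switches are hypothetical, the ERR_PTR helpers are simplified stand-ins for the kernel's, and holding the port in a local is a variation on the patch rather than what it does.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>

/* Simplified userspace stand-ins for the kernel's ERR_PTR helpers. */
#define MAX_ERRNO 4095
static void *ERR_PTR(long e) { return (void *)e; }
static long PTR_ERR(const void *p) { return (long)p; }
static int IS_ERR(const void *p) { return (uintptr_t)p >= (uintptr_t)-MAX_ERRNO; }

struct demo_graph { void *port; };   /* hypothetical, not struct q6apm_graph */
static int refs_held, graphs_live;   /* leak counters checked by callers */
static int fail_alloc, fail_port;    /* fault-injection switches */

static void *demo_alloc_port(void)
{
	return fail_port ? ERR_PTR(-EBUSY) : malloc(1);
}

struct demo_graph *demo_graph_open(void)
{
	struct demo_graph *graph;
	void *port;
	int ret;

	refs_held++;                      /* models the earlier "get" */
	graph = fail_alloc ? NULL : calloc(1, sizeof(*graph));
	if (!graph) {
		ret = -ENOMEM;
		goto put_ref;                 /* nothing to free yet */
	}
	graphs_live++;

	port = demo_alloc_port();
	if (IS_ERR(port)) {
		ret = PTR_ERR(port);          /* error code never lives in graph */
		goto free_graph;
	}
	graph->port = port;
	return graph;

free_graph:                           /* labels unwind in reverse order */
	free(graph);
	graphs_live--;
put_ref:
	refs_held--;
	return ERR_PTR(ret);
}
```
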
