From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Sasha Levin <sashal@kernel.org>,
alsa-devel@alsa-project.org, Mark Brown <broonie@kernel.org>,
Charles Keepax <ckeepax@opensource.cirrus.com>
Subject: [PATCH AUTOSEL 5.7 294/388] ASoC: dapm: Move dai_link widgets to runtime to fix use after free
Date: Wed, 17 Jun 2020 21:06:31 -0400
Message-ID: <20200618010805.600873-294-sashal@kernel.org>
In-Reply-To: <20200618010805.600873-1-sashal@kernel.org>

From: Charles Keepax <ckeepax@opensource.cirrus.com>

[ Upstream commit f4aa5e214eeaf7f1c7f157526a5aa29784cb6a1f ]

The newly added CODEC to CODEC DAI link widget pointers in
snd_soc_dai_link are better placed in snd_soc_pcm_runtime.
snd_soc_dai_link is really intended for static configuration of
the DAI, and the runtime for dynamic data. The snd_soc_dai_link
structures are not destroyed if the card is unbound. The widgets
are cleared up on unbind, however if the card is rebound as the
snd_soc_dai_link structures are reused these pointers will be left at
their old values, causing access to freed memory.

Fixes: 595571cca4de ("ASoC: dapm: Fix regression introducing multiple copies of DAI widgets")
Signed-off-by: Charles Keepax <ckeepax@opensource.cirrus.com>
Link: https://lore.kernel.org/r/20200526161930.30759-1-ckeepax@opensource.cirrus.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/sound/soc.h | 6 +++---
sound/soc/soc-dapm.c | 12 ++++++------
2 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/include/sound/soc.h b/include/sound/soc.h
index e0371e70242d..8e480efeda2a 100644
--- a/include/sound/soc.h
+++ b/include/sound/soc.h
@@ -790,9 +790,6 @@ struct snd_soc_dai_link {
const struct snd_soc_pcm_stream *params;
unsigned int num_params;
- struct snd_soc_dapm_widget *playback_widget;
- struct snd_soc_dapm_widget *capture_widget;
-
unsigned int dai_fmt; /* format to set on init */
enum snd_soc_dpcm_trigger trigger[2]; /* trigger type for DPCM */
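Review bot: dropping playback_widget and capture_widget from struct snd_soc_dai_link breaks the build for any other reader of those two fields, and the diffstat only updates sound/soc/soc-dapm.c. Before this is queued for 5.7, grep the target tree for remaining dai_link users of both names; the soc-dapm.c hunks also use codec_dai->playback_widget and codec_dai->capture_widget, so the search has to distinguish by the type of the object being dereferenced rather than by field name alone.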
@@ -1156,6 +1153,9 @@ struct snd_soc_pcm_runtime {
struct snd_soc_dai **cpu_dais;
unsigned int num_cpus;
+ struct snd_soc_dapm_widget *playback_widget;
+ struct snd_soc_dapm_widget *capture_widget;
+
struct delayed_work delayed_work;
void (*close_delayed_work_func)(struct snd_soc_pcm_runtime *rtd);
#ifdef CONFIG_DEBUG_FS
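Review bot: the two pointers added to struct snd_soc_pcm_runtime have no comment, and the fix depends on a lifetime property this patch does not show: the `!rtd->playback_widget` and `!rtd->capture_widget` tests in soc-dapm.c are only correct if every runtime starts with both fields NULL after a rebind. A one-line comment here saying these are the CODEC to CODEC DAI link widgets and are valid only while the card is bound would record that, and it is worth confirming in the 5.7 tree that the runtime is allocated zeroed on each bind rather than reused.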
diff --git a/sound/soc/soc-dapm.c b/sound/soc/soc-dapm.c
index e2632841b321..c0aa64ff8e32 100644
--- a/sound/soc/soc-dapm.c
+++ b/sound/soc/soc-dapm.c
@@ -4340,16 +4340,16 @@ static void dapm_connect_dai_pair(struct snd_soc_card *card,
codec = codec_dai->playback_widget;
if (playback_cpu && codec) {
- if (dai_link->params && !dai_link->playback_widget) {
+ if (dai_link->params && !rtd->playback_widget) {
substream = streams[SNDRV_PCM_STREAM_PLAYBACK].substream;
dai = snd_soc_dapm_new_dai(card, substream, "playback");
if (IS_ERR(dai))
goto capture;
- dai_link->playback_widget = dai;
+ rtd->playback_widget = dai;
}
dapm_connect_dai_routes(&card->dapm, cpu_dai, playback_cpu,
- dai_link->playback_widget,
+ rtd->playback_widget,
codec_dai, codec);
}
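Review bot: `rtd` is dereferenced on all three changed lines of the playback branch but is not declared in the visible context, and the signature in the hunk header is cut off after `struct snd_soc_card *card,`. For the backport, check that dapm_connect_dai_pair() in the 5.7 tree already has the runtime in scope; if it only receives the dai_link, this hunk will not compile as is. Continuing to read `dai_link->params` from the link is consistent with the commit message, since that is static configuration.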
@@ -4358,16 +4358,16 @@ static void dapm_connect_dai_pair(struct snd_soc_card *card,
codec = codec_dai->capture_widget;
if (codec && capture_cpu) {
- if (dai_link->params && !dai_link->capture_widget) {
+ if (dai_link->params && !rtd->capture_widget) {
substream = streams[SNDRV_PCM_STREAM_CAPTURE].substream;
dai = snd_soc_dapm_new_dai(card, substream, "capture");
if (IS_ERR(dai))
return;
- dai_link->capture_widget = dai;
+ rtd->capture_widget = dai;
}
dapm_connect_dai_routes(&card->dapm, codec_dai, codec,
- dai_link->capture_widget,
+ rtd->capture_widget,
cpu_dai, capture_cpu);
}
}
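Review bot: on the IS_ERR(dai) path in the capture branch this `static void` function returns with no status, and the playback branch does the same through `goto capture`, so a failed snd_soc_dapm_new_dai() leaves rtd->capture_widget NULL and the link unrouted with nothing reported at this call site. That behaviour predates the change and should stay as it is in a stable fix, but unless snd_soc_dapm_new_dai() already logs its own failures, an upstream follow-up could report the error here or make the function return it.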
--
2.25.1