From mboxrd@z Thu Jan  1 00:00:00 1970
From: Lars-Peter Clausen <lars@metafoo.de>
Subject: Re: [PATCH] ASoC: dapm: Fix widget double free with
 auto-disable DAPM kcontrol
Date: Tue, 15 Apr 2014 20:15:45 +0200
Message-ID: <534D7751.7030609@metafoo.de>
References: <1397570289-29215-1-git-send-email-jarkko.nikula@linux.intel.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; Format="flowed"
Content-Transfer-Encoding: 7bit
Return-path: <alsa-devel-bounces@alsa-project.org>
Received: from smtp-out-027.synserver.de (smtp-out-049.synserver.de
 [212.40.185.49])
 by alsa0.perex.cz (Postfix) with ESMTP id 8F737264F1D
 for <alsa-devel@alsa-project.org>; Tue, 15 Apr 2014 20:15:57 +0200 (CEST)
In-Reply-To: <1397570289-29215-1-git-send-email-jarkko.nikula@linux.intel.com>
List-Unsubscribe: <http://mailman.alsa-project.org/mailman/options/alsa-devel>,
 <mailto:alsa-devel-request@alsa-project.org?subject=unsubscribe>
List-Archive: <http://mailman.alsa-project.org/pipermail/alsa-devel/>
List-Post: <mailto:alsa-devel@alsa-project.org>
List-Help: <mailto:alsa-devel-request@alsa-project.org?subject=help>
List-Subscribe: <http://mailman.alsa-project.org/mailman/listinfo/alsa-devel>,
 <mailto:alsa-devel-request@alsa-project.org?subject=subscribe>
Errors-To: alsa-devel-bounces@alsa-project.org
Sender: alsa-devel-bounces@alsa-project.org
To: Jarkko Nikula <jarkko.nikula@linux.intel.com>
Cc: alsa-devel@alsa-project.org, Mark Brown <broonie@kernel.org>, Liam Girdwood <lgirdwood@gmail.com>, stable <stable@vger.kernel.org>
List-Id: alsa-devel@alsa-project.org

On 04/15/2014 03:58 PM, Jarkko Nikula wrote:
> Commit 9e1fda4ae158 ("ASoC: dapm: Implement mixer input auto-disable") is trying to
> free the widget it allocated by snd_soc_dapm_new_control() call in
> dapm_kcontrol_data_alloc() by adding kfree(data->widget) to dapm_kcontrol_free().
>
> This is causing a widget double free with auto-disabled DAPM kcontrols in sound card
> unregistration because widgets are already freed before dapm_kcontrol_free() is
> called.
>
> Reason for that is all widgets are added into dapm->card->widgets list in
> snd_soc_dapm_new_control() and freed in dapm_free_widgets() during execution of
> snd_soc_dapm_free().
>
> Now snd_soc_dapm_free() calls for different DAPM contexts happens before
> snd_card_free() call from where the call chain to dapm_kcontrol_free() begins:
>
> soc_cleanup_card_resources()
>    soc_remove_dai_links()
>      soc_remove_link_dais()
>        snd_soc_dapm_free(&cpu_dai->dapm)
>      soc_remove_link_components()
>        soc_remove_platform()
>          snd_soc_dapm_free(&platform->dapm)
>        soc_remove_codec()
>          snd_soc_dapm_free(&codec->dapm)
>    snd_soc_dapm_free(&card->dapm)
>    snd_card_free()
>      snd_card_do_free()
>        snd_device_free_all()
>          snd_device_free()
>            snd_ctl_dev_free()
>              snd_ctl_remove()
>                snd_ctl_free_one()
>                  dapm_kcontrol_free()
>
> This wasn't making harm with ordinary DAPM kcontrols since data->widget is NULL for
> them.
>
> Signed-off-by: Jarkko Nikula <jarkko.nikula@linux.intel.com>
> Cc: stable <stable@vger.kernel.org> # 3.12+

Acked-by: Lars-Peter Clausen <lars@metafoo.de>

Thanks.

> ---
>   sound/soc/soc-dapm.c | 1 -
>   1 file changed, 1 deletion(-)
>
> diff --git a/sound/soc/soc-dapm.c b/sound/soc/soc-dapm.c
> index c8a780d0d057..7769b0a2bc5a 100644
> --- a/sound/soc/soc-dapm.c
> +++ b/sound/soc/soc-dapm.c
> @@ -254,7 +254,6 @@ static int dapm_kcontrol_data_alloc(struct snd_soc_dapm_widget *widget,
>   static void dapm_kcontrol_free(struct snd_kcontrol *kctl)
>   {
>   	struct dapm_kcontrol_data *data = snd_kcontrol_chip(kctl);
> -	kfree(data->widget);
>   	kfree(data->wlist);
>   	kfree(data);
>   }
>