From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <alsa-devel-bounces@alsa-project.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from alsa0.perex.cz (alsa0.perex.cz [77.48.224.243])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.lore.kernel.org (Postfix) with ESMTPS id F3011C433F5
	for <alsa-devel@archiver.kernel.org>; Tue, 12 Apr 2022 12:24:56 +0000 (UTC)
Received: from alsa1.perex.cz (alsa1.perex.cz [207.180.221.201])
	(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by alsa0.perex.cz (Postfix) with ESMTPS id 8340118C2;
	Tue, 12 Apr 2022 14:24:04 +0200 (CEST)
DKIM-Filter: OpenDKIM Filter v2.11.0 alsa0.perex.cz 8340118C2
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=alsa-project.org;
	s=default; t=1649766294;
	bh=lXxEtT9MbnVIe1eajfGqyasG5kUd2IvmHjhm1sSbGoQ=;
	h=Date:From:To:Subject:In-Reply-To:References:Cc:List-Id:
	 List-Unsubscribe:List-Archive:List-Post:List-Help:List-Subscribe:
	 From;
	b=g57aLvZgxC++7eYqrNJtgObKJlcTVBRu0VJbFa4CkhDFOPrEFi4/0Tf2wTtOIA+9b
	 yE+q/4PM2Rrav53xt/nKSV8rVZb+SDFXE4pefsTHD+NuPKdn5OSj8HtabVdbIpi4/c
	 1n+AkTFQ0GN5sF8Mur6kVXnuCxBQkAwzbE9R1sNk=
Received: from alsa1.perex.cz (localhost.localdomain [127.0.0.1])
	by alsa1.perex.cz (Postfix) with ESMTP id 133BEF80134;
	Tue, 12 Apr 2022 14:24:04 +0200 (CEST)
Received: by alsa1.perex.cz (Postfix, from userid 50401)
 id CA230F80134; Tue, 12 Apr 2022 14:24:02 +0200 (CEST)
Received: from smtp-out1.suse.de (smtp-out1.suse.de [195.135.220.28])
 (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
 (No client certificate requested)
 by alsa1.perex.cz (Postfix) with ESMTPS id 13804F8011C
 for <alsa-devel@alsa-project.org>; Tue, 12 Apr 2022 14:23:55 +0200 (CEST)
DKIM-Filter: OpenDKIM Filter v2.11.0 alsa1.perex.cz 13804F8011C
Authentication-Results: alsa1.perex.cz;
 dkim=pass (1024-bit key) header.d=suse.de header.i=@suse.de
 header.b="h4/RS/2i"; 
 dkim=permerror (0-bit key) header.d=suse.de header.i=@suse.de
 header.b="FavSTvcO"
Received: from relay2.suse.de (relay2.suse.de [149.44.160.134])
 by smtp-out1.suse.de (Postfix) with ESMTP id 8092321607;
 Tue, 12 Apr 2022 12:23:55 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.de; s=susede2_rsa;
 t=1649766235; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc:
 mime-version:mime-version:content-type:content-type:
 in-reply-to:in-reply-to:references:references;
 bh=pBXHI+1R1F5JwOGKGN5rrz5OFKaglVHeeuRdmzPM3kA=;
 b=h4/RS/2iOQWmoyT3SDHmzOqh/4qWz6VFRGBmdNu7ruUc72CQCWzxwv59tAk4069TArF0Fg
 rvyGRlgv806x61+G8hI9QFp60bnd9+TJt1vwzkXdvfeqHh/JDJy97dgqXGtoZ//PGVrX2o
 t+Ya6bLMd6a99ktbrt88kZHUXIzITNE=
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=suse.de;
 s=susede2_ed25519; t=1649766235;
 h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc:
 mime-version:mime-version:content-type:content-type:
 in-reply-to:in-reply-to:references:references;
 bh=pBXHI+1R1F5JwOGKGN5rrz5OFKaglVHeeuRdmzPM3kA=;
 b=FavSTvcOo4343O1e+Kby1QMFsZg7prKD/aKB3/zDPRf7hI680ZpGTbj5HhJQ0Dh00kCp4h
 2mE37/Ofv5y1PMAQ==
Received: from alsa1.suse.de (alsa1.suse.de [10.160.4.42])
 by relay2.suse.de (Postfix) with ESMTP id 6AE68A3B88;
 Tue, 12 Apr 2022 12:23:55 +0000 (UTC)
Date: Tue, 12 Apr 2022 14:23:55 +0200
Message-ID: <s5hilrea3s4.wl-tiwai@suse.de>
From: Takashi Iwai <tiwai@suse.de>
To: Takashi Sakamoto <o-takashi@sakamocchi.jp>
Subject: Re: [PATCH 1/2] ALSA: core: Add snd_card_free_on_error() helper
In-Reply-To: <YlVY08C4/maO5s93@workstation>
References: <20220412093141.8008-1-tiwai@suse.de>
 <20220412093141.8008-2-tiwai@suse.de>
 <YlVY08C4/maO5s93@workstation>
User-Agent: Wanderlust/2.15.9 (Almost Unreal) SEMI/1.14.6 (Maruoka)
 FLIM/1.14.9 (=?UTF-8?B?R29qxY0=?=) APEL/10.8 Emacs/25.3
 (x86_64-suse-linux-gnu) MULE/6.0 (HANACHIRUSATO)
MIME-Version: 1.0 (generated by SEMI 1.14.6 - "Maruoka")
Content-Type: text/plain; charset=US-ASCII
Cc: alsa-devel@alsa-project.org, Zheyu Ma <zheyuma97@gmail.com>
X-BeenThere: alsa-devel@alsa-project.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Alsa-devel mailing list for ALSA developers -
 http://www.alsa-project.org" <alsa-devel.alsa-project.org>
List-Unsubscribe: <https://mailman.alsa-project.org/mailman/options/alsa-devel>, 
 <mailto:alsa-devel-request@alsa-project.org?subject=unsubscribe>
List-Archive: <http://mailman.alsa-project.org/pipermail/alsa-devel/>
List-Post: <mailto:alsa-devel@alsa-project.org>
List-Help: <mailto:alsa-devel-request@alsa-project.org?subject=help>
List-Subscribe: <https://mailman.alsa-project.org/mailman/listinfo/alsa-devel>, 
 <mailto:alsa-devel-request@alsa-project.org?subject=subscribe>
Errors-To: alsa-devel-bounces@alsa-project.org
Sender: "Alsa-devel" <alsa-devel-bounces@alsa-project.org>

On Tue, 12 Apr 2022 12:47:47 +0200,
Takashi Sakamoto wrote:
> 
> Hi,
> 
> On Tue, Apr 12, 2022 at 11:31:40AM +0200, Takashi Iwai wrote:
> > This is a small helper function to handle the error path more easily
> > when an error happens during the probe for the device with the
> > device-managed card.  Since devres releases in the reverser order of
> > the creations, usually snd_card_free() gets called at the last in the
> > probe error path unless it already reached snd_card_register() calls.
> > Due to this nature, when a driver expects the resource releases in
> > card->private_free, this might be called too lately.
> > 
> > As a workaround, one should call the probe like:
> > 
> >  static int __some_probe(...) { // do real probe.... }
> > 
> >  static int some_probe(...)
> >  {
> > 	return snd_card_free_on_error(dev, __some_probe(dev, ...));
> >  }
> > 
> > so that the snd_card_free() is called explicitly at the beginning of
> > the error path from the probe.
> > 
> > This function will be used in the upcoming fixes to address the
> > regressions by devres usages.
> > 
> > Fixes: e8ad415b7a55 ("ALSA: core: Add managed card creation")
> > Cc: <stable@vger.kernel.org>
> > Signed-off-by: Takashi Iwai <tiwai@suse.de>
> > ---
> >  include/sound/core.h |  1 +
> >  sound/core/init.c    | 28 ++++++++++++++++++++++++++++
> >  2 files changed, 29 insertions(+)
> > 
> > diff --git a/include/sound/core.h b/include/sound/core.h
> > index b7e9b58d3c78..6d4cc49584c6 100644
> > --- a/include/sound/core.h
> > +++ b/include/sound/core.h
> > @@ -284,6 +284,7 @@ int snd_card_disconnect(struct snd_card *card);
> >  void snd_card_disconnect_sync(struct snd_card *card);
> >  int snd_card_free(struct snd_card *card);
> >  int snd_card_free_when_closed(struct snd_card *card);
> > +int snd_card_free_on_error(struct device *dev, int ret);
> >  void snd_card_set_id(struct snd_card *card, const char *id);
> >  int snd_card_register(struct snd_card *card);
> >  int snd_card_info_init(void);
> > diff --git a/sound/core/init.c b/sound/core/init.c
> > index 31ba7024e3ad..726a8353201f 100644
> > --- a/sound/core/init.c
> > +++ b/sound/core/init.c
> > @@ -209,6 +209,12 @@ static void __snd_card_release(struct device *dev, void *data)
> >   * snd_card_register(), the very first devres action to call snd_card_free()
> >   * is added automatically.  In that way, the resource disconnection is assured
> >   * at first, then released in the expected order.
> > + *
> > + * If an error happens at the probe before snd_card_register() is called and
> > + * there have been other devres resources, you'd need to free the card manually
> > + * via snd_card_free() call in the error; otherwise it may lead to UAF due to
> > + * devres call orders.  You can use snd_card_free_on_error() helper for
> > + * handling it more easily.
> >   */
> >  int snd_devm_card_new(struct device *parent, int idx, const char *xid,
> >  		      struct module *module, size_t extra_size,
> > @@ -235,6 +241,28 @@ int snd_devm_card_new(struct device *parent, int idx, const char *xid,
> >  }
> >  EXPORT_SYMBOL_GPL(snd_devm_card_new);
> >  
> > +/**
> > + * snd_card_free_on_error - a small helper for handling devm probe errors
> > + * @dev: the managed device object
> > + * @ret: the return code from the probe callback
> > + *
> > + * This function handles the explicit snd_card_free() call at the error from
> > + * the probe callback.  It's just a small helper for simplifying the error
> > + * handling with the managed devices.
> > + */
> > +int snd_card_free_on_error(struct device *dev, int ret)
> > +{
> > +	struct snd_card *card;
> > +
> > +	if (!ret)
> > +		return 0;
> > +	card = devres_find(dev, __snd_card_release, NULL, NULL);
> > +	if (card)
> > +		snd_card_free(card);
> > +	return ret;
> > +}
> > +EXPORT_SYMBOL_GPL(snd_card_free_on_error);
> > +
> >  static int snd_card_init(struct snd_card *card, struct device *parent,
> >  			 int idx, const char *xid, struct module *module,
> >  			 size_t extra_size)
> > -- 
> > 2.31.1
> 
> The idea looks good itself to me. On the other hand, the name
> 'snd_card_free_on_error()' is not so suitable since it assumes that
> 'snd_devm_card_new()' is called in advance, while we have another function,
> 'snd_card_new()'.
> 
> I think it better to use 'snd_devm_card_free_on_error()' instead since
> the function doesn't work as expected in the case of 'snd_card_new()'
> (the snd_card_free() is not called because nothing found in devres).

Yeah, that came to my mind in the first implementations, too, but it
looked too long to me, so I took this term in the submitted version :)

In theory, we can extend it to retrieve the card from the device data,
too, but I don't think worth for it.


thanks,

Takashi