public inbox for linux-kernel@vger.kernel.org
From: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
To: Nick Desaulniers <ndesaulniers@google.com>, trix@redhat.com
Cc: alsa-devel@alsa-project.org, LKML <linux-kernel@vger.kernel.org>,
	Vinod Koul <vkoul@kernel.org>,
	shreyas.nc@intel.com,
	Nathan Chancellor <natechancellor@gmail.com>,
	yung-chuan.liao@linux.intel.com,
	Sanyog Kale <sanyog.r.kale@intel.com>
Subject: Re: [PATCH] soundwire: fix error handling
Date: Mon, 31 Aug 2020 17:45:47 -0500
Message-ID: <aae0bf86-5900-c437-492f-fbf23d3ff196@linux.intel.com>
In-Reply-To: <CAKwvOd=+X2AakX3kTYCvyug-MK_Y+atDbkDSRxA0pUfOatQ3mA@mail.gmail.com>



On 8/31/20 12:47 PM, Nick Desaulniers wrote:
> On Sat, Aug 29, 2020 at 8:35 AM <trix@redhat.com> wrote:
>>
>> From: Tom Rix <trix@redhat.com>
>>
>> clang static analysis flags this problem
>>
>> stream.c:844:9: warning: Use of memory after
>>    it is freed
>>          kfree(bus->defer_msg.msg->buf);
>>                ^~~~~~~~~~~~~~~~~~~~~~~
>>
>> This happens in an error handler cleaning up memory
>> allocated for elements in a list.
>>
>>          list_for_each_entry(m_rt, &stream->master_list, stream_node) {
>>                  bus = m_rt->bus;
>>
>>                  kfree(bus->defer_msg.msg->buf);
>>                  kfree(bus->defer_msg.msg);
>>          }
>>
>> And is triggered when the call to sdw_bank_switch() fails.
>> There are two problems.
>>
>> First, when sdw_bank_switch() fails, though it frees memory it
>> does not clear bus's reference 'defer_msg.msg' to that memory.
>>
>> The second problem is the freeing of msg->buf. In some cases
>> msg will be NULL, so this will dereference a null pointer.
>> Need to check before freeing.
>>
>> Fixes: 99b8a5d608a6 ("soundwire: Add bank switch routine")
>> Signed-off-by: Tom Rix <trix@redhat.com>
>> ---
>>   drivers/soundwire/stream.c | 8 +++++---
>>   1 file changed, 5 insertions(+), 3 deletions(-)
>>
>> diff --git a/drivers/soundwire/stream.c b/drivers/soundwire/stream.c
>> index 37290a799023..6e36deb505b1 100644
>> --- a/drivers/soundwire/stream.c
>> +++ b/drivers/soundwire/stream.c
>> @@ -717,6 +717,7 @@ static int sdw_bank_switch(struct sdw_bus *bus, int m_rt_count)
>>          kfree(wbuf);
>>   error_1:
>>          kfree(wr_msg);
>> +       bus->defer_msg.msg = NULL;
> 
> This fix looks correct to me because L668 sets `bus->defer_msg.msg =
> wr_msg;`, but on error L719 frees `wr_msg`, so now
> `bus->defer_msg.msg` is a dangling pointer.
> 
>>          return ret;
>>   }
>>
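Review bot: the `bus->defer_msg.msg = NULL;` added under `error_1:` lands after `kfree(wr_msg)` on both failure paths (the `kfree(wbuf)` path falls through to the same label), which is the right ordering for clearing a cached reference, but a short comment at that line noting that do_bank_switch()'s error loop later dereferences `bus->defer_msg.msg` would make clear to the next reader why the pointer must be reset here rather than left to the caller.
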
>> @@ -840,9 +841,10 @@ static int do_bank_switch(struct sdw_stream_runtime *stream)
>>   error:
>>          list_for_each_entry(m_rt, &stream->master_list, stream_node) {
>>                  bus = m_rt->bus;
>> -
>> -               kfree(bus->defer_msg.msg->buf);
>> -               kfree(bus->defer_msg.msg);
>> +               if (bus->defer_msg.msg) {
>> +                       kfree(bus->defer_msg.msg->buf);
>> +                       kfree(bus->defer_msg.msg);
>> +               }
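
Review bot: the loop still leaves `bus->defer_msg.msg` pointing at freed memory after the `kfree()` pair, so the same dangling reference the first hunk removes from sdw_bank_switch() is recreated here for every bus on master_list; add `bus->defer_msg.msg = NULL;` inside the `if` after `kfree(bus->defer_msg.msg);` so that any later pass over the list (sdw_ml_sync_bank_switch() uses the same free pattern) cannot hit it. Minor: since kfree(NULL) is a no-op, only the `->buf` dereference strictly needs the guard, though keeping both frees under one `if` is fine as long as the pointer is cleared afterwards.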
> 
> I'd prefer a conditional check for each, but sdw_ml_sync_bank_switch()
> has this same pattern, so it looks like the lifetime of these two
> match.
> 
> Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>

Also looks good to me.

Reviewed-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
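
The two problems the commit message describes (a cached pointer left dangling after the callee frees it on an error path, and a cleanup loop that dereferences a pointer that was never set because the loop stopped early) are easy to reproduce in user space. The following is an added example written for this page, not code from the patch or from drivers/soundwire/stream.c: the `struct bus`/`struct msg` shapes, the `bank_switch()`/`cleanup()`/`run()` names and the small tracking allocator standing in for kmalloc()/kfree() are assumptions made so the bad accesses can be counted instead of crashing the process.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_LIVE 64
#define NBUS 3

/* Tracking allocator standing in for kmalloc()/kfree() (assumed helper,
 * not kernel code): lets the example detect a free'd or NULL pointer. */
static void *live[MAX_LIVE];

static void *t_alloc(size_t n)
{
	void *p = calloc(1, n);

	for (int i = 0; p && i < MAX_LIVE; i++)
		if (!live[i]) {
			live[i] = p;
			return p;
		}
	free(p);
	return NULL;
}

static bool t_is_live(const void *p)
{
	for (int i = 0; p && i < MAX_LIVE; i++)
		if (live[i] == p)
			return true;
	return false;
}

static void t_free(void *p)
{
	for (int i = 0; p && i < MAX_LIVE; i++)	/* free(NULL) is a no-op, like kfree */
		if (live[i] == p) {
			live[i] = NULL;
			free(p);
			return;
		}
}

static int live_count(void)
{
	int n = 0;

	for (int i = 0; i < MAX_LIVE; i++)
		n += live[i] != NULL;
	return n;
}

struct msg { unsigned char *buf; };
struct bus { struct msg *defer_msg; };	/* like bus->defer_msg.msg */

/* Model of sdw_bank_switch(): the message is cached in the bus before its
 * buffer exists, so a failed buffer allocation frees wr_msg while the bus
 * still points at it. fail_buf forces that failure; fixed applies the
 * patch's one-line fix. */
static int bank_switch(struct bus *bus, bool fail_buf, bool fixed)
{
	struct msg *wr_msg = t_alloc(sizeof(*wr_msg));
	unsigned char *wbuf;

	if (!wr_msg)
		return -1;
	bus->defer_msg = wr_msg;

	wbuf = fail_buf ? NULL : t_alloc(16);
	if (!wbuf)
		goto error_1;
	wr_msg->buf = wbuf;
	return 0;

error_1:
	t_free(wr_msg);
	if (fixed)
		bus->defer_msg = NULL;	/* drop the now-stale reference */
	return -1;
}

/* Model of do_bank_switch()'s error loop. Returns how many times the
 * unfixed loop would touch NULL or freed memory (0 means safe). */
static int cleanup(struct bus *buses, int n, bool fixed)
{
	int bad = 0;

	for (int i = 0; i < n; i++) {
		struct msg *m = buses[i].defer_msg;

		if (fixed) {
			if (m) {
				t_free(m->buf);
				t_free(m);
				buses[i].defer_msg = NULL;
			}
			continue;
		}
		if (!m || !t_is_live(m)) {	/* unfixed: m->buf with no check */
			bad++;
			continue;
		}
		t_free(m->buf);
		t_free(m);
	}
	return bad;
}

/* Bank-switch NBUS buses; the one at fail_idx (none if -1) fails its buffer
 * allocation, then the error loop visits every bus, including those never
 * reached, whose defer_msg is still NULL. */
static int run(int fail_idx, bool fixed)
{
	struct bus buses[NBUS] = { 0 };

	for (int i = 0; i < NBUS; i++)
		if (bank_switch(&buses[i], i == fail_idx, fixed) < 0)
			break;
	return cleanup(buses, NBUS, fixed);
}

int main(void)
{
	printf("unfixed, bus 1 fails: %d bad accesses\n", run(1, false));
	printf("fixed,   bus 1 fails: %d bad accesses\n", run(1, true));
	printf("live allocations left: %d\n", live_count());
	return 0;
}
```

With bus 1 failing, the unfixed loop makes two bad accesses: the use-after-free on bus 1 (the dangling cached pointer) and the NULL dereference on bus 2 (never bank-switched because the loop broke out early). With both changes from the patch applied the count is zero, and `live_count()` confirms the fixed loop frees everything it should.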


Thread overview: 9+ messages
2020-08-29 15:35 [PATCH] soundwire: fix error handling trix
2020-08-31 17:47 ` Nick Desaulniers
2020-08-31 17:48   ` Nick Desaulniers
2020-08-31 18:20     ` Tom Rix
2020-08-31 18:39       ` Nick Desaulniers
2020-08-31 18:57         ` Tom Rix
2020-08-31 22:45   ` Pierre-Louis Bossart [this message]
2020-09-01 11:02 ` Vinod Koul
2020-09-01 17:41   ` Nick Desaulniers
