Date: Wed, 23 Aug 2023 16:15:07 +0200
Message-ID: <87h6ophml0.wl-tiwai@suse.de>
From: Takashi Iwai
To: Takashi Yano
Cc: gregkh@linuxfoundation.org, patches@lists.linux.dev, sashal@kernel.org, stable@vger.kernel.org, tasos@tasossah.com, tiwai@suse.de
Subject: Re: [PATCH 6.1 110/181] ALSA: ymfpci: Create card with device-managed snd_devm_card_new()
In-Reply-To: <20230823135846.1812-1-takashi.yano@nifty.ne.jp>
References: <20230403140418.679274299@linuxfoundation.org> <20230823135846.1812-1-takashi.yano@nifty.ne.jp>
X-Mailing-List: stable@vger.kernel.org

On Wed, 23 Aug 2023 15:58:46 +0200, Takashi Yano wrote:
>
> Dear Linux Kernel Team,
>
> I encountered the problem that I reported to the Debian kernel team:
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1050117
> , where it was suggested that I report this upstream.
>
> After a lot of struggle, I found that this issue occurs after the following
> commit. The problem happens if a YAMAHA YMF7x4 sound card is present AND the
> firmware is missing. Not only the shutdown/reboot problem, but also the page fault,
> whose error log is cited following the commit, occurs in the boot process.
(snip)
> I looked into this problem and found the mechanism of the page fault.
>
> 1) chip->reg_area_virt is mapped in sound/pci/ymfpci/ymfpci_main.c:
>    snd_ymfpci_create() in the initialization process of snd_ymfpci.
> 2) The initialization fails due to a lack of the firmware.
> 3) The allocated resources are released in drivers/base/devres.c:
>    release_nodes().
> 4) In the release process of 3), reg_area_virt is unmapped before calling
>    sound/pci/ymfpci/ymfpci_main.c: snd_ymfpci_free().
> 5) The first register access in sound/pci/ymfpci/ymfpci_main.c:
>    snd_ymfpci_free() causes a page fault because reg_area_virt is
>    already unmapped.
>
> Unfortunately, I am not familiar with the Linux kernel code, so I am not
> sure of the appropriate way the problem should be fixed.

Thanks for the report and the analysis.

Yes, it's the problem of the device release, and this driver was overlooked while it has been fixed in a few others. Below is the fix patch. Let me know if it works for you, then I'll submit it upstream and let the stable branch backport it later.


Takashi

-- 8< --
From: Takashi Iwai
Subject: [PATCH] ALSA: ymfpci: Fix the missing snd_card_free() call at probe error

Like a few other drivers, the YMFPCI driver needs to clean up with an snd_card_free() call at the error path of the probe; otherwise the other devres resources are released before the card, and it results in a UAF. This patch uses the helper for handling the probe error gracefully.

Fixes: f33fc1576757 ("ALSA: ymfpci: Create card with device-managed snd_devm_card_new()")
Cc:
Reported-by: Takashi Yano
Closes: https://lore.kernel.org/r/20230823135846.1812-1-takashi.yano@nifty.ne.jp
Signed-off-by: Takashi Iwai
---
 sound/pci/ymfpci/ymfpci.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/sound/pci/ymfpci/ymfpci.c b/sound/pci/ymfpci/ymfpci.c
index b033bd290940..48444dda44de 100644
--- a/sound/pci/ymfpci/ymfpci.c
+++ b/sound/pci/ymfpci/ymfpci.c
@@ -152,8 +152,8 @@ static inline int snd_ymfpci_create_gameport(struct snd_ymfpci *chip, int dev, i void snd_ymfpci_free_gameport(struct snd_ymfpci *chip) { } #endif /* SUPPORT_JOYSTICK */ -static int snd_card_ymfpci_probe(struct pci_dev *pci, - const struct pci_device_id *pci_id) +static int __snd_card_ymfpci_probe(struct pci_dev *pci, + const struct pci_device_id *pci_id) { static int dev; struct snd_card *card;
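Review bot: the rename in this hunk changes only the signature, so every early `return err;` left in the body of __snd_card_ymfpci_probe() after snd_devm_card_new() is now correct only when the function is reached through the wrapper, and nothing in the code says so; a one-line comment above `+static int __snd_card_ymfpci_probe(struct pci_dev *pci,` stating that it must not be called directly because its error returns rely on snd_card_free_on_error() in the caller would stop a later caller from reintroducing the devres ordering problem the patch fixes.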
@@ -348,6 +348,12 @@ static int snd_card_ymfpci_probe(struct pci_dev *pci, return 0; } +static int snd_card_ymfpci_probe(struct pci_dev *pci, + const struct pci_device_id *pci_id) +{ + return snd_card_free_on_error(&pci->dev, __snd_card_ymfpci_probe(pci, pci_id)); +} + static struct pci_driver ymfpci_driver = { .name = KBUILD_MODNAME, .id_table = snd_ymfpci_ids, -- 2.35.3
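Review bot: the wrapper `return snd_card_free_on_error(&pci->dev, __snd_card_ymfpci_probe(pci, pci_id));` frees the card only when the inner probe returns a nonzero value, so the fix is complete only if every failure after snd_devm_card_new() inside __snd_card_ymfpci_probe(), including the missing-firmware path from the report, propagates as a negative errno rather than being swallowed into a `return 0`; the hunk does not show those paths, so a sentence in the commit message confirming that all of them return an error would make the review self-contained.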
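The five-step mechanism in Takashi Yano's report and the ordering argument in the commit message can be reproduced outside the kernel. The following is an added example written for this page, not code from the kernel, from either Takashi, or from the patch: a user-space C model of devres in which managed resources are released in reverse order of registration (the one devres property relied on here), a card whose free routine touches its register window the way snd_ymfpci_free() does, and a probe that fails after both the card and the mapping have been registered. Every name in it (devres_model, fake_card, probe_inner, card_free_on_error, run_probe, probe_model_faults, probe_model_free_calls) is hypothetical; card and chip state are folded into one object; and the `freed` flag is a modelling shortcut for the real snd_card_free() not running the release a second time, not a claim about how the kernel implements that.

```c
/* Added user-space model, not kernel code; every name here is hypothetical. */
#include <stdio.h>
#include <stdlib.h>

/* One device's devres list: filled during probe, drained when probe fails. */
struct devres_model {
	void (*release[8])(void *data);
	void *data[8];
	int count;
};

/* Card and chip state folded into one object for the model. */
struct fake_card {
	unsigned char *reg_area;   /* stands in for reg_area_virt; NULL once unmapped */
	int freed;                 /* modelling shortcut so the release runs once */
	int free_calls;            /* how many times chip_free() ran */
	int faults;                /* register accesses made after the unmap */
};

static void devres_add(struct devres_model *dr, void (*rel)(void *), void *data)
{
	dr->release[dr->count] = rel;
	dr->data[dr->count++] = data;
}

/* release_nodes() analogue: releases run in reverse registration order. */
static void devres_release_all(struct devres_model *dr)
{
	for (int i = dr->count - 1; i >= 0; i--)
		dr->release[i](dr->data[i]);
}

/* snd_ymfpci_free() analogue: the first register access is the fault site. */
static void chip_free(struct fake_card *card)
{
	card->free_calls++;
	if (card->reg_area)
		card->reg_area[0] = 0;     /* write to a live mapping: harmless */
	else
		card->faults++;            /* the page fault from the report */
}

/* Card release, reached either through devres or through an explicit free. */
static void card_release(void *data)
{
	struct fake_card *card = data;
	if (card->freed)
		return;                    /* already freed by the probe wrapper */
	card->freed = 1;
	chip_free(card);
}

static void reg_area_release(void *data)
{
	struct fake_card *card = data;
	free(card->reg_area);
	card->reg_area = NULL;             /* mapping undone: later access faults */
}

/* Inner probe: card first, then the mapping, then the firmware load fails. */
static int probe_inner(struct devres_model *dr, struct fake_card *card,
		       int firmware_present)
{
	devres_add(dr, card_release, card);    /* snd_devm_card_new() analogue */
	card->reg_area = calloc(4096, 1);      /* devm ioremap analogue */
	devres_add(dr, reg_area_release, card);
	return firmware_present ? 0 : -2;      /* -ENOENT: firmware missing */
}

/* snd_card_free_on_error() analogue: free the card now if the probe failed. */
static int card_free_on_error(struct fake_card *card, int err)
{
	if (err)
		card_release(card);
	return err;
}

/* Probe with the firmware missing; fixed == 0 is the bug, 1 is the patch. */
static struct fake_card run_probe(int fixed)
{
	struct devres_model dr = { .count = 0 };
	struct fake_card card = { 0 };
	int err = probe_inner(&dr, &card, 0);
	if (fixed)
		err = card_free_on_error(&card, err);
	if (err)
		devres_release_all(&dr);       /* driver core tears down on failure */
	return card;
}

/* Faults seen by chip_free() (1 without the fix, 0 with it) and its call count. */
int probe_model_faults(int fixed) { return run_probe(fixed).faults; }
int probe_model_free_calls(int fixed) { return run_probe(fixed).free_calls; }

int main(void)
{
	printf("faults without fix: %d, with fix: %d\n",
	       probe_model_faults(0), probe_model_faults(1));
	return 0;
}
```

probe_model_faults(0) reproduces the report: the devres pass unmaps the register window first, and the card's release then faults on its first register access. probe_model_faults(1) applies the pattern from the patch: the card is freed explicitly while the mapping is still valid, and when devres later reaches the card's entry it finds the release already done, so chip_free() runs exactly once in both cases and nothing is freed twice.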