The PCM runtime was freed during PMU in the case that the event hook encountered an error. However, it is also unconditionally freed during PMD. Avoid a double-free by dropping the call to kfree in the PMU hook.
Fixes: a72706ed8208 ("ASoC: codec2codec: remove ephemeral variables")
Cc: stable@vger.kernel.org
Signed-off-by: Samuel Holland samuel@sholland.org
---
sound/soc/soc-dapm.c | 3 ---
1 file changed, 3 deletions(-)
diff --git a/sound/soc/soc-dapm.c b/sound/soc/soc-dapm.c index b6378f025836..935b5375ecc5 100644 --- a/sound/soc/soc-dapm.c +++ b/sound/soc/soc-dapm.c @@ -3888,9 +3888,6 @@ snd_soc_dai_link_event_pre_pmu(struct snd_soc_dapm_widget *w, runtime->rate = params_rate(params);
out: - if (ret < 0) - kfree(runtime); - kfree(params); return ret; }
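Review bot: With `kfree(runtime)` removed from the `out:` path, a failed PMU now leaves `runtime` allocated and depends entirely on the PMD hook running afterwards to release it, as the commit message describes. That holds only while PMD is still invoked for a widget whose PMU failed; if that ever changes, this error path becomes a leak. Consider stating that dependency in the commit message, or keeping the free here and clearing the pointer that PMD later frees, so that each path is safe on its own.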
On Thu 13 Feb 2020 at 07:11, Samuel Holland samuel@sholland.org wrote:
The PCM runtime was freed during PMU in the case that the event hook encountered an error. However, it is also unconditionally freed during PMD. Avoid a double-free by dropping the call to kfree in the PMU hook.
Oh ... Thanks for finding this.
I thought that a widget which has failed PMU would not go through PMD, but it seems the return value of dapm_seq_check_event is not checked.
This brings another question/problem: A link which has failed in PMU could try in PMD to hw_free/shutdown a dai which has not gone through startup/hw_params, right?
Fixes: a72706ed8208 ("ASoC: codec2codec: remove ephemeral variables")
Cc: stable@vger.kernel.org
Signed-off-by: Samuel Holland samuel@sholland.org
sound/soc/soc-dapm.c | 3 ---
1 file changed, 3 deletions(-)
diff --git a/sound/soc/soc-dapm.c b/sound/soc/soc-dapm.c index b6378f025836..935b5375ecc5 100644 --- a/sound/soc/soc-dapm.c +++ b/sound/soc/soc-dapm.c @@ -3888,9 +3888,6 @@ snd_soc_dai_link_event_pre_pmu(struct snd_soc_dapm_widget *w, runtime->rate = params_rate(params); out:
- if (ret < 0)
kfree(runtime);
- kfree(params); return ret;
}
On Thu 13 Feb 2020 at 12:37, Mark Brown broonie@kernel.org wrote:
On Thu, Feb 13, 2020 at 09:37:18AM +0100, Jerome Brunet wrote:
This brings another question/problem: A link which has failed in PMU could try in PMD to hw_free/shutdown a dai which has not gone through startup/hw_params, right?
I think so, yes.
Maybe this can be solved using the dai active counts which the codec-to-codec event is not updating. I'll try to come up with something.
The patch
ASoC: codec2codec: avoid invalid/double-free of pcm runtime
has been applied to the asoc tree at
https://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound.git for-5.6
All being well this means that it will be integrated into the linux-next tree (usually sometime in the next 24 hours) and sent to Linus during the next merge window (or sooner if it is a bug fix), however if problems are discovered then the patch may be dropped or reverted.
You may get further e-mails resulting from automated or manual testing and review of the tree, please engage with people reporting problems and send followup patches addressing any issues that are reported if needed.
If any updates are required or you are submitting further changes they should be sent as incremental updates against current git, existing patches will not be replaced.
Please add any relevant lists and maintainers to the CCs when replying to this mail.
Thanks, Mark
From b6570fdb96edf45bcf71884bd2644bd73d348d1a Mon Sep 17 00:00:00 2001
From: Samuel Holland samuel@sholland.org
Date: Thu, 13 Feb 2020 00:11:44 -0600
Subject: [PATCH] ASoC: codec2codec: avoid invalid/double-free of pcm runtime
The PCM runtime was freed during PMU in the case that the event hook encountered an error. However, it is also unconditionally freed during PMD. Avoid a double-free by dropping the call to kfree in the PMU hook.
Fixes: a72706ed8208 ("ASoC: codec2codec: remove ephemeral variables")
Cc: stable@vger.kernel.org
Signed-off-by: Samuel Holland samuel@sholland.org
Link: https://lore.kernel.org/r/20200213061147.29386-2-samuel@sholland.org
Signed-off-by: Mark Brown broonie@kernel.org
---
sound/soc/soc-dapm.c | 3 ---
1 file changed, 3 deletions(-)
diff --git a/sound/soc/soc-dapm.c b/sound/soc/soc-dapm.c index bc20ad9abf8b..8b24396675ec 100644 --- a/sound/soc/soc-dapm.c +++ b/sound/soc/soc-dapm.c @@ -3916,9 +3916,6 @@ snd_soc_dai_link_event_pre_pmu(struct snd_soc_dapm_widget *w, runtime->rate = params_rate(params);
out: - if (ret < 0) - kfree(runtime); - kfree(params); return ret; }
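Review bot: Missing documentation at the `out:` label: after this change only `params` is freed there, while `runtime` is deliberately left for the PMD hook to release. A one-line comment saying so would keep a later cleanup from reintroducing `if (ret < 0) kfree(runtime);` and the double-free along with it.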