[PATCH 3.12 139/182] ASoC: dapm: Fix widget double free with auto-disable DAPM kcontrol

From: Jiri Slaby
Date: Tue May 13 2014 - 05:33:57 EST

Next message: Jiri Slaby: "[PATCH 3.12 112/182] ocfs2: do not put bh when buffer_uptodate failed"
Previous message: Jiri Slaby: "[PATCH 3.12 173/182] dm: take care to copy the space map roots before locking the superblock"
In reply to: Jiri Slaby: "[PATCH 3.12 173/182] dm: take care to copy the space map roots before locking the superblock"
Next in thread: Jiri Slaby: "[PATCH 3.12 112/182] ocfs2: do not put bh when buffer_uptodate failed"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Jarkko Nikula <jarkko.nikula@xxxxxxxxxxxxxxx>

3.12-stable review patch. If anyone has any objections, please let me know.

===============

commit 2697e4fb9209dfe1d1b24c92d254158f63d4bc8e upstream.

Commit 9e1fda4ae158 ("ASoC: dapm: Implement mixer input auto-disable")
is trying to free the widget it allocated by snd_soc_dapm_new_control()
call in dapm_kcontrol_data_alloc() by adding kfree(data->widget) to
dapm_kcontrol_free().

This is causing a widget double free with auto-disabled DAPM kcontrols
in sound card unregistration because widgets are already freed before
dapm_kcontrol_free() is called.

Reason for that is all widgets are added into dapm->card->widgets list
in snd_soc_dapm_new_control() and freed in dapm_free_widgets() during
execution of snd_soc_dapm_free().

Now snd_soc_dapm_free() calls for different DAPM contexts happens before
snd_card_free() call from where the call chain to dapm_kcontrol_free()
begins:

soc_cleanup_card_resources()
soc_remove_dai_links()
soc_remove_link_dais()
snd_soc_dapm_free(&cpu_dai->dapm)
soc_remove_link_components()
soc_remove_platform()
snd_soc_dapm_free(&platform->dapm)
soc_remove_codec()
snd_soc_dapm_free(&codec->dapm)
snd_soc_dapm_free(&card->dapm)
snd_card_free()
snd_card_do_free()
snd_device_free_all()
snd_device_free()
snd_ctl_dev_free()
snd_ctl_remove()
snd_ctl_free_one()
dapm_kcontrol_free()

This wasn't making harm with ordinary DAPM kcontrols since data->widget is NULL for
them.

Fixes: 9e1fda4ae158 (ASoC: dapm: Implement mixer input auto-disable)
Signed-off-by: Jarkko Nikula <jarkko.nikula@xxxxxxxxxxxxxxx>
Acked-by: Lars-Peter Clausen <lars@xxxxxxxxxx>
Signed-off-by: Mark Brown <broonie@xxxxxxxxxx>
Signed-off-by: Jiri Slaby <jslaby@xxxxxxx>
---
sound/soc/soc-dapm.c | 1 -
1 file changed, 1 deletion(-)

diff --git a/sound/soc/soc-dapm.c b/sound/soc/soc-dapm.c
index b2949aed1ac2..4136cc25154e 100644
--- a/sound/soc/soc-dapm.c
+++ b/sound/soc/soc-dapm.c
@@ -251,7 +251,6 @@ static int dapm_kcontrol_data_alloc(struct snd_soc_dapm_widget *widget,
static void dapm_kcontrol_free(struct snd_kcontrol *kctl)
{
struct dapm_kcontrol_data *data = snd_kcontrol_chip(kctl);
- kfree(data->widget);
kfree(data->wlist);
kfree(data);
}
--
1.9.3

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Jiri Slaby: "[PATCH 3.12 112/182] ocfs2: do not put bh when buffer_uptodate failed"
Previous message: Jiri Slaby: "[PATCH 3.12 173/182] dm: take care to copy the space map roots before locking the superblock"
In reply to: Jiri Slaby: "[PATCH 3.12 173/182] dm: take care to copy the space map roots before locking the superblock"
Next in thread: Jiri Slaby: "[PATCH 3.12 112/182] ocfs2: do not put bh when buffer_uptodate failed"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]