Re: [PATCH] soundwire: fix error handling

From: Vinod Koul
Date: Tue Sep 01 2020 - 07:13:05 EST

Next message: Vinod Koul: "[PATCH v2] regmap: soundwire: remove unused header mod_devicetable.h"
Previous message: Mark Brown: "Re: [PATCH 06/10] dt-bindings: sound: samsung-i2s: Use unevaluatedProperties"
Next in thread: Nick Desaulniers: "Re: [PATCH] soundwire: fix error handling"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hello Tom,

On 29-08-20, 08:35, trix@xxxxxxxxxx wrote:
> From: Tom Rix <trix@xxxxxxxxxx>
>
> clang static analysis flags this problem
>
> stream.c:844:9: warning: Use of memory after
> it is freed
> kfree(bus->defer_msg.msg->buf);
> ^~~~~~~~~~~~~~~~~~~~~~~
>
> This happens in an error handler cleaning up memory
> allocated for elements in a list.
>
> list_for_each_entry(m_rt, &stream->master_list, stream_node) {
> bus = m_rt->bus;
>
> kfree(bus->defer_msg.msg->buf);
> kfree(bus->defer_msg.msg);
> }
>
> And is triggered when the call to sdw_bank_switch() fails.
> There are a two problems.
>
> First, when sdw_bank_switch() fails, though it frees memory it
> does not clear bus's reference 'defer_msg.msg' to that memory.
>
> The second problem is the freeing msg->buf. In some cases
> msg will be NULL so this will dereference a null pointer.
> Need to check before freeing.

The change looks good to me, but the title of patch should be revised.

The patch subject should describe the patch, in this case is setting
pointer to null on cleanup, so an appropriate subject may be"
"[PATCH]: soundwire: set defer_msg to null".

Please revise subject line and update including the ack/reviews
received

Thanks
>
> Fixes: 99b8a5d608a6 ("soundwire: Add bank switch routine")
> Signed-off-by: Tom Rix <trix@xxxxxxxxxx>
> ---
> drivers/soundwire/stream.c | 8 +++++---
> 1 file changed, 5 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/soundwire/stream.c b/drivers/soundwire/stream.c
> index 37290a799023..6e36deb505b1 100644
> --- a/drivers/soundwire/stream.c
> +++ b/drivers/soundwire/stream.c
> @@ -717,6 +717,7 @@ static int sdw_bank_switch(struct sdw_bus *bus, int m_rt_count)
> kfree(wbuf);
> error_1:
> kfree(wr_msg);
> + bus->defer_msg.msg = NULL;
> return ret;
> }
>
> @@ -840,9 +841,10 @@ static int do_bank_switch(struct sdw_stream_runtime *stream)
> error:
> list_for_each_entry(m_rt, &stream->master_list, stream_node) {
> bus = m_rt->bus;
> -
> - kfree(bus->defer_msg.msg->buf);
> - kfree(bus->defer_msg.msg);
> + if (bus->defer_msg.msg) {
> + kfree(bus->defer_msg.msg->buf);
> + kfree(bus->defer_msg.msg);
> + }
> }
>
> msg_unlock:
> --
> 2.18.1

--
~Vinod

Next message: Vinod Koul: "[PATCH v2] regmap: soundwire: remove unused header mod_devicetable.h"
Previous message: Mark Brown: "Re: [PATCH 06/10] dt-bindings: sound: samsung-i2s: Use unevaluatedProperties"
Next in thread: Nick Desaulniers: "Re: [PATCH] soundwire: fix error handling"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]