Re: [PATCH] ASoC: topology: Avoid card NULL deref in snd_soc_tplg_component_remove()

From: Amadeusz Sławiński
Date: Tue Jun 07 2022 - 03:41:14 EST

Next message: Conor Dooley: "[PATCH 1/2] spi: add support for microchip fpga spi controllers"
Previous message: Conor Dooley: "[PATCH 2/2] MAINTAINERS: add spi to PolarFire SoC entry"
In reply to: Dean Gehnert: "[PATCH] ASoC: topology: Avoid card NULL deref in snd_soc_tplg_component_remove()"
Next in thread: Dean Gehnert: "Re: [PATCH] ASoC: topology: Avoid card NULL deref in snd_soc_tplg_component_remove()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 6/3/2022 10:14 PM, Dean Gehnert wrote:

Don't deference card in comp->card->snd_card before checking for NULL card.

During the unloading of ASoC kernel modules, there is a kernel oops in
snd_soc_tplg_component_remove() that happens because comp->card is set to
NULL in soc_cleanup_component().

Cc: Liam Girdwood <lgirdwood@xxxxxxxxx>
Cc: Mark Brown <broonie@xxxxxxxxxx>
Cc: Jaroslav Kysela <perex@xxxxxxxx>
Cc: Takashi Iwai <tiwai@xxxxxxxx>
Cc: alsa-devel@xxxxxxxxxxxxxxxx
Cc: linux-kernel@xxxxxxxxxxxxxxx
Cc: stable@xxxxxxxxxxxxxxx
Fixes: 7e567b5ae063 ("ASoC: topology: Add missing rwsem around snd_ctl_remove() calls")
Signed-off-by: Dean Gehnert <deang@xxxxxxx>
---
sound/soc/soc-topology.c | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/sound/soc/soc-topology.c b/sound/soc/soc-topology.c
index 3f9d314fba16..cf0efe1147c2 100644
--- a/sound/soc/soc-topology.c
+++ b/sound/soc/soc-topology.c
@@ -2613,15 +2613,18 @@ EXPORT_SYMBOL_GPL(snd_soc_tplg_component_load);
/* remove dynamic controls from the component driver */
int snd_soc_tplg_component_remove(struct snd_soc_component *comp)
{
- struct snd_card *card = comp->card->snd_card;
+ struct snd_card *card;
struct snd_soc_dobj *dobj, *next_dobj;
int pass;
/* process the header types from end to start */
for (pass = SOC_TPLG_PASS_END; pass >= SOC_TPLG_PASS_START; pass--) {
+ card = (comp->card) ? comp->card->snd_card : NULL;
+
/* remove mixer controls */
- down_write(&card->controls_rwsem);
+ if (card)
+ down_write(&card->controls_rwsem);
list_for_each_entry_safe(dobj, next_dobj, &comp->dobj_list,
list) {

I'm pretty sure that quite a lot of operations in this list_for_each_entry_safe() loop require existing card...

And trying to investigate more closely, there is no soc_cleanup_component() mentioned in commit message, for quite a few kernel versions - seems to have been removed during v5.5-rc1.

I would say to not merge this, unless problem can be reproduced with latest kernel and even then would consider if it is a correct fix.

@@ -2660,7 +2663,8 @@ int snd_soc_tplg_component_remove(struct snd_soc_component *comp)
break;
}
}
- up_write(&card->controls_rwsem);
+ if (card)
+ up_write(&card->controls_rwsem);
}
/* let caller know if FW can be freed when no objects are left */

Next message: Conor Dooley: "[PATCH 1/2] spi: add support for microchip fpga spi controllers"
Previous message: Conor Dooley: "[PATCH 2/2] MAINTAINERS: add spi to PolarFire SoC entry"
In reply to: Dean Gehnert: "[PATCH] ASoC: topology: Avoid card NULL deref in snd_soc_tplg_component_remove()"
Next in thread: Dean Gehnert: "Re: [PATCH] ASoC: topology: Avoid card NULL deref in snd_soc_tplg_component_remove()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]