Add the missing unlock before return from function gbaudio_dapm_free_controls() in the error handling case.
Fixes: 510e340efe0c ("staging: greybus: audio: Add helper APIs for dynamic audio module") Reported-by: Hulk Robot hulkci@huawei.com Signed-off-by: Wang Hai wanghai38@huawei.com --- drivers/staging/greybus/audio_helper.c | 1 + 1 file changed, 1 insertion(+)
diff --git a/drivers/staging/greybus/audio_helper.c b/drivers/staging/greybus/audio_helper.c index 237531ba60f3..293675dbea10 100644 --- a/drivers/staging/greybus/audio_helper.c +++ b/drivers/staging/greybus/audio_helper.c @@ -135,6 +135,7 @@ int gbaudio_dapm_free_controls(struct snd_soc_dapm_context *dapm, if (!w) { dev_err(dapm->dev, "%s: widget not found\n", widget->name); + mutex_unlock(&dapm->card->dapm_mutex); return -EINVAL; } widget++;
On Fri, Dec 04, 2020 at 10:13:50AM +0800, Wang Hai wrote:
Add the missing unlock before return from function gbaudio_dapm_free_controls() in the error handling case.
Fixes: 510e340efe0c ("staging: greybus: audio: Add helper APIs for dynamic audio module") Reported-by: Hulk Robot hulkci@huawei.com Signed-off-by: Wang Hai wanghai38@huawei.com
drivers/staging/greybus/audio_helper.c | 1 + 1 file changed, 1 insertion(+)
diff --git a/drivers/staging/greybus/audio_helper.c b/drivers/staging/greybus/audio_helper.c index 237531ba60f3..293675dbea10 100644 --- a/drivers/staging/greybus/audio_helper.c +++ b/drivers/staging/greybus/audio_helper.c @@ -135,6 +135,7 @@ int gbaudio_dapm_free_controls(struct snd_soc_dapm_context *dapm, if (!w) { dev_err(dapm->dev, "%s: widget not found\n", widget->name);
mutex_unlock(&dapm->card->dapm_mutex); return -EINVAL;
This superficially looks correct, but there seems to be another bug in this function. It can be used free an array of widgets, but if one of them isn't found we just leak the rest. Perhaps that return should rather be "widget++; continue;".
Vaibhav?
Johan
在 2020/12/4 16:40, Johan Hovold 写道:
On Fri, Dec 04, 2020 at 10:13:50AM +0800, Wang Hai wrote:
Add the missing unlock before return from function gbaudio_dapm_free_controls() in the error handling case.
Fixes: 510e340efe0c ("staging: greybus: audio: Add helper APIs for dynamic audio module") Reported-by: Hulk Robot hulkci@huawei.com Signed-off-by: Wang Hai wanghai38@huawei.com
drivers/staging/greybus/audio_helper.c | 1 + 1 file changed, 1 insertion(+)
diff --git a/drivers/staging/greybus/audio_helper.c b/drivers/staging/greybus/audio_helper.c index 237531ba60f3..293675dbea10 100644 --- a/drivers/staging/greybus/audio_helper.c +++ b/drivers/staging/greybus/audio_helper.c @@ -135,6 +135,7 @@ int gbaudio_dapm_free_controls(struct snd_soc_dapm_context *dapm, if (!w) { dev_err(dapm->dev, "%s: widget not found\n", widget->name);
mutex_unlock(&dapm->card->dapm_mutex); return -EINVAL;This superficially looks correct, but there seems to be another bug in this function. It can be used free an array of widgets, but if one of them isn't found we just leak the rest. Perhaps that return should rather be "widget++; continue;".
I think this is a good idea, should I send a v2 patch?
On Fri, Dec 04, 2020 at 05:19:25PM +0800, wanghai (M) wrote:
在 2020/12/4 16:40, Johan Hovold 写道:
On Fri, Dec 04, 2020 at 10:13:50AM +0800, Wang Hai wrote:
Add the missing unlock before return from function gbaudio_dapm_free_controls() in the error handling case.
Fixes: 510e340efe0c ("staging: greybus: audio: Add helper APIs for dynamic audio module") Reported-by: Hulk Robot hulkci@huawei.com Signed-off-by: Wang Hai wanghai38@huawei.com
drivers/staging/greybus/audio_helper.c | 1 + 1 file changed, 1 insertion(+)
diff --git a/drivers/staging/greybus/audio_helper.c b/drivers/staging/greybus/audio_helper.c index 237531ba60f3..293675dbea10 100644 --- a/drivers/staging/greybus/audio_helper.c +++ b/drivers/staging/greybus/audio_helper.c @@ -135,6 +135,7 @@ int gbaudio_dapm_free_controls(struct snd_soc_dapm_context *dapm, if (!w) { dev_err(dapm->dev, "%s: widget not found\n", widget->name);
mutex_unlock(&dapm->card->dapm_mutex); return -EINVAL;This superficially looks correct, but there seems to be another bug in this function. It can be used free an array of widgets, but if one of them isn't found we just leak the rest. Perhaps that return should rather be "widget++; continue;".
I think this is a good idea, should I send a v2 patch?
Let's just wait a bit and see what Vaibhav or Mark says first.
Johan
On Fri, Dec 4, 2020 at 2:10 PM Johan Hovold johan@kernel.org wrote:
On Fri, Dec 04, 2020 at 10:13:50AM +0800, Wang Hai wrote:
Add the missing unlock before return from function gbaudio_dapm_free_controls() in the error handling case.
Fixes: 510e340efe0c ("staging: greybus: audio: Add helper APIs for dynamic audio module") Reported-by: Hulk Robot hulkci@huawei.com Signed-off-by: Wang Hai wanghai38@huawei.com
drivers/staging/greybus/audio_helper.c | 1 + 1 file changed, 1 insertion(+)
diff --git a/drivers/staging/greybus/audio_helper.c b/drivers/staging/greybus/audio_helper.c index 237531ba60f3..293675dbea10 100644 --- a/drivers/staging/greybus/audio_helper.c +++ b/drivers/staging/greybus/audio_helper.c @@ -135,6 +135,7 @@ int gbaudio_dapm_free_controls(struct snd_soc_dapm_context *dapm, if (!w) { dev_err(dapm->dev, "%s: widget not found\n", widget->name);
mutex_unlock(&dapm->card->dapm_mutex); return -EINVAL; } widget++;This superficially looks correct, but there seems to be another bug in this function. It can be used free an array of widgets, but if one of them isn't found we just leak the rest. Perhaps that return should rather be "widget++; continue;".
Vaibhav?
Thanks Wang for sharing the patch. As already pointed by Johan, this function indeed has another bug as well. Pls feel free to share the patch as suggested above.
-- vaibhav
Johan
在 2020/12/5 2:02, Vaibhav Agarwal 写道:
On Fri, Dec 4, 2020 at 2:10 PM Johan Hovold johan@kernel.org wrote:
On Fri, Dec 04, 2020 at 10:13:50AM +0800, Wang Hai wrote:
Add the missing unlock before return from function gbaudio_dapm_free_controls() in the error handling case.
Fixes: 510e340efe0c ("staging: greybus: audio: Add helper APIs for dynamic audio module") Reported-by: Hulk Robot hulkci@huawei.com Signed-off-by: Wang Hai wanghai38@huawei.com
drivers/staging/greybus/audio_helper.c | 1 + 1 file changed, 1 insertion(+)
diff --git a/drivers/staging/greybus/audio_helper.c b/drivers/staging/greybus/audio_helper.c index 237531ba60f3..293675dbea10 100644 --- a/drivers/staging/greybus/audio_helper.c +++ b/drivers/staging/greybus/audio_helper.c @@ -135,6 +135,7 @@ int gbaudio_dapm_free_controls(struct snd_soc_dapm_context *dapm, if (!w) { dev_err(dapm->dev, "%s: widget not found\n", widget->name);
mutex_unlock(&dapm->card->dapm_mutex); return -EINVAL; } widget++;This superficially looks correct, but there seems to be another bug in this function. It can be used free an array of widgets, but if one of them isn't found we just leak the rest. Perhaps that return should rather be "widget++; continue;".
Vaibhav?
Thanks Wang for sharing the patch. As already pointed by Johan, this function indeed has another bug as well. Pls feel free to share the patch as suggested above.
I just sent another patch
"[PATCH] staging: greybus: audio: Fix possible leak free widgets in gbaudio_dapm_free_controls"
Johan .
-
Johan Hovold -
Vaibhav Agarwal -
Wang Hai -
wanghai (M)