diff mbox series

soundwire: stream: fix an invalid free

Message ID 20200905192613.420-1-trix@redhat.com
State New
Headers show
Series soundwire: stream: fix an invalid free | expand

Commit Message

Tom Rix Sept. 5, 2020, 7:26 p.m. UTC
From: Tom Rix <trix@redhat.com>

clang static analyzer reports this problem

stream.c:872:2: warning: Argument to kfree() is a constant
  address (18446744073709551092), which is not memory
  allocated by malloc()
        kfree(stream);
        ^~~~~~~~~~~~~

In sdw_shutdown_stream() the stream to free is set by
a call to snd_soc_dai_get_sdw_stream().  The problem block
is the check if the call was successful.

	if (!sdw_stream) {
		dev_err(rtd->dev, "no stream found...
		return;
	}

When snd_soc_dai_get_sdw_stream() fails, it does not
always return null, sometimes it returns -ENOTSUPP.

So also check for error codes.

Fixes: 4550569bd779 ("soundwire: stream: add helper to startup/shutdown streams")
Signed-off-by: Tom Rix <trix@redhat.com>
---
 drivers/soundwire/stream.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Vinod Koul Sept. 7, 2020, 2:14 p.m. UTC | #1
Hello Tom,

On 05-09-20, 12:26, trix@redhat.com wrote:
> From: Tom Rix <trix@redhat.com>
> 
> clang static analyzer reports this problem
> 
> stream.c:872:2: warning: Argument to kfree() is a constant
>   address (18446744073709551092), which is not memory
>   allocated by malloc()
>         kfree(stream);
>         ^~~~~~~~~~~~~
> 
> In sdw_shutdown_stream() the stream to free is set by
> a call to snd_soc_dai_get_sdw_stream().  The problem block
> is the check if the call was successful.
> 
> 	if (!sdw_stream) {
> 		dev_err(rtd->dev, "no stream found...
> 		return;
> 	}
> 
> When snd_soc_dai_get_sdw_stream() fails, it does not
> always return null, sometimes it returns -ENOTSUPP.
> 
> So also check for error codes.
> Fixes: 4550569bd779 ("soundwire: stream: add helper to startup/shutdown streams")
> Signed-off-by: Tom Rix <trix@redhat.com>
> ---
>  drivers/soundwire/stream.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/soundwire/stream.c b/drivers/soundwire/stream.c
> index 6e36deb505b1..950231d593c2 100644
> --- a/drivers/soundwire/stream.c
> +++ b/drivers/soundwire/stream.c
> @@ -1913,7 +1913,7 @@ void sdw_shutdown_stream(void *sdw_substream)
>  
>  	sdw_stream = snd_soc_dai_get_sdw_stream(dai, substream->stream);
>  
> -	if (!sdw_stream) {
> +	if (IS_ERR_OR_NULL(sdw_stream)) {

Thanks for the patch. Please see commit 3471d2a192ba ("soundwire:
stream: fix NULL/IS_ERR confusion") in soundwire-next. This has already
been updated to IS_ERR() and Bard has already sent patches for
snd_soc_dai_get_sdw_stream() to return proper values.

So I you can rerun this on next, you should see this fixed.
Tom Rix Sept. 7, 2020, 2:25 p.m. UTC | #2
On 9/7/20 7:14 AM, Vinod Koul wrote:
> Hello Tom,
>
> On 05-09-20, 12:26, trix@redhat.com wrote:
>> From: Tom Rix <trix@redhat.com>
>>
>> clang static analyzer reports this problem
>>
>> stream.c:872:2: warning: Argument to kfree() is a constant
>>   address (18446744073709551092), which is not memory
>>   allocated by malloc()
>>         kfree(stream);
>>         ^~~~~~~~~~~~~
>>
>> In sdw_shutdown_stream() the stream to free is set by
>> a call to snd_soc_dai_get_sdw_stream().  The problem block
>> is the check if the call was successful.
>>
>> 	if (!sdw_stream) {
>> 		dev_err(rtd->dev, "no stream found...
>> 		return;
>> 	}
>>
>> When snd_soc_dai_get_sdw_stream() fails, it does not
>> always return null, sometimes it returns -ENOTSUPP.
>>
>> So also check for error codes.
>> Fixes: 4550569bd779 ("soundwire: stream: add helper to startup/shutdown streams")
>> Signed-off-by: Tom Rix <trix@redhat.com>
>> ---
>>  drivers/soundwire/stream.c | 2 +-
>>  1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/drivers/soundwire/stream.c b/drivers/soundwire/stream.c
>> index 6e36deb505b1..950231d593c2 100644
>> --- a/drivers/soundwire/stream.c
>> +++ b/drivers/soundwire/stream.c
>> @@ -1913,7 +1913,7 @@ void sdw_shutdown_stream(void *sdw_substream)
>>  
>>  	sdw_stream = snd_soc_dai_get_sdw_stream(dai, substream->stream);
>>  
>> -	if (!sdw_stream) {
>> +	if (IS_ERR_OR_NULL(sdw_stream)) {
> Thanks for the patch. Please see commit 3471d2a192ba ("soundwire:
> stream: fix NULL/IS_ERR confusion") in soundwire-next. This has already
> been updated to IS_ERR() and Bard has already sent patches for
> snd_soc_dai_get_sdw_stream() to return proper values.
>
> So I you can rerun this on next, you should see this fixed.

I am working on linux-next, so I will see Bard's patch when it lands there.

Sorry for not working on soundwire-next, but since i am fixing everywhere linux-next is easiest. 

Thank you for the update.

Tom

>
Vinod Koul Sept. 7, 2020, 4:55 p.m. UTC | #3
On 07-09-20, 07:25, Tom Rix wrote:
> 
> On 9/7/20 7:14 AM, Vinod Koul wrote:
> > Hello Tom,
> >
> > On 05-09-20, 12:26, trix@redhat.com wrote:
> >> From: Tom Rix <trix@redhat.com>
> >>
> >> clang static analyzer reports this problem
> >>
> >> stream.c:872:2: warning: Argument to kfree() is a constant
> >>   address (18446744073709551092), which is not memory
> >>   allocated by malloc()
> >>         kfree(stream);
> >>         ^~~~~~~~~~~~~
> >>
> >> In sdw_shutdown_stream() the stream to free is set by
> >> a call to snd_soc_dai_get_sdw_stream().  The problem block
> >> is the check if the call was successful.
> >>
> >> 	if (!sdw_stream) {
> >> 		dev_err(rtd->dev, "no stream found...
> >> 		return;
> >> 	}
> >>
> >> When snd_soc_dai_get_sdw_stream() fails, it does not
> >> always return null, sometimes it returns -ENOTSUPP.
> >>
> >> So also check for error codes.
> >> Fixes: 4550569bd779 ("soundwire: stream: add helper to startup/shutdown streams")
> >> Signed-off-by: Tom Rix <trix@redhat.com>
> >> ---
> >>  drivers/soundwire/stream.c | 2 +-
> >>  1 file changed, 1 insertion(+), 1 deletion(-)
> >>
> >> diff --git a/drivers/soundwire/stream.c b/drivers/soundwire/stream.c
> >> index 6e36deb505b1..950231d593c2 100644
> >> --- a/drivers/soundwire/stream.c
> >> +++ b/drivers/soundwire/stream.c
> >> @@ -1913,7 +1913,7 @@ void sdw_shutdown_stream(void *sdw_substream)
> >>  
> >>  	sdw_stream = snd_soc_dai_get_sdw_stream(dai, substream->stream);
> >>  
> >> -	if (!sdw_stream) {
> >> +	if (IS_ERR_OR_NULL(sdw_stream)) {
> > Thanks for the patch. Please see commit 3471d2a192ba ("soundwire:
> > stream: fix NULL/IS_ERR confusion") in soundwire-next. This has already
> > been updated to IS_ERR() and Bard has already sent patches for
> > snd_soc_dai_get_sdw_stream() to return proper values.
> >
> > So I you can rerun this on next, you should see this fixed.
> 
> I am working on linux-next, so I will see Bard's patch when it lands there.

It should be already there... And I checked, looks like there was no
linux-next for last few days and it should be back tomorrow so should be
there

> 
> Sorry for not working on soundwire-next, but since i am fixing everywhere linux-next is easiest. 

Agree, timing this time around!
diff mbox series

Patch

diff --git a/drivers/soundwire/stream.c b/drivers/soundwire/stream.c
index 6e36deb505b1..950231d593c2 100644
--- a/drivers/soundwire/stream.c
+++ b/drivers/soundwire/stream.c
@@ -1913,7 +1913,7 @@  void sdw_shutdown_stream(void *sdw_substream)
 
 	sdw_stream = snd_soc_dai_get_sdw_stream(dai, substream->stream);
 
-	if (!sdw_stream) {
+	if (IS_ERR_OR_NULL(sdw_stream)) {
 		dev_err(rtd->dev, "no stream found for DAI %s", dai->name);
 		return;
 	}