From e5092c96c9c28f4d12811edcd02ca8eec16e748e Mon Sep 17 00:00:00 2001 From: Daniel Mack Date: Tue, 7 Oct 2014 13:41:24 +0200 Subject: ASoC: soc-dapm: fix use after free Coverity spotted the following possible use-after-free condition in dapm_create_or_share_mixmux_kcontrol(): If kcontrol is NULL, and (wname_in_long_name && kcname_in_long_name) validates to true, 'name' will be set to an allocated string, and be freed a few lines later via the 'long_name' alias. 'name', however, is used by dev_err() in case snd_ctl_add() fails. Fix this by adding a jump label that frees 'long_name' at the end of the function. Signed-off-by: Daniel Mack Signed-off-by: Mark Brown Cc: stable@vger.kernel.org --- sound/soc/soc-dapm.c | 25 ++++++++++++++----------- 1 file changed, 14 insertions(+), 11 deletions(-) diff --git a/sound/soc/soc-dapm.c b/sound/soc/soc-dapm.c index 2c456a376ade..c61cb9cedbcd 100644 --- a/sound/soc/soc-dapm.c +++ b/sound/soc/soc-dapm.c @@ -592,9 +592,9 @@ static int dapm_create_or_share_mixmux_kcontrol(struct snd_soc_dapm_widget *w, int shared; struct snd_kcontrol *kcontrol; bool wname_in_long_name, kcname_in_long_name; - char *long_name; + char *long_name = NULL; const char *name; - int ret; + int ret = 0; prefix = soc_dapm_prefix(dapm); if (prefix) @@ -653,15 +653,17 @@ static int dapm_create_or_share_mixmux_kcontrol(struct snd_soc_dapm_widget *w, kcontrol = snd_soc_cnew(&w->kcontrol_news[kci], NULL, name, prefix); - kfree(long_name); - if (!kcontrol) - return -ENOMEM; + if (!kcontrol) { + ret = -ENOMEM; + goto exit_free; + } + kcontrol->private_free = dapm_kcontrol_free; ret = dapm_kcontrol_data_alloc(w, kcontrol); if (ret) { snd_ctl_free_one(kcontrol); - return ret; + goto exit_free; } ret = snd_ctl_add(card, kcontrol); @@ -669,17 +671,18 @@ static int dapm_create_or_share_mixmux_kcontrol(struct snd_soc_dapm_widget *w, dev_err(dapm->dev, "ASoC: failed to add widget %s dapm kcontrol %s: %d\n", w->name, name, ret); - return ret; + goto exit_free; } } ret = dapm_kcontrol_add_widget(kcontrol, w); - if (ret) - return ret; + if (ret == 0) + w->kcontrols[kci] = kcontrol; - w->kcontrols[kci] = kcontrol; +exit_free: + kfree(long_name); - return 0; + return ret; } /* create new dapm mixer control */ -- cgit v1.2.3-59-g8ed1b From decc27b01d584c985c231e73d3b493de6ec07af8 Mon Sep 17 00:00:00 2001 From: Daniel Mack Date: Tue, 7 Oct 2014 13:41:23 +0200 Subject: ASoC: core: fix use after free in snd_soc_remove_platform() Coverity spotted an use-after-free condition in snd_soc_remove_platform(). Fix this by moving snd_soc_component_cleanup() after the debug print statement which uses the component's string. Signed-off-by: Daniel Mack Signed-off-by: Mark Brown Cc: stable@vger.kernel.org --- sound/soc/soc-core.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/sound/soc/soc-core.c b/sound/soc/soc-core.c index ae48f1013e80..d877ec57d761 100644 --- a/sound/soc/soc-core.c +++ b/sound/soc/soc-core.c @@ -4315,10 +4315,10 @@ void snd_soc_remove_platform(struct snd_soc_platform *platform) snd_soc_component_del_unlocked(&platform->component); mutex_unlock(&client_mutex); - snd_soc_component_cleanup(&platform->component); - dev_dbg(platform->dev, "ASoC: Unregistered platform '%s'\n", platform->component.name); + + snd_soc_component_cleanup(&platform->component); } EXPORT_SYMBOL_GPL(snd_soc_remove_platform); -- cgit v1.2.3-59-g8ed1b From 77eca3cd461da663945eceddf454466a609d8ca4 Mon Sep 17 00:00:00 2001 From: Daniel Mack Date: Tue, 7 Oct 2014 13:41:25 +0200 Subject: ASoC: 88pm860x-codec: Fix possibly missing string termination Coverity spotted an issue with strncpy() in pm860x_codec_probe() which does not take the \0 termination byte into account. Fix this by making the buffers one byte larger so the can really accommodate MAX_NAME_LEN bytes long strings. Signed-off-by: Daniel Mack Signed-off-by: Mark Brown --- sound/soc/codecs/88pm860x-codec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sound/soc/codecs/88pm860x-codec.c b/sound/soc/codecs/88pm860x-codec.c index 4c3b0af39fd8..e88a6b67f781 100644 --- a/sound/soc/codecs/88pm860x-codec.c +++ b/sound/soc/codecs/88pm860x-codec.c @@ -146,7 +146,7 @@ struct pm860x_priv { struct pm860x_det det; int irq[4]; - unsigned char name[4][MAX_NAME_LEN]; + unsigned char name[4][MAX_NAME_LEN+1]; }; /* -9450dB to 0dB in 150dB steps ( mute instead of -9450dB) */ -- cgit v1.2.3-59-g8ed1b From 5c4c99f32226321e152b1462a1884ff2dfd3b3e2 Mon Sep 17 00:00:00 2001 From: Takashi Iwai Date: Tue, 7 Oct 2014 18:19:54 +0200 Subject: ASoC: imx-es8328: Fix missing return code in imx_es8328_probe() An error code was forgotten to be passed in the error path of imx_es8328_probe(). Signed-off-by: Takashi Iwai Signed-off-by: Mark Brown --- sound/soc/fsl/imx-es8328.c | 1 + 1 file changed, 1 insertion(+) diff --git a/sound/soc/fsl/imx-es8328.c b/sound/soc/fsl/imx-es8328.c index 653e66d150c8..9b8d11d04fbc 100644 --- a/sound/soc/fsl/imx-es8328.c +++ b/sound/soc/fsl/imx-es8328.c @@ -104,6 +104,7 @@ static int imx_es8328_probe(struct platform_device *pdev) if (ext_port > MUX_PORT_MAX || ext_port == 0) { dev_err(dev, "mux-ext-port: hardware only has %d mux ports\n", MUX_PORT_MAX); + ret = -EINVAL; goto fail; } -- cgit v1.2.3-59-g8ed1b From 2dbab9784db1c0de517922d81394d9ff4a33c544 Mon Sep 17 00:00:00 2001 From: Geert Uytterhoeven Date: Tue, 7 Oct 2014 15:09:26 +0200 Subject: ASoC: simple-card: Initialize headphone and mic GPIO numbers The uninitialized default of 0 for gpio_hp_det and gpio_mic_det doesn't play well with asm-generic's gpio_is_valid(): static inline bool gpio_is_valid(int number) { return number >= 0 && number < ARCH_NR_GPIOS; } Hence on r8a7740/armadillo-legacy: sh-mobile-hdmi sh-mobile-hdmi: SH Mobile HDMI Audio Codec sh-mobile-hdmi sh-mobile-hdmi: ASoC: DAPM unknown pin Headphones sh-mobile-hdmi sh-mobile-hdmi: ASoC: DAPM unknown pin Mic Jack After that the kernel log is spammed ca. 7 times per second with: sh-mobile-hdmi sh-mobile-hdmi: ASoC: DAPM unknown pin Headphones Initialize the GPIO numbers with a negative number (-ENOENT) to fix this. Fixes: 3fe240326cc395c6 ("ASoC: simple-card: Add mic and hp detect gpios.") Signed-off-by: Geert Uytterhoeven Signed-off-by: Mark Brown --- sound/soc/generic/simple-card.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/sound/soc/generic/simple-card.c b/sound/soc/generic/simple-card.c index fcb431fe20b4..d1b7293c133e 100644 --- a/sound/soc/generic/simple-card.c +++ b/sound/soc/generic/simple-card.c @@ -501,6 +501,9 @@ static int asoc_simple_card_probe(struct platform_device *pdev) priv->snd_card.dai_link = dai_link; priv->snd_card.num_links = num_links; + priv->gpio_hp_det = -ENOENT; + priv->gpio_mic_det = -ENOENT; + /* Get room for the other properties */ priv->dai_props = devm_kzalloc(dev, sizeof(*priv->dai_props) * num_links, -- cgit v1.2.3-59-g8ed1b From 5e63dfccf34d4dbf21429c4919f33c028ff49991 Mon Sep 17 00:00:00 2001 From: Daniel Mack Date: Tue, 7 Oct 2014 14:33:46 +0200 Subject: ASoC: soc-pcm: fix sig_bits determination in soc_pcm_apply_msb() In the SNDRV_PCM_STREAM_CAPTURE branch in soc_pcm_apply_msb(), look at sig_bits of the capture stream, not the playback one. Spotted by coverity. Signed-off-by: Daniel Mack Signed-off-by: Mark Brown Cc: stable@vger.kernel.org --- sound/soc/soc-pcm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sound/soc/soc-pcm.c b/sound/soc/soc-pcm.c index 731fdb5b5f9b..14a3df1ff1ac 100644 --- a/sound/soc/soc-pcm.c +++ b/sound/soc/soc-pcm.c @@ -352,7 +352,7 @@ static void soc_pcm_apply_msb(struct snd_pcm_substream *substream) } else { for (i = 0; i < rtd->num_codecs; i++) { codec_dai = rtd->codec_dais[i]; - if (codec_dai->driver->playback.sig_bits == 0) { + if (codec_dai->driver->capture.sig_bits == 0) { bits = 0; break; } -- cgit v1.2.3-59-g8ed1b From 960baba41f3cfb0a97bb1f0e720334156b2eff75 Mon Sep 17 00:00:00 2001 From: Takashi Iwai Date: Tue, 7 Oct 2014 18:19:53 +0200 Subject: ASoC: imx-es8328: Fix of_node_put() call with uninitialized object The of_node_put() calls in imx_es8328_probe() may take uninitialized pointers when reached though the early error path. This patch adds the proper NULL initialization for fixing these. Signed-off-by: Takashi Iwai Signed-off-by: Mark Brown --- sound/soc/fsl/imx-es8328.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sound/soc/fsl/imx-es8328.c b/sound/soc/fsl/imx-es8328.c index 653e66d150c8..d6c55c88a069 100644 --- a/sound/soc/fsl/imx-es8328.c +++ b/sound/soc/fsl/imx-es8328.c @@ -78,7 +78,7 @@ static const struct snd_soc_dapm_widget imx_es8328_dapm_widgets[] = { static int imx_es8328_probe(struct platform_device *pdev) { struct device_node *np = pdev->dev.of_node; - struct device_node *ssi_np, *codec_np; + struct device_node *ssi_np = NULL, *codec_np = NULL; struct platform_device *ssi_pdev; struct imx_es8328_data *data; u32 int_port, ext_port; -- cgit v1.2.3-59-g8ed1b From 528a82b41fda78435976c905546c3329c86bb264 Mon Sep 17 00:00:00 2001 From: Sonny Rao Date: Wed, 8 Oct 2014 00:58:51 -0700 Subject: ASoC: rockchip-i2s: fix infinite loop in rockchip_snd_txctrl We can get into an infinite loop if the I2S_CLR register fails to clear due to a missing break statement, so add that. Signed-off-by: Sonny Rao Signed-off-by: Mark Brown --- sound/soc/rockchip/rockchip_i2s.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/sound/soc/rockchip/rockchip_i2s.c b/sound/soc/rockchip/rockchip_i2s.c index 033487c9a164..f373e37f8305 100644 --- a/sound/soc/rockchip/rockchip_i2s.c +++ b/sound/soc/rockchip/rockchip_i2s.c @@ -108,8 +108,10 @@ static void rockchip_snd_txctrl(struct rk_i2s_dev *i2s, int on) while (val) { regmap_read(i2s->regmap, I2S_CLR, &val); retry--; - if (!retry) + if (!retry) { dev_warn(i2s->dev, "fail to clear\n"); + break; + } } } } -- cgit v1.2.3-59-g8ed1b From a66ae631a3cffb00f441b229a07fa1b4c72e738a Mon Sep 17 00:00:00 2001 From: Mark Brown Date: Wed, 8 Oct 2014 15:31:18 +0100 Subject: ASoC: mc13783: Ensure we only try to dereference valid of_nodes Reported-by: Takashi Iwai Signed-off-by: Mark Brown --- sound/soc/codecs/mc13783.c | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) diff --git a/sound/soc/codecs/mc13783.c b/sound/soc/codecs/mc13783.c index 388f90a597fa..71f775aad7c7 100644 --- a/sound/soc/codecs/mc13783.c +++ b/sound/soc/codecs/mc13783.c @@ -765,12 +765,18 @@ static int __init mc13783_codec_probe(struct platform_device *pdev) return -ENOSYS; ret = of_property_read_u32(np, "adc-port", &priv->adc_ssi_port); - if (ret) - goto out; + if (ret) { + of_node_put(np); + return ret; + } ret = of_property_read_u32(np, "dac-port", &priv->dac_ssi_port); - if (ret) - goto out; + if (ret) { + of_node_put(np); + return ret; + } + + of_node_put(np); } dev_set_drvdata(&pdev->dev, priv); @@ -783,8 +789,6 @@ static int __init mc13783_codec_probe(struct platform_device *pdev) ret = snd_soc_register_codec(&pdev->dev, &soc_codec_dev_mc13783, mc13783_dai_async, ARRAY_SIZE(mc13783_dai_async)); -out: - of_node_put(np); return ret; } -- cgit v1.2.3-59-g8ed1b