diff options
| author |   Trevor Wu <trevor.wu@mediatek.com> | 2023-06-01 11:33:18 +0800 |
|---|---|---|
| committer |   Mark Brown <broonie@kernel.org> | 2023-06-01 12:30:36 +0100 |
| commit | dc93f0dcb436dfd24a06c5b3c0f4c5cd9296e8e5 (patch) | |
| tree | e8b82a0502e1222d5775777b820d411be2d6e13b /sound/soc/mediatek/mt8195/mt8195-afe-pcm.c | |
| parent | ASoC: mediatek: mt8188: fix use-after-free in driver remove path (diff) | |
| download | wireguard-linux-dc93f0dcb436dfd24a06c5b3c0f4c5cd9296e8e5.tar.xz wireguard-linux-dc93f0dcb436dfd24a06c5b3c0f4c5cd9296e8e5.zip | |
ASoC: mediatek: mt8195: fix use-after-free in driver remove path
During mt8195_afe_init_clock(), mt8195_audsys_clk_register() was called
followed by several other devm functions. At mt8195_afe_deinit_clock()
located at mt8195_afe_pcm_dev_remove(), mt8195_audsys_clk_unregister()
was called.
However, there was an issue with the order in which these functions were
called. Specifically, the remove callback of platform_driver was called
before devres released the resource, resulting in a use-after-free issue
during remove time.
At probe time, the order of calls was:
1. mt8195_audsys_clk_register
2. afe_priv->clk = devm_kcalloc
3. afe_priv->clk[i] = devm_clk_get
At remove time, the order of calls was:
1. mt8195_audsys_clk_unregister
3. free afe_priv->clk[i]
2. free afe_priv->clk
To resolve the problem, we can utilize devm_add_action_or_reset() in
mt8195_audsys_clk_register() so that the remove order can be changed to
3->2->1.
Fixes: 6746cc858259 ("ASoC: mediatek: mt8195: add platform driver")
Signed-off-by: Trevor Wu <trevor.wu@mediatek.com>
Reviewed-by: Douglas Anderson <dianders@chromium.org>
Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
Link: https://lore.kernel.org/r/20230601033318.10408-3-trevor.wu@mediatek.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Diffstat (limited to 'sound/soc/mediatek/mt8195/mt8195-afe-pcm.c')
| -rw-r--r-- | sound/soc/mediatek/mt8195/mt8195-afe-pcm.c | 4 |
1 files changed, 0 insertions, 4 deletions
diff --git a/sound/soc/mediatek/mt8195/mt8195-afe-pcm.c b/sound/soc/mediatek/mt8195/mt8195-afe-pcm.c index 9e45efeada55..03dabc056b91 100644 --- a/sound/soc/mediatek/mt8195/mt8195-afe-pcm.c +++ b/sound/soc/mediatek/mt8195/mt8195-afe-pcm.c @@ -3255,15 +3255,11 @@ err_pm_put: static void mt8195_afe_pcm_dev_remove(struct platform_device *pdev) { - struct mtk_base_afe *afe = platform_get_drvdata(pdev); - snd_soc_unregister_component(&pdev->dev); pm_runtime_disable(&pdev->dev); if (!pm_runtime_status_suspended(&pdev->dev)) mt8195_afe_runtime_suspend(&pdev->dev); - - mt8195_afe_deinit_clock(afe); } static const struct of_device_id mt8195_afe_pcm_dt_match[] = { |