From 7b2050ceb62d8d6c64cca04cf88ec8f862a1d343 Mon Sep 17 00:00:00 2001
From: Meng Wang
Date: Wed, 27 Jul 2016 14:41:21 +0800
Subject: [PATCH 1/4] ASoC: wcd: set pointer to null after kfree

In codec drivers, some pointers are not set as NULL after the memory is freed, which will leave many dangling pointers. Set them to NULL explicitly to avoid potential risk.

CRs-Fixed: 997062
Change-Id: I1fde78158af71d57c958ac9f5668d4b65c9a7a3f
Signed-off-by: Meng Wang
---
 sound/soc/codecs/wcd9330.c | 8 ++++++++
 sound/soc/codecs/wcd9335.c | 8 ++++++++
 sound/soc/codecs/wcd934x/wcd934x.c | 4 ++++
 3 files changed, 20 insertions(+)

diff --git a/sound/soc/codecs/wcd9330.c b/sound/soc/codecs/wcd9330.c
index 16a23aa9770c..a8d6e0fa4732 100644
--- a/sound/soc/codecs/wcd9330.c
+++ b/sound/soc/codecs/wcd9330.c
@@ -8956,8 +8956,11 @@ static int tomtom_codec_probe(struct snd_soc_codec *codec)
 err_pdata:
 kfree(ptr);
+ control->rx_chs = NULL;
+ control->tx_chs = NULL;
 err_hwdep:
 kfree(tomtom->fw_data);
+ tomtom->fw_data = NULL;
 err_nomem_slimch:
 devm_kfree(codec->dev, tomtom);
 return ret;
@@ -8965,12 +8968,17 @@ err_nomem_slimch:
 static int tomtom_codec_remove(struct snd_soc_codec *codec)
 {
 struct tomtom_priv *tomtom = snd_soc_codec_get_drvdata(codec);
+ struct wcd9xxx *control;
 WCD9XXX_BG_CLK_LOCK(&tomtom->resmgr);
 atomic_set(&kp_tomtom_priv, 0);
 WCD9XXX_BG_CLK_UNLOCK(&tomtom->resmgr);
+ control = dev_get_drvdata(codec->dev->parent);
+ control->rx_chs = NULL;
+ control->tx_chs = NULL;
+
 if (tomtom->wcd_ext_clk)
 clk_put(tomtom->wcd_ext_clk);
 tomtom_cleanup_irqs(tomtom);
diff --git a/sound/soc/codecs/wcd9335.c b/sound/soc/codecs/wcd9335.c
index f24feeb18b51..202a5e437732 100644
--- a/sound/soc/codecs/wcd9335.c
+++ b/sound/soc/codecs/wcd9335.c
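Review bot: In the error path of tomtom_codec_probe (wcd9330.c), the added `tomtom->fw_data = NULL;` under err_hwdep is a dead store, because the err_nomem_slimch label that follows releases `tomtom` itself with `devm_kfree(codec->dev, tomtom)`. The reference that can dangle after this path is whatever still points at `tomtom`, and the hunk does not show that being cleared; if the codec drvdata has already been set by this point (the probe body starts outside the hunk, so this needs confirming), `snd_soc_codec_set_drvdata(codec, NULL);` after the devm_kfree would be the store that matters. The same applies to `swrm->mstr_port->port = NULL;` in swrm_remove (swr-wcd-ctrl.c), which is written one line before `kfree(swrm->mstr_port)`.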
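Review bot: tomtom_codec_remove (wcd9330.c) now clears `control->rx_chs` and `control->tx_chs`, but the hunk shows no free of the buffer they point into, whereas the probe error path releases it with `kfree(ptr)`. If nothing further down in remove frees it (the body continues past the hunk), dropping the only references trades a dangling pointer for a leak on every unbind. tasha_codec_remove in wcd9335.c has the same shape, while tavil_soc_codec_remove in wcd934x.c does free first. Assuming rx_chs is the base of the allocation, as the wcd934x path suggests, I would add `kfree(control->rx_chs);` ahead of the two assignments.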
@@ -13235,8 +13235,11 @@ static int tasha_codec_probe(struct snd_soc_codec *codec)
 err_pdata:
 devm_kfree(codec->dev, ptr);
+ control->rx_chs = NULL;
+ control->tx_chs = NULL;
 err_hwdep:
 devm_kfree(codec->dev, tasha->fw_data);
+ tasha->fw_data = NULL;
 err:
 return ret;
 }
@@ -13244,6 +13247,11 @@ err:
 static int tasha_codec_remove(struct snd_soc_codec *codec)
 {
 struct tasha_priv *tasha = snd_soc_codec_get_drvdata(codec);
+ struct wcd9xxx *control;
+
+ control = dev_get_drvdata(codec->dev->parent);
+ control->rx_chs = NULL;
+ control->tx_chs = NULL;
 tasha_cleanup_irqs(tasha);
 /* Cleanup MBHC */
diff --git a/sound/soc/codecs/wcd934x/wcd934x.c b/sound/soc/codecs/wcd934x/wcd934x.c
index 75387b7c2069..add8aca6dec6 100644
--- a/sound/soc/codecs/wcd934x/wcd934x.c
+++ b/sound/soc/codecs/wcd934x/wcd934x.c
@@ -5289,6 +5289,8 @@ static int tavil_soc_codec_probe(struct snd_soc_codec *codec)
 err_pdata:
 devm_kfree(codec->dev, ptr);
+ control->rx_chs = NULL;
+ control->tx_chs = NULL;
 err:
 return ret;
 }
@@ -5300,6 +5302,8 @@ static int tavil_soc_codec_remove(struct snd_soc_codec *codec)
 control = dev_get_drvdata(codec->dev->parent);
 devm_kfree(codec->dev, control->rx_chs);
+ control->rx_chs = NULL;
+ control->tx_chs = NULL;
 tavil_cleanup_irqs(tavil);
 return 0;
From 59ff3301d529ed74f414f15b69365a0c7babb7d5 Mon Sep 17 00:00:00 2001
From: Meng Wang
Date: Wed, 27 Jul 2016 14:49:10 +0800
Subject: [PATCH 2/4] ASoC: msm: set pointer to null after kfree

In machine drivers, some pointers are not set as NULL after the memory is freed, which will leave many dangling pointers. Set them to NULL explicitly to avoid potential risk.

CRs-Fixed: 997062
Change-Id: Ifa27a21cb76688101b758a34eddf69b160c27c79
Signed-off-by: Meng Wang
---
 sound/soc/msm/msm-audio-pinctrl.c | 26 +++++++++++++++++++-------
 1 file changed, 19 insertions(+), 7 deletions(-)

diff --git a/sound/soc/msm/msm-audio-pinctrl.c b/sound/soc/msm/msm-audio-pinctrl.c
index d30b0c40f993..2b30271500eb 100644
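Review bot: In tavil_soc_codec_remove (wcd934x.c) the channel buffer is freed and `control->rx_chs` / `control->tx_chs` are cleared before `tavil_cleanup_irqs(tavil)` runs, so anything still able to run from an interrupt in that window finds NULL instead of freed memory, which is a crash rather than a silent use-after-free but still a fault. The new stores in tomtom_codec_remove and tasha_codec_remove sit ahead of their cleanup_irqs calls in the same way. If any handler or callback reads these fields (not visible in the hunks), tear the IRQs down first and then free and clear, or have the readers test for NULL under a lock shared with remove.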
--- a/sound/soc/msm/msm-audio-pinctrl.c
+++ b/sound/soc/msm/msm-audio-pinctrl.c
@@ -1,4 +1,4 @@
- /* Copyright (c) 2015, The Linux Foundation. All rights reserved.
+ /* Copyright (c) 2015-2016, The Linux Foundation. All rights reserved.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2 and
@@ -200,28 +200,40 @@ int msm_gpioset_initialize(enum pinctrl_client client, err: /* Free up memory allocated for gpio set combinations */ for (i = 0; i < gpioset_info[client].gpiosets_max; i++) { - if (NULL != gpioset_info[client].gpiosets[i]) + if (gpioset_info[client].gpiosets[i] != NULL) { devm_kfree(dev, gpioset_info[client].gpiosets[i]); + gpioset_info[client].gpiosets[i] = NULL; + } } - if (NULL != gpioset_info[client].gpiosets) + if (gpioset_info[client].gpiosets != NULL) { devm_kfree(dev, gpioset_info[client].gpiosets); + gpioset_info[client].gpiosets = NULL; + } /* Free up memory allocated for gpio set combinations */ for (i = 0; i < gpioset_info[client].gpiosets_comb_max; i++) { - if (NULL != gpioset_info[client].gpiosets_comb_names[i]) + if (gpioset_info[client].gpiosets_comb_names[i] != NULL) { devm_kfree(dev, gpioset_info[client].gpiosets_comb_names[i]); + gpioset_info[client].gpiosets_comb_names[i] = NULL; + } } - if (NULL != gpioset_info[client].gpiosets_comb_names) + if (gpioset_info[client].gpiosets_comb_names != NULL) { devm_kfree(dev, gpioset_info[client].gpiosets_comb_names); + gpioset_info[client].gpiosets_comb_names = NULL; + } /* Free up memory allocated for handles to pinctrl states */ - if (NULL != pinctrl_info[client].cdc_lines) + if (pinctrl_info[client].cdc_lines != NULL) { devm_kfree(dev, pinctrl_info[client].cdc_lines); + pinctrl_info[client].cdc_lines = NULL; + } /* Free up memory allocated for counter of gpio sets */ - if (NULL != gpioset_info[client].gpioset_state) + if (gpioset_info[client].gpioset_state != NULL) { devm_kfree(dev, gpioset_info[client].gpioset_state); + gpioset_info[client].gpioset_state = NULL; + } success: return ret; From 115b1e7c4e7d1d58de4e96f0d64056dde6ebebb1 Mon Sep 17 00:00:00 2001 
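Review bot: The first cleanup loop in the err path of msm_gpioset_initialize indexes `gpioset_info[client].gpiosets[i]` before the array pointer itself is tested, and the `!= NULL` test that follows the loop implies the array can be NULL here; the same holds for `gpiosets_comb_names`. If `gpiosets_max` or `gpiosets_comb_max` is already non-zero when the array allocation fails (the allocation code is above the hunk), the loop dereferences NULL. The counts are also left as they were after the arrays are cleared, so a later reader that trusts the count would index a NULL array; resetting them alongside the pointers keeps the state consistent. A suggested shape for the first array is below, and the second follows the same pattern.

```c
err:
	/* Free up memory allocated for gpio set combinations */
	if (gpioset_info[client].gpiosets != NULL) {
		for (i = 0; i < gpioset_info[client].gpiosets_max; i++) {
			if (gpioset_info[client].gpiosets[i] != NULL) {
				devm_kfree(dev, gpioset_info[client].gpiosets[i]);
				gpioset_info[client].gpiosets[i] = NULL;
			}
		}
		devm_kfree(dev, gpioset_info[client].gpiosets);
		gpioset_info[client].gpiosets = NULL;
	}
	gpioset_info[client].gpiosets_max = 0;

	/* ... same guard and count reset for gpiosets_comb_names / gpiosets_comb_max ... */
	/* ... unchanged: cdc_lines and gpioset_state cleanup ... */
```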
From: Meng Wang
Date: Wed, 27 Jul 2016 15:55:05 +0800
Subject: [PATCH 3/4] ASoC: wcd9xxx: set pointer to null after kfree

In wcd core drivers, some pointers are not set as NULL after the memory is freed, which will leave many dangling pointers. Set them to NULL explicitly to avoid potential risk.

CRs-Fixed: 997062
Change-Id: I5dd4a9dd8f757d0850d75575d7e522e2a22f46f3
Signed-off-by: Meng Wang
---
 drivers/mfd/wcd9xxx-irq.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/mfd/wcd9xxx-irq.c b/drivers/mfd/wcd9xxx-irq.c
index 1b93c83ae98e..0c5754341991 100644
--- a/drivers/mfd/wcd9xxx-irq.c
+++ b/drivers/mfd/wcd9xxx-irq.c
@@ -741,6 +741,7 @@ static int wcd9xxx_irq_remove(struct platform_device *pdev)
 wmb();
 irq_domain_remove(data->domain);
 kfree(data);
+ domain->host_data = NULL;
 return 0;
 }
From 45ffbb1fba8a1498c206d78fcca420f0d60f2eff Mon Sep 17 00:00:00 2001
From: Meng Wang
Date: Wed, 27 Jul 2016 16:05:53 +0800
Subject: [PATCH 4/4] swr-wcd-ctrl: set pointer to null after kfree

In soundwire control drivers, some pointers are not set as NULL after the memory is freed, which will leave many dangling pointers. Set them to NULL explicitly to avoid potential risk.

CRs-Fixed: 997062
Change-Id: I18bd73397173187f87af28c78564835eed6d6a10
Signed-off-by: Meng Wang
---
 drivers/soundwire/swr-wcd-ctrl.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/soundwire/swr-wcd-ctrl.c b/drivers/soundwire/swr-wcd-ctrl.c
index 2cb60c11e212..6ffe2e3576e6 100644
--- a/drivers/soundwire/swr-wcd-ctrl.c
+++ b/drivers/soundwire/swr-wcd-ctrl.c
@@ -325,6 +325,7 @@ static int swrm_set_ch_map(struct swr_mstr_ctrl *swrm, void *data)
 GFP_KERNEL);
 if (!swrm->mstr_port->port) {
 kfree(swrm->mstr_port);
+ swrm->mstr_port = NULL;
 return -ENOMEM;
 }
 memcpy(swrm->mstr_port->port, pinfo->port, pinfo->num_port);
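Review bot: In wcd9xxx_irq_remove (wcd9xxx-irq.c) the added `domain->host_data = NULL;` runs after `irq_domain_remove(data->domain)`, and irq_domain_remove() releases the irq_domain it is given. If `domain` is the same object as `data->domain` (the declarations are above the hunk, so this needs confirming), the new line writes into freed memory, which is the class of bug this series sets out to remove. Clearing the back-pointer before the domain is torn down avoids that: move `domain->host_data = NULL;` to just above `irq_domain_remove(data->domain);`, or drop it, since the domain does not outlive this function.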
@@ -1474,7 +1475,9 @@ static int swrm_remove(struct platform_device *pdev)
 swrm, SWR_IRQ_FREE);
 if (swrm->mstr_port) {
 kfree(swrm->mstr_port->port);
+ swrm->mstr_port->port = NULL;
 kfree(swrm->mstr_port);
+ swrm->mstr_port = NULL;
 }
 pm_runtime_disable(&pdev->dev);
 pm_runtime_set_suspended(&pdev->dev);