sound/pci/hda/cs35l41_hda.c:304 cs35l41_request_firmware_files() error: double free of '*wmfw_filename'

From: Dan Carpenter
Date: Fri Sep 29 2023 - 03:13:15 EST

Next message: Thomas Zimmermann: "Re: [PATCH 2/3] drm: Spelling s/preceeding/preceding/g"
Previous message: Thomas Zimmermann: "Re: [PATCH 1/3] drm: Spelling s/hardward/hardware/g"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
head: 9ed22ae6be817d7a3f5c15ca22cbc9d3963b481d
commit: cd40dad2ca9196631dcd48e1b991244ab3940d83 ALSA: hda: cs35l41: Ensure firmware/tuning pairs are always loaded
config: x86_64-randconfig-161-20230929 (https://download.01.org/0day-ci/archive/20230929/202309291331.0JUUQnPT-lkp@xxxxxxxxx/config)
compiler: gcc-9 (Debian 9.3.0-22) 9.3.0
reproduce: (https://download.01.org/0day-ci/archive/20230929/202309291331.0JUUQnPT-lkp@xxxxxxxxx/reproduce)

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@xxxxxxxxx>
| Reported-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
| Closes: https://lore.kernel.org/r/202309291331.0JUUQnPT-lkp@xxxxxxxxx/

smatch warnings:
sound/pci/hda/cs35l41_hda.c:304 cs35l41_request_firmware_files() error: double free of '*wmfw_filename'

vim +304 sound/pci/hda/cs35l41_hda.c

2e81e1fffd53ba Vitaly Rodionov 2022-06-30 238 static int cs35l41_request_firmware_files(struct cs35l41_hda *cs35l41,
2e81e1fffd53ba Vitaly Rodionov 2022-06-30 239 const struct firmware **wmfw_firmware,
2e81e1fffd53ba Vitaly Rodionov 2022-06-30 240 char **wmfw_filename,
2e81e1fffd53ba Vitaly Rodionov 2022-06-30 241 const struct firmware **coeff_firmware,
2e81e1fffd53ba Vitaly Rodionov 2022-06-30 242 char **coeff_filename)
2e81e1fffd53ba Vitaly Rodionov 2022-06-30 243 {
2e81e1fffd53ba Vitaly Rodionov 2022-06-30 244 int ret;
2e81e1fffd53ba Vitaly Rodionov 2022-06-30 245
cd40dad2ca9196 Stefan Binding 2023-02-13 246 if (cs35l41->speaker_id > -1) {
cd40dad2ca9196 Stefan Binding 2023-02-13 247 ret = cs35l41_request_firmware_files_spkid(cs35l41, wmfw_firmware, wmfw_filename,
63f4b99f0089a9 Stefan Binding 2022-06-30 248 coeff_firmware, coeff_filename);
cd40dad2ca9196 Stefan Binding 2023-02-13 249 goto out;
cd40dad2ca9196 Stefan Binding 2023-02-13 250
cd40dad2ca9196 Stefan Binding 2023-02-13 251 }
63f4b99f0089a9 Stefan Binding 2022-06-30 252
bb6eb621f522d1 Stefan Binding 2022-06-30 253 /* try cirrus/part-dspN-fwtype-sub<-ampname>.wmfw */
2e81e1fffd53ba Vitaly Rodionov 2022-06-30 254 ret = cs35l41_request_firmware_file(cs35l41, wmfw_firmware, wmfw_filename,
bb6eb621f522d1 Stefan Binding 2022-06-30 255 CS35L41_FIRMWARE_ROOT, cs35l41->acpi_subsystem_id,
63f4b99f0089a9 Stefan Binding 2022-06-30 256 cs35l41->amp_name, -1, "wmfw");
2e81e1fffd53ba Vitaly Rodionov 2022-06-30 257 if (!ret) {
bb6eb621f522d1 Stefan Binding 2022-06-30 258 /* try cirrus/part-dspN-fwtype-sub<-ampname>.bin */
cd40dad2ca9196 Stefan Binding 2023-02-13 259 ret = cs35l41_request_firmware_file(cs35l41, coeff_firmware, coeff_filename,
cd40dad2ca9196 Stefan Binding 2023-02-13 260 CS35L41_FIRMWARE_ROOT,
cd40dad2ca9196 Stefan Binding 2023-02-13 261 cs35l41->acpi_subsystem_id, cs35l41->amp_name,
cd40dad2ca9196 Stefan Binding 2023-02-13 262 -1, "bin");
cd40dad2ca9196 Stefan Binding 2023-02-13 263 goto out;
bb6eb621f522d1 Stefan Binding 2022-06-30 264 }
bb6eb621f522d1 Stefan Binding 2022-06-30 265
bb6eb621f522d1 Stefan Binding 2022-06-30 266 /* try cirrus/part-dspN-fwtype-sub.wmfw */
bb6eb621f522d1 Stefan Binding 2022-06-30 267 ret = cs35l41_request_firmware_file(cs35l41, wmfw_firmware, wmfw_filename,
bb6eb621f522d1 Stefan Binding 2022-06-30 268 CS35L41_FIRMWARE_ROOT, cs35l41->acpi_subsystem_id,
63f4b99f0089a9 Stefan Binding 2022-06-30 269 NULL, -1, "wmfw");
bb6eb621f522d1 Stefan Binding 2022-06-30 270 if (!ret) {
bb6eb621f522d1 Stefan Binding 2022-06-30 271 /* try cirrus/part-dspN-fwtype-sub<-ampname>.bin */
bb6eb621f522d1 Stefan Binding 2022-06-30 272 ret = cs35l41_request_firmware_file(cs35l41, coeff_firmware, coeff_filename,
bb6eb621f522d1 Stefan Binding 2022-06-30 273 CS35L41_FIRMWARE_ROOT,
bb6eb621f522d1 Stefan Binding 2022-06-30 274 cs35l41->acpi_subsystem_id,
63f4b99f0089a9 Stefan Binding 2022-06-30 275 cs35l41->amp_name, -1, "bin");
bb6eb621f522d1 Stefan Binding 2022-06-30 276 if (ret)
bb6eb621f522d1 Stefan Binding 2022-06-30 277 /* try cirrus/part-dspN-fwtype-sub.bin */
cd40dad2ca9196 Stefan Binding 2023-02-13 278 ret = cs35l41_request_firmware_file(cs35l41, coeff_firmware, coeff_filename,
bb6eb621f522d1 Stefan Binding 2022-06-30 279 CS35L41_FIRMWARE_ROOT,
cd40dad2ca9196 Stefan Binding 2023-02-13 280 cs35l41->acpi_subsystem_id, NULL, -1,
cd40dad2ca9196 Stefan Binding 2023-02-13 281 "bin");
bb6eb621f522d1 Stefan Binding 2022-06-30 282 }
bb6eb621f522d1 Stefan Binding 2022-06-30 283
cd40dad2ca9196 Stefan Binding 2023-02-13 284 out:
cd40dad2ca9196 Stefan Binding 2023-02-13 285 if (!ret)
cd40dad2ca9196 Stefan Binding 2023-02-13 286 return 0;
cd40dad2ca9196 Stefan Binding 2023-02-13 287
cd40dad2ca9196 Stefan Binding 2023-02-13 288 /* Handle fallback */
cd40dad2ca9196 Stefan Binding 2023-02-13 289 dev_warn(cs35l41->dev, "Falling back to default firmware.\n");
cd40dad2ca9196 Stefan Binding 2023-02-13 290
cd40dad2ca9196 Stefan Binding 2023-02-13 291 release_firmware(*wmfw_firmware);
cd40dad2ca9196 Stefan Binding 2023-02-13 292 kfree(*wmfw_filename);

Freed here.

cd40dad2ca9196 Stefan Binding 2023-02-13 293
bb6eb621f522d1 Stefan Binding 2022-06-30 294 /* fallback try cirrus/part-dspN-fwtype.wmfw */
bb6eb621f522d1 Stefan Binding 2022-06-30 295 ret = cs35l41_request_firmware_file(cs35l41, wmfw_firmware, wmfw_filename,
63f4b99f0089a9 Stefan Binding 2022-06-30 296 CS35L41_FIRMWARE_ROOT, NULL, NULL, -1, "wmfw");

Assume this fails.

cd40dad2ca9196 Stefan Binding 2023-02-13 297 if (!ret)

Better to flip this around:

if (ret)
return ret;

bb6eb621f522d1 Stefan Binding 2022-06-30 298 /* fallback try cirrus/part-dspN-fwtype.bin */
cd40dad2ca9196 Stefan Binding 2023-02-13 299 ret = cs35l41_request_firmware_file(cs35l41, coeff_firmware, coeff_filename,
63f4b99f0089a9 Stefan Binding 2022-06-30 300 CS35L41_FIRMWARE_ROOT, NULL, NULL, -1, "bin");
2e81e1fffd53ba Vitaly Rodionov 2022-06-30 301
cd40dad2ca9196 Stefan Binding 2023-02-13 302 if (ret) {
cd40dad2ca9196 Stefan Binding 2023-02-13 303 release_firmware(*wmfw_firmware);
cd40dad2ca9196 Stefan Binding 2023-02-13 @304 kfree(*wmfw_filename);

The zero day bot doesn't have cross function analysis so the
kfree(*wmfw_filename); warning is a false positive, but the second
release_firmware() is a double free if the kasprintf() in
cs35l41_request_firmware_file() fails. You would have to get pretty
unlucky to hit this bug.

cd40dad2ca9196 Stefan Binding 2023-02-13 305 dev_warn(cs35l41->dev, "Unable to find firmware and tuning\n");
cd40dad2ca9196 Stefan Binding 2023-02-13 306 }
2e81e1fffd53ba Vitaly Rodionov 2022-06-30 307 return ret;
2e81e1fffd53ba Vitaly Rodionov 2022-06-30 308 }

--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki

Next message: Thomas Zimmermann: "Re: [PATCH 2/3] drm: Spelling s/preceeding/preceding/g"
Previous message: Thomas Zimmermann: "Re: [PATCH 1/3] drm: Spelling s/hardward/hardware/g"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]