iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

ASoC: amd: acp: Fix possible UAF in acp_dma_open

Browse Source 
Smatch report warning as follows:

sound/soc/amd/acp/acp-platform.c:199 acp_dma_open() warn:
  '&stream->list' not removed from list

If snd_pcm_hw_constraint_integer() fails in acp_dma_open(),
stream will be freed, but stream->list will not be removed from
adata->stream_list, then list traversal may cause UAF.

Fix by adding the newly allocated stream to the list once it's fully
initialised.

Fixes: 7929985cfe36 ("ASoC: amd: acp: Initialize list to store acp_stream during pcm_open")
Signed-off-by: Gaosheng Cui <cuigaosheng1@huawei.com>
Link: https://lore.kernel.org/r/20221118030056.3135960-1-cuigaosheng1@huawei.com
Signed-off-by: Mark Brown <broonie@kernel.org>
This commit is contained in:
Gaosheng Cui 2022-11-18 11:00:56 +08:00 committed by Mark Brown
parent 13c459fa37
commit 3420fdb8ae
No known key found for this signature in database
GPG Key ID: 24D68B725D5487D0
1 changed files with 4 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
sound/soc/amd/acp/acp-platform.c
View File

@ -184,10 +184,6 @@ static int acp_dma_open(struct snd_soc_component *component, struct snd_pcm_subs
stream->substream = substream; stream->substream = substream;
spin_lock_irq(&adata->acp_lock);
list_add_tail(&stream->list, &adata->stream_list);
spin_unlock_irq(&adata->acp_lock);
if (substream->stream == SNDRV_PCM_STREAM_PLAYBACK) if (substream->stream == SNDRV_PCM_STREAM_PLAYBACK)
runtime->hw = acp_pcm_hardware_playback; runtime->hw = acp_pcm_hardware_playback;
else else
@ -203,6 +199,10 @@ static int acp_dma_open(struct snd_soc_component *component, struct snd_pcm_subs
writel(1, ACP_EXTERNAL_INTR_ENB(adata)); writel(1, ACP_EXTERNAL_INTR_ENB(adata));
spin_lock_irq(&adata->acp_lock);
list_add_tail(&stream->list, &adata->stream_list);
spin_unlock_irq(&adata->acp_lock);
return ret; return ret;
} }