From patchwork Fri Nov 18 03:00:56 2022
X-Patchwork-Submitter: cuigaosheng
X-Patchwork-Id: 13047680
From: Gaosheng Cui
Subject: [PATCH v2] ASoC: amd: acp: Fix possible UAF in acp_dma_open
Date: Fri, 18 Nov 2022 11:00:56 +0800
Message-ID: <20221118030056.3135960-1-cuigaosheng1@huawei.com>
Cc: alsa-devel@alsa-project.org
List-Id: "Alsa-devel mailing list for ALSA developers - http://www.alsa-project.org"

Smatch reports a warning as follows:

sound/soc/amd/acp/acp-platform.c:199 acp_dma_open() warn: '&stream->list' not removed from list

If snd_pcm_hw_constraint_integer() fails in acp_dma_open(), stream will be
freed, but stream->list will not be removed from adata->stream_list, then
list traversal may cause UAF. Fix by adding the newly allocated stream to
the list once it's fully initialised.

Fixes: 7929985cfe36 ("ASoC: amd: acp: Initialize list to store acp_stream during pcm_open")
Signed-off-by: Gaosheng Cui
---
v2:
 - Fix by adding the newly allocated stream to the list once it's fully initialised.
v1:
 - Fix by removing it from adata->stream_list before free().

 sound/soc/amd/acp/acp-platform.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/sound/soc/amd/acp/acp-platform.c b/sound/soc/amd/acp/acp-platform.c index 85a81add4ef9..447612a7a762 100644 --- a/sound/soc/amd/acp/acp-platform.c +++ b/sound/soc/amd/acp/acp-platform.c @@ -184,10 +184,6 @@ static int acp_dma_open(struct snd_soc_component *component, struct snd_pcm_subs stream->substream = substream; - spin_lock_irq(&adata->acp_lock); - list_add_tail(&stream->list, &adata->stream_list); - spin_unlock_irq(&adata->acp_lock); - if (substream->stream == SNDRV_PCM_STREAM_PLAYBACK) runtime->hw = acp_pcm_hardware_playback; else @@ -203,6 +199,10 @@ static int acp_dma_open(struct snd_soc_component *component, struct snd_pcm_subs writel(1, ACP_EXTERNAL_INTR_ENB(adata)); + spin_lock_irq(&adata->acp_lock); + list_add_tail(&stream->list, &adata->stream_list); + spin_unlock_irq(&adata->acp_lock); + return ret; }
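Review bot: in the first hunk (@@ -184,10 +184,6 @@), dropping the early list_add_tail() means the failure return after snd_pcm_hw_constraint_integer() described in the commit message now frees a stream that was never linked into adata->stream_list, which is what makes the list_del() of the v1 approach unnecessary; the commit message should state that invariant explicitly (nothing between the allocation and the end of acp_dma_open() needs the stream on the list), because any error path added later between these two points must preserve it, and the Smatch warning will not catch the reverse mistake of adding the stream early again.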
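Review bot: in the second hunk (@@ -203,6 +199,10 @@), the stream is linked into adata->stream_list only after `writel(1, ACP_EXTERNAL_INTR_ENB(adata));`, so the external interrupt is enabled during a window in which the new stream is not yet on the list; if the interrupt handler resolves the active stream by walking adata->stream_list, an interrupt arriving in that window cannot find it. Consider moving the locked list_add_tail() block above the writel(), or explain in the commit message why the handler tolerates this ordering. Also, since the function now ends with `return ret;` directly after the add, confirm that ret is guaranteed to be 0 there; otherwise the stream would sit on the list while the caller treats the open as failed, reintroducing the free-while-listed pattern this patch removes.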