From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Cezary Rojewski <cezary.rojewski@intel.com>,
Takashi Iwai <tiwai@suse.de>, Sasha Levin <sashal@kernel.org>,
perex@perex.cz, tiwai@suse.com, broonie@kernel.org,
divya1.prakash@intel.com, mengyingkun@loongson.cn,
siyanteng@loongson.cn, zhangyiqun@phytium.com.cn,
linux-sound@vger.kernel.org
Subject: [PATCH AUTOSEL 5.10 10/16] ALSA: hda: Fix possible null-ptr-deref when assigning a stream
Date: Tue, 7 Nov 2023 10:52:29 -0500 [thread overview]
Message-ID: <20231107155249.3768098-10-sashal@kernel.org> (raw)
In-Reply-To: <20231107155249.3768098-1-sashal@kernel.org>
From: Cezary Rojewski <cezary.rojewski@intel.com>
[ Upstream commit f93dc90c2e8ed664985e366aa6459ac83cdab236 ]
While AudioDSP drivers assign streams exclusively of HOST or LINK type,
nothing blocks a user to attempt to assign a COUPLED stream. As
supplied substream instance may be a stub, what is the case when
code-loading, such scenario ends with null-ptr-deref.
Signed-off-by: Cezary Rojewski <cezary.rojewski@intel.com>
Link: https://lore.kernel.org/r/20231006102857.749143-2-cezary.rojewski@intel.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/hda/hdac_stream.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/sound/hda/hdac_stream.c b/sound/hda/hdac_stream.c
index 1e0f61affd979..5570722458caf 100644
--- a/sound/hda/hdac_stream.c
+++ b/sound/hda/hdac_stream.c
@@ -320,8 +320,10 @@ struct hdac_stream *snd_hdac_stream_assign(struct hdac_bus *bus,
struct hdac_stream *res = NULL;
/* make a non-zero unique key for the substream */
- int key = (substream->pcm->device << 16) | (substream->number << 2) |
- (substream->stream + 1);
+ int key = (substream->number << 2) | (substream->stream + 1);
+
+ if (substream->pcm)
+ key |= (substream->pcm->device << 16);
spin_lock_irq(&bus->reg_lock);
list_for_each_entry(azx_dev, &bus->stream_list, list) {
--
2.42.0
next prev parent reply other threads:[~2023-11-07 16:01 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-11-07 15:52 [PATCH AUTOSEL 5.10 01/16] ASoC: soc-card: Add storage for PCI SSID Sasha Levin
2023-11-07 15:52 ` [PATCH AUTOSEL 5.10 02/16] crypto: pcrypt - Fix hungtask for PADATA_RESET Sasha Levin
2023-11-07 15:52 ` [PATCH AUTOSEL 5.10 03/16] RDMA/hfi1: Use FIELD_GET() to extract Link Width Sasha Levin
2023-11-07 15:52 ` [PATCH AUTOSEL 5.10 04/16] fs/jfs: Add check for negative db_l2nbperpage Sasha Levin
2023-11-07 15:52 ` [PATCH AUTOSEL 5.10 05/16] fs/jfs: Add validity check for db_maxag and db_agpref Sasha Levin
2023-11-07 15:52 ` [PATCH AUTOSEL 5.10 06/16] jfs: fix array-index-out-of-bounds in dbFindLeaf Sasha Levin
2023-11-07 15:52 ` [PATCH AUTOSEL 5.10 07/16] jfs: fix array-index-out-of-bounds in diAlloc Sasha Levin
2023-11-07 15:52 ` [PATCH AUTOSEL 5.10 08/16] HID: lenovo: Detect quirk-free fw on cptkbd and stop applying workaround Sasha Levin
2023-11-07 15:52 ` [PATCH AUTOSEL 5.10 09/16] ARM: 9320/1: fix stack depot IRQ stack filter Sasha Levin
2023-11-07 15:52 ` Sasha Levin
2023-11-07 15:52 ` Sasha Levin [this message]
2023-11-07 15:52 ` [PATCH AUTOSEL 5.10 11/16] PCI: tegra194: Use FIELD_GET()/FIELD_PREP() with Link Width fields Sasha Levin
2023-11-07 15:52 ` [PATCH AUTOSEL 5.10 12/16] atm: iphase: Do PCI error checks on own line Sasha Levin
2023-11-07 15:52 ` [PATCH AUTOSEL 5.10 13/16] scsi: libfc: Fix potential NULL pointer dereference in fc_lport_ptp_setup() Sasha Levin
2023-11-07 15:52 ` [PATCH AUTOSEL 5.10 14/16] misc: pci_endpoint_test: Add Device ID for R-Car S4-8 PCIe controller Sasha Levin
2023-11-07 15:52 ` [PATCH AUTOSEL 5.10 15/16] HID: Add quirk for Dell Pro Wireless Keyboard and Mouse KM5221W Sasha Levin
2023-11-07 15:52 ` [PATCH AUTOSEL 5.10 16/16] exfat: support handle zero-size directory Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20231107155249.3768098-10-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=broonie@kernel.org \
--cc=cezary.rojewski@intel.com \
--cc=divya1.prakash@intel.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-sound@vger.kernel.org \
--cc=mengyingkun@loongson.cn \
--cc=perex@perex.cz \
--cc=siyanteng@loongson.cn \
--cc=stable@vger.kernel.org \
--cc=tiwai@suse.com \
--cc=tiwai@suse.de \
--cc=zhangyiqun@phytium.com.cn \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.