Message ID | 20220327082018.13585-1-xiam0nd.tong@gmail.com |
---|---|
State | New |
Headers | show |
Series | soc: soc-core: fix a missing check on list iterator | expand |
Hi Xiaomeng Thank you for your patch > The bug is here: > *dai_name = dai->driver->name; > > For for_each_component_dais, just like list_for_each_entry, > the list iterator 'dai' will point to a bogus position > containing HEAD if the list is empty or no element is found. > This case must be checked before any use of the iterator, > otherwise it will lead to a invalid memory access. > > To fix the bug, use a new variable 'iter' as the list iterator, > while use the original variable 'dai' as a dedicated pointer > to point to the found element. > > Cc: stable@vger.kernel.org > Fixes: 58bf4179000a3 ("ASoC: soc-core: remove dai_drv from snd_soc_component") > Signed-off-by: Xiaomeng Tong <xiam0nd.tong@gmail.com> > ---
diff --git a/sound/soc/soc-core.c b/sound/soc/soc-core.c index 434e61b46983..064fc0347868 100644 --- a/sound/soc/soc-core.c +++ b/sound/soc/soc-core.c @@ -3238,7 +3238,7 @@ int snd_soc_get_dai_name(const struct of_phandle_args *args, ret = snd_soc_component_of_xlate_dai_name(pos, args, dai_name); if (ret == -ENOTSUPP) { - struct snd_soc_dai *dai; + struct snd_soc_dai *dai = NULL, *iter; int id = -1; switch (args->args_count) { @@ -3261,12 +3261,19 @@ int snd_soc_get_dai_name(const struct of_phandle_args *args, ret = 0; /* find target DAI */ - for_each_component_dais(pos, dai) { - if (id == 0) + for_each_component_dais(pos, iter) { + if (id == 0) { + dai = iter; break; + } id--; } + if (!dai) { + ret = -EINVAL; + continue; + } + *dai_name = dai->driver->name; if (!*dai_name) *dai_name = pos->name;
The bug is here: *dai_name = dai->driver->name; For for_each_component_dais, just like list_for_each_entry, the list iterator 'dai' will point to a bogus position containing HEAD if the list is empty or no element is found. This case must be checked before any use of the iterator, otherwise it will lead to a invalid memory access. To fix the bug, use a new variable 'iter' as the list iterator, while use the original variable 'dai' as a dedicated pointer to point to the found element. Cc: stable@vger.kernel.org Fixes: 58bf4179000a3 ("ASoC: soc-core: remove dai_drv from snd_soc_component") Signed-off-by: Xiaomeng Tong <xiam0nd.tong@gmail.com> --- sound/soc/soc-core.c | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-)