
mediatek: mt8195: fix a missing check on list iterator

Message ID 20220327081712.13341-1-xiam0nd.tong@gmail.com
State New
Series mediatek: mt8195: fix a missing check on list iterator | expand

Commit Message

Xiaomeng Tong March 27, 2022, 8:17 a.m. UTC
The bug is here:
 mt8195_etdm_hw_params_fixup(runtime, params);

For the for_each_card_rtds(), just like list_for_each_entry(),
the list iterator 'runtime' will point to a bogus position
containing HEAD if the list is empty or no element is found.
This case must be checked before any use of the iterator,
otherwise it will lead to an invalid memory access.

To fix the bug, use a new variable 'iter' as the list iterator,
while use the original variable 'runtime' as a dedicated pointer
to point to the found element.

Cc: stable@vger.kernel.org
Fixes: 3d00d2c07f04f ("ASoC: mediatek: mt8195: add sof support on mt8195-mt6359-rt1019-rt5682")
Signed-off-by: Xiaomeng Tong <xiam0nd.tong@gmail.com>
---
 .../mediatek/mt8195/mt8195-mt6359-rt1019-rt5682.c  | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

Comments

Trevor Wu March 29, 2022, 2:33 a.m. UTC | #1
On Sun, 2022-03-27 at 16:17 +0800, Xiaomeng Tong wrote:
> The bug is here:
>  mt8195_etdm_hw_params_fixup(runtime, params);
> 
> For the for_each_card_rtds(), just like list_for_each_entry(),
> the list iterator 'runtime' will point to a bogus position
> containing HEAD if the list is empty or no element is found.
> This case must be checked before any use of the iterator,
> otherwise it will lead to a invalid memory access.
> 
> To fix the bug, use a new variable 'iter' as the list iterator,
> while use the original variable 'runtime' as a dedicated pointer
> to point to the found element.

Hi Xiaomeng,

About this bug, I think it won't happen anymore.

mt8195_dai_link_fixup() is only assigned when the corresponding
snd_soc_pcm_runtime is found
in mt8195_mt6359_rt1019_rt5682_late_probe().

On the other hand, runtime is not used in the body of
mt8195_etdm_hw_params_fixup().

That's why I think the problem doesn't exist.
If I misunderstood the problem you pointed out, please correct me.

Thanks,
Trevor
> 
> Cc: stable@vger.kernel.org
> Fixes: 3d00d2c07f04f ("ASoC: mediatek: mt8195: add sof support on
> mt8195-mt6359-rt1019-rt5682")
> Signed-off-by: Xiaomeng Tong <xiam0nd.tong@gmail.com>
> ---
>  .../mediatek/mt8195/mt8195-mt6359-rt1019-rt5682.c  | 14 ++++++++--
> ----
>  1 file changed, 8 insertions(+), 6 deletions(-)
> 
> diff --git a/sound/soc/mediatek/mt8195/mt8195-mt6359-rt1019-rt5682.c
> b/sound/soc/mediatek/mt8195/mt8195-mt6359-rt1019-rt5682.c
> index 29c2d3407cc7..dc91877e4c3c 100644
> --- a/sound/soc/mediatek/mt8195/mt8195-mt6359-rt1019-rt5682.c
> +++ b/sound/soc/mediatek/mt8195/mt8195-mt6359-rt1019-rt5682.c
> @@ -814,7 +814,7 @@ static int mt8195_dai_link_fixup(struct
> snd_soc_pcm_runtime *rtd,
>  {
>  	struct snd_soc_card *card = rtd->card;
>  	struct snd_soc_dai_link *sof_dai_link = NULL;
> -	struct snd_soc_pcm_runtime *runtime;
> +	struct snd_soc_pcm_runtime *runtime = NULL, *iter;
>  	struct snd_soc_dai *cpu_dai;
>  	int i, j, ret = 0;
>  
> @@ -824,16 +824,17 @@ static int mt8195_dai_link_fixup(struct
> snd_soc_pcm_runtime *rtd,
>  		if (strcmp(rtd->dai_link->name, conn->normal_link))
>  			continue;
>  
> -		for_each_card_rtds(card, runtime) {
> -			if (strcmp(runtime->dai_link->name, conn-
> >sof_link))
> +		for_each_card_rtds(card, iter) {
> +			if (strcmp(iter->dai_link->name, conn-
> >sof_link))
>  				continue;
>  
> -			for_each_rtd_cpu_dais(runtime, j, cpu_dai) {
> +			for_each_rtd_cpu_dais(iter, j, cpu_dai) {
>  				if (cpu_dai->stream_active[conn-
> >stream_dir] > 0) {
> -					sof_dai_link = runtime-
> >dai_link;
> +					sof_dai_link = iter->dai_link;
>  					break;
>  				}
>  			}
> +			runtime = iter;
>  			break;
>  		}
>  
> @@ -845,7 +846,8 @@ static int mt8195_dai_link_fixup(struct
> snd_soc_pcm_runtime *rtd,
>  
>  	if (!strcmp(rtd->dai_link->name, "ETDM2_IN_BE") ||
>  	    !strcmp(rtd->dai_link->name, "ETDM1_OUT_BE")) {
> -		mt8195_etdm_hw_params_fixup(runtime, params);
> +		if (runtime)
> +			mt8195_etdm_hw_params_fixup(runtime, params);
>  	}
>  
>  	return ret;

Patch

diff --git a/sound/soc/mediatek/mt8195/mt8195-mt6359-rt1019-rt5682.c b/sound/soc/mediatek/mt8195/mt8195-mt6359-rt1019-rt5682.c
index 29c2d3407cc7..dc91877e4c3c 100644
--- a/sound/soc/mediatek/mt8195/mt8195-mt6359-rt1019-rt5682.c
+++ b/sound/soc/mediatek/mt8195/mt8195-mt6359-rt1019-rt5682.c
@@ -814,7 +814,7 @@  static int mt8195_dai_link_fixup(struct snd_soc_pcm_runtime *rtd,
 {
 	struct snd_soc_card *card = rtd->card;
 	struct snd_soc_dai_link *sof_dai_link = NULL;
-	struct snd_soc_pcm_runtime *runtime;
+	struct snd_soc_pcm_runtime *runtime = NULL, *iter;
 	struct snd_soc_dai *cpu_dai;
 	int i, j, ret = 0;
 
@@ -824,16 +824,17 @@  static int mt8195_dai_link_fixup(struct snd_soc_pcm_runtime *rtd,
 		if (strcmp(rtd->dai_link->name, conn->normal_link))
 			continue;
 
-		for_each_card_rtds(card, runtime) {
-			if (strcmp(runtime->dai_link->name, conn->sof_link))
+		for_each_card_rtds(card, iter) {
+			if (strcmp(iter->dai_link->name, conn->sof_link))
 				continue;
 
-			for_each_rtd_cpu_dais(runtime, j, cpu_dai) {
+			for_each_rtd_cpu_dais(iter, j, cpu_dai) {
 				if (cpu_dai->stream_active[conn->stream_dir] > 0) {
-					sof_dai_link = runtime->dai_link;
+					sof_dai_link = iter->dai_link;
 					break;
 				}
 			}
+			runtime = iter;
 			break;
 		}
 
@@ -845,7 +846,8 @@  static int mt8195_dai_link_fixup(struct snd_soc_pcm_runtime *rtd,
 
 	if (!strcmp(rtd->dai_link->name, "ETDM2_IN_BE") ||
 	    !strcmp(rtd->dai_link->name, "ETDM1_OUT_BE")) {
-		mt8195_etdm_hw_params_fixup(runtime, params);
+		if (runtime)
+			mt8195_etdm_hw_params_fixup(runtime, params);
 	}
 
 	return ret;
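Review bot: The added `if (runtime)` guard ties the ETDM fixup to the SOF link lookup from the previous hunk, so for "ETDM2_IN_BE"/"ETDM1_OUT_BE" the call is now skipped silently and `ret` is returned unchanged whenever no matching runtime was found. If `mt8195_etdm_hw_params_fixup()` really depends on its first argument (its body is not visible here), a missing runtime deserves a diagnostic, e.g. `else dev_warn(card->dev, "%s: no SOF runtime found\n", __func__);`. If it does not, passing `rtd` instead of the searched pointer would keep the fixup unconditional and drop the dependency on the loop result altogether. Either way, a comment above the guard such as `/* runtime stays NULL when no SOF link matched; iter is not a valid entry after the loop */` would record why `iter` and `runtime` are kept separate. The body of mt8195_dai_link_fixup() starts and ends outside this hunk.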