.../mediatek/mt8195/mt8195-mt6359-rt1019-rt5682.c | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-)
The bug is here:
mt8195_etdm_hw_params_fixup(runtime, params);
For the for_each_card_rtds(), just like list_for_each_entry(),
the list iterator 'runtime' will point to a bogus position
containing HEAD if the list is empty or no element is found.
This case must be checked before any use of the iterator,
otherwise it will lead to an invalid memory access.
To fix the bug, use a new variable 'iter' as the list iterator,
and use the original variable 'runtime' as a dedicated pointer
to the found element.
Cc: stable@vger.kernel.org
Fixes: 3d00d2c07f04f ("ASoC: mediatek: mt8195: add sof support on mt8195-mt6359-rt1019-rt5682")
Signed-off-by: Xiaomeng Tong <xiam0nd.tong@gmail.com>
---
.../mediatek/mt8195/mt8195-mt6359-rt1019-rt5682.c | 14 ++++++++------
1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/sound/soc/mediatek/mt8195/mt8195-mt6359-rt1019-rt5682.c b/sound/soc/mediatek/mt8195/mt8195-mt6359-rt1019-rt5682.c
index 29c2d3407cc7..dc91877e4c3c 100644
--- a/sound/soc/mediatek/mt8195/mt8195-mt6359-rt1019-rt5682.c
+++ b/sound/soc/mediatek/mt8195/mt8195-mt6359-rt1019-rt5682.c
@@ -814,7 +814,7 @@ static int mt8195_dai_link_fixup(struct snd_soc_pcm_runtime *rtd,
{
struct snd_soc_card *card = rtd->card;
struct snd_soc_dai_link *sof_dai_link = NULL;
- struct snd_soc_pcm_runtime *runtime;
+ struct snd_soc_pcm_runtime *runtime = NULL, *iter;
struct snd_soc_dai *cpu_dai;
int i, j, ret = 0;
@@ -824,16 +824,17 @@ static int mt8195_dai_link_fixup(struct snd_soc_pcm_runtime *rtd,
if (strcmp(rtd->dai_link->name, conn->normal_link))
continue;
- for_each_card_rtds(card, runtime) {
- if (strcmp(runtime->dai_link->name, conn->sof_link))
+ for_each_card_rtds(card, iter) {
+ if (strcmp(iter->dai_link->name, conn->sof_link))
continue;
- for_each_rtd_cpu_dais(runtime, j, cpu_dai) {
+ for_each_rtd_cpu_dais(iter, j, cpu_dai) {
if (cpu_dai->stream_active[conn->stream_dir] > 0) {
- sof_dai_link = runtime->dai_link;
+ sof_dai_link = iter->dai_link;
break;
}
}
+ runtime = iter;
break;
}
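Review bot: `iter` stays in function scope after the `for_each_card_rtds()` loop, so nothing prevents a later edit from using it past the loop and reintroducing the stale-iterator access this patch removes. A short comment above `runtime = iter;` would make the contract explicit, for example `/* runtime stays NULL unless an rtd named conn->sof_link was found */`. Note also that `runtime` is assigned on a name match even when no CPU DAI is active, so `sof_dai_link` can remain NULL while `runtime` is non-NULL; code after the loop should test whichever pointer it actually dereferences. The enclosing loop over the connection table starts outside this hunk.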
@@ -845,7 +846,8 @@ static int mt8195_dai_link_fixup(struct snd_soc_pcm_runtime *rtd,
if (!strcmp(rtd->dai_link->name, "ETDM2_IN_BE") ||
!strcmp(rtd->dai_link->name, "ETDM1_OUT_BE")) {
- mt8195_etdm_hw_params_fixup(runtime, params);
+ if (runtime)
+ mt8195_etdm_hw_params_fixup(runtime, params);
}
return ret;
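Review bot: The new `if (runtime)` guard silently skips mt8195_etdm_hw_params_fixup() for ETDM2_IN_BE and ETDM1_OUT_BE whenever the search found no SOF runtime, which is a behaviour change on top of the memory-safety fix. The surrounding condition is keyed on `rtd->dai_link->name`, so the fixup appears to belong to the link being fixed up rather than to the runtime found by the search. If the callee does not need the SOF runtime, passing the function's own argument removes the dependency on the search result altogether: `mt8195_etdm_hw_params_fixup(rtd, params);`. If skipping is intended, a one-line comment saying why the ETDM parameters may be left unfixed would help. The function body starts before this hunk.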
--
2.17.1
On Sun, 2022-03-27 at 16:17 +0800, Xiaomeng Tong wrote: > The bug is here: > mt8195_etdm_hw_params_fixup(runtime, params); > > For the for_each_card_rtds(), just like list_for_each_entry(), > the list iterator 'runtime' will point to a bogus position > containing HEAD if the list is empty or no element is found. > This case must be checked before any use of the iterator, > otherwise it will lead to a invalid memory access. > > To fix the bug, use a new variable 'iter' as the list iterator, > while use the original variable 'runtime' as a dedicated poin > ter > to point to the found element. Hi Xiaomeng, About this bug, I think it won't happen anymore. mt8195_dai_link_fixup() is only assigned when the corresponding snd_soc_pcm_runtime is found in mt8195_mt6359_rt1019_rt5682_late_probe(). On the other hand, runtime is not used in the body of mt8195_etdm_hw_params_fixup(). That's why I think the problem doesn't exist. If I misunderstood the problem you pointed out, please correct me. Thanks, Trevor > > Cc: stable@vger.kernel.org > Fixes: 3d00d2c07f04f ("ASoC: mediatek: mt8195: add sof support on > mt8195-mt6359-rt1019-rt5682") > Signed-off-by: Xiaomeng Tong <xiam0nd.tong@gmail.com> > --- > .../mediatek/mt8195/mt8195-mt6359-rt1019-rt5682.c | 14 ++++++++-- > ---- > 1 file changed, 8 insertions(+), 6 deletions(-) > > diff --git a/sound/soc/mediatek/mt8195/mt8195-mt6359-rt1019-rt5682.c > b/sound/soc/mediatek/mt8195/mt8195-mt6359-rt1019-rt5682.c > index 29c2d3407cc7..dc91877e4c3c 100644 > --- a/sound/soc/mediatek/mt8195/mt8195-mt6359-rt1019-rt5682.c > +++ b/sound/soc/mediatek/mt8195/mt8195-mt6359-rt1019-rt5682.c > @@ -814,7 +814,7 @@ static int mt8195_dai_link_fixup(struct > snd_soc_pcm_runtime *rtd, > { > struct snd_soc_card *card = rtd->card; > struct snd_soc_dai_link *sof_dai_link = NULL; > - struct snd_soc_pcm_runtime *runtime; > + struct snd_soc_pcm_runtime *runtime = NULL, *iter; > struct snd_soc_dai *cpu_dai; > int i, j, ret = 0; 
> > @@ -824,16 +824,17 @@ static int mt8195_dai_link_fixup(struct > snd_soc_pcm_runtime *rtd, > if (strcmp(rtd->dai_link->name, conn->normal_link)) > continue; > > - for_each_card_rtds(card, runtime) { > - if (strcmp(runtime->dai_link->name, conn- > >sof_link)) > + for_each_card_rtds(card, iter) { > + if (strcmp(iter->dai_link->name, conn- > >sof_link)) > continue; > > - for_each_rtd_cpu_dais(runtime, j, cpu_dai) { > + for_each_rtd_cpu_dais(iter, j, cpu_dai) { > if (cpu_dai->stream_active[conn- > >stream_dir] > 0) { > - sof_dai_link = runtime- > >dai_link; > + sof_dai_link = iter->dai_link; > break; > } > } > + runtime = iter; > break; > } > > @@ -845,7 +846,8 @@ static int mt8195_dai_link_fixup(struct > snd_soc_pcm_runtime *rtd, > > if (!strcmp(rtd->dai_link->name, "ETDM2_IN_BE") || > !strcmp(rtd->dai_link->name, "ETDM1_OUT_BE")) { > - mt8195_etdm_hw_params_fixup(runtime, params); > + if (runtime) > + mt8195_etdm_hw_params_fixup(runtime, params); > } > > return ret;