1. Patchew
  2. linux
  3. View series

[PATCH] ASoC: soc-utils: Check string pointer validity in snd_soc_dlc_is_dummy()

Chen-Yu Tsai posted 1 patch 7 months, 1 week ago 
sound/soc/soc-utils.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
[PATCH] ASoC: soc-utils: Check string pointer validity in snd_soc_dlc_is_dummy()
Posted by Chen-Yu Tsai 7 months, 1 week ago 
In the recently added snd_soc_dlc_is_dummy(), the helper uses the .name
and .dai_name fields without checking their validity.

For .name, this field is NULL if the component is matched by .of_node
instead. In fact, only one of these fields may be set. This caused a
NULL pointer dereference on MediaTek MT8195 and MT8188 platforms with
the subsequent conversion to snd_soc_dlc_is_dummy() in their machine
drivers. The codecs are all matches through the device tree, so their
.name fields are empty.

For .dai_name, there are cases where this field is empty, such as for
the following component definitions:

	#define COMP_EMPTY()                    { }
	#define COMP_PLATFORM(_name)            { .name = _name }
	#define COMP_AUX(_name)                 { .name = _name }
	#define COMP_CODEC_CONF(_name)          { .name = _name }

Or the single link CPU DAI case in the simple audio card family, as
covered by simple_util_canonicalize_cpu(), in which the .dai_name
field is explicitly cleared.

To fix this, check the validity of the fields before using them in
string comparison.

Fixes: 3e021f3b8115 ("ASoC: soc-utils: add snd_soc_dlc_is_dummy()")
Cc: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
Signed-off-by: Chen-Yu Tsai <wenst@chromium.org>
---
 sound/soc/soc-utils.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/sound/soc/soc-utils.c b/sound/soc/soc-utils.c
index a1bcc852a6de..c8adfff826bd 100644
--- a/sound/soc/soc-utils.c
+++ b/sound/soc/soc-utils.c
@@ -267,8 +267,8 @@ int snd_soc_dlc_is_dummy(struct snd_soc_dai_link_component *dlc)
 	if (dlc == &snd_soc_dummy_dlc)
 		return true;
 
-	if (strcmp(dlc->name,	  snd_soc_dummy_dlc.name)	== 0 ||
-	    strcmp(dlc->dai_name, snd_soc_dummy_dlc.dai_name)	== 0)
+	if ((dlc->name     && strcmp(dlc->name,     snd_soc_dummy_dlc.name)     == 0) ||
+	    (dlc->dai_name && strcmp(dlc->dai_name, snd_soc_dummy_dlc.dai_name) == 0))
 		return true;
 
 	return false;
-- 
2.49.0.1101.gccaa498523-goog
Re: [PATCH] ASoC: soc-utils: Check string pointer validity in snd_soc_dlc_is_dummy()
Posted by Mark Brown 7 months, 1 week ago 
On Fri, 16 May 2025 13:05:48 +0800, Chen-Yu Tsai wrote:
> In the recently added snd_soc_dlc_is_dummy(), the helper uses the .name
> and .dai_name fields without checking their validity.
> 
> For .name, this field is NULL if the component is matched by .of_node
> instead. In fact, only one of these fields may be set. This caused a
> NULL pointer dereference on MediaTek MT8195 and MT8188 platforms with
> the subsequent conversion to snd_soc_dlc_is_dummy() in their machine
> drivers. The codecs are all matches through the device tree, so their
> .name fields are empty.
> 
> [...]

Applied to

   https://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound.git for-next

Thanks!

[1/1] ASoC: soc-utils: Check string pointer validity in snd_soc_dlc_is_dummy()
      commit: 628479afc7a157bca3430a75e759ed06c1a81c66

All being well this means that it will be integrated into the linux-next
tree (usually sometime in the next 24 hours) and sent to Linus during
the next merge window (or sooner if it is a bug fix), however if
problems are discovered then the patch may be dropped or reverted.

You may get further e-mails resulting from automated or manual testing
and review of the tree, please engage with people reporting problems and
send followup patches addressing any issues that are reported if needed.

If any updates are required or you are submitting further changes they
should be sent as incremental updates against current git, existing
patches will not be replaced.

Please add any relevant lists and maintainers to the CCs when replying
to this mail.

Thanks,
Mark
Re: [PATCH] ASoC: soc-utils: Check string pointer validity in snd_soc_dlc_is_dummy()
Posted by Kuninori Morimoto 7 months, 1 week ago 
Hi Chen-Yu

> In the recently added snd_soc_dlc_is_dummy(), the helper uses the .name
> and .dai_name fields without checking their validity.
> 
> For .name, this field is NULL if the component is matched by .of_node
> instead. In fact, only one of these fields may be set. This caused a
> NULL pointer dereference on MediaTek MT8195 and MT8188 platforms with
> the subsequent conversion to snd_soc_dlc_is_dummy() in their machine
> drivers. The codecs are all matches through the device tree, so their
> .name fields are empty.
> 
> For .dai_name, there are cases where this field is empty, such as for
> the following component definitions:
> 
> 	#define COMP_EMPTY()                    { }
> 	#define COMP_PLATFORM(_name)            { .name = _name }
> 	#define COMP_AUX(_name)                 { .name = _name }
> 	#define COMP_CODEC_CONF(_name)          { .name = _name }
> 
> Or the single link CPU DAI case in the simple audio card family, as
> covered by simple_util_canonicalize_cpu(), in which the .dai_name
> field is explicitly cleared.
> 
> To fix this, check the validity of the fields before using them in
> string comparison.
> 
> Fixes: 3e021f3b8115 ("ASoC: soc-utils: add snd_soc_dlc_is_dummy()")
> Cc: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
> Signed-off-by: Chen-Yu Tsai <wenst@chromium.org>
> ---

Yes, indeed

Acked-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>

Thank you for your help !!

Best regards
---
Kuninori Morimoto

Patchew 2.1-devel-b67e4c2

© 2016 - 2025 Red Hat, Inc.