Commit b8a0d229 authored Jul 15, 2024 by Simon Trimmer Committed by Xiongfeng Wang Jul 15, 2024

ALSA: hda: cs35l41: Possible null pointer dereference in cs35l41_hda_unbind()

mainline inclusion
from mainline-v6.10-rc5
commit 6386682cdc8b41319c92fbbe421953e33a28840c
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IACS5R
CVE: CVE-2024-40964

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=6386682cdc8b41319c92fbbe421953e33a28840c



--------------------------------

The cs35l41_hda_unbind() function clears the hda_component entry
matching it's index and then dereferences the codec pointer held in the
first element of the hda_component array, this is an issue when the
device index was 0.

Instead use the codec pointer stashed in the cs35l41_hda structure as it
will still be valid.

Fixes: 7cf5ce66 ("ALSA: hda: cs35l41: Add device_link between HDA and cs35l41_hda")
Signed-off-by: Simon Trimmer <simont@opensource.cirrus.com>
Link: https://lore.kernel.org/r/20240531120820.35367-1-simont@opensource.cirrus.com


Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Xiongfeng Wang <wangxiongfeng2@huawei.com>

parent 3c62a9a7

sound/pci/hda/cs35l41_hda.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -1187,7 +1187,7 @@ static void cs35l41_hda_unbind(struct device dev, struct device master, void *
		if (comps[cs35l41->index].dev == dev) {
		memset(&comps[cs35l41->index], 0, sizeof(*comps));
		sleep_flags = lock_system_sleep();
		device_link_remove(&comps->codec->core.dev, cs35l41->dev);
		device_link_remove(&cs35l41->codec->core.dev, cs35l41->dev);
		unlock_system_sleep(sleep_flags);
		}
		}