Commit c31f7740 authored by Peter Ujfalusi's avatar Peter Ujfalusi Committed by Xiaomeng Zhang
Browse files

ASoC: SOF: ipc4-topology: Harden loops for looking up ALH copiers 

mainline inclusion
from mainline-v6.14-rc4
commit 6fd60136d256b3b948333ebdb3835f41a95ab7ef
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBWVJF
CVE: CVE-2025-21870

Reference: https://web.git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=6fd60136d256b3b948333ebdb3835f41a95ab7ef



--------------------------------

Other, non DAI copier widgets could have the same  stream name (sname) as
the ALH copier and in that case the copier->data is NULL, no alh_data is
attached, which could lead to NULL pointer dereference.
We could check for this NULL pointer in sof_ipc4_prepare_copier_module()
and avoid the crash, but a similar loop in sof_ipc4_widget_setup_comp_dai()
will miscalculate the ALH device count, causing broken audio.

The correct fix is to harden the matching logic by making sure that the
1. widget is a DAI widget - so dai = w->private is valid
2. the dai (and thus the copier) is ALH copier

Fixes: a150345a ("ASoC: SOF: ipc4-topology: add SoundWire/ALH aggregation support")
Reported-by: default avatarSeppo Ingalsuo <seppo.ingalsuo@linux.intel.com>
Closes: https://github.com/thesofproject/sof/pull/9652


Signed-off-by: default avatarPeter Ujfalusi <peter.ujfalusi@linux.intel.com>
Reviewed-by: default avatarLiam Girdwood <liam.r.girdwood@intel.com>
Reviewed-by: default avatarRanjani Sridharan <ranjani.sridharan@linux.intel.com>
Reviewed-by: default avatarBard Liao <yung-chuan.liao@linux.intel.com>
Link: https://patch.msgid.link/20250206084642.14988-1-peter.ujfalusi@linux.intel.com


Signed-off-by: default avatarMark Brown <broonie@kernel.org>
Conflicts:
	sound/soc/sof/ipc4-topology.c
[The conflicts were due to some minor issue.]
Signed-off-by: default avatarXiaomeng Zhang <zhangxiaomeng13@huawei.com>
parent 38cb6fd8

sound/soc/sof/ipc4-topology.c

+10 −2
Original line number Diff line number Diff line
@@ -577,10 +577,16 @@ static int sof_ipc4_widget_setup_comp_dai(struct snd_sof_widget *swidget) 
		}



		list_for_each_entry(w, &sdev->widget_list, list) {

			if (w->widget->sname &&

			struct snd_sof_dai *alh_dai;



			if (!WIDGET_IS_DAI(w->id) || !w->widget->sname ||

			    strcmp(w->widget->sname, swidget->widget->sname))

				continue;



			alh_dai = w->private;

			if (alh_dai->type != SOF_DAI_INTEL_ALH)

				continue;



			blob->alh_cfg.device_count++;

		}
@@ -1692,11 +1698,13 @@ sof_ipc4_prepare_copier_module(struct snd_sof_widget *swidget, 
			 */

			i = 0;

			list_for_each_entry(w, &sdev->widget_list, list) {

				if (w->widget->sname &&

				if (!WIDGET_IS_DAI(w->id) || !w->widget->sname ||

				    strcmp(w->widget->sname, swidget->widget->sname))

					continue;



				dai = w->private;

				if (dai->type != SOF_DAI_INTEL_ALH)

					continue;

				alh_copier = (struct sof_ipc4_copier *)dai->private;

				alh_data = &alh_copier->data;

				blob->alh_cfg.mapping[i].device = alh_data->gtw_cfg.node_id;