From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev,
Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>,
Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>,
Vinod Koul <vkoul@kernel.org>
Subject: [PATCH 5.4 33/40] soundwire: stream: fix NULL pointer dereference for multi_link
Date: Mon, 18 Dec 2023 14:52:28 +0100 [thread overview]
Message-ID: <20231218135044.004097116@linuxfoundation.org> (raw)
In-Reply-To: <20231218135042.748715259@linuxfoundation.org>
5.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
commit e199bf52ffda8f98f129728d57244a9cd9ad5623 upstream.
If bus is marked as multi_link, but number of masters in the stream is
not higher than bus->hw_sync_min_links (bus->multi_link && m_rt_count >=
bus->hw_sync_min_links), bank switching should not happen. The first
part of do_bank_switch() code properly takes these conditions into
account, but second part (sdw_ml_sync_bank_switch()) relies purely on
bus->multi_link property. This is not balanced and leads to NULL
pointer dereference:
Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
...
Call trace:
wait_for_completion_timeout+0x124/0x1f0
do_bank_switch+0x370/0x6f8
sdw_prepare_stream+0x2d0/0x438
qcom_snd_sdw_prepare+0xa0/0x118
sm8450_snd_prepare+0x128/0x148
snd_soc_link_prepare+0x5c/0xe8
__soc_pcm_prepare+0x28/0x1ec
dpcm_be_dai_prepare+0x1e0/0x2c0
dpcm_fe_dai_prepare+0x108/0x28c
snd_pcm_do_prepare+0x44/0x68
snd_pcm_action_single+0x54/0xc0
snd_pcm_action_nonatomic+0xe4/0xec
snd_pcm_prepare+0xc4/0x114
snd_pcm_common_ioctl+0x1154/0x1cc0
snd_pcm_ioctl+0x54/0x74
Fixes: ce6e74d008ff ("soundwire: Add support for multi link bank switch")
Cc: stable@vger.kernel.org
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Reviewed-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
Link: https://lore.kernel.org/r/20231124180136.390621-1-krzysztof.kozlowski@linaro.org
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/soundwire/stream.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
--- a/drivers/soundwire/stream.c
+++ b/drivers/soundwire/stream.c
@@ -709,14 +709,15 @@ error_1:
* sdw_ml_sync_bank_switch: Multilink register bank switch
*
* @bus: SDW bus instance
+ * @multi_link: whether this is a multi-link stream with hardware-based sync
*
* Caller function should free the buffers on error
*/
-static int sdw_ml_sync_bank_switch(struct sdw_bus *bus)
+static int sdw_ml_sync_bank_switch(struct sdw_bus *bus, bool multi_link)
{
unsigned long time_left;
- if (!bus->multi_link)
+ if (!multi_link)
return 0;
/* Wait for completion of transfer */
@@ -809,7 +810,7 @@ static int do_bank_switch(struct sdw_str
bus->bank_switch_timeout = DEFAULT_BANK_SWITCH_TIMEOUT;
/* Check if bank switch was successful */
- ret = sdw_ml_sync_bank_switch(bus);
+ ret = sdw_ml_sync_bank_switch(bus, multi_link);
if (ret < 0) {
dev_err(bus->dev,
"multi link bank switch failed: %d\n", ret);
next prev parent reply other threads:[~2023-12-18 14:11 UTC|newest]
Thread overview: 46+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-12-18 13:51 [PATCH 5.4 00/40] 5.4.265-rc1 review Greg Kroah-Hartman
2023-12-18 13:51 ` [PATCH 5.4 01/40] afs: Fix refcount underflow from error handling race Greg Kroah-Hartman
2023-12-18 13:51 ` [PATCH 5.4 02/40] net: ipv6: support reporting otherwise unknown prefix flags in RTM_NEWPREFIX Greg Kroah-Hartman
2023-12-18 13:51 ` [PATCH 5.4 03/40] qca_debug: Prevent crash on TX ring changes Greg Kroah-Hartman
2023-12-18 13:51 ` [PATCH 5.4 04/40] qca_debug: Fix ethtool -G iface tx behavior Greg Kroah-Hartman
2023-12-18 13:52 ` [PATCH 5.4 05/40] qca_spi: Fix reset behavior Greg Kroah-Hartman
2023-12-18 13:52 ` [PATCH 5.4 06/40] atm: solos-pci: Fix potential deadlock on &cli_queue_lock Greg Kroah-Hartman
2023-12-18 13:52 ` [PATCH 5.4 07/40] atm: solos-pci: Fix potential deadlock on &tx_queue_lock Greg Kroah-Hartman
2023-12-18 13:52 ` [PATCH 5.4 08/40] atm: Fix Use-After-Free in do_vcc_ioctl Greg Kroah-Hartman
2023-12-18 13:52 ` [PATCH 5.4 09/40] net/rose: Fix Use-After-Free in rose_ioctl Greg Kroah-Hartman
2023-12-18 13:52 ` [PATCH 5.4 10/40] qed: Fix a potential use-after-free in qed_cxt_tables_alloc Greg Kroah-Hartman
2023-12-18 13:52 ` [PATCH 5.4 11/40] net: Remove acked SYN flag from packet in the transmit queue correctly Greg Kroah-Hartman
2023-12-18 13:52 ` [PATCH 5.4 12/40] sign-file: Fix incorrect return values check Greg Kroah-Hartman
2023-12-18 13:52 ` [PATCH 5.4 13/40] vsock/virtio: Fix unsigned integer wrap around in virtio_transport_has_space() Greg Kroah-Hartman
2023-12-18 13:52 ` [PATCH 5.4 14/40] net: stmmac: use dev_err_probe() for reporting mdio bus registration failure Greg Kroah-Hartman
2023-12-18 13:52 ` [PATCH 5.4 15/40] net: stmmac: Handle disabled MDIO busses from devicetree Greg Kroah-Hartman
2023-12-18 13:52 ` [PATCH 5.4 16/40] appletalk: Fix Use-After-Free in atalk_ioctl Greg Kroah-Hartman
2023-12-18 13:52 ` [PATCH 5.4 17/40] cred: switch to using atomic_long_t Greg Kroah-Hartman
2023-12-18 13:52 ` [PATCH 5.4 18/40] ALSA: hda/hdmi: add force-connect quirks for ASUSTeK Z170 variants Greg Kroah-Hartman
2023-12-18 13:52 ` [PATCH 5.4 19/40] Revert "PCI: acpiphp: Reassign resources on bridge if necessary" Greg Kroah-Hartman
2023-12-18 13:52 ` [PATCH 5.4 20/40] usb: aqc111: check packet for fixup for true limit Greg Kroah-Hartman
2023-12-18 13:52 ` [PATCH 5.4 21/40] blk-throttle: fix lockdep warning of "cgroup_mutex or RCU read lock required!" Greg Kroah-Hartman
2023-12-18 13:52 ` [PATCH 5.4 22/40] bcache: avoid oversize memory allocation by small stripe_size Greg Kroah-Hartman
2023-12-18 13:52 ` [PATCH 5.4 23/40] bcache: add code comments for bch_btree_node_get() and __bch_btree_node_alloc() Greg Kroah-Hartman
2023-12-18 13:52 ` [PATCH 5.4 24/40] bcache: avoid NULL checking to c->root in run_cache_set() Greg Kroah-Hartman
2023-12-18 13:52 ` [PATCH 5.4 25/40] platform/x86: intel_telemetry: Fix kernel doc descriptions Greg Kroah-Hartman
2023-12-18 13:52 ` [PATCH 5.4 26/40] HID: add ALWAYS_POLL quirk for Apple kb Greg Kroah-Hartman
2023-12-18 13:52 ` [PATCH 5.4 27/40] HID: hid-asus: reset the backlight brightness level on resume Greg Kroah-Hartman
2023-12-18 13:52 ` [PATCH 5.4 28/40] HID: multitouch: Add quirk for HONOR GLO-GXXX touchpad Greg Kroah-Hartman
2023-12-18 13:52 ` [PATCH 5.4 29/40] asm-generic: qspinlock: fix queued_spin_value_unlocked() implementation Greg Kroah-Hartman
2023-12-18 13:52 ` [PATCH 5.4 30/40] net: usb: qmi_wwan: claim interface 4 for ZTE MF290 Greg Kroah-Hartman
2023-12-18 13:52 ` [PATCH 5.4 31/40] HID: hid-asus: add const to read-only outgoing usb buffer Greg Kroah-Hartman
2023-12-18 13:52 ` [PATCH 5.4 32/40] perf: Fix perf_event_validate_size() lockdep splat Greg Kroah-Hartman
2023-12-18 13:52 ` Greg Kroah-Hartman [this message]
2023-12-18 13:52 ` [PATCH 5.4 34/40] ext4: prevent the normalized size from exceeding EXT_MAX_BLOCKS Greg Kroah-Hartman
2023-12-18 13:52 ` [PATCH 5.4 35/40] arm64: mm: Always make sw-dirty PTEs hw-dirty in pte_modify Greg Kroah-Hartman
2023-12-18 13:52 ` [PATCH 5.4 36/40] team: Fix use-after-free when an option instance allocation fails Greg Kroah-Hartman
2023-12-18 13:52 ` [PATCH 5.4 37/40] ring-buffer: Fix memory leak of free page Greg Kroah-Hartman
2023-12-18 13:52 ` [PATCH 5.4 38/40] mmc: block: Be sure to wait while busy in CQE error recovery Greg Kroah-Hartman
2023-12-18 13:52 ` [PATCH 5.4 39/40] powerpc/ftrace: Create a dummy stackframe to fix stack unwind Greg Kroah-Hartman
2023-12-18 13:52 ` [PATCH 5.4 40/40] powerpc/ftrace: Fix stack teardown in ftrace_no_trace Greg Kroah-Hartman
2023-12-19 0:03 ` [PATCH 5.4 00/40] 5.4.265-rc1 review Shuah Khan
2023-12-19 6:19 ` Harshit Mogalapalli
2023-12-19 9:08 ` Naresh Kamboju
2023-12-19 11:30 ` Jon Hunter
2023-12-19 20:52 ` Florian Fainelli
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20231218135044.004097116@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=krzysztof.kozlowski@linaro.org \
--cc=patches@lists.linux.dev \
--cc=pierre-louis.bossart@linux.intel.com \
--cc=stable@vger.kernel.org \
--cc=vkoul@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.