From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev,
Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>,
Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>,
Vinod Koul <vkoul@kernel.org>
Subject: [PATCH 5.10 48/62] soundwire: stream: fix NULL pointer dereference for multi_link
Date: Mon, 18 Dec 2023 14:52:12 +0100 [thread overview]
Message-ID: <20231218135048.369726725@linuxfoundation.org> (raw)
In-Reply-To: <20231218135046.178317233@linuxfoundation.org>
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
commit e199bf52ffda8f98f129728d57244a9cd9ad5623 upstream.
If bus is marked as multi_link, but number of masters in the stream is
not higher than bus->hw_sync_min_links (bus->multi_link && m_rt_count >=
bus->hw_sync_min_links), bank switching should not happen. The first
part of do_bank_switch() code properly takes these conditions into
account, but second part (sdw_ml_sync_bank_switch()) relies purely on
bus->multi_link property. This is not balanced and leads to NULL
pointer dereference:
Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
...
Call trace:
wait_for_completion_timeout+0x124/0x1f0
do_bank_switch+0x370/0x6f8
sdw_prepare_stream+0x2d0/0x438
qcom_snd_sdw_prepare+0xa0/0x118
sm8450_snd_prepare+0x128/0x148
snd_soc_link_prepare+0x5c/0xe8
__soc_pcm_prepare+0x28/0x1ec
dpcm_be_dai_prepare+0x1e0/0x2c0
dpcm_fe_dai_prepare+0x108/0x28c
snd_pcm_do_prepare+0x44/0x68
snd_pcm_action_single+0x54/0xc0
snd_pcm_action_nonatomic+0xe4/0xec
snd_pcm_prepare+0xc4/0x114
snd_pcm_common_ioctl+0x1154/0x1cc0
snd_pcm_ioctl+0x54/0x74
Fixes: ce6e74d008ff ("soundwire: Add support for multi link bank switch")
Cc: stable@vger.kernel.org
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Reviewed-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
Link: https://lore.kernel.org/r/20231124180136.390621-1-krzysztof.kozlowski@linaro.org
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/soundwire/stream.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
--- a/drivers/soundwire/stream.c
+++ b/drivers/soundwire/stream.c
@@ -724,14 +724,15 @@ error_1:
* sdw_ml_sync_bank_switch: Multilink register bank switch
*
* @bus: SDW bus instance
+ * @multi_link: whether this is a multi-link stream with hardware-based sync
*
* Caller function should free the buffers on error
*/
-static int sdw_ml_sync_bank_switch(struct sdw_bus *bus)
+static int sdw_ml_sync_bank_switch(struct sdw_bus *bus, bool multi_link)
{
unsigned long time_left;
- if (!bus->multi_link)
+ if (!multi_link)
return 0;
/* Wait for completion of transfer */
@@ -827,7 +828,7 @@ static int do_bank_switch(struct sdw_str
bus->bank_switch_timeout = DEFAULT_BANK_SWITCH_TIMEOUT;
/* Check if bank switch was successful */
- ret = sdw_ml_sync_bank_switch(bus);
+ ret = sdw_ml_sync_bank_switch(bus, multi_link);
if (ret < 0) {
dev_err(bus->dev,
"multi link bank switch failed: %d\n", ret);
next prev parent reply other threads:[~2023-12-18 14:09 UTC|newest]
Thread overview: 67+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-12-18 13:51 [PATCH 5.10 00/62] 5.10.205-rc1 review Greg Kroah-Hartman
2023-12-18 13:51 ` [PATCH 5.10 01/62] netfilter: nf_tables: fix exist matching on bigendian arches Greg Kroah-Hartman
2023-12-18 13:51 ` [PATCH 5.10 02/62] afs: Fix refcount underflow from error handling race Greg Kroah-Hartman
2023-12-18 13:51 ` [PATCH 5.10 03/62] HID: lenovo: Restrict detection of patched firmware only to USB cptkbd Greg Kroah-Hartman
2023-12-18 13:51 ` [PATCH 5.10 04/62] net: ipv6: support reporting otherwise unknown prefix flags in RTM_NEWPREFIX Greg Kroah-Hartman
2023-12-18 13:51 ` [PATCH 5.10 05/62] qca_debug: Prevent crash on TX ring changes Greg Kroah-Hartman
2023-12-18 13:51 ` [PATCH 5.10 06/62] qca_debug: Fix ethtool -G iface tx behavior Greg Kroah-Hartman
2023-12-18 13:51 ` [PATCH 5.10 07/62] qca_spi: Fix reset behavior Greg Kroah-Hartman
2023-12-18 13:51 ` [PATCH 5.10 08/62] atm: solos-pci: Fix potential deadlock on &cli_queue_lock Greg Kroah-Hartman
2023-12-18 13:51 ` [PATCH 5.10 09/62] atm: solos-pci: Fix potential deadlock on &tx_queue_lock Greg Kroah-Hartman
2023-12-18 13:51 ` [PATCH 5.10 10/62] net: vlan: introduce skb_vlan_eth_hdr() Greg Kroah-Hartman
2023-12-18 13:51 ` [PATCH 5.10 11/62] net: fec: correct queue selection Greg Kroah-Hartman
2023-12-18 13:51 ` [PATCH 5.10 12/62] atm: Fix Use-After-Free in do_vcc_ioctl Greg Kroah-Hartman
2023-12-18 13:51 ` [PATCH 5.10 13/62] net/rose: Fix Use-After-Free in rose_ioctl Greg Kroah-Hartman
2023-12-18 13:51 ` [PATCH 5.10 14/62] qed: Fix a potential use-after-free in qed_cxt_tables_alloc Greg Kroah-Hartman
2023-12-18 13:51 ` [PATCH 5.10 15/62] net: Remove acked SYN flag from packet in the transmit queue correctly Greg Kroah-Hartman
2023-12-18 13:51 ` [PATCH 5.10 16/62] net: ena: Destroy correct number of xdp queues upon failure Greg Kroah-Hartman
2023-12-18 13:51 ` [PATCH 5.10 17/62] net: ena: Fix XDP redirection error Greg Kroah-Hartman
2023-12-18 13:51 ` [PATCH 5.10 18/62] sign-file: Fix incorrect return values check Greg Kroah-Hartman
2023-12-18 13:51 ` [PATCH 5.10 19/62] vsock/virtio: Fix unsigned integer wrap around in virtio_transport_has_space() Greg Kroah-Hartman
2023-12-18 13:51 ` [PATCH 5.10 20/62] net: stmmac: use dev_err_probe() for reporting mdio bus registration failure Greg Kroah-Hartman
2023-12-18 13:51 ` [PATCH 5.10 21/62] net: stmmac: Handle disabled MDIO busses from devicetree Greg Kroah-Hartman
2023-12-18 13:51 ` [PATCH 5.10 22/62] appletalk: Fix Use-After-Free in atalk_ioctl Greg Kroah-Hartman
2023-12-18 13:51 ` [PATCH 5.10 23/62] net: atlantic: fix double free in ring reinit logic Greg Kroah-Hartman
2023-12-18 13:51 ` [PATCH 5.10 24/62] cred: switch to using atomic_long_t Greg Kroah-Hartman
2023-12-18 13:51 ` [PATCH 5.10 25/62] fuse: dax: set fc->dax to NULL in fuse_dax_conn_free() Greg Kroah-Hartman
2023-12-18 13:51 ` [PATCH 5.10 26/62] ALSA: hda/hdmi: add force-connect quirks for ASUSTeK Z170 variants Greg Kroah-Hartman
2023-12-18 13:51 ` [PATCH 5.10 27/62] ALSA: hda/realtek: Apply mute LED quirk for HP15-db Greg Kroah-Hartman
2023-12-18 13:51 ` [PATCH 5.10 28/62] Revert "PCI: acpiphp: Reassign resources on bridge if necessary" Greg Kroah-Hartman
2023-12-18 13:51 ` [PATCH 5.10 29/62] PCI: loongson: Limit MRRS to 256 Greg Kroah-Hartman
2023-12-18 13:51 ` [PATCH 5.10 30/62] drm/atomic: Pass the full state to CRTC atomic begin and flush Greg Kroah-Hartman
2023-12-18 13:51 ` [PATCH 5.10 31/62] drm: Use state helper instead of CRTC state pointer Greg Kroah-Hartman
2023-12-18 13:51 ` [PATCH 5.10 32/62] drm/mediatek: Add spinlock for setting vblank event in atomic_begin Greg Kroah-Hartman
2023-12-18 13:51 ` [PATCH 5.10 33/62] usb: aqc111: check packet for fixup for true limit Greg Kroah-Hartman
2023-12-18 13:51 ` [PATCH 5.10 34/62] blk-throttle: fix lockdep warning of "cgroup_mutex or RCU read lock required!" Greg Kroah-Hartman
2023-12-18 13:51 ` [PATCH 5.10 35/62] bcache: avoid oversize memory allocation by small stripe_size Greg Kroah-Hartman
2023-12-18 13:52 ` [PATCH 5.10 36/62] bcache: remove redundant assignment to variable cur_idx Greg Kroah-Hartman
2023-12-18 13:52 ` [PATCH 5.10 37/62] bcache: add code comments for bch_btree_node_get() and __bch_btree_node_alloc() Greg Kroah-Hartman
2023-12-18 13:52 ` [PATCH 5.10 38/62] bcache: avoid NULL checking to c->root in run_cache_set() Greg Kroah-Hartman
2023-12-18 13:52 ` [PATCH 5.10 39/62] platform/x86: intel_telemetry: Fix kernel doc descriptions Greg Kroah-Hartman
2023-12-18 13:52 ` [PATCH 5.10 40/62] HID: glorious: fix Glorious Model I HID report Greg Kroah-Hartman
2023-12-18 13:52 ` [PATCH 5.10 41/62] HID: add ALWAYS_POLL quirk for Apple kb Greg Kroah-Hartman
2023-12-18 13:52 ` [PATCH 5.10 42/62] HID: hid-asus: reset the backlight brightness level on resume Greg Kroah-Hartman
2023-12-18 13:52 ` [PATCH 5.10 43/62] HID: multitouch: Add quirk for HONOR GLO-GXXX touchpad Greg Kroah-Hartman
2023-12-18 13:52 ` [PATCH 5.10 44/62] asm-generic: qspinlock: fix queued_spin_value_unlocked() implementation Greg Kroah-Hartman
2023-12-18 13:52 ` [PATCH 5.10 45/62] net: usb: qmi_wwan: claim interface 4 for ZTE MF290 Greg Kroah-Hartman
2023-12-18 13:52 ` [PATCH 5.10 46/62] HID: hid-asus: add const to read-only outgoing usb buffer Greg Kroah-Hartman
2023-12-18 13:52 ` [PATCH 5.10 47/62] perf: Fix perf_event_validate_size() lockdep splat Greg Kroah-Hartman
2023-12-18 13:52 ` Greg Kroah-Hartman [this message]
2023-12-18 13:52 ` [PATCH 5.10 49/62] ext4: prevent the normalized size from exceeding EXT_MAX_BLOCKS Greg Kroah-Hartman
2023-12-18 13:52 ` [PATCH 5.10 50/62] arm64: mm: Always make sw-dirty PTEs hw-dirty in pte_modify Greg Kroah-Hartman
2023-12-18 13:52 ` [PATCH 5.10 51/62] team: Fix use-after-free when an option instance allocation fails Greg Kroah-Hartman
2023-12-18 13:52 ` [PATCH 5.10 52/62] ring-buffer: Fix memory leak of free page Greg Kroah-Hartman
2023-12-18 13:52 ` [PATCH 5.10 53/62] tracing: Update snapshot buffer on resize if it is allocated Greg Kroah-Hartman
2023-12-18 13:52 ` [PATCH 5.10 54/62] ring-buffer: Have saved event hold the entire event Greg Kroah-Hartman
2023-12-18 13:52 ` [PATCH 5.10 55/62] ring-buffer: Fix writing to the buffer with max_data_size Greg Kroah-Hartman
2023-12-18 13:52 ` [PATCH 5.10 56/62] ring-buffer: Fix a race in rb_time_cmpxchg() for 32 bit archs Greg Kroah-Hartman
2023-12-18 13:52 ` [PATCH 5.10 57/62] USB: gadget: core: adjust uevent timing on gadget unbind Greg Kroah-Hartman
2023-12-18 13:52 ` [PATCH 5.10 58/62] tty: n_gsm: fix tty registration before control channel open Greg Kroah-Hartman
2023-12-18 13:52 ` [PATCH 5.10 59/62] tty: n_gsm, remove duplicates of parameters Greg Kroah-Hartman
2023-12-18 13:52 ` [PATCH 5.10 60/62] tty: n_gsm: add sanity check for gsm->receive in gsm_receive_buf() Greg Kroah-Hartman
2023-12-18 13:52 ` [PATCH 5.10 61/62] powerpc/ftrace: Create a dummy stackframe to fix stack unwind Greg Kroah-Hartman
2023-12-18 13:52 ` [PATCH 5.10 62/62] powerpc/ftrace: Fix stack teardown in ftrace_no_trace Greg Kroah-Hartman
2023-12-18 15:24 ` [PATCH 5.10 00/62] 5.10.205-rc1 review Naresh Kamboju
2023-12-19 0:54 ` Dominique Martinet
2023-12-19 7:29 ` Greg Kroah-Hartman
2023-12-21 15:50 ` Shuah Khan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20231218135048.369726725@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=krzysztof.kozlowski@linaro.org \
--cc=patches@lists.linux.dev \
--cc=pierre-louis.bossart@linux.intel.com \
--cc=stable@vger.kernel.org \
--cc=vkoul@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.