From: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com> mainline inclusion from mainline-v6.9-rc1 commit 743eb6c68d3534e01e73d316ddcaa7334c0e29d3 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBWVJF CVE: CVE-2025-21870 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i... -------------------------------- For dspless mode, we need to allocate and store an 'sdai' structure. The existing code allocate the data on the stack and does not set the widget->private pointer. This minor change should not have any impact on existing DAIs, even when the DSP is used. Signed-off-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com> Reviewed-by: Péter Ujfalusi <peter.ujfalusi@linux.intel.com> Reviewed-by: Bard Liao <yung-chuan.liao@linux.intel.com> Signed-off-by: Peter Ujfalusi <peter.ujfalusi@linux.intel.com> Link: https://msgid.link/r/20240213101247.28887-10-peter.ujfalusi@linux.intel.com Signed-off-by: Mark Brown <broonie@kernel.org> Signed-off-by: Xiaomeng Zhang <zhangxiaomeng13@huawei.com> --- sound/soc/sof/sof-audio.c | 8 +++----- sound/soc/sof/topology.c | 13 ++++++++++--- 2 files changed, 13 insertions(+), 8 deletions(-) diff --git a/sound/soc/sof/sof-audio.c b/sound/soc/sof/sof-audio.c index 516262583472..ffd4a0e328c1 100644 --- a/sound/soc/sof/sof-audio.c +++ b/sound/soc/sof/sof-audio.c @@ -47,7 +47,6 @@ static int sof_widget_free_unlocked(struct snd_sof_dev *sdev, { const struct sof_ipc_tplg_ops *tplg_ops = sof_ipc_get_ops(sdev, tplg); struct snd_sof_pipeline *spipe = swidget->spipe; - struct snd_sof_widget *pipe_widget; int err = 0; int ret; @@ -60,8 +59,6 @@ static int sof_widget_free_unlocked(struct snd_sof_dev *sdev, if (--swidget->use_count) return 0; - pipe_widget = swidget->spipe->pipe_widget; - /* reset route setup status for all routes that contain this widget */ sof_reset_route_setup_status(sdev, swidget); @@ -110,8 +107,9 @@ static int sof_widget_free_unlocked(struct snd_sof_dev *sdev, * free the scheduler widget (same as pipe_widget) associated with the current swidget. * skip for static pipelines */ - if (swidget->dynamic_pipeline_widget && swidget->id != snd_soc_dapm_scheduler) { - ret = sof_widget_free_unlocked(sdev, pipe_widget); + if (swidget->spipe && swidget->dynamic_pipeline_widget && + swidget->id != snd_soc_dapm_scheduler) { + ret = sof_widget_free_unlocked(sdev, swidget->spipe->pipe_widget); if (ret < 0 && !err) err = ret; } diff --git a/sound/soc/sof/topology.c b/sound/soc/sof/topology.c index cf1e63daad86..1165fd2560bc 100644 --- a/sound/soc/sof/topology.c +++ b/sound/soc/sof/topology.c @@ -2347,23 +2347,29 @@ static int sof_dspless_widget_ready(struct snd_soc_component *scomp, int index, if (WIDGET_IS_DAI(w->id)) { struct snd_sof_dev *sdev = snd_soc_component_get_drvdata(scomp); struct snd_sof_widget *swidget; - struct snd_sof_dai dai; + struct snd_sof_dai *sdai; int ret; swidget = kzalloc(sizeof(*swidget), GFP_KERNEL); if (!swidget) return -ENOMEM; - memset(&dai, 0, sizeof(dai)); + sdai = kzalloc(sizeof(*sdai), GFP_KERNEL); + if (!sdai) { + kfree(swidget); + return -ENOMEM; + } - ret = sof_connect_dai_widget(scomp, w, tw, &dai); + ret = sof_connect_dai_widget(scomp, w, tw, sdai); if (ret) { kfree(swidget); + kfree(sdai); return ret; } swidget->scomp = scomp; swidget->widget = w; + swidget->private = sdai; mutex_init(&swidget->setup_mutex); w->dobj.private = swidget; list_add(&swidget->list, &sdev->widget_list); @@ -2387,6 +2393,7 @@ static int sof_dspless_widget_unload(struct snd_soc_component *scomp, /* remove and free swidget object */ list_del(&swidget->list); + kfree(swidget->private); kfree(swidget); } -- 2.34.1

From: Peter Ujfalusi <peter.ujfalusi@linux.intel.com> mainline inclusion from mainline-v6.14-rc4 commit 6fd60136d256b3b948333ebdb3835f41a95ab7ef category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBWVJF CVE: CVE-2025-21870 Reference: https://web.git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commi... -------------------------------- Other, non DAI copier widgets could have the same stream name (sname) as the ALH copier and in that case the copier->data is NULL, no alh_data is attached, which could lead to NULL pointer dereference. We could check for this NULL pointer in sof_ipc4_prepare_copier_module() and avoid the crash, but a similar loop in sof_ipc4_widget_setup_comp_dai() will miscalculate the ALH device count, causing broken audio. The correct fix is to harden the matching logic by making sure that the 1. widget is a DAI widget - so dai = w->private is valid 2. the dai (and thus the copier) is ALH copier Fixes: a150345aa758 ("ASoC: SOF: ipc4-topology: add SoundWire/ALH aggregation support") Reported-by: Seppo Ingalsuo <seppo.ingalsuo@linux.intel.com> Closes: https://github.com/thesofproject/sof/pull/9652 Signed-off-by: Peter Ujfalusi <peter.ujfalusi@linux.intel.com> Reviewed-by: Liam Girdwood <liam.r.girdwood@intel.com> Reviewed-by: Ranjani Sridharan <ranjani.sridharan@linux.intel.com> Reviewed-by: Bard Liao <yung-chuan.liao@linux.intel.com> Link: https://patch.msgid.link/20250206084642.14988-1-peter.ujfalusi@linux.intel.c... Signed-off-by: Mark Brown <broonie@kernel.org> Conflicts: sound/soc/sof/ipc4-topology.c [The conflicts were due to some minor issue.] Signed-off-by: Xiaomeng Zhang <zhangxiaomeng13@huawei.com> --- sound/soc/sof/ipc4-topology.c | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/sound/soc/sof/ipc4-topology.c b/sound/soc/sof/ipc4-topology.c index bbc42887ad4a..144e6f9eb8cd 100644 --- a/sound/soc/sof/ipc4-topology.c +++ b/sound/soc/sof/ipc4-topology.c @@ -577,10 +577,16 @@ static int sof_ipc4_widget_setup_comp_dai(struct snd_sof_widget *swidget) } list_for_each_entry(w, &sdev->widget_list, list) { - if (w->widget->sname && + struct snd_sof_dai *alh_dai; + + if (!WIDGET_IS_DAI(w->id) || !w->widget->sname || strcmp(w->widget->sname, swidget->widget->sname)) continue; + alh_dai = w->private; + if (alh_dai->type != SOF_DAI_INTEL_ALH) + continue; + blob->alh_cfg.device_count++; } @@ -1692,11 +1698,13 @@ sof_ipc4_prepare_copier_module(struct snd_sof_widget *swidget, */ i = 0; list_for_each_entry(w, &sdev->widget_list, list) { - if (w->widget->sname && + if (!WIDGET_IS_DAI(w->id) || !w->widget->sname || strcmp(w->widget->sname, swidget->widget->sname)) continue; dai = w->private; + if (dai->type != SOF_DAI_INTEL_ALH) + continue; alh_copier = (struct sof_ipc4_copier *)dai->private; alh_data = &alh_copier->data; blob->alh_cfg.mapping[i].device = alh_data->gtw_cfg.node_id; -- 2.34.1