From: Aleksei Vetrov vvvvvv@google.com
stable inclusion from stable-v6.11.7 commit c549cb66e8de0ba1936fc97a59f0156741d3492a category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IB5KRC CVE: CVE-2024-53045
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=...
----------------------------------------------------------------------
[ Upstream commit 2ef9439f7a19fd3d43b288d38b1c6e55b668a4fe ]
The widgets array in the snd_soc_dapm_widget_list has a __counted_by attribute attached to it, which points to the num_widgets variable. This attribute is used in bounds checking, and if it is not set before the array is filled, then the bounds sanitizer will issue a warning or a kernel panic if CONFIG_UBSAN_TRAP is set.
This patch sets the size of the widgets list calculated with list_for_each as the initial value for num_widgets as it is used for allocating memory for the array. It is updated with the actual number of added elements after the array is filled.
Signed-off-by: Aleksei Vetrov vvvvvv@google.com Fixes: 80e698e2df5b ("ASoC: soc-dapm: Annotate struct snd_soc_dapm_widget_list with __counted_by") Link: https://patch.msgid.link/20241028-soc-dapm-bounds-checker-fix-v1-1-262b0394e... Signed-off-by: Mark Brown broonie@kernel.org Signed-off-by: Sasha Levin sashal@kernel.org Signed-off-by:WangJinchaowangjinchao@xfusion.com --- sound/soc/soc-dapm.c | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/sound/soc/soc-dapm.c b/sound/soc/soc-dapm.c index e39df5d10b07..1647b24ca34d 100644 --- a/sound/soc/soc-dapm.c +++ b/sound/soc/soc-dapm.c @@ -1147,6 +1147,8 @@ static int dapm_widget_list_create(struct snd_soc_dapm_widget_list **list, if (*list == NULL) return -ENOMEM;
+ (*list)->num_widgets = size; + list_for_each_entry(w, widgets, work_list) (*list)->widgets[i++] = w;