[PATCH openEuler-22.03-LTS-SP1] ALSA: hda: Do not unset preset when cleaning up codec - Kernel

29 May 2024

From: Cezary Rojewski cezary.rojewski@intel.com
stable inclusion
from stable-v5.10.169
commit 7fc4e7191eae9d9325511e03deadfdb2224914f8
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I9R4NC
CVE: CVE-2023-52736
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=...
----------------------------------------------------
[ Upstream commit 87978e6ad45a16835cc58234451111091be3c59a ]
Several functions that take part in codec's initialization and removal
are re-used by ASoC codec drivers implementations. Drivers mimic the
behavior of hda_codec_driver_probe/remove() found in
sound/pci/hda/hda_bind.c with their component->probe/remove() instead.
One of the reasons for that is the expectation of
snd_hda_codec_device_new() to receive a valid pointer to an instance of
struct snd_card. This expectation can be met only once sound card
components probing commences.
As ASoC sound card may be unbound without codec device being actually
removed from the system, unsetting ->preset in
snd_hda_codec_cleanup_for_unbind() interferes with module unload -> load
scenario causing null-ptr-deref. Preset is assigned only once, during
device/driver matching whereas ASoC codec driver's module reloading may
occur several times throughout the lifetime of an audio stack.
Suggested-by: Takashi Iwai tiwai@suse.com
Signed-off-by: Cezary Rojewski cezary.rojewski@intel.com
Link: https://lore.kernel.org/r/20230119143235.1159814-1-cezary.rojewski@intel.com
Signed-off-by: Takashi Iwai tiwai@suse.de
Signed-off-by: Sasha Levin sashal@kernel.org
Signed-off-by: zhaoxiaoqiang11 zhaoxiaoqiang11@jd.com
Signed-off-by: Ye Bin yebin10@huawei.com
---
 sound/pci/hda/hda_bind.c  | 2 ++
 sound/pci/hda/hda_codec.c | 1 -
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/sound/pci/hda/hda_bind.c b/sound/pci/hda/hda_bind.c
index 4efbcc41fdfb..0a83afa5f373 100644
--- a/sound/pci/hda/hda_bind.c
+++ b/sound/pci/hda/hda_bind.c
@@ -143,6 +143,7 @@ static int hda_codec_driver_probe(struct device *dev)
error:
    snd_hda_codec_cleanup_for_unbind(codec);
+	codec->preset = NULL;
    return err;
 }
@@ -159,6 +160,7 @@ static int hda_codec_driver_remove(struct device *dev)
    if (codec->patch_ops.free)
    	codec->patch_ops.free(codec);
    snd_hda_codec_cleanup_for_unbind(codec);
+	codec->preset = NULL;
    module_put(dev->driver->owner);
    return 0;
 }
diff --git a/sound/pci/hda/hda_codec.c b/sound/pci/hda/hda_codec.c
index 39281106477e..fc4a64a83ff2 100644
--- a/sound/pci/hda/hda_codec.c
+++ b/sound/pci/hda/hda_codec.c
@@ -784,7 +784,6 @@ void snd_hda_codec_cleanup_for_unbind(struct hda_codec *codec)
    snd_array_free(&codec->cvt_setups);
    snd_array_free(&codec->spdif_out);
    snd_array_free(&codec->verbs);
-	codec->preset = NULL;
    codec->follower_dig_outs = NULL;
    codec->spdif_status_reset = 0;
    snd_array_free(&codec->mixers);
-- 
2.31.1


    