Patch "ASoC: amd: acp: Fix possible UAF in acp_dma_open" has been added to the 6.1-stable tree

This is a note to let you know that I've just added the patch titled

    ASoC: amd: acp: Fix possible UAF in acp_dma_open

to the 6.1-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     asoc-amd-acp-fix-possible-uaf-in-acp_dma_open.patch
and it can be found in the queue-6.1 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 6aaad779dc133143ead38009bc7469bf6a9d343f
Author: Gaosheng Cui <cuigaosheng1@xxxxxxxxxx>
Date:   Fri Nov 18 11:00:56 2022 +0800

    ASoC: amd: acp: Fix possible UAF in acp_dma_open
    
    [ Upstream commit 3420fdb8ae99f0a08d78d2b80f42a71971cf478d ]
    
    Smatch report warning as follows:
    
    sound/soc/amd/acp/acp-platform.c:199 acp_dma_open() warn:
      '&stream->list' not removed from list
    
    If snd_pcm_hw_constraint_integer() fails in acp_dma_open(),
    stream will be freed, but stream->list will not be removed from
    adata->stream_list, then list traversal may cause UAF.
    
    Fix by adding the newly allocated stream to the list once it's fully
    initialised.
    
    Fixes: 7929985cfe36 ("ASoC: amd: acp: Initialize list to store acp_stream during pcm_open")
    Signed-off-by: Gaosheng Cui <cuigaosheng1@xxxxxxxxxx>
    Link: https://lore.kernel.org/r/20221118030056.3135960-1-cuigaosheng1@xxxxxxxxxx
    Signed-off-by: Mark Brown <broonie@xxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/sound/soc/amd/acp/acp-platform.c b/sound/soc/amd/acp/acp-platform.c
index 85a81add4ef9..447612a7a762 100644
--- a/sound/soc/amd/acp/acp-platform.c
+++ b/sound/soc/amd/acp/acp-platform.c
@@ -184,10 +184,6 @@ static int acp_dma_open(struct snd_soc_component *component, struct snd_pcm_subs
 
 	stream->substream = substream;
 
-	spin_lock_irq(&adata->acp_lock);
-	list_add_tail(&stream->list, &adata->stream_list);
-	spin_unlock_irq(&adata->acp_lock);
-
 	if (substream->stream == SNDRV_PCM_STREAM_PLAYBACK)
 		runtime->hw = acp_pcm_hardware_playback;
 	else
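Review bot: with the locked list_add_tail() removed from just after `stream->substream = substream;`, the stream is no longer reachable through adata->stream_list for the rest of acp_dma_open(), so any code between this point and the new insertion site that looks the stream up through the list would now miss it. The context visible here (the runtime->hw assignment) does not do that, but the lines between the two hunks are not shown and are worth checking. A one-line comment at the new site, saying the stream is linked only after every failure point, would keep a later edit from moving the insertion back up.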
@@ -203,6 +199,10 @@ static int acp_dma_open(struct snd_soc_component *component, struct snd_pcm_subs
 
 	writel(1, ACP_EXTERNAL_INTR_ENB(adata));
 
+	spin_lock_irq(&adata->acp_lock);
+	list_add_tail(&stream->list, &adata->stream_list);
+	spin_unlock_irq(&adata->acp_lock);
+
 	return ret;
 }
 
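Review bot: the re-added list_add_tail() lands after `writel(1, ACP_EXTERNAL_INTR_ENB(adata));`, which leaves a short window in which the write to ACP_EXTERNAL_INTR_ENB has been issued but the stream is not yet on adata->stream_list. If the interrupt path walks that list, consider placing the locked insertion before the writel(), or state in the commit message why the window is harmless. The insertion is also unconditional ahead of `return ret;`, so confirm that ret cannot carry an error at this point; otherwise the caller would see a failure while the stream stays linked.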


