Re: [PATCH 6.11 regression fix] ASoC: Intel: Boards: Fix NULL pointer deref in BYT/CHT boards harder

On 8/23/24 09:42, Hans de Goede wrote:
> Since commit 13f58267cda3 ("ASoC: soc.h: don't create dummy Component
> via COMP_DUMMY()") dummy codecs declared like this:
> 
> SND_SOC_DAILINK_DEF(dummy,
>         DAILINK_COMP_ARRAY(COMP_DUMMY()));
> 
> expand to:
> 
> static struct snd_soc_dai_link_component dummy[] = {
> };
> 
> Which means that dummy is a zero sized array and thus dais[i].codecs should
> not be dereferenced *at all* since it points to the address of the next
> variable stored in the data section as the "dummy" variable has an address
> but no size, so even dereferencing dais[0] is already an out of bounds
> array reference.
> 
> Which means that the if (dais[i].codecs->name) check added in
> commit 7d99a70b6595 ("ASoC: Intel: Boards: Fix NULL pointer deref
> in BYT/CHT boards") relies on that the part of the next variable which
> the name member maps to just happens to be NULL.
> 
> Which apparently so far it usually is, except when it isn't
> and then it results in crashes like this one:
> 
> [   28.795659] BUG: unable to handle page fault for address: 0000000000030011
> ...
> [   28.795780] Call Trace:
> [   28.795787]  <TASK>
> ...
> [   28.795862]  ? strcmp+0x18/0x40
> [   28.795872]  0xffffffffc150c605
> [   28.795887]  platform_probe+0x40/0xa0
> ...
> [   28.795979]  ? __pfx_init_module+0x10/0x10 [snd_soc_sst_bytcr_wm5102]
> 
> Really fix things this time around by checking dais.num_codecs != 0.
> 
> Fixes: 7d99a70b6595 ("ASoC: Intel: Boards: Fix NULL pointer deref in BYT/CHT boards")
> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: Hans de Goede <hdegoede@xxxxxxxxxx>

Reviewed-by: Pierre-Louis Bossart <pierre-louis.bossart@xxxxxxxxxxxxxxx>
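
The check described in the quoted commit message, modelled in user-space C as an added example; it is not part of the patch or of the kernel sources. The struct shapes, the `find_codec_link` helper, the `DUMMY_CODECS` macro and the sample data are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Simplified stand-ins for the ASoC structures (assumed shapes). */
struct link_component {
    const char *name;
};

struct dai_link {
    const struct link_component *codecs; /* may point at zero elements */
    unsigned int num_codecs;             /* valid entries behind codecs */
};

/* Constructed sample data; the codec name is made up. */
static const struct link_component real_codec[] = {
    { .name = "example-codec" },
};

/* One past the end of real_codec models the zero-sized "dummy" array:
 * a valid, non-NULL address with no element behind it. */
#define DUMMY_CODECS (real_codec + 1)

static const struct dai_link sample_links[] = {
    { .codecs = DUMMY_CODECS, .num_codecs = 0 },
    { .codecs = DUMMY_CODECS, .num_codecs = 0 },
    { .codecs = real_codec,   .num_codecs = 1 },
};

/* Return the index of the first link whose first codec is named
 * codec_name, or -1. num_codecs is tested before codecs[0] is read;
 * a NULL test on codecs or codecs->name cannot detect an empty array. */
static int find_codec_link(const struct dai_link *links, size_t n,
                           const char *codec_name)
{
    for (size_t i = 0; i < n; i++) {
        if (links[i].num_codecs == 0)
            continue; /* nothing to read: skip without dereferencing */
        if (links[i].codecs->name &&
            strcmp(links[i].codecs->name, codec_name) == 0)
            return (int)i;
    }
    return -1;
}

int main(void)
{
    /* Exit status 0 when the only populated link (index 2) is found. */
    return find_codec_link(sample_links, 3, "example-codec") == 2 ? 0 : 1;
}
```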



