ASoC: amd: acp: Fix possible UAF in acp_dma_open

[ Upstream commit 3420fdb ] Smatch report warning as follows: sound/soc/amd/acp/acp-platform.c:199 acp_dma_open() warn: '&stream->list' not removed from list If snd_pcm_hw_constraint_integer() fails in acp_dma_open(), stream will be freed, but stream->list will not be removed from adata->stream_list, then list traversal may cause UAF. Fix by adding the newly allocated stream to the list once it's fully initialised. Fixes: 7929985 ("ASoC: amd: acp: Initialize list to store acp_stream during pcm_open") Signed-off-by: Gaosheng Cui <cuigaosheng1@huawei.com> Link: https://lore.kernel.org/r/20221118030056.3135960-1-cuigaosheng1@huawei.com Signed-off-by: Mark Brown <broonie@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org>
xanmod · Dec 31, 2022 · 38e2a92 · 38e2a92
1 parent 917e58a
commit 38e2a92
Showing 1 changed file with 4 additions and 4 deletions.
diff --git a/sound/soc/amd/acp/acp-platform.c b/sound/soc/amd/acp/acp-platform.c
@@ -184,10 +184,6 @@ static int acp_dma_open(struct snd_soc_component *component, struct snd_pcm_subs
 
 	stream->substream = substream;
 
-	spin_lock_irq(&adata->acp_lock);
-	list_add_tail(&stream->list, &adata->stream_list);
-	spin_unlock_irq(&adata->acp_lock);
-
 	if (substream->stream == SNDRV_PCM_STREAM_PLAYBACK)
 		runtime->hw = acp_pcm_hardware_playback;
 	else
@@ -203,6 +199,10 @@ static int acp_dma_open(struct snd_soc_component *component, struct snd_pcm_subs
 
 	writel(1, ACP_EXTERNAL_INTR_ENB(adata));
 
+	spin_lock_irq(&adata->acp_lock);
+	list_add_tail(&stream->list, &adata->stream_list);
+	spin_unlock_irq(&adata->acp_lock);
+
 	return ret;
 }