[PATCH AUTOSEL 6.6 05/33] ASoC: topology: Fix references to freed memory

From: Sasha Levin
Date: Tue Jul 09 2024 - 12:33:39 EST


From: Amadeusz Sławiński <amadeuszx.slawinski@xxxxxxxxxxxxxxx>

[ Upstream commit 97ab304ecd95c0b1703ff8c8c3956dc6e2afe8e1 ]

Most users after parsing a topology file, release memory used by it, so
having pointer references directly into topology file contents is wrong.
Use devm_kmemdup(), to allocate memory as needed.

Reported-by: Jason Montleon <jmontleo@xxxxxxxxxx>
Link: https://github.com/thesofproject/avs-topology-xml/issues/22#issuecomment-2127892605
Reviewed-by: Cezary Rojewski <cezary.rojewski@xxxxxxxxx>
Signed-off-by: Amadeusz Sławiński <amadeuszx.slawinski@xxxxxxxxxxxxxxx>
Link: https://lore.kernel.org/r/20240603102818.36165-2-amadeuszx.slawinski@xxxxxxxxxxxxxxx
Signed-off-by: Mark Brown <broonie@xxxxxxxxxx>
Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>
---
sound/soc/soc-topology.c | 27 ++++++++++++++++++++++-----
1 file changed, 22 insertions(+), 5 deletions(-)

diff --git a/sound/soc/soc-topology.c b/sound/soc/soc-topology.c
index 2362c282ec8b3..c63545b27d450 100644
--- a/sound/soc/soc-topology.c
+++ b/sound/soc/soc-topology.c
@@ -1060,15 +1060,32 @@ static int soc_tplg_dapm_graph_elems_load(struct soc_tplg *tplg,
break;
}

- route->source = elem->source;
- route->sink = elem->sink;
+ route->source = devm_kmemdup(tplg->dev, elem->source,
+ min(strlen(elem->source),
+ SNDRV_CTL_ELEM_ID_NAME_MAXLEN),
+ GFP_KERNEL);
+ route->sink = devm_kmemdup(tplg->dev, elem->sink,
+ min(strlen(elem->sink), SNDRV_CTL_ELEM_ID_NAME_MAXLEN),
+ GFP_KERNEL);
+ if (!route->source || !route->sink) {
+ ret = -ENOMEM;
+ break;
+ }

/* set to NULL atm for tplg users */
route->connected = NULL;
- if (strnlen(elem->control, SNDRV_CTL_ELEM_ID_NAME_MAXLEN) == 0)
+ if (strnlen(elem->control, SNDRV_CTL_ELEM_ID_NAME_MAXLEN) == 0) {
route->control = NULL;
- else
- route->control = elem->control;
+ } else {
+ route->control = devm_kmemdup(tplg->dev, elem->control,
+ min(strlen(elem->control),
+ SNDRV_CTL_ELEM_ID_NAME_MAXLEN),
+ GFP_KERNEL);
+ if (!route->control) {
+ ret = -ENOMEM;
+ break;
+ }
+ }

/* add route dobj to dobj_list */
route->dobj.type = SND_SOC_DOBJ_GRAPH;
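Review bot: The length passed to all three devm_kmemdup() calls is min(strlen(...), SNDRV_CTL_ELEM_ID_NAME_MAXLEN), which excludes the terminating NUL, so route->source, route->sink and route->control end up pointing at copies with no terminator, even though the strlen() calls in the same lines treat the originals as C strings. Any later string operation on these fields would read past the end of the allocation. Copying with a helper that terminates the result, such as devm_kstrdup(), or allocating len + 1 bytes and writing the NUL explicitly, would avoid that. Separately, the new code measures with unbounded strlen() while the unchanged check just above the control branch uses strnlen(elem->control, SNDRV_CTL_ELEM_ID_NAME_MAXLEN); if these fields can arrive unterminated from the topology file, strlen() runs past the field before min() caps the value, so strnlen() with the same bound would be the consistent choice.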
--
2.43.0