Skip to content

Commit

Permalink
soundwire: stream: fix NULL pointer dereference for multi_link
Browse files Browse the repository at this point in the history
commit e199bf5 upstream.

If bus is marked as multi_link, but number of masters in the stream is
not higher than bus->hw_sync_min_links (bus->multi_link && m_rt_count >=
bus->hw_sync_min_links), bank switching should not happen.  The first
part of do_bank_switch() code properly takes these conditions into
account, but second part (sdw_ml_sync_bank_switch()) relies purely on
bus->multi_link property.  This is not balanced and leads to NULL
pointer dereference:

  Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
  ...
  Call trace:
   wait_for_completion_timeout+0x124/0x1f0
   do_bank_switch+0x370/0x6f8
   sdw_prepare_stream+0x2d0/0x438
   qcom_snd_sdw_prepare+0xa0/0x118
   sm8450_snd_prepare+0x128/0x148
   snd_soc_link_prepare+0x5c/0xe8
   __soc_pcm_prepare+0x28/0x1ec
   dpcm_be_dai_prepare+0x1e0/0x2c0
   dpcm_fe_dai_prepare+0x108/0x28c
   snd_pcm_do_prepare+0x44/0x68
   snd_pcm_action_single+0x54/0xc0
   snd_pcm_action_nonatomic+0xe4/0xec
   snd_pcm_prepare+0xc4/0x114
   snd_pcm_common_ioctl+0x1154/0x1cc0
   snd_pcm_ioctl+0x54/0x74

Fixes: ce6e74d ("soundwire: Add support for multi link bank switch")
Cc: [email protected]
Signed-off-by: Krzysztof Kozlowski <[email protected]>
Reviewed-by: Pierre-Louis Bossart <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Vinod Koul <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
  • Loading branch information
krzk authored and gregkh committed Dec 20, 2023
1 parent 5a95499 commit 1a4da77
Showing 1 changed file with 4 additions and 3 deletions.
7 changes: 4 additions & 3 deletions drivers/soundwire/stream.c
Original file line number Diff line number Diff line change
Expand Up @@ -744,14 +744,15 @@ static int sdw_bank_switch(struct sdw_bus *bus, int m_rt_count)
* sdw_ml_sync_bank_switch: Multilink register bank switch
*
* @bus: SDW bus instance
* @multi_link: whether this is a multi-link stream with hardware-based sync
*
* Caller function should free the buffers on error
*/
static int sdw_ml_sync_bank_switch(struct sdw_bus *bus)
static int sdw_ml_sync_bank_switch(struct sdw_bus *bus, bool multi_link)
{
unsigned long time_left;

if (!bus->multi_link)
if (!multi_link)
return 0;

/* Wait for completion of transfer */
Expand Down Expand Up @@ -847,7 +848,7 @@ static int do_bank_switch(struct sdw_stream_runtime *stream)
bus->bank_switch_timeout = DEFAULT_BANK_SWITCH_TIMEOUT;

/* Check if bank switch was successful */
ret = sdw_ml_sync_bank_switch(bus);
ret = sdw_ml_sync_bank_switch(bus, multi_link);
if (ret < 0) {
dev_err(bus->dev,
"multi link bank switch failed: %d\n", ret);
Expand Down

0 comments on commit 1a4da77

Please sign in to comment.