From f4aa5e214eeaf7f1c7f157526a5aa29784cb6a1f Mon Sep 17 00:00:00 2001 From: Charles Keepax Date: Tue, 26 May 2020 17:19:30 +0100 Subject: ASoC: dapm: Move dai_link widgets to runtime to fix use after free The newly added CODEC to CODEC DAI link widget pointers in snd_soc_dai_link are better placed in snd_soc_pcm_runtime. snd_soc_dai_link is really intended for static configuration of the DAI, and the runtime for dynamic data. The snd_soc_dai_link structures are not destroyed if the card is unbound. The widgets are cleared up on unbind, however if the card is rebound as the snd_soc_dai_link structures are reused these pointers will be left at their old values, causing access to freed memory. Fixes: 595571cca4de ("ASoC: dapm: Fix regression introducing multiple copies of DAI widgets") Signed-off-by: Charles Keepax Link: https://lore.kernel.org/r/20200526161930.30759-1-ckeepax@opensource.cirrus.com Signed-off-by: Mark Brown --- include/sound/soc.h | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'include/sound') diff --git a/include/sound/soc.h b/include/sound/soc.h index 946f88a6c63d..53e2062b9cef 100644 --- a/include/sound/soc.h +++ b/include/sound/soc.h @@ -790,9 +790,6 @@ struct snd_soc_dai_link { const struct snd_soc_pcm_stream *params; unsigned int num_params; - struct snd_soc_dapm_widget *playback_widget; - struct snd_soc_dapm_widget *capture_widget; - unsigned int dai_fmt; /* format to set on init */ enum snd_soc_dpcm_trigger trigger[2]; /* trigger type for DPCM */ @@ -1156,6 +1153,9 @@ struct snd_soc_pcm_runtime { struct snd_soc_dai **cpu_dais; unsigned int num_cpus; + struct snd_soc_dapm_widget *playback_widget; + struct snd_soc_dapm_widget *capture_widget; + struct delayed_work delayed_work; void (*close_delayed_work_func)(struct snd_soc_pcm_runtime *rtd); #ifdef CONFIG_DEBUG_FS -- cgit v1.2.3-59-g8ed1b