summaryrefslogtreecommitdiff
path: root/include/sound
diff options
context:
space:
mode:
authorCharles Keepax <ckeepax@opensource.cirrus.com>2020-05-26 17:19:30 +0100
committerMark Brown <broonie@kernel.org>2020-05-27 13:24:13 +0100
commitf4aa5e214eeaf7f1c7f157526a5aa29784cb6a1f (patch)
treef2a3eaf814b830a9eb1da54143051b9173984076 /include/sound
parent53a58bf96bcdd47c670a957920f3a1bcf7215b39 (diff)
ASoC: dapm: Move dai_link widgets to runtime to fix use after free
The newly added CODEC to CODEC DAI link widget pointers in snd_soc_dai_link are better placed in snd_soc_pcm_runtime. snd_soc_dai_link is really intended for static configuration of the DAI, and the runtime for dynamic data. The snd_soc_dai_link structures are not destroyed if the card is unbound. The widgets are cleared up on unbind, however if the card is rebound as the snd_soc_dai_link structures are reused these pointers will be left at their old values, causing access to freed memory. Fixes: 595571cca4de ("ASoC: dapm: Fix regression introducing multiple copies of DAI widgets") Signed-off-by: Charles Keepax <ckeepax@opensource.cirrus.com> Link: https://lore.kernel.org/r/20200526161930.30759-1-ckeepax@opensource.cirrus.com Signed-off-by: Mark Brown <broonie@kernel.org>
Diffstat (limited to 'include/sound')
-rw-r--r--include/sound/soc.h6
1 files changed, 3 insertions, 3 deletions
diff --git a/include/sound/soc.h b/include/sound/soc.h
index 946f88a6c63d..53e2062b9cef 100644
--- a/include/sound/soc.h
+++ b/include/sound/soc.h
@@ -790,9 +790,6 @@ struct snd_soc_dai_link {
const struct snd_soc_pcm_stream *params;
unsigned int num_params;
- struct snd_soc_dapm_widget *playback_widget;
- struct snd_soc_dapm_widget *capture_widget;
-
unsigned int dai_fmt; /* format to set on init */
enum snd_soc_dpcm_trigger trigger[2]; /* trigger type for DPCM */
@@ -1156,6 +1153,9 @@ struct snd_soc_pcm_runtime {
struct snd_soc_dai **cpu_dais;
unsigned int num_cpus;
+ struct snd_soc_dapm_widget *playback_widget;
+ struct snd_soc_dapm_widget *capture_widget;
+
struct delayed_work delayed_work;
void (*close_delayed_work_func)(struct snd_soc_pcm_runtime *rtd);
#ifdef CONFIG_DEBUG_FS