ASoC: amd: acp: Fix possible UAF in acp_dma_open

Smatch report warning as follows:

sound/soc/amd/acp/acp-platform.c:199 acp_dma_open() warn:
  '&stream->list' not removed from list

If snd_pcm_hw_constraint_integer() fails in acp_dma_open(),
stream will be freed, but stream->list will not be removed from
adata->stream_list, then list traversal may cause UAF.

Fix by adding the newly allocated stream to the list once it's fully
initialised.

Fixes: 7929985cfe36 ("ASoC: amd: acp: Initialize list to store acp_stream during pcm_open")
Signed-off-by: Gaosheng Cui <cuigaosheng1@huawei.com>
Link: https://lore.kernel.org/r/20221118030056.3135960-1-cuigaosheng1@huawei.com
Signed-off-by: Mark Brown <broonie@kernel.org>

diff --git a/sound/soc/amd/acp/acp-platform.c b/sound/soc/amd/acp/acp-platform.c
index 85a81add4ef9fd5eb7dd5a5006c19e8e987dc416..447612a7a762706358647732c5ff7276205ed2b8 100644 (file)
--- a/sound/soc/amd/acp/acp-platform.c
+++ b/sound/soc/amd/acp/acp-platform.c
@@ -184,10 +184,6 @@ static int acp_dma_open(struct snd_soc_component *component, struct snd_pcm_subs
 
        stream->substream = substream;
 
-       spin_lock_irq(&adata->acp_lock);
-       list_add_tail(&stream->list, &adata->stream_list);
-       spin_unlock_irq(&adata->acp_lock);
-
        if (substream->stream == SNDRV_PCM_STREAM_PLAYBACK)
                runtime->hw = acp_pcm_hardware_playback;
        else
@@ -203,6 +199,10 @@ static int acp_dma_open(struct snd_soc_component *component, struct snd_pcm_subs
 
        writel(1, ACP_EXTERNAL_INTR_ENB(adata));
 
+       spin_lock_irq(&adata->acp_lock);
+       list_add_tail(&stream->list, &adata->stream_list);
+       spin_unlock_irq(&adata->acp_lock);
+
        return ret;
 }