Received: by 2002:a05:7412:8d10:b0:f3:1519:9f41 with SMTP id bj16csp3144014rdb;
        Sat, 9 Dec 2023 13:19:02 -0800 (PST)
X-Google-Smtp-Source: AGHT+IHDKp/337CHx8RG78YtRbeiNzvrCO/LAqV2iONbB/f/wnTF0530jCvWVaY6CguSQEeb9wdf
X-Received: by 2002:a17:90a:9c0a:b0:286:6cd8:ef0e with SMTP id h10-20020a17090a9c0a00b002866cd8ef0emr3589786pjp.38.1702156742431;
        Sat, 09 Dec 2023 13:19:02 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1702156742; cv=none;
        d=google.com; s=arc-20160816;
        b=Es4KZYR8Fx2fkpULyGHQUl0Dqyo4zL2DwAg9xWdqP0wu2O5mXIGZaxzhH1k+mOLFLv
         gek9R79BE3DKGdMVQD0GuSlu619oeMbmkuhtKxCAO9pP5VzQ2QSykY6wdINamxPHClWG
         pUFw4+46MnJpyl6ZY5/ajtOWach/G5VOUvAOLHoZ3fD02v3gs1czOxZyQDH5Vqn9kk2G
         iLX8ConaDrdwWcKjmZxEyP/3/THdLzwuLzOLbqCBLI5tlnfBToXq7coEE9jtaaVrhnX2
         /i1u/5ARsJpmW/b2Y+SCVME6jkx7CMdgPjK2vWRLqRClVhazNyPcVgfSa34Lw0+Utpn0
         unSw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :message-id:date:subject:cc:to:from;
        bh=q0E7S21siwAIgSZVlP+ChpvQIZdIjws7ZcjCw/InaGY=;
        fh=AtUyipZqf9Wt3VmKECtwTscIVbxtj0bqEzvKFfEmcRc=;
        b=vFor1b3D1rEaRon+G0I8gFk3R8tZL2y99V7/D1j62vBYLUrlD7Sffto/IacrswMABY
         1pmE+SSZREfhSPHfyIaCgO8QwfEkOS+TAnzqzViN/3J+had4aqiIeN1W12/Ba824IcV6
         i2wjMZRRLGLLcweNRZvvQ2dlwdE/emwAtBlWuvb3b5Tfhb9wQRLnsK4pRs5jY2TgMoRU
         Aj2m/xOqzjhmndwLEnhQXGD11MXkaHApEI77s4El1u8C8hnldK0bWq/hejBcQzNAiZLm
         gnvSnUv9Y6iOJfSmLfU8sNZGd8eEBgi/k2p7+ouFEBX7iB90OmGFly3GTiZeb5nz6V29
         qvtQ==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:3 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=irl.hu
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from lipwig.vger.email (lipwig.vger.email. [2620:137:e000::3:3])
        by mx.google.com with ESMTPS id e7-20020a17090ac20700b0028658eed319si3673551pjt.180.2023.12.09.13.19.02
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Sat, 09 Dec 2023 13:19:02 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:3 as permitted sender) client-ip=2620:137:e000::3:3;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:3 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=irl.hu
Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0])
	by lipwig.vger.email (Postfix) with ESMTP id 66B428069347;
	Sat,  9 Dec 2023 13:19:00 -0800 (PST)
X-Virus-Status: Clean
X-Virus-Scanned: clamav-milter 0.103.11 at lipwig.vger.email
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S229518AbjLIVSl (ORCPT <rfc822;acleo0523@gmail.com> + 99 others);
        Sat, 9 Dec 2023 16:18:41 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:53390 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S229477AbjLIVSk (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Sat, 9 Dec 2023 16:18:40 -0500
Received: from irl.hu (irl.hu [95.85.9.111])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 2E9E5FA;
        Sat,  9 Dec 2023 13:18:44 -0800 (PST)
Received: from fedori.lan (51b690cd.dsl.pool.telekom.hu [::ffff:81.182.144.205])
  (AUTH: CRAM-MD5 soyer@irl.hu, )
  by irl.hu with ESMTPSA
  id 0000000000071201.000000006574D9B1.0011E9B9; Sat, 09 Dec 2023 22:18:41 +0100
From:   Gergo Koteles <soyer@irl.hu>
To:     Shenghao Ding <shenghao-ding@ti.com>, Kevin Lu <kevin-lu@ti.com>,
        Baojun Xu <baojun.xu@ti.com>, Jaroslav Kysela <perex@perex.cz>,
        Takashi Iwai <tiwai@suse.com>
Cc:     linux-kernel@vger.kernel.org, alsa-devel@alsa-project.org,
        Gergo Koteles <soyer@irl.hu>, stable@vger.kernel.org
Subject: [PATCH v3] ALSA: hda/tas2781: leave hda_component in usable state
Date:   Sat,  9 Dec 2023 22:18:29 +0100
Message-ID: <8b8ed2bd5f75fbb32e354a3226c2f966fa85b46b.1702156522.git.soyer@irl.hu>
X-Mailer: git-send-email 2.43.0
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
X-Mime-Autoconverted: from 8bit to 7bit by courier 1.0
X-Spam-Status: No, score=-0.8 required=5.0 tests=HEADER_FROM_DIFFERENT_DOMAINS,
	MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE
	autolearn=unavailable autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lipwig.vger.email
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (lipwig.vger.email [0.0.0.0]); Sat, 09 Dec 2023 13:19:00 -0800 (PST)

Unloading then loading the module causes a NULL ponter dereference.

The hda_unbind zeroes the hda_component, later the hda_bind tries
to dereference the codec field.

The hda_component is only initialized once by tas2781_generic_fixup.

Set only previously modified fields to NULL.

BUG: kernel NULL pointer dereference, address: 0000000000000322
Call Trace:
 <TASK>
 ? __die+0x23/0x70
 ? page_fault_oops+0x171/0x4e0
 ? exc_page_fault+0x7f/0x180
 ? asm_exc_page_fault+0x26/0x30
 ? tas2781_hda_bind+0x59/0x140 [snd_hda_scodec_tas2781_i2c]
 component_bind_all+0xf3/0x240
 try_to_bring_up_aggregate_device+0x1c3/0x270
 __component_add+0xbc/0x1a0
 tas2781_hda_i2c_probe+0x289/0x3a0 [snd_hda_scodec_tas2781_i2c]
 i2c_device_probe+0x136/0x2e0

Fixes: 5be27f1e3ec9 ("ALSA: hda/tas2781: Add tas2781 HDA driver")
CC: stable@vger.kernel.org
Signed-off-by: Gergo Koteles <soyer@irl.hu>
---
 sound/pci/hda/tas2781_hda_i2c.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/sound/pci/hda/tas2781_hda_i2c.c b/sound/pci/hda/tas2781_hda_i2c.c
index fb802802939e..b42837105c22 100644
--- a/sound/pci/hda/tas2781_hda_i2c.c
+++ b/sound/pci/hda/tas2781_hda_i2c.c
@@ -612,9 +612,13 @@ static void tas2781_hda_unbind(struct device *dev,
 {
 	struct tasdevice_priv *tas_priv = dev_get_drvdata(dev);
 	struct hda_component *comps = master_data;
+	comps = &comps[tas_priv->index];
 
-	if (comps[tas_priv->index].dev == dev)
-		memset(&comps[tas_priv->index], 0, sizeof(*comps));
+	if (comps->dev == dev) {
+		comps->dev = NULL;
+		memset(comps->name, 0, sizeof(comps->name));
+		comps->playback_hook = NULL;
+	}
 
 	tasdevice_config_info_remove(tas_priv);
 	tasdevice_dsp_remove(tas_priv);

base-commit: ffc253263a1375a65fa6c9f62a893e9767fbebfa
-- 
2.43.0