From 8318e04ab2526b155773313b66a1542476ce1106 Mon Sep 17 00:00:00 2001 From: Srinivas Kandagatla Date: Mon, 25 Aug 2025 11:12:45 +0100 Subject: [PATCH 1/3] ASoC: qcom: audioreach: fix potential null pointer dereference It is possible that the topology parsing function audioreach_widget_load_module_common() could return NULL or an error pointer. Add missing NULL check so that we do not dereference it. Reported-by: Dan Carpenter Cc: Stable@vger.kernel.org Fixes: 36ad9bf1d93d ("ASoC: qdsp6: audioreach: add topology support") Signed-off-by: Srinivas Kandagatla Link: https://patch.msgid.link/20250825101247.152619-2-srinivas.kandagatla@oss.qualcomm.com Signed-off-by: Mark Brown --- sound/soc/qcom/qdsp6/topology.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/sound/soc/qcom/qdsp6/topology.c b/sound/soc/qcom/qdsp6/topology.c index ec51fabd98cb..c2226ed5164f 100644 --- a/sound/soc/qcom/qdsp6/topology.c +++ b/sound/soc/qcom/qdsp6/topology.c @@ -607,8 +607,8 @@ static int audioreach_widget_load_module_common(struct snd_soc_component *compon return PTR_ERR(cont); mod = audioreach_parse_common_tokens(apm, cont, &tplg_w->priv, w); - if (IS_ERR(mod)) - return PTR_ERR(mod); + if (IS_ERR_OR_NULL(mod)) + return mod ? PTR_ERR(mod) : -ENODEV; mod->data = audioreach_get_module_priv_data(&tplg_w->priv); From 7e67e1c99efa6ecd003d51a42dbe7bd5bad329eb Mon Sep 17 00:00:00 2001 From: Srinivas Kandagatla Date: Mon, 25 Aug 2025 11:12:46 +0100 Subject: [PATCH 2/3] ASoC: qcom: topology: convert to cpu endainess type before accessing Looks like some of the members of module config are accessed directly without converting their endainess to cpu type. Fix this by using le32_to_cpu() where required. Fixes: c7ed4c2debfd ("ASoC: qcom: audioreach: add support for static calibration") Reported-by: kernel test robot Closes: https://lore.kernel.org/oe-kbuild-all/202508230741.heXmHeDC-lkp@intel.com Signed-off-by: Srinivas Kandagatla Link: https://patch.msgid.link/20250825101247.152619-3-srinivas.kandagatla@oss.qualcomm.com Signed-off-by: Mark Brown --- sound/soc/qcom/qdsp6/topology.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sound/soc/qcom/qdsp6/topology.c b/sound/soc/qcom/qdsp6/topology.c index c2226ed5164f..f61285e7dcf2 100644 --- a/sound/soc/qcom/qdsp6/topology.c +++ b/sound/soc/qcom/qdsp6/topology.c @@ -314,7 +314,7 @@ static struct audioreach_module_priv_data *audioreach_get_module_priv_data( struct snd_soc_tplg_vendor_array *mod_array; mod_array = (struct snd_soc_tplg_vendor_array *)((u8 *)private->array + sz); - if (mod_array->type == SND_SOC_AR_TPLG_MODULE_CFG_TYPE) { + if (le32_to_cpu(mod_array->type) == SND_SOC_AR_TPLG_MODULE_CFG_TYPE) { struct audioreach_module_priv_data *pdata; pdata = kzalloc(struct_size(pdata, data, le32_to_cpu(mod_array->size)), From 8f57dcf39fd0864f5f3e6701fe885e55f45d0d3a Mon Sep 17 00:00:00 2001 From: Srinivas Kandagatla Date: Mon, 25 Aug 2025 11:12:47 +0100 Subject: [PATCH 3/3] ASoC: qcom: audioreach: convert to cpu endainess type before accessing Looks like some of the members of module config are accessed directly without converting their endainess to cpu type. Fix this by using le32_to_cpu() where required. Fixes: da9881d00153 ("ASoC: qcom: audioreach: add support for SMECNS module") Reported-by: kernel test robot Closes: https://lore.kernel.org/oe-kbuild-all/202508230830.Rkp7HHbG-lkp@intel.com Signed-off-by: Srinivas Kandagatla Link: https://patch.msgid.link/20250825101247.152619-4-srinivas.kandagatla@oss.qualcomm.com Signed-off-by: Mark Brown --- sound/soc/qcom/qdsp6/audioreach.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sound/soc/qcom/qdsp6/audioreach.c b/sound/soc/qcom/qdsp6/audioreach.c index f4c53e84b4dc..bbfd51db8797 100644 --- a/sound/soc/qcom/qdsp6/audioreach.c +++ b/sound/soc/qcom/qdsp6/audioreach.c @@ -815,7 +815,7 @@ static int audioreach_set_module_config(struct q6apm_graph *graph, struct audioreach_module *module, struct audioreach_module_config *cfg) { - int payload_size = module->data->size; + int payload_size = le32_to_cpu(module->data->size); struct gpr_pkt *pkt; int rc; void *p;