copier: fix NULL converter crash for non-zero sink_queue_id

tmleman · tmleman · commit b272bf3285e4 · 2025-09-24T17:27:45.000+02:00
Fix NULL pointer dereference in copier when sink buffer IDs map to
non-zero sink_queue_id values but converters are not initialized.

The issue occurs when IPC4_SINK_QUEUE_ID(buf_get_id(sink)) extracts a
non-zero queue ID from a sink buffer's ID, but copier_prepare() only
initializes converter[0]. This causes crashes in do_conversion_copy()
when accessing cd-&gt;converter[i] for i != 0.

This can happen even in single sink scenarios where the buffer ID
encoding results in sink_queue_id=1 instead of the expected 0.

The fix enhances copier_prepare() to:
- Iterate through all connected sink buffers
- Extract the actual sink_queue_id for each buffer
- Initialize converters for the queue IDs that are actually used
- Skip redundant initialization if converter already exists
- Provide proper error handling for out-of-range queue IDs

Resolves crashes in topologies where single sink copiers have buffers
with non-zero queue ID mappings.

Signed-off-by: Tomasz Leman &lt;tomasz.m.leman@intel.com&gt;
diff --git a/src/audio/copier/copier.c b/src/audio/copier/copier.c
@@ -344,17 +344,47 @@ static int copier_prepare(struct processing_module *mod,
 	}
 
 	if (!cd->endpoint_num) {
+		struct comp_buffer *sink;
+
 		/* set up format conversion function for pin 0, for other pins (if any)
 		 * format is set in IPC4_COPIER_MODULE_CFG_PARAM_SET_SINK_FORMAT handler
 		 */
 		cd->converter[0] = get_converter_func(&cd->config.base.audio_fmt,
-							      &cd->config.out_fmt, ipc4_gtw_none,
-							      ipc4_bidirection, DUMMY_CHMAP);
+						      &cd->config.out_fmt, ipc4_gtw_none,
+						      ipc4_bidirection, DUMMY_CHMAP);
 		if (!cd->converter[0]) {
 			comp_err(dev, "can't support for in format %d, out format %d",
 				 cd->config.base.audio_fmt.depth,  cd->config.out_fmt.depth);
 			return -EINVAL;
 		}
+
+		/* Initialize converters for all connected sink buffers.
+		 * Buffer ID to sink_queue_id mapping may result in non-zero queue IDs
+		 * even for single sink scenarios, so we need converters for actual IDs used.
+		 */
+		comp_dev_for_each_consumer(dev, sink) {
+			int sink_queue_id = IPC4_SINK_QUEUE_ID(buf_get_id(sink));
+
+			if (sink_queue_id >= IPC4_COPIER_MODULE_OUTPUT_PINS_COUNT) {
+				comp_err(dev, "sink_queue_id %d out of range", sink_queue_id);
+				return -EINVAL;
+			}
+
+			/* Skip if converter already initialized (e.g., pin 0 above) */
+			if (cd->converter[sink_queue_id])
+				continue;
+
+			cd->converter[sink_queue_id] =
+				get_converter_func(&cd->config.base.audio_fmt,
+						   &cd->config.out_fmt,
+						   ipc4_gtw_none,
+						   ipc4_bidirection, DUMMY_CHMAP);
+			if (!cd->converter[sink_queue_id]) {
+				comp_err(dev, "can't get converter for sink_queue_id %d",
+					 sink_queue_id);
+				return -EINVAL;
+			}
+		}
 	}
 
 	return 0;
