Re: [Sound-open-firmware] out-of-bounds access in sound/soc/sof/topology.c

Now control data allocations looks as follows

    scontrol->size = struct_size(scontrol->control_data, chanv,
                                 le32_to_cpu(mc->num_channels));
    scontrol->control_data = kzalloc(scontrol->size, GFP_KERNEL);

Which is sizeof(sof_ipc_ctrl_data) + mc->num_channels * sizeof(sof_ipc_ctrl_value_chan)

For some reason it uses sizeof(sof_ipc_ctrl_value_chan), which is not the largest member of the union.

For the record, this could be hitting as far back as 5.4 as I have been trying to debug an invalid IPC write in JSL.