ipc: ipc4: harden ipc_comp_disconnect() against invalid sink

Check the provided sink actually is connected to the buffer,
before proceeding to free the buffer.

This protects against an invalid IPC sent by the host.

Signed-off-by: Kai Vehmanen <kai.vehmanen@linux.intel.com>

Author: kv2019i

src/ipc/ipc4/helper.c

@@ -920,6 +920,27 @@ __cold int ipc_comp_disconnect(struct ipc *ipc, ipc_pipe_comp_connect *_connect)
 	if (!buffer)
 		return IPC4_INVALID_RESOURCE_ID;
 
+	/*
+	 * The buffer was located on the source's consumer list, but the sink was
+	 * resolved solely from the host-supplied dst_module_id/dst_instance_id.
+	 * Make sure the buffer is actually connected to that sink, otherwise an
+	 * incorrect dst would leave the real sink bound to a buffer we are about
+	 * to free, while unbinding an unrelated component instead.
+	 */
+	bool sink_connected = false;
+
+	comp_dev_for_each_producer(sink, buf) {
+		if (buf == buffer) {
+			sink_connected = true;
+			break;
+		}
+	}
+
+	if (!sink_connected) {
+		tr_err(&ipc_tr, "buffer %#x is not connected to sink %x", buffer_id, sink_id);
+		return IPC4_INVALID_RESOURCE_ID;
+	}
+
 	/*
 	 * Disconnect and unbind buffer from source/sink components and continue to free the buffer
 	 * even in case of errors. Block LL processing during disconnect and unbinding to prevent