ipc4: chain_dma: fix use-after-free on chain DMA deallocate

ipc4_process_chain_dma() called ipc4_chain_dma_state() and then, on the
deallocate path (allocate == 0 && enable == 0), unconditionally executed
list_item_del(&cdma_comp->list).

However, on that same deallocate path ipc4_chain_dma_state() already
unlinks the matching ipc_comp_dev from ipc->comp_list and frees it with
rfree():

	list_item_del(&icd->list);
	rfree(icd);

Since icd is the same object as cdma_comp, the subsequent
list_item_del(&cdma_comp->list) in the caller dereferenced and wrote to
already-freed memory (prev->next / next->prev), a use-after-free. With
heap grooming a host sending GLB_CHAIN_DMA with allocate=0/enable=0 on an
existing chain could turn this into controlled heap corruption.

The unlink-before-free is already handled correctly by
ipc4_chain_dma_state(), so the duplicate list_item_del() in the caller is
both redundant and unsafe. Remove it.

Signed-off-by: Jyri Sarha <jyri.sarha@linux.intel.com>

Author: Jyri Sarha

src/ipc/ipc4/handler-user.c

@@ -611,9 +611,6 @@ __cold static int ipc4_process_chain_dma(struct ipc4_message_request *ipc4)
 	if (ret < 0)
 		return IPC4_INVALID_CHAIN_STATE_TRANSITION;
 
-	if (!cdma.primary.r.allocate && !cdma.primary.r.enable)
-		list_item_del(&cdma_comp->list);
-
 	return IPC4_SUCCESS;
 #else
 	return IPC4_UNAVAILABLE;