111 lines
3.8 KiB
Diff
111 lines
3.8 KiB
Diff
From 9a4895059bb6a8505098a9f75de187fd15631fc8 Mon Sep 17 00:00:00 2001
|
|
From: Kean Ren <rh_king@163.com>
|
|
Date: Thu, 11 Jun 2026 10:37:57 +0800
|
|
Subject: [PATCH] ASoC: SDCA: fix NULL pointer dereference in
|
|
sdca_dev_unregister_functions
|
|
|
|
[ Upstream commit e4c60a1d4b6ccc66aefb3789cd908d4f9482eefd ]
|
|
|
|
sdca_dev_unregister_functions() iterates over all SDCA function
|
|
descriptors and calls sdca_dev_unregister() on each func_dev without
|
|
checking for NULL. When a function registration has failed partway
|
|
through, or the device cleanup races with probe deferral, func_dev
|
|
entries may be NULL, leading to a kernel oops:
|
|
|
|
BUG: kernel NULL pointer dereference, address: 0000000000000040
|
|
RIP: 0010:device_del+0x1e/0x3e0
|
|
Call Trace:
|
|
sdca_dev_unregister_functions+0x37/0x60 [snd_soc_sdca]
|
|
release_nodes+0x35/0xb0
|
|
devres_release_all+0x90/0x100
|
|
device_unbind_cleanup+0xe/0x80
|
|
device_release_driver_internal+0x1c1/0x200
|
|
bus_remove_device+0xc6/0x130
|
|
device_del+0x161/0x3e0
|
|
device_unregister+0x17/0x60
|
|
sdw_delete_slave+0xb6/0xd0 [soundwire_bus]
|
|
sdw_bus_master_delete+0x1e/0x50 [soundwire_bus]
|
|
...
|
|
sof_probe_work+0x19/0x30 [snd_sof]
|
|
|
|
This was observed on a Lenovo ThinkPad X1 Carbon G14 (Panther Lake)
|
|
with the SOF audio driver probe failing due to missing Panther Lake
|
|
firmware, causing the subsequent cleanup of SoundWire devices to
|
|
trigger the crash.
|
|
|
|
Fix this with three changes:
|
|
|
|
1) Add a NULL guard in sdca_dev_unregister() so that callers do not
|
|
need to pre-validate the pointer (defense in depth).
|
|
|
|
2) In sdca_dev_unregister_functions(), skip NULL func_dev entries
|
|
and clear func_dev to NULL after unregistration, making the
|
|
function idempotent and safe against double-invocation.
|
|
|
|
3) In sdca_dev_register_functions(), roll back all previously
|
|
registered functions when a later one fails, so the function
|
|
array is never left in a partially-populated state.
|
|
|
|
Fixes: 4496d1c65bad ("ASoC: SDCA: add function devices")
|
|
Signed-off-by: Kean Ren <rh_king@163.com>
|
|
Reviewed-by: Charles Keepax <ckeepax@opensource.cirrus.com>
|
|
Link: https://patch.msgid.link/20260611023757.1553960-1-rh_king@163.com
|
|
Signed-off-by: Mark Brown <broonie@kernel.org>
|
|
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
|
|
|
diff --git a/sound/soc/sdca/sdca_function_device.c b/sound/soc/sdca/sdca_function_device.c
|
|
index c6cc880..b206158 100644
|
|
--- a/sound/soc/sdca/sdca_function_device.c
|
|
+++ b/sound/soc/sdca/sdca_function_device.c
|
|
@@ -82,6 +82,9 @@ static struct sdca_dev *sdca_dev_register(struct device *parent,
|
|
|
|
static void sdca_dev_unregister(struct sdca_dev *sdev)
|
|
{
|
|
+ if (!sdev)
|
|
+ return;
|
|
+
|
|
auxiliary_device_delete(&sdev->auxdev);
|
|
auxiliary_device_uninit(&sdev->auxdev);
|
|
}
|
|
@@ -90,14 +93,24 @@ int sdca_dev_register_functions(struct sdw_slave *slave)
|
|
{
|
|
struct sdca_device_data *sdca_data = &slave->sdca_data;
|
|
int i;
|
|
+ int ret;
|
|
|
|
for (i = 0; i < sdca_data->num_functions; i++) {
|
|
struct sdca_dev *func_dev;
|
|
|
|
func_dev = sdca_dev_register(&slave->dev,
|
|
&sdca_data->function[i]);
|
|
- if (IS_ERR(func_dev))
|
|
- return PTR_ERR(func_dev);
|
|
+ if (IS_ERR(func_dev)) {
|
|
+ ret = PTR_ERR(func_dev);
|
|
+ /*
|
|
+ * Unregister functions that were successfully
|
|
+ * registered before this failure. This also
|
|
+ * sets func_dev to NULL so the caller will not
|
|
+ * try to unregister them again.
|
|
+ */
|
|
+ sdca_dev_unregister_functions(slave);
|
|
+ return ret;
|
|
+ }
|
|
|
|
sdca_data->function[i].func_dev = func_dev;
|
|
}
|
|
@@ -111,7 +124,12 @@ void sdca_dev_unregister_functions(struct sdw_slave *slave)
|
|
struct sdca_device_data *sdca_data = &slave->sdca_data;
|
|
int i;
|
|
|
|
- for (i = 0; i < sdca_data->num_functions; i++)
|
|
+ for (i = 0; i < sdca_data->num_functions; i++) {
|
|
+ if (!sdca_data->function[i].func_dev)
|
|
+ continue;
|
|
+
|
|
sdca_dev_unregister(sdca_data->function[i].func_dev);
|
|
+ sdca_data->function[i].func_dev = NULL;
|
|
+ }
|
|
}
|
|
EXPORT_SYMBOL_NS(sdca_dev_unregister_functions, "SND_SOC_SDCA");
|