[PATCH] ALSA: hda/realtek: Fix resource cleanup in alc_alloc_spec error path

[PATCH] ALSA: hda/realtek: Fix resource cleanup in alc_alloc_spec error path

[wangdich9700]

From: wangdicheng <wangdicheng@kylinos.cn>

Ensure proper resource cleanup when alc_codec_rename_from_preset() fails
in alc_alloc_spec(). Currently, the error path only calls kfree(spec) but
does not:

1. Destroy the initialized coef_mutex mutex
2. Reset codec->spec to NULL, potentially leaving a dangling pointer

Signed-off-by: wangdicheng <wangdicheng@kylinos.cn>
---
 sound/hda/codecs/realtek/realtek.c | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/sound/hda/codecs/realtek/realtek.c b/sound/hda/codecs/realtek/realtek.c
index ca377a5adadb..9a358c072e50 100644
--- a/sound/hda/codecs/realtek/realtek.c
+++ b/sound/hda/codecs/realtek/realtek.c
@@ -1029,6 +1029,7 @@ int alc_alloc_spec(struct hda_codec *codec, hda_nid_t mixer_nid)
 {
 	struct alc_spec *spec = kzalloc(sizeof(*spec), GFP_KERNEL);
 	int err;
+	bool mutex_initialized = false;
 
 	if (!spec)
 		return -ENOMEM;
@@ -1040,14 +1041,22 @@ int alc_alloc_spec(struct hda_codec *codec, hda_nid_t mixer_nid)
 	/* FIXME: do we need this for all Realtek codec models? */
 	codec->spdif_status_reset = 1;
 	codec->forced_resume = 1;
+
 	mutex_init(&spec->coef_mutex);
 
 	err = alc_codec_rename_from_preset(codec);
 	if (err < 0) {
-		kfree(spec);
-		return err;
+		codec_err(codec, "Failed to rename codec: %d\n", err);
+		goto error;
 	}
 	return 0;
+
+error:
+	if (mutex_initialized)
+		mutex_destroy(&spec->coef_mutex);
+	codec->spec = NULL;
+	kfree(spec);
+	return err;
 }
 EXPORT_SYMBOL_NS_GPL(alc_alloc_spec, "SND_HDA_CODEC_REALTEK");
 
-- 
2.25.1

Re: [PATCH] ALSA: hda/realtek: Fix resource cleanup in alc_alloc_spec error path

[Takashi Iwai]

On Mon, 10 Nov 2025 08:23:49 +0100,
wangdich9700@163.com wrote:
> 
> From: wangdicheng <wangdicheng@kylinos.cn>
> 
> Ensure proper resource cleanup when alc_codec_rename_from_preset() fails
> in alc_alloc_spec(). Currently, the error path only calls kfree(spec) but
> does not:
> 
> 1. Destroy the initialized coef_mutex mutex

It's rather an optional operation.  As of the probing phase, there is
really no much race, after all.
(And, it's not handled properly in your patch, either...)

> 2. Reset codec->spec to NULL, potentially leaving a dangling pointer

This is done in snd_hda_codec_cleanup_for_unbind() called in the error
handling of hda_codec_driver_probe().


thanks,

Takashi

> 
> Signed-off-by: wangdicheng <wangdicheng@kylinos.cn>
> ---
>  sound/hda/codecs/realtek/realtek.c | 13 +++++++++++--
>  1 file changed, 11 insertions(+), 2 deletions(-)
> 
> diff --git a/sound/hda/codecs/realtek/realtek.c b/sound/hda/codecs/realtek/realtek.c
> index ca377a5adadb..9a358c072e50 100644
> --- a/sound/hda/codecs/realtek/realtek.c
> +++ b/sound/hda/codecs/realtek/realtek.c
> @@ -1029,6 +1029,7 @@ int alc_alloc_spec(struct hda_codec *codec, hda_nid_t mixer_nid)
>  {
>  	struct alc_spec *spec = kzalloc(sizeof(*spec), GFP_KERNEL);
>  	int err;
> +	bool mutex_initialized = false;
>  
>  	if (!spec)
>  		return -ENOMEM;
> @@ -1040,14 +1041,22 @@ int alc_alloc_spec(struct hda_codec *codec, hda_nid_t mixer_nid)
>  	/* FIXME: do we need this for all Realtek codec models? */
>  	codec->spdif_status_reset = 1;
>  	codec->forced_resume = 1;
> +
>  	mutex_init(&spec->coef_mutex);
>  
>  	err = alc_codec_rename_from_preset(codec);
>  	if (err < 0) {
> -		kfree(spec);
> -		return err;
> +		codec_err(codec, "Failed to rename codec: %d\n", err);
> +		goto error;
>  	}
>  	return 0;
> +
> +error:
> +	if (mutex_initialized)
> +		mutex_destroy(&spec->coef_mutex);
> +	codec->spec = NULL;
> +	kfree(spec);
> +	return err;
>  }
>  EXPORT_SYMBOL_NS_GPL(alc_alloc_spec, "SND_HDA_CODEC_REALTEK");
>  
> -- 
> 2.25.1
>