From: Mario Limonciello <superm1@kernel.org>
To: mario.limonciello@amd.com, lgirdwood@gmail.com,
broonie@kernel.org, perex@perex.cz, tiwai@suse.com,
olivier.moysan@foss.st.com
Cc: Akshata V Unkal <Akshata.VUnkal@amd.com>, linux-sound@vger.kernel.org
Subject: [PATCH] ASoC: dmic: Fix NULL pointer dereference
Date: Wed, 19 Mar 2025 09:56:31 -0500
Message-ID: <20250319145636.2401680-1-superm1@kernel.org>
From: Mario Limonciello <mario.limonciello@amd.com>
Regulator support was introduced in commit d3321a20b5111 ("ASoC: dmic: add
regulator support"). During probe `dmic->vref` is initialized with
devm_regulator_get_optional() but in the error flow doesn't get cleared in
the case that PTR_ERR(dmic->vref) is -ENODEV. This leads to the following
NULL pointer deref.
```
Oops: Oops: 0000 [#1] SMP NOPTI
CPU: 7 UID: 1000 PID: 1587 Comm: wireplumber Not tainted 6.14.0-rc7-next-20250318 #1 PREEMPT(voluntary)
RIP: 0010:regulator_enable+0x17/0x70
RSP: 0018:ffffcc10c1fe7a38 EFLAGS: 00010282
RAX: ffff8bccc1c25010 RBX: ffffffffffffffed RCX: 0000000000000000
RDX: 0000000000000002 RSI: ffffcc10c1fe7a38 RDI: ffffffffffffffed
RBP: ffffcc10c1fe7a68 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffff8bcccd51f800
R13: ffffffffc1086e88 R14: 0000000000000001 R15: 0000000000000001
FS: 00007f927bc35800(0000) GS:ffff8bd44f09f000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000065 CR3: 00000001332c6000 CR4: 0000000000750ef0
PKRU: 55555554
Call Trace:
<TASK>
? show_regs+0x6c/0x80
? __die+0x24/0x80
? page_fault_oops+0x154/0x570
? hrtimer_start_range_ns+0x142/0x4e0
? timerqueue_del+0x31/0x50
? do_user_addr_fault+0x4ac/0x880
? exc_page_fault+0x82/0x1d0
? asm_exc_page_fault+0x27/0x30
? regulator_enable+0x17/0x70
? __schedule+0x491/0x16b0
dmic_aif_event+0x82/0xa0 [snd_soc_dmic]
```
Adjust the error flow to explicitly set it back to NULL to avoid calling
regulator_enable() with garbage data.
Reported-by: Akshata V Unkal <Akshata.VUnkal@amd.com>
Fixes: d3321a20b5111 ("ASoC: dmic: add regulator support")
Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
---
sound/soc/codecs/dmic.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/sound/soc/codecs/dmic.c b/sound/soc/codecs/dmic.c
index 5d3c3f17c6d8d..61e1bf1b3c9e6 100644
--- a/sound/soc/codecs/dmic.c
+++ b/sound/soc/codecs/dmic.c
@@ -114,8 +114,12 @@ static int dmic_component_probe(struct snd_soc_component *component)
return -ENOMEM;
dmic->vref = devm_regulator_get_optional(component->dev, "vref");
- if (IS_ERR(dmic->vref) && PTR_ERR(dmic->vref) != -ENODEV)
- return dev_err_probe(component->dev, PTR_ERR(dmic->vref), "Failed to get vref\n");
+ if (IS_ERR(dmic->vref)) {
+ if (PTR_ERR(dmic->vref) != -ENODEV)
+ return dev_err_probe(component->dev, PTR_ERR(dmic->vref),
+ "Failed to get vref\n");
+ dmic->vref = NULL;
+ }
dmic->gpio_en = devm_gpiod_get_optional(component->dev,
"dmicen", GPIOD_OUT_LOW);
--
2.43.0
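Review bot: The special case at "dmic->vref = NULL;" in the new IS_ERR() branch has no comment, so it reads as silently swallowing an error; a one-line note that -ENODEV from devm_regulator_get_optional() means the optional supply is absent, and that later users are expected to test dmic->vref for NULL, would make the intent clear. The commit wording could also be tightened: the Oops shows RDI = ffffffffffffffed, which is ERR_PTR(-ENODEV) reaching regulator_enable() from dmic_aif_event(), so the fault is an error-pointer dereference (CR2 = 0x65) rather than a literal NULL one. The fix only works if the caller in dmic_aif_event() guards regulator_enable() with a NULL check on dmic->vref; that code is not in this hunk, so it should be confirmed before applying.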