[PATCH] ASoC: dmic: Fix NULL pointer dereference

[PATCH] ASoC: dmic: Fix NULL pointer dereference

[Mario Limonciello]

From: Mario Limonciello <mario.limonciello@amd.com>

Regulator support was introduced in commit d3321a20b5111 ("ASoC: dmic: add
regulator support"). During probe `dmic->vref` is initialized with
devm_regulator_get_optional() but in the error flow doesn't get cleared in
the case that PTR_ERR(dmic->vref) is -ENODEV. This leads to the following
NULL pointer deref.

```
Oops: Oops: 0000 [#1] SMP NOPTI
CPU: 7 UID: 1000 PID: 1587 Comm: wireplumber Not tainted 6.14.0-rc7-next-20250318 #1 PREEMPT(voluntary)
RIP: 0010:regulator_enable+0x17/0x70
RSP: 0018:ffffcc10c1fe7a38 EFLAGS: 00010282
RAX: ffff8bccc1c25010 RBX: ffffffffffffffed RCX: 0000000000000000
RDX: 0000000000000002 RSI: ffffcc10c1fe7a38 RDI: ffffffffffffffed
RBP: ffffcc10c1fe7a68 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffff8bcccd51f800
R13: ffffffffc1086e88 R14: 0000000000000001 R15: 0000000000000001
FS:  00007f927bc35800(0000) GS:ffff8bd44f09f000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000065 CR3: 00000001332c6000 CR4: 0000000000750ef0
PKRU: 55555554
Call Trace:
 <TASK>
 ? show_regs+0x6c/0x80
 ? __die+0x24/0x80
 ? page_fault_oops+0x154/0x570
 ? hrtimer_start_range_ns+0x142/0x4e0
 ? timerqueue_del+0x31/0x50
 ? do_user_addr_fault+0x4ac/0x880
 ? exc_page_fault+0x82/0x1d0
 ? asm_exc_page_fault+0x27/0x30
 ? regulator_enable+0x17/0x70
 ? __schedule+0x491/0x16b0
 dmic_aif_event+0x82/0xa0 [snd_soc_dmic]
```

Adjust the error flow to explicitly set it back to NULL to avoid calling
regulator_enable() with garbage data.

Reported-by: Akshata V Unkal <Akshata.VUnkal@amd.com>
Fixes: d3321a20b5111 ("ASoC: dmic: add regulator support")
Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
---
 sound/soc/codecs/dmic.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/sound/soc/codecs/dmic.c b/sound/soc/codecs/dmic.c
index 5d3c3f17c6d8d..61e1bf1b3c9e6 100644
--- a/sound/soc/codecs/dmic.c
+++ b/sound/soc/codecs/dmic.c
@@ -114,8 +114,12 @@ static int dmic_component_probe(struct snd_soc_component *component)
 		return -ENOMEM;
 
 	dmic->vref = devm_regulator_get_optional(component->dev, "vref");
-	if (IS_ERR(dmic->vref) && PTR_ERR(dmic->vref) != -ENODEV)
-		return dev_err_probe(component->dev, PTR_ERR(dmic->vref), "Failed to get vref\n");
+	if (IS_ERR(dmic->vref)) {
+		if (PTR_ERR(dmic->vref) != -ENODEV)
+			return dev_err_probe(component->dev, PTR_ERR(dmic->vref),
+					     "Failed to get vref\n");
+		dmic->vref = NULL;
+	}
 
 	dmic->gpio_en = devm_gpiod_get_optional(component->dev,
 						"dmicen", GPIOD_OUT_LOW);
-- 
2.43.0

Re: [PATCH] ASoC: dmic: Fix NULL pointer dereference

[Mark Brown]

On Wed, 19 Mar 2025 09:56:31 -0500, Mario Limonciello wrote:
> Regulator support was introduced in commit d3321a20b5111 ("ASoC: dmic: add
> regulator support"). During probe `dmic->vref` is initialized with
> devm_regulator_get_optional() but in the error flow doesn't get cleared in
> the case that PTR_ERR(dmic->vref) is -ENODEV. This leads to the following
> NULL pointer deref.
> 
> ```
> Oops: Oops: 0000 [#1] SMP NOPTI
> CPU: 7 UID: 1000 PID: 1587 Comm: wireplumber Not tainted 6.14.0-rc7-next-20250318 #1 PREEMPT(voluntary)
> RIP: 0010:regulator_enable+0x17/0x70
> RSP: 0018:ffffcc10c1fe7a38 EFLAGS: 00010282
> RAX: ffff8bccc1c25010 RBX: ffffffffffffffed RCX: 0000000000000000
> RDX: 0000000000000002 RSI: ffffcc10c1fe7a38 RDI: ffffffffffffffed
> RBP: ffffcc10c1fe7a68 R08: 0000000000000000 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000000 R12: ffff8bcccd51f800
> R13: ffffffffc1086e88 R14: 0000000000000001 R15: 0000000000000001
> FS:  00007f927bc35800(0000) GS:ffff8bd44f09f000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 0000000000000065 CR3: 00000001332c6000 CR4: 0000000000750ef0
> PKRU: 55555554
> Call Trace:
>  <TASK>
>  ? show_regs+0x6c/0x80
>  ? __die+0x24/0x80
>  ? page_fault_oops+0x154/0x570
>  ? hrtimer_start_range_ns+0x142/0x4e0
>  ? timerqueue_del+0x31/0x50
>  ? do_user_addr_fault+0x4ac/0x880
>  ? exc_page_fault+0x82/0x1d0
>  ? asm_exc_page_fault+0x27/0x30
>  ? regulator_enable+0x17/0x70
>  ? __schedule+0x491/0x16b0
>  dmic_aif_event+0x82/0xa0 [snd_soc_dmic]
> ```
> 
> [...]

Applied to

   https://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound.git for-next

Thanks!

[1/1] ASoC: dmic: Fix NULL pointer dereference
      commit: 6271b746e40ebaf24dc54be5f4248f5a61618871

All being well this means that it will be integrated into the linux-next
tree (usually sometime in the next 24 hours) and sent to Linus during
the next merge window (or sooner if it is a bug fix), however if
problems are discovered then the patch may be dropped or reverted.

You may get further e-mails resulting from automated or manual testing
and review of the tree, please engage with people reporting problems and
send followup patches addressing any issues that are reported if needed.

If any updates are required or you are submitting further changes they
should be sent as incremental updates against current git, existing
patches will not be replaced.

Please add any relevant lists and maintainers to the CCs when replying
to this mail.

Thanks,
Mark