[PATCH] ALSA: hda: intel-dsp-config: Prevent SEGFAULT if ACPI_HANDLE() is NULL

[PATCH] ALSA: hda: intel-dsp-config: Prevent SEGFAULT if ACPI_HANDLE() is NULL

[Richard Fitzgerald]

Check in snd_intel_dsp_check_soundwire() that the pointer returned by
ACPI_HANDLE() is not NULL, before passing it on to other functions.

The original code assumed a non-NULL return, but if it was unexpectedly
NULL it would end up passed to acpi_walk_namespace() as the start
point, and would result in

[    3.219028] BUG: kernel NULL pointer dereference, address:
0000000000000018
[    3.219029] #PF: supervisor read access in kernel mode
[    3.219030] #PF: error_code(0x0000) - not-present page
[    3.219031] PGD 0 P4D 0
[    3.219032] Oops: Oops: 0000 [#1] SMP NOPTI
[    3.219035] CPU: 2 UID: 0 PID: 476 Comm: (udev-worker) Tainted: G S
AW   E       6.17.0-rc5-test #1 PREEMPT(voluntary)
[    3.219038] Tainted: [S]=CPU_OUT_OF_SPEC, [A]=OVERRIDDEN_ACPI_TABLE,
[W]=WARN, [E]=UNSIGNED_MODULE
[    3.219040] RIP: 0010:acpi_ns_walk_namespace+0xb5/0x480

This problem was triggered by a bugged DSDT that the kernel couldn't parse.
But it shouldn't be possible to SEGFAULT the kernel just because of some
bugs in ACPI.

Fixes: 0650857570d1 ("ALSA: hda: add autodetection for SoundWire")
Signed-off-by: Richard Fitzgerald <rf@opensource.cirrus.com>
---
 sound/hda/core/intel-dsp-config.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/sound/hda/core/intel-dsp-config.c b/sound/hda/core/intel-dsp-config.c
index c15284742899..2a9e35cddcf7 100644
--- a/sound/hda/core/intel-dsp-config.c
+++ b/sound/hda/core/intel-dsp-config.c
@@ -650,6 +650,8 @@ static int snd_intel_dsp_check_soundwire(struct pci_dev *pci)
 	int ret;
 
 	handle = ACPI_HANDLE(&pci->dev);
+	if (!handle)
+		return -ENODEV;
 
 	ret = sdw_intel_acpi_scan(handle, &info);
 	if (ret < 0)
-- 
2.39.5

Re: [PATCH] ALSA: hda: intel-dsp-config: Prevent SEGFAULT if ACPI_HANDLE() is NULL

[Takashi Iwai]

On Wed, 17 Sep 2025 18:06:09 +0200,
Richard Fitzgerald wrote:
> 
> Check in snd_intel_dsp_check_soundwire() that the pointer returned by
> ACPI_HANDLE() is not NULL, before passing it on to other functions.
> 
> The original code assumed a non-NULL return, but if it was unexpectedly
> NULL it would end up passed to acpi_walk_namespace() as the start
> point, and would result in
> 
> [    3.219028] BUG: kernel NULL pointer dereference, address:
> 0000000000000018
> [    3.219029] #PF: supervisor read access in kernel mode
> [    3.219030] #PF: error_code(0x0000) - not-present page
> [    3.219031] PGD 0 P4D 0
> [    3.219032] Oops: Oops: 0000 [#1] SMP NOPTI
> [    3.219035] CPU: 2 UID: 0 PID: 476 Comm: (udev-worker) Tainted: G S
> AW   E       6.17.0-rc5-test #1 PREEMPT(voluntary)
> [    3.219038] Tainted: [S]=CPU_OUT_OF_SPEC, [A]=OVERRIDDEN_ACPI_TABLE,
> [W]=WARN, [E]=UNSIGNED_MODULE
> [    3.219040] RIP: 0010:acpi_ns_walk_namespace+0xb5/0x480
> 
> This problem was triggered by a bugged DSDT that the kernel couldn't parse.
> But it shouldn't be possible to SEGFAULT the kernel just because of some
> bugs in ACPI.
> 
> Fixes: 0650857570d1 ("ALSA: hda: add autodetection for SoundWire")
> Signed-off-by: Richard Fitzgerald <rf@opensource.cirrus.com>

Thanks, applied now.


Takashi