[PATCH 0/2] ASoC: fixup snd_soc_lookup_component_nolocked()

[PATCH 0/2] ASoC: fixup snd_soc_lookup_component_nolocked()

[Kuninori Morimoto]

Hi Mark, Neuschafer

Because snd_dmaengine_pcm is sharing same dev with CPU and Platform,
snd_soc_lookup_component_nolocked() might be call with NULL driver name
(= CPU). This patch fixup and cleanup it.

Kuninori Morimoto (2):
  ASoC: soc-core: care NULL dirver name on snd_soc_lookup_component_nolocked()
  ASoC: soc-core: tidyup snd_soc_lookup_component_nolocked()

 sound/soc/soc-core.c | 25 +++++++++++++++----------
 1 file changed, 15 insertions(+), 10 deletions(-)

-- 
2.43.0

[PATCH 1/2] ASoC: soc-core: care NULL dirver name on snd_soc_lookup_component_nolocked()

[Kuninori Morimoto]

soc-generic-dmaengine-pcm.c uses same dev for both CPU and Platform.
In such case, CPU component driver might not have driver->name, then
snd_soc_lookup_component_nolocked() will be NULL pointer access error.
Care NULL driver name.

	Call trace:
	 strcmp from snd_soc_lookup_component_nolocked+0x64/0xa4
	 snd_soc_lookup_component_nolocked from snd_soc_unregister_component_by_driver+0x2c/0x44
	 snd_soc_unregister_component_by_driver from snd_dmaengine_pcm_unregister+0x28/0x64
	 snd_dmaengine_pcm_unregister from devres_release_all+0x98/0xfc
	 devres_release_all from device_unbind_cleanup+0xc/0x60
	 device_unbind_cleanup from really_probe+0x220/0x2c8
	 really_probe from __driver_probe_device+0x88/0x1a0
	 __driver_probe_device from driver_probe_device+0x30/0x110
	driver_probe_device from __driver_attach+0x90/0x178
	__driver_attach from bus_for_each_dev+0x7c/0xcc
	bus_for_each_dev from bus_add_driver+0xcc/0x1ec
	bus_add_driver from driver_register+0x80/0x11c
	driver_register from do_one_initcall+0x58/0x23c
	do_one_initcall from kernel_init_freeable+0x198/0x1f4
	kernel_init_freeable from kernel_init+0x1c/0x12c
	kernel_init from ret_from_fork+0x14/0x28

Fixes: 144d6dfc7482 ("ASoC: soc-core: merge snd_soc_unregister_component() and snd_soc_unregister_component_by_driver()")
Reported-by: J. Neuschäfer <j.ne@posteo.net>
Closes: https://lore.kernel.org/r/aJb311bMDc9x-dpW@probook
Signed-off-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
---
 sound/soc/soc-core.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/sound/soc/soc-core.c b/sound/soc/soc-core.c
index 37bc5867f81d4..c1cf205e05569 100644
--- a/sound/soc/soc-core.c
+++ b/sound/soc/soc-core.c
@@ -375,8 +375,9 @@ struct snd_soc_component
 	for_each_component(component) {
 		if ((dev == component->dev) &&
 		    (!driver_name ||
-		     (driver_name == component->driver->name) ||
-		     (strcmp(component->driver->name, driver_name) == 0))) {
+		     (component->driver->name &&
+		      ((component->driver->name == driver_name) ||
+		       (strcmp(component->driver->name, driver_name) == 0))))) {
 			found_component = component;
 			break;
 		}
-- 
2.43.0

[PATCH 2/2] ASoC: soc-core: tidyup snd_soc_lookup_component_nolocked()

[Kuninori Morimoto]

snd_soc_lookup_component_nolocked() is very complex today.
Let's tidyup the code.

Signed-off-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
---
 sound/soc/soc-core.c | 26 +++++++++++++++-----------
 1 file changed, 15 insertions(+), 11 deletions(-)

diff --git a/sound/soc/soc-core.c b/sound/soc/soc-core.c
index c1cf205e05569..cc9125ffe92ac 100644
--- a/sound/soc/soc-core.c
+++ b/sound/soc/soc-core.c
@@ -369,21 +369,25 @@ struct snd_soc_component
 *snd_soc_lookup_component_nolocked(struct device *dev, const char *driver_name)
 {
 	struct snd_soc_component *component;
-	struct snd_soc_component *found_component;
 
-	found_component = NULL;
 	for_each_component(component) {
-		if ((dev == component->dev) &&
-		    (!driver_name ||
-		     (component->driver->name &&
-		      ((component->driver->name == driver_name) ||
-		       (strcmp(component->driver->name, driver_name) == 0))))) {
-			found_component = component;
-			break;
-		}
+		if (dev != component->dev)
+			continue;
+
+		if (!driver_name)
+			return component;
+
+		if (!component->driver->name)
+			continue;
+
+		if (component->driver->name == driver_name)
+			return component;
+
+		if (strcmp(component->driver->name, driver_name) == 0)
+			return component;
 	}
 
-	return found_component;
+	return NULL;
 }
 EXPORT_SYMBOL_GPL(snd_soc_lookup_component_nolocked);
 
-- 
2.43.0

Re: [PATCH 1/2] ASoC: soc-core: care NULL dirver name on snd_soc_lookup_component_nolocked()

[Kuninori Morimoto]

Hi

> soc-generic-dmaengine-pcm.c uses same dev for both CPU and Platform.
> In such case, CPU component driver might not have driver->name, then
> snd_soc_lookup_component_nolocked() will be NULL pointer access error.
> Care NULL driver name.

Reported-by: Ondřej Jirman <megi@xff.cz>
Closes: https://lore.kernel.org/r/arxpwzu6nzgjxvsndct65ww2wz4aezb5gjdzlgr24gfx7xvyih@natjg6dg2pj6

Thank you for your help !!

Best regards
---
Kuninori Morimoto

Re: [PATCH 1/2] ASoC: soc-core: care NULL dirver name on snd_soc_lookup_component_nolocked()

[J. Neuschäfer]

Hello,

On Tue, Aug 19, 2025 at 01:58:51AM +0000, Kuninori Morimoto wrote:
> soc-generic-dmaengine-pcm.c uses same dev for both CPU and Platform.
> In such case, CPU component driver might not have driver->name, then
> snd_soc_lookup_component_nolocked() will be NULL pointer access error.
> Care NULL driver name.
> 
> 	Call trace:
> 	 strcmp from snd_soc_lookup_component_nolocked+0x64/0xa4
> 	 snd_soc_lookup_component_nolocked from snd_soc_unregister_component_by_driver+0x2c/0x44
> 	 snd_soc_unregister_component_by_driver from snd_dmaengine_pcm_unregister+0x28/0x64
> 	 snd_dmaengine_pcm_unregister from devres_release_all+0x98/0xfc
> 	 devres_release_all from device_unbind_cleanup+0xc/0x60
> 	 device_unbind_cleanup from really_probe+0x220/0x2c8
> 	 really_probe from __driver_probe_device+0x88/0x1a0
> 	 __driver_probe_device from driver_probe_device+0x30/0x110
> 	driver_probe_device from __driver_attach+0x90/0x178
> 	__driver_attach from bus_for_each_dev+0x7c/0xcc
> 	bus_for_each_dev from bus_add_driver+0xcc/0x1ec
> 	bus_add_driver from driver_register+0x80/0x11c
> 	driver_register from do_one_initcall+0x58/0x23c
> 	do_one_initcall from kernel_init_freeable+0x198/0x1f4
> 	kernel_init_freeable from kernel_init+0x1c/0x12c
> 	kernel_init from ret_from_fork+0x14/0x28
> 
> Fixes: 144d6dfc7482 ("ASoC: soc-core: merge snd_soc_unregister_component() and snd_soc_unregister_component_by_driver()")
> Reported-by: J. Neuschäfer <j.ne@posteo.net>
> Closes: https://lore.kernel.org/r/aJb311bMDc9x-dpW@probook
> Signed-off-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
> ---

I can confirm that this patch (applied on top of v6.17-rc1) fixes the
NULL deref that I reported.

Tested-by: J. Neuschäfer <j.ne@posteo.net>

Thank you!


>  sound/soc/soc-core.c | 5 +++--
>  1 file changed, 3 insertions(+), 2 deletions(-)
> 
> diff --git a/sound/soc/soc-core.c b/sound/soc/soc-core.c
> index 37bc5867f81d4..c1cf205e05569 100644
> --- a/sound/soc/soc-core.c
> +++ b/sound/soc/soc-core.c
> @@ -375,8 +375,9 @@ struct snd_soc_component
>  	for_each_component(component) {
>  		if ((dev == component->dev) &&
>  		    (!driver_name ||
> -		     (driver_name == component->driver->name) ||
> -		     (strcmp(component->driver->name, driver_name) == 0))) {
> +		     (component->driver->name &&
> +		      ((component->driver->name == driver_name) ||
> +		       (strcmp(component->driver->name, driver_name) == 0))))) {
>  			found_component = component;
>  			break;
>  		}
> -- 
> 2.43.0
> 

Re: [PATCH 0/2] ASoC: fixup snd_soc_lookup_component_nolocked()

[Mark Brown]

On Tue, 19 Aug 2025 01:58:09 +0000, Kuninori Morimoto wrote:
> Because snd_dmaengine_pcm is sharing same dev with CPU and Platform,
> snd_soc_lookup_component_nolocked() might be call with NULL driver name
> (= CPU). This patch fixup and cleanup it.
> 
> Kuninori Morimoto (2):
>   ASoC: soc-core: care NULL dirver name on snd_soc_lookup_component_nolocked()
>   ASoC: soc-core: tidyup snd_soc_lookup_component_nolocked()
> 
> [...]

Applied to

   https://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound.git for-next

Thanks!

[1/2] ASoC: soc-core: care NULL dirver name on snd_soc_lookup_component_nolocked()
      commit: 168873ca1799d3f23442b9e79eae55f907b9b126
[2/2] ASoC: soc-core: tidyup snd_soc_lookup_component_nolocked()
      commit: b833b412a522e58b790abe79b6ec46e8ba1f312a

All being well this means that it will be integrated into the linux-next
tree (usually sometime in the next 24 hours) and sent to Linus during
the next merge window (or sooner if it is a bug fix), however if
problems are discovered then the patch may be dropped or reverted.

You may get further e-mails resulting from automated or manual testing
and review of the tree, please engage with people reporting problems and
send followup patches addressing any issues that are reported if needed.

If any updates are required or you are submitting further changes they
should be sent as incremental updates against current git, existing
patches will not be replaced.

Please add any relevant lists and maintainers to the CCs when replying
to this mail.

Thanks,
Mark