* [PATCH] ALSA: hwdep: fix NULL dereference on error path
@ 2026-04-12 17:45 Guangshuo Li
2026-04-13 5:22 ` Takashi Iwai
0 siblings, 1 reply; 3+ messages in thread
From: Guangshuo Li @ 2026-04-12 17:45 UTC (permalink / raw)
To: Jaroslav Kysela, Takashi Iwai, Guangshuo Li, Curtis Malainey,
linux-sound, linux-kernel
Cc: stable
snd_hwdep_new() allocates a hwdep instance first and then allocates
hwdep->dev via snd_device_alloc().
When snd_device_alloc() fails, hwdep->dev remains NULL, because
snd_device_alloc() clears *dev_p before attempting to allocate the
device object. The error path then calls snd_hwdep_free(), which
unconditionally invokes put_device(hwdep->dev).
This may lead to a NULL pointer dereference in put_device().
Fixes: 897c8882df58 ("ALSA: hwdep: Don't embed device")
Cc: stable@vger.kernel.org
Signed-off-by: Guangshuo Li <lgs201920130244@gmail.com>
---
sound/core/hwdep.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/sound/core/hwdep.c b/sound/core/hwdep.c
index 09200df2932c..aa35bee8da6b 100644
--- a/sound/core/hwdep.c
+++ b/sound/core/hwdep.c
@@ -343,7 +343,8 @@ static void snd_hwdep_free(struct snd_hwdep *hwdep)
return;
if (hwdep->private_free)
hwdep->private_free(hwdep);
- put_device(hwdep->dev);
+ if (hwdep->dev)
+ put_device(hwdep->dev);
kfree(hwdep);
}
--
2.43.0
^ permalink raw reply related [flat|nested] 3+ messages in thread* Re: [PATCH] ALSA: hwdep: fix NULL dereference on error path
2026-04-12 17:45 [PATCH] ALSA: hwdep: fix NULL dereference on error path Guangshuo Li
@ 2026-04-13 5:22 ` Takashi Iwai
2026-04-13 5:48 ` Guangshuo Li
0 siblings, 1 reply; 3+ messages in thread
From: Takashi Iwai @ 2026-04-13 5:22 UTC (permalink / raw)
To: Guangshuo Li
Cc: Jaroslav Kysela, Takashi Iwai, Curtis Malainey, linux-sound,
linux-kernel, stable
On Sun, 12 Apr 2026 19:45:29 +0200,
Guangshuo Li wrote:
>
> snd_hwdep_new() allocates a hwdep instance first and then allocates
> hwdep->dev via snd_device_alloc().
>
> When snd_device_alloc() fails, hwdep->dev remains NULL, because
> snd_device_alloc() clears *dev_p before attempting to allocate the
> device object. The error path then calls snd_hwdep_free(), which
> unconditionally invokes put_device(hwdep->dev).
>
> This may lead to a NULL pointer dereference in put_device().
put_device() has a NULL check by itself, so it's safe to pass NULL
there.
thanks,
Takashi
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH] ALSA: hwdep: fix NULL dereference on error path
2026-04-13 5:22 ` Takashi Iwai
@ 2026-04-13 5:48 ` Guangshuo Li
0 siblings, 0 replies; 3+ messages in thread
From: Guangshuo Li @ 2026-04-13 5:48 UTC (permalink / raw)
To: Takashi Iwai
Cc: Jaroslav Kysela, Takashi Iwai, Curtis Malainey, linux-sound,
linux-kernel, stable
Hi Takashi,
Thanks for the correction.
I overlooked the NULL check in put_device(), so the reported NULL
dereference on this error path is not valid.
Sorry for the noise. Please disregard this patch.
Thanks,
Guangshuo
Takashi Iwai <tiwai@suse.de> 于2026年4月13日周一 13:22写道:
>
> On Sun, 12 Apr 2026 19:45:29 +0200,
> Guangshuo Li wrote:
> >
> > snd_hwdep_new() allocates a hwdep instance first and then allocates
> > hwdep->dev via snd_device_alloc().
> >
> > When snd_device_alloc() fails, hwdep->dev remains NULL, because
> > snd_device_alloc() clears *dev_p before attempting to allocate the
> > device object. The error path then calls snd_hwdep_free(), which
> > unconditionally invokes put_device(hwdep->dev).
> >
> > This may lead to a NULL pointer dereference in put_device().
>
> put_device() has a NULL check by itself, so it's safe to pass NULL
> there.
>
>
> thanks,
>
> Takashi
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2026-04-13 5:48 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-04-12 17:45 [PATCH] ALSA: hwdep: fix NULL dereference on error path Guangshuo Li
2026-04-13 5:22 ` Takashi Iwai
2026-04-13 5:48 ` Guangshuo Li
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox