* [PATCH 6.6.y] ASoC: SOF: Intel: hda: Fix NULL pointer dereference
@ 2026-05-19 10:44 Alva Lan
2026-05-20 0:54 ` Sasha Levin
0 siblings, 1 reply; 3+ messages in thread
From: Alva Lan @ 2026-05-19 10:44 UTC (permalink / raw)
To: gregkh, sashal, stable
Cc: linux-kernel, Ranjani Sridharan, Bard Liao, Liam Girdwood,
Mateusz Redzynia, Peter Ujfalusi, Mark Brown, Alva Lan
From: Ranjani Sridharan <ranjani.sridharan@linux.intel.com>
[ Upstream commit 16c589567a956d46a7c1363af3f64de3d420af20 ]
If there's a mismatch between the DAI links in the machine driver and
the topology, it is possible that the playback/capture widget is not
set, especially in the case of loopback capture for echo reference
where we use the dummy DAI link. Return the error when the widget is not
set to avoid a null pointer dereference like below when the topology is
broken.
RIP: 0010:hda_dai_get_ops.isra.0+0x14/0xa0 [snd_sof_intel_hda_common]
Signed-off-by: Ranjani Sridharan <ranjani.sridharan@linux.intel.com>
Reviewed-by: Bard Liao <yung-chuan.liao@linux.intel.com>
Reviewed-by: Liam Girdwood <liam.r.girdwood@intel.com>
Reviewed-by: Mateusz Redzynia <mateuszx.redzynia@intel.com>
Signed-off-by: Peter Ujfalusi <peter.ujfalusi@linux.intel.com>
Link: https://patch.msgid.link/20260204081833.16630-10-peter.ujfalusi@linux.intel.com
Signed-off-by: Mark Brown <broonie@kernel.org>
[ Minor context conflict resolved. ]
Signed-off-by: Alva Lan <alvalan9@foxmail.com>
---
sound/soc/sof/intel/hda-dai.c | 13 ++++++++++++-
1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/sound/soc/sof/intel/hda-dai.c b/sound/soc/sof/intel/hda-dai.c
index 19ec1a45737e..097bcc7822a7 100644
--- a/sound/soc/sof/intel/hda-dai.c
+++ b/sound/soc/sof/intel/hda-dai.c
@@ -77,11 +77,22 @@ static const struct hda_dai_widget_dma_ops *
hda_dai_get_ops(struct snd_pcm_substream *substream, struct snd_soc_dai *cpu_dai)
{
struct snd_soc_dapm_widget *w = snd_soc_dai_get_widget(cpu_dai, substream->stream);
- struct snd_sof_widget *swidget = w->dobj.private;
+ struct snd_sof_widget *swidget;
struct snd_sof_dev *sdev;
struct snd_sof_dai *sdai;
+ /*
+ * this is unlikely if the topology and the machine driver DAI links match.
+ * But if there's a missing DAI link in topology, this will prevent a NULL pointer
+ * dereference later on.
+ */
+ if (!w) {
+ dev_err(cpu_dai->dev, "%s: widget is NULL\n", __func__);
+ return NULL;
+ }
+
sdev = widget_to_sdev(w);
+ swidget = w->dobj.private;
/*
* The swidget parameter of hda_select_dai_widget_ops() is ignored in
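Review bot: the assignment `swidget = w->dobj.private;` after the new `!w` check is never itself tested for NULL, so a widget that exists but has no private data attached still leaves hda_dai_get_ops() holding a NULL swidget. The follow-up in this thread points to the later `sdai = swidget->private` as the dereference that would fault in that case. Add a matching `if (!swidget)` check right after the assignment, with its own dev_err() message and `return NULL;`, so both failure modes of a topology mismatch are covered. Since the function now has a NULL return path, it is also worth confirming that every caller in the 6.6.y tree tests the returned ops pointer before using it.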
--
2.43.0
* Re: [PATCH 6.6.y] ASoC: SOF: Intel: hda: Fix NULL pointer dereference
2026-05-19 10:44 [PATCH 6.6.y] ASoC: SOF: Intel: hda: Fix NULL pointer dereference Alva Lan
@ 2026-05-20 0:54 ` Sasha Levin
2026-05-20 1:15 ` Sasha Levin
0 siblings, 1 reply; 3+ messages in thread
From: Sasha Levin @ 2026-05-20 0:54 UTC (permalink / raw)
To: gregkh, stable
Cc: Sasha Levin, linux-kernel, Ranjani Sridharan, Bard Liao,
Liam Girdwood, Mateusz Redzynia, Peter Ujfalusi, Mark Brown,
Alva Lan
On Tue, May 19, 2026 at 06:44:10PM +0800, Alva Lan wrote:
> From: Ranjani Sridharan <ranjani.sridharan@linux.intel.com>
>
> [ Upstream commit 16c589567a956d46a7c1363af3f64de3d420af20 ]
>
> If there's a mismatch between the DAI links in the machine driver and
> the topology, it is possible that the playback/capture widget is not
> set, especially in the case of loopback capture for echo reference
> where we use the dummy DAI link. Return the error when the widget is not
> set to avoid a null pointer dereference like below when the topology is
> broken.
[...]
> [ Minor context conflict resolved. ]
> Signed-off-by: Alva Lan <alvalan9@foxmail.com>
Queued for 6.6, thanks.
--
Thanks,
Sasha
* Re: [PATCH 6.6.y] ASoC: SOF: Intel: hda: Fix NULL pointer dereference
2026-05-20 0:54 ` Sasha Levin
@ 2026-05-20 1:15 ` Sasha Levin
0 siblings, 0 replies; 3+ messages in thread
From: Sasha Levin @ 2026-05-20 1:15 UTC (permalink / raw)
To: gregkh, stable
Cc: linux-kernel, Ranjani Sridharan, Bard Liao, Liam Girdwood,
Mateusz Redzynia, Peter Ujfalusi, Mark Brown, Alva Lan
On Tue, May 19, 2026 at 08:54:19PM -0400, Sasha Levin wrote:
>On Tue, May 19, 2026 at 06:44:10PM +0800, Alva Lan wrote:
>> From: Ranjani Sridharan <ranjani.sridharan@linux.intel.com>
>>
>> [ Upstream commit 16c589567a956d46a7c1363af3f64de3d420af20 ]
>>
>> If there's a mismatch between the DAI links in the machine driver and
>> the topology, it is possible that the playback/capture widget is not
>> set, especially in the case of loopback capture for echo reference
>> where we use the dummy DAI link. Return the error when the widget is not
>> set to avoid a null pointer dereference like below when the topology is
>> broken.
>[...]
>> [ Minor context conflict resolved. ]
>> Signed-off-by: Alva Lan <alvalan9@foxmail.com>
>
>Queued for 6.6, thanks.
Ugh...
This backport is missing the !swidget NULL check that the upstream commit also
adds. Upstream 16c589567a95 adds two checks in hda_dai_get_ops(): one for !w
and one for !swidget. Your patch only adds the !w check, so the later "sdai =
swidget->private" still crashes when w is non-NULL but w->dobj.private is NULL.
I'm going to drop it for now.
--
Thanks,
Sasha