| Message ID | 20240531120820.35367-1-simont@opensource.cirrus.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | ALSA: hda: cs35l41: Possible null pointer dereference in cs35l41_hda_unbind() | expand |
On Fri, 31 May 2024 14:08:20 +0200, Simon Trimmer wrote: > > The cs35l41_hda_unbind() function clears the hda_component entry > matching it's index and then dereferences the codec pointer held in the > first element of the hda_component array, this is an issue when the > device index was 0. > > Instead use the codec pointer stashed in the cs35l41_hda structure as it > will still be valid. > > Fixes: 7cf5ce66dfda ("ALSA: hda: cs35l41: Add device_link between HDA and cs35l41_hda") > Signed-off-by: Simon Trimmer <simont@opensource.cirrus.com> Thanks, applied now. Takashi
diff --git a/sound/pci/hda/cs35l41_hda.c b/sound/pci/hda/cs35l41_hda.c index 6c49e5c6cd20..d54d4d60b03e 100644 --- a/sound/pci/hda/cs35l41_hda.c +++ b/sound/pci/hda/cs35l41_hda.c @@ -1495,7 +1495,7 @@ static void cs35l41_hda_unbind(struct device *dev, struct device *master, void * if (comps[cs35l41->index].dev == dev) { memset(&comps[cs35l41->index], 0, sizeof(*comps)); sleep_flags = lock_system_sleep(); - device_link_remove(&comps->codec->core.dev, cs35l41->dev); + device_link_remove(&cs35l41->codec->core.dev, cs35l41->dev); unlock_system_sleep(sleep_flags); } }
The cs35l41_hda_unbind() function clears the hda_component entry matching it's index and then dereferences the codec pointer held in the first element of the hda_component array, this is an issue when the device index was 0. Instead use the codec pointer stashed in the cs35l41_hda structure as it will still be valid. Fixes: 7cf5ce66dfda ("ALSA: hda: cs35l41: Add device_link between HDA and cs35l41_hda") Signed-off-by: Simon Trimmer <simont@opensource.cirrus.com> --- sound/pci/hda/cs35l41_hda.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)