[PATCH] ALSA: hwdep: fix NULL dereference on error path

Guangshuo Li posted 1 patch 2 months, 1 week ago
sound/core/hwdep.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
[PATCH] ALSA: hwdep: fix NULL dereference on error path
Posted by Guangshuo Li 2 months, 1 week ago
snd_hwdep_new() allocates a hwdep instance first and then allocates
hwdep->dev via snd_device_alloc().

When snd_device_alloc() fails, hwdep->dev remains NULL, because
snd_device_alloc() clears *dev_p before attempting to allocate the
device object. The error path then calls snd_hwdep_free(), which
unconditionally invokes put_device(hwdep->dev).

This may lead to a NULL pointer dereference in put_device().

Fixes: 897c8882df58 ("ALSA: hwdep: Don't embed device")
Cc: stable@vger.kernel.org
Signed-off-by: Guangshuo Li <lgs201920130244@gmail.com>
---
 sound/core/hwdep.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/sound/core/hwdep.c b/sound/core/hwdep.c
index 09200df2932c..aa35bee8da6b 100644
--- a/sound/core/hwdep.c
+++ b/sound/core/hwdep.c
@@ -343,7 +343,8 @@ static void snd_hwdep_free(struct snd_hwdep *hwdep)
 		return;
 	if (hwdep->private_free)
 		hwdep->private_free(hwdep);
-	put_device(hwdep->dev);
+	if (hwdep->dev)
+		put_device(hwdep->dev);
 	kfree(hwdep);
 }
 
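Review bot: the `if (hwdep->dev)` guard added before `put_device(hwdep->dev)` in snd_hwdep_free() is redundant, because put_device() already checks its argument and does nothing when passed NULL. The error path after a failed snd_device_alloc() therefore reaches `kfree(hwdep)` without a dereference, and the unconditional call can stay as it was. With no crash to fix, the `Fixes:` and `Cc: stable` tags should go as well, since there is nothing to backport.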
-- 
2.43.0
Re: [PATCH] ALSA: hwdep: fix NULL dereference on error path
Posted by Takashi Iwai 2 months, 1 week ago
On Sun, 12 Apr 2026 19:45:29 +0200,
Guangshuo Li wrote:
> 
> snd_hwdep_new() allocates a hwdep instance first and then allocates
> hwdep->dev via snd_device_alloc().
> 
> When snd_device_alloc() fails, hwdep->dev remains NULL, because
> snd_device_alloc() clears *dev_p before attempting to allocate the
> device object. The error path then calls snd_hwdep_free(), which
> unconditionally invokes put_device(hwdep->dev).
> 
> This may lead to a NULL pointer dereference in put_device().

put_device() has a NULL check by itself, so it's safe to pass NULL
there.


thanks,

Takashi
Re: [PATCH] ALSA: hwdep: fix NULL dereference on error path
Posted by Guangshuo Li 2 months, 1 week ago
Hi Takashi,

Thanks for the correction.

I overlooked the NULL check in put_device(), so the reported NULL
dereference on this error path is not valid.

Sorry for the noise. Please disregard this patch.

Thanks,
Guangshuo

Takashi Iwai <tiwai@suse.de> wrote on Mon, Apr 13, 2026 at 13:22:
>
> On Sun, 12 Apr 2026 19:45:29 +0200,
> Guangshuo Li wrote:
> >
> > snd_hwdep_new() allocates a hwdep instance first and then allocates
> > hwdep->dev via snd_device_alloc().
> >
> > When snd_device_alloc() fails, hwdep->dev remains NULL, because
> > snd_device_alloc() clears *dev_p before attempting to allocate the
> > device object. The error path then calls snd_hwdep_free(), which
> > unconditionally invokes put_device(hwdep->dev).
> >
> > This may lead to a NULL pointer dereference in put_device().
>
> put_device() has a NULL check by itself, so it's safe to pass NULL
> there.
>
>
> thanks,
>
> Takashi