[PATCH] ALSA: usb-audio: qcom: fix NULL pointer dereference in qmi_stop_session

Pei Xiao posted 1 patch 3 months, 2 weeks ago
There is a newer version of this series
sound/usb/qcom/qc_audio_offload.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
[PATCH] ALSA: usb-audio: qcom: fix NULL pointer dereference in qmi_stop_session
Posted by Pei Xiao 3 months, 2 weeks ago
The find_substream() call may return NULL, but the original error path
dereferenced 'subs' unconditionally in dev_err(&subs->dev->dev, ...),
causing a NULL pointer dereference when subs is NULL.

Fix by replacing dev_err with pr_err which doesn't require device context.
This safely handles NULL subs while preserving the critical debugging
information (pcm_card_num, pcm_dev_num, direction).

Signed-off-by: Pei Xiao <xiaopei01@kylinos.cn>
---
 sound/usb/qcom/qc_audio_offload.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/sound/usb/qcom/qc_audio_offload.c b/sound/usb/qcom/qc_audio_offload.c
index 5bc27c82e0af..556fd9cb4fa6 100644
--- a/sound/usb/qcom/qc_audio_offload.c
+++ b/sound/usb/qcom/qc_audio_offload.c
@@ -759,8 +759,7 @@ static void qmi_stop_session(void)
 			subs = find_substream(pcm_card_num, info->pcm_dev_num,
 					      info->direction);
 			if (!subs || !chip || atomic_read(&chip->shutdown)) {
-				dev_err(&subs->dev->dev,
-					"no sub for c#%u dev#%u dir%u\n",
+				pr_err("no sub for c#%u dev#%u dir%u\n",
 					info->pcm_card_num,
 					info->pcm_dev_num,
 					info->direction);
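Review bot: The new pr_err() call carries no device or driver identification, so unless the file defines pr_fmt (not visible in this hunk) the log shows only "no sub for c#%u dev#%u dir%u" with nothing tying it to this driver. Consider keeping dev_err() with a device pointer that is known to be valid on this path, or adding a driver prefix to the format string. The unchanged argument lines (info->pcm_card_num, and the two after it) also keep the indentation that matched the opening parenthesis of dev_err( and are now one column off for pr_err(.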
-- 
2.25.1
Re: [PATCH] ALSA: usb-audio: qcom: fix NULL pointer dereference in qmi_stop_session
Posted by Takashi Iwai 3 months, 2 weeks ago
On Tue, 24 Jun 2025 08:06:06 +0200,
Pei Xiao wrote:
> 
> The find_substream() call may return NULL, but the original error path
> dereferenced 'subs' unconditionally in dev_err(&subs->dev->dev, ...),
> causing a NULL pointer dereference when subs is NULL.
> 
> Fix by replacing dev_err with pr_err which doesn't require device context.
> This safely handles NULL subs while preserving the critical debugging
> information (pcm_card_num, pcm_dev_num, direction).
> 
> Signed-off-by: Pei Xiao <xiaopei01@kylinos.cn>
> ---
>  sound/usb/qcom/qc_audio_offload.c | 3 +--
>  1 file changed, 1 insertion(+), 2 deletions(-)
> 
> diff --git a/sound/usb/qcom/qc_audio_offload.c b/sound/usb/qcom/qc_audio_offload.c
> index 5bc27c82e0af..556fd9cb4fa6 100644
> --- a/sound/usb/qcom/qc_audio_offload.c
> +++ b/sound/usb/qcom/qc_audio_offload.c
> @@ -759,8 +759,7 @@ static void qmi_stop_session(void)
>  			subs = find_substream(pcm_card_num, info->pcm_dev_num,
>  					      info->direction);
>  			if (!subs || !chip || atomic_read(&chip->shutdown)) {
> -				dev_err(&subs->dev->dev,
> -					"no sub for c#%u dev#%u dir%u\n",
> +				pr_err("no sub for c#%u dev#%u dir%u\n",
>  					info->pcm_card_num,
>  					info->pcm_dev_num,
>  					info->direction);
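Review bot: The branch at "if (!subs || !chip || atomic_read(&chip->shutdown))" is also taken when subs is valid but chip is NULL or the chip is shutting down, yet the message always reads "no sub". Since this line is being touched anyway, consider wording it so the three cases can be told apart in the log. The lookup also passes the local pcm_card_num to find_substream() while the message prints info->pcm_card_num; if the two can differ, print the value that was actually used for the lookup.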

If we replace it with pr_err(), it should show a bit more relevant
information; otherwise the user can't know who spews this error and for
what reason.

Alternatively, we may replace the device pointer with another existing
device, e.g. uadev[idx].udev->dev, too.


thanks,

Takashi