[PATCH 6.6.y] ASoC: SOF: Intel: hda: Fix NULL pointer dereference

Alva Lan posted 1 patch 5 days, 14 hours ago
[PATCH 6.6.y] ASoC: SOF: Intel: hda: Fix NULL pointer dereference
Posted by Alva Lan 5 days, 14 hours ago
From: Ranjani Sridharan <ranjani.sridharan@linux.intel.com>

[ Upstream commit 16c589567a956d46a7c1363af3f64de3d420af20 ]

If there's a mismatch between the DAI links in the machine driver and
the topology, it is possible that the playback/capture widget is not
set, especially in the case of loopback capture for echo reference
where we use the dummy DAI link. Return the error when the widget is not
set to avoid a null pointer dereference like below when the topology is
broken.

RIP: 0010:hda_dai_get_ops.isra.0+0x14/0xa0 [snd_sof_intel_hda_common]

Signed-off-by: Ranjani Sridharan <ranjani.sridharan@linux.intel.com>
Reviewed-by: Bard Liao <yung-chuan.liao@linux.intel.com>
Reviewed-by: Liam Girdwood <liam.r.girdwood@intel.com>
Reviewed-by: Mateusz Redzynia <mateuszx.redzynia@intel.com>
Signed-off-by: Peter Ujfalusi <peter.ujfalusi@linux.intel.com>
Link: https://patch.msgid.link/20260204081833.16630-10-peter.ujfalusi@linux.intel.com
Signed-off-by: Mark Brown <broonie@kernel.org>
[ Minor context conflict resolved. ]
Signed-off-by: Alva Lan <alvalan9@foxmail.com>
---
 sound/soc/sof/intel/hda-dai.c | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/sound/soc/sof/intel/hda-dai.c b/sound/soc/sof/intel/hda-dai.c
index 19ec1a45737e..097bcc7822a7 100644
--- a/sound/soc/sof/intel/hda-dai.c
+++ b/sound/soc/sof/intel/hda-dai.c
@@ -77,11 +77,22 @@ static const struct hda_dai_widget_dma_ops *
 hda_dai_get_ops(struct snd_pcm_substream *substream, struct snd_soc_dai *cpu_dai)
 {
 	struct snd_soc_dapm_widget *w = snd_soc_dai_get_widget(cpu_dai, substream->stream);
-	struct snd_sof_widget *swidget = w->dobj.private;
+	struct snd_sof_widget *swidget;
 	struct snd_sof_dev *sdev;
 	struct snd_sof_dai *sdai;
 
+	/*
+	 * this is unlikely if the topology and the machine driver DAI links match.
+	 * But if there's a missing DAI link in topology, this will prevent a NULL pointer
+	 * dereference later on.
+	 */
+	if (!w) {
+		dev_err(cpu_dai->dev, "%s: widget is NULL\n", __func__);
+		return NULL;
+	}
+
 	sdev = widget_to_sdev(w);
+	swidget = w->dobj.private;
 
 	/*
 	 * The swidget parameter of hda_select_dai_widget_ops() is ignored in
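Review bot: After `swidget = w->dobj.private;` near the end of this hunk there is no check that swidget is non-NULL, so only the `!w` case is covered. The follow-up in this thread points out that the later `sdai = swidget->private` in hda_dai_get_ops() still dereferences it when w is non-NULL but w->dobj.private is NULL, and that upstream 16c589567a95 adds both checks. Suggest adding a matching `if (!swidget)` block right after the assignment that logs with dev_err() and returns NULL, the same way the `!w` block does. Minor style point: the new comment opens with a lowercase "this".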
-- 
2.43.0
Re: [PATCH 6.6.y] ASoC: SOF: Intel: hda: Fix NULL pointer dereference
Posted by Sasha Levin 5 days ago
On Tue, May 19, 2026 at 06:44:10PM +0800, Alva Lan wrote:
> From: Ranjani Sridharan <ranjani.sridharan@linux.intel.com>
>
> [ Upstream commit 16c589567a956d46a7c1363af3f64de3d420af20 ]
>
> If there's a mismatch between the DAI links in the machine driver and
> the topology, it is possible that the playback/capture widget is not
> set, especially in the case of loopback capture for echo reference
> where we use the dummy DAI link. Return the error when the widget is not
> set to avoid a null pointer dereference like below when the topology is
> broken.
[...]
> [ Minor context conflict resolved. ]
> Signed-off-by: Alva Lan <alvalan9@foxmail.com>

Queued for 6.6, thanks.

--
Thanks,
Sasha
Re: [PATCH 6.6.y] ASoC: SOF: Intel: hda: Fix NULL pointer dereference
Posted by Sasha Levin 5 days ago
On Tue, May 19, 2026 at 08:54:19PM -0400, Sasha Levin wrote:
>On Tue, May 19, 2026 at 06:44:10PM +0800, Alva Lan wrote:
>> From: Ranjani Sridharan <ranjani.sridharan@linux.intel.com>
>>
>> [ Upstream commit 16c589567a956d46a7c1363af3f64de3d420af20 ]
>>
>> If there's a mismatch between the DAI links in the machine driver and
>> the topology, it is possible that the playback/capture widget is not
>> set, especially in the case of loopback capture for echo reference
>> where we use the dummy DAI link. Return the error when the widget is not
>> set to avoid a null pointer dereference like below when the topology is
>> broken.
>[...]
>> [ Minor context conflict resolved. ]
>> Signed-off-by: Alva Lan <alvalan9@foxmail.com>
>
>Queued for 6.6, thanks.

Ugh...

This backport is missing the !swidget NULL check that the upstream commit also
adds.  Upstream 16c589567a95 adds two checks in hda_dai_get_ops(): one for !w
and one for !swidget.  Your patch only adds the !w check, so the later "sdai =
swidget->private" still crashes when w is non-NULL but w->dobj.private is NULL.

I'm going to drop it for now.

-- 
Thanks,
Sasha