Re: [PATCH] ASoC: SDCA: fix NULL pointer dereference in sdca_dev_unregister_functions
From: Charles Keepax
Date: Thu Jun 11 2026 - 05:13:40 EST
On Thu, Jun 11, 2026 at 10:37:57AM +0800, Kean Ren wrote:
> sdca_dev_unregister_functions() iterates over all SDCA function
> descriptors and calls sdca_dev_unregister() on each func_dev without
> checking for NULL. When a function registration has failed partway
> through, or the device cleanup races with probe deferral, func_dev
> entries may be NULL, leading to a kernel oops:
>
> BUG: kernel NULL pointer dereference, address: 0000000000000040
> RIP: 0010:device_del+0x1e/0x3e0
> Call Trace:
> sdca_dev_unregister_functions+0x37/0x60 [snd_soc_sdca]
> release_nodes+0x35/0xb0
> devres_release_all+0x90/0x100
> device_unbind_cleanup+0xe/0x80
> device_release_driver_internal+0x1c1/0x200
> bus_remove_device+0xc6/0x130
> device_del+0x161/0x3e0
> device_unregister+0x17/0x60
> sdw_delete_slave+0xb6/0xd0 [soundwire_bus]
> sdw_bus_master_delete+0x1e/0x50 [soundwire_bus]
> ...
> sof_probe_work+0x19/0x30 [snd_sof]
>
> This was observed on a Lenovo ThinkPad X1 Carbon G14 (Panther Lake)
> with the SOF audio driver probe failing due to missing Panther Lake
> firmware, causing the subsequent cleanup of SoundWire devices to
> trigger the crash.
>
> Fix this with three changes:
>
> 1) Add a NULL guard in sdca_dev_unregister() so that callers do not
> need to pre-validate the pointer (defense in depth).
>
> 2) In sdca_dev_unregister_functions(), skip NULL func_dev entries
> and clear func_dev to NULL after unregistration, making the
> function idempotent and safe against double-invocation.
>
> 3) In sdca_dev_register_functions(), roll back all previously
> registered functions when a later one fails, so the function
> array is never left in a partially-populated state.
>
> Fixes: 4496d1c65bad ("ASoC: SDCA: add function devices")
> Signed-off-by: Kean Ren <rh_king@xxxxxxx>
> ---
Reviewed-by: Charles Keepax <ckeepax@xxxxxxxxxxxxxxxxxxxxx>
Thanks,
Charles
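The three changes the commit message describes (a NULL-tolerant unregister, an unregister loop that skips NULL entries and clears them so it is idempotent, and rollback of already-registered functions when a later registration fails), as an added user-space C illustration that is not the kernel's own code: `struct func_dev`, `pool`, `funcs`, the `dev_*` names and the `fail_at` failure injection are constructed stand-ins for this example, and `unregister_calls` only exists to make the behaviour checkable.

```c
#include <stdbool.h>
#include <stddef.h>
#define SDCA_MAX_FUNCS 4

/* Constructed stand-in for an SDCA function device; not kernel code. */
struct func_dev { bool registered; };
static struct func_dev pool[SDCA_MAX_FUNCS];   /* backing storage */
static struct func_dev *funcs[SDCA_MAX_FUNCS]; /* the func_dev array */
static int unregister_calls;                   /* real unregistrations done */
/* Change 1: NULL guard, so callers need not pre-validate the pointer. */
static void dev_unregister(struct func_dev *dev)
{
	if (!dev)
		return;
	dev->registered = false;
	unregister_calls++;
}

/* Change 2: skip NULL slots and clear each after use, so a repeat call is a no-op. */
static void dev_unregister_functions(void)
{
	for (int i = 0; i < SDCA_MAX_FUNCS; i++) {
		if (!funcs[i])
			continue;
		dev_unregister(funcs[i]);
		funcs[i] = NULL;
	}
}

/* Change 3: fail_at (-1 for none) simulates a failed registration; roll back. */
static int dev_register_functions(int n, int fail_at)
{
	for (int i = 0; i < n && i < SDCA_MAX_FUNCS; i++) {
		if (i == fail_at) {
			dev_unregister_functions();
			return -1;
		}
		pool[i].registered = true;
		funcs[i] = &pool[i];
	}
	return 0;
}
static int count_registered(void) /* populated slots in the array */
{
	int c = 0;
	for (int i = 0; i < SDCA_MAX_FUNCS; i++)
		c += funcs[i] != NULL;
	return c;
}
```

With a failure injected at the second function, the first one is unregistered and the array is left empty rather than half-populated; a later cleanup pass over that array then finds only NULL slots and does nothing.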