From: Cezary Rojewski cezary.rojewski@intel.com
[ Upstream commit 11f74f48c14c1f4fe16541900ea5944c42e30ccf ]
If pcim_request_all_regions() fails, error path operates on uninitialized 'bus' pointer. Found out by Coverity static analyzer.
Reviewed-by: Amadeusz Sławiński amadeuszx.slawinski@linux.intel.com
Signed-off-by: Cezary Rojewski cezary.rojewski@intel.com
Link: https://patch.msgid.link/20250730124906.351798-1-cezary.rojewski@intel.com
Signed-off-by: Mark Brown broonie@kernel.org
Signed-off-by: Sasha Levin sashal@kernel.org
---
LLM Generated explanations, may be completely bogus:
**Backport Status: YES**
## Extensive Analysis:
This commit is an excellent candidate for backporting to stable kernel trees based on the following analysis:
### 1. **Clear Bug Fix for Uninitialized Pointer Access**

The commit fixes a serious bug where an uninitialized `bus` pointer could be dereferenced in error paths. Looking at the original code flow:

- Line 427: `struct hdac_bus *bus;` declares the pointer without initialization
- Line 455-457: If `pcim_request_all_regions()` fails and returns an error, the function returns immediately
- **Critical Issue**: At this point, `bus` has never been initialized (line 459 `bus = &adev->base.core;` would not be reached)
- However, any error handling code that tries to use `bus` would crash with a null/uninitialized pointer dereference

### 2. **Minimal and Contained Fix**

The fix is extremely simple and surgical:

- Moves one line of code (`bus = &adev->base.core;`) from after the `pcim_request_all_regions()` call to immediately after `adev` allocation
- This ensures `bus` is properly initialized before any potential error path that might use it
- The change is only 2 lines (one deletion, one addition in a different location)

### 3. **No Functional Changes or Side Effects**

- The fix doesn't change any logic or behavior in the success path
- It merely ensures proper initialization order to prevent crashes
- No new features or architectural changes are introduced
- The initialization still happens at the same logical point in the flow (after `adev` is allocated and `avs_bus_init` succeeds)

### 4. **Found by Static Analysis**

The commit message explicitly states this was "Found out by Coverity static analyzer", which indicates:

- This is a real potential crash/security issue identified by automated tooling
- Static analyzers are good at finding these initialization order bugs
- The bug might be difficult to trigger in practice but represents a real vulnerability

### 5. **Affects Critical Audio Subsystem**

This is in the Intel AVS (Audio Voice Speech) driver probe function, which:

- Is part of system initialization for Intel audio hardware
- A crash here could prevent audio subsystem from initializing
- Could affect system stability on affected Intel platforms

### 6. **Clear Stable Tree Criteria Met**

This commit meets multiple stable kernel criteria:

- ✅ Fixes a real bug (uninitialized pointer dereference)
- ✅ Minimal change (2 lines moved)
- ✅ No new features
- ✅ Low risk of regression (initialization order fix)
- ✅ Could cause crashes/oops in error conditions
- ✅ Found by static analysis (indicates real issue)

### 7. **Error Path Vulnerability**

While the bug only manifests in error conditions (when `pcim_request_all_regions()` fails), error path bugs are particularly important to fix because:

- They can be triggered by resource exhaustion or hardware issues
- They can potentially be exploited for denial of service
- They make debugging other issues more difficult when the error handler itself crashes
This is a textbook example of a commit that should be backported to stable trees - it fixes a clear bug with minimal risk and no functional changes.
sound/soc/intel/avs/core.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/sound/soc/intel/avs/core.c b/sound/soc/intel/avs/core.c index ec1b3f55cb5c..d45e9279df27 100644 --- a/sound/soc/intel/avs/core.c +++ b/sound/soc/intel/avs/core.c @@ -446,6 +446,8 @@ static int avs_pci_probe(struct pci_dev *pci, const struct pci_device_id *id) adev = devm_kzalloc(dev, sizeof(*adev), GFP_KERNEL); if (!adev) return -ENOMEM; + bus = &adev->base.core; + ret = avs_bus_init(adev, pci, id); if (ret < 0) { dev_err(dev, "failed to init avs bus: %d\n", ret); @@ -456,7 +458,6 @@ static int avs_pci_probe(struct pci_dev *pci, const struct pci_device_id *id) if (ret < 0) return ret;
- bus = &adev->base.core; bus->addr = pci_resource_start(pci, 0); bus->remap_addr = pci_ioremap_bar(pci, 0); if (!bus->remap_addr) {
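Review bot: for the first hunk (`@@ -446,6 +446,8 @@`), placing `bus = &adev->base.core;` directly after the `devm_kzalloc()` NULL check is the right spot, since `base.core` is embedded in `*adev` and its address is valid as soon as the allocation succeeds; what is still missing is a `Fixes:` tag in the commit message naming the commit that introduced the late assignment, which stable maintainers rely on for automatic selection and which the message above does not carry.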
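Review bot: for the second hunk (`@@ -456,7 +458,6 @@`), the context lines just before the removed assignment are `if (ret < 0)` / `return ret;`, which return straight out of probe rather than jumping to a cleanup label, so the dereference of an uninitialized `bus` that the commit message attributes to a `pcim_request_all_regions()` failure is not visible within this hunk; it would help to quote the offending cleanup path in the commit message, or to state that no other early-return path between the allocation and this point reads `bus`.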