On 07/10/2025 09:39, Denis Arefev wrote:
The __component_match_add function may assign the 'matchptr' pointer the value ERR_PTR(-ENOMEM), which will subsequently be dereferenced.
The call stack leading to the error looks like this:
hda_component_manager_init |-> component_match_add |-> component_match_add_release |-> __component_match_add ( ... ,**matchptr, ... ) |-> *matchptr = ERR_PTR(-ENOMEM); // assign |-> component_master_add_with_match( ... match) |-> component_match_realloc(match, match->num); // dereference
Add IS_ERR() check to prevent the crash.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Fixes: fd895a74dc1d ("ALSA: hda: realtek: Move hda_component implementation to module") Cc: stable@vger.kernel.org Signed-off-by: Denis Arefev arefev@swemel.ru
sound/hda/codecs/side-codecs/hda_component.c | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/sound/hda/codecs/side-codecs/hda_component.c b/sound/hda/codecs/side-codecs/hda_component.c index 71860e2d6377..84ddbab660e3 100644 --- a/sound/hda/codecs/side-codecs/hda_component.c +++ b/sound/hda/codecs/side-codecs/hda_component.c @@ -181,6 +181,8 @@ int hda_component_manager_init(struct hda_codec *cdc, sm->match_str = match_str; sm->index = i; component_match_add(dev, &match, hda_comp_match_dev_name, sm);
if (IS_ERR(match))return PTR_ERR(match);
Would be good to print something to log an error, since otherwise this fails silently.
Thanks,
Stefan
} ret = component_master_add_with_match(dev, ops, match);