[alsa-devel] [PATCH 1/2] ALSA: dice: fix NULL pointer dereference at remove units when sound card is not registered

Takashi Sakamoto o-takashi at sakamocchi.jp
Sat Mar 26 13:05:58 CET 2016


When the sound card is not registered, in a callback of unit removal, the
ALSA dice driver calls amdtp_stream_stop(). This causes a NULL pointer
dereference in __mutex_lock_slowpath() because of uninitialized mutex data.

When private data is going to be released, no userspace applications refer
to AMDTP stream data anymore. Thus there is no need to stop the streams.
This commit just destroys the stream data to fix the bug.

Fixes: 4bdc495c87b3('ALSA: dice: handle several PCM substreams when any isochronous streams are available')
Signed-off-by: Takashi Sakamoto <o-takashi at sakamocchi.jp>
---
 sound/firewire/dice/dice-stream.c | 14 ++++----------
 1 file changed, 4 insertions(+), 10 deletions(-)

diff --git a/sound/firewire/dice/dice-stream.c b/sound/firewire/dice/dice-stream.c
index 845d5e5..ec4db3a 100644
--- a/sound/firewire/dice/dice-stream.c
+++ b/sound/firewire/dice/dice-stream.c
@@ -446,18 +446,12 @@ end:
 
 void snd_dice_stream_destroy_duplex(struct snd_dice *dice)
 {
-	struct reg_params tx_params, rx_params;
-
-	snd_dice_transaction_clear_enable(dice);
+	unsigned int i;
 
-	if (get_register_params(dice, &tx_params, &rx_params) == 0) {
-		stop_streams(dice, AMDTP_IN_STREAM, &tx_params);
-		stop_streams(dice, AMDTP_OUT_STREAM, &rx_params);
+	for (i = 0; i < MAX_STREAMS; i++) {
+		destroy_stream(dice, AMDTP_IN_STREAM, i);
+		destroy_stream(dice, AMDTP_OUT_STREAM, i);
 	}
-
-	release_resources(dice);
-
-	dice->substreams_counter = 0;
 }
 
 void snd_dice_stream_update_duplex(struct snd_dice *dice)
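
Review bot: the removal of snd_dice_transaction_clear_enable() and release_resources() in snd_dice_stream_destroy_duplex() is not covered by the commit message, which only argues that the streams need not be stopped. If the card was registered and streaming when the unit is removed, it is unclear from this hunk who now clears the enable bit and releases the resources that release_resources() used to handle; please state in the log (or in a comment above the loop) where that happens or why it is unnecessary on this path. Also, the new loop calls destroy_stream() for every index up to MAX_STREAMS in both directions, so it would help to confirm that destroy_stream() is safe for streams that were never started, given that the original crash came from touching uninitialized mutex data.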
-- 
2.7.3


