[alsa-devel] [PATCH] ASoC: Fix freeing of incompletely initialized snd_soc_dapm_context
Sylwester Nawrocki
s.nawrocki at samsung.com
Fri Jun 7 16:17:45 CEST 2019
When the soc_init_dai_link() call at the beginning of the snd_soc_instantiate_card
function fails, soc_cleanup_card_resources() and then snd_soc_dapm_free()
gets called with an incompletely initialized card->dapm. In particular
card->dapm.card is NULL and it gets dereferenced in dapm_free_widgets().
Also dapm->list is invalid and there is an invalid pointer dereference
from list_del().
The function call stack (deferred probing) on Chromebook Snow where this
issue has shown up in today's -next:
  snd_soc_dapm_free
  soc_cleanup_card_resources
  snd_soc_instantiate_card
  snd_soc_register_card
  devm_snd_soc_register_card
  snow_probe
Fix this by testing dapm->card before attempting to free dapm widgets.
Fixes: 70fc53734e71 ("ASoC: core: move DAI pre-links initiation to snd_soc_instantiate_card")
Reported-by: Marek Szyprowski <m.szyprowski at samsung.com>
Signed-off-by: Sylwester Nawrocki <s.nawrocki at samsung.com>
---
sound/soc/soc-dapm.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/sound/soc/soc-dapm.c b/sound/soc/soc-dapm.c
index 6b44b4a78b8e..5774cbd393fe 100644
--- a/sound/soc/soc-dapm.c
+++ b/sound/soc/soc-dapm.c
@@ -4658,8 +4658,11 @@ EXPORT_SYMBOL_GPL(snd_soc_dapm_ignore_suspend);
void snd_soc_dapm_free(struct snd_soc_dapm_context *dapm)
{
dapm_debugfs_cleanup(dapm);
- dapm_free_widgets(dapm);
- list_del(&dapm->list);
+
+ if (dapm->card) {
+ dapm_free_widgets(dapm);
+ list_del(&dapm->list);
+ }
}
EXPORT_SYMBOL_GPL(snd_soc_dapm_free);
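Review bot: dapm_debugfs_cleanup(dapm) at the top of snd_soc_dapm_free() still runs unconditionally, outside the new if (dapm->card) guard, so it is called on the same incompletely initialized context the commit message describes. Please confirm it is safe when dapm->card is NULL, or move it inside the guard as well. The guard also depends on dapm->card being NULL in every case where dapm->list has not been set up yet; a one-line comment above the if saying that dapm->card serves as the "context was initialized" marker would make that assumption visible to whoever later reorders the init path.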
--
2.17.1