Commit 99219419 authored May 14, 2026 by Quan Sun Committed by Takashi Iwai May 15, 2026

ALSA: hda: Fix NULL pointer dereference in snd_hda_ctl_add()



snd_hda_ctl_add() dereferences kctl->id.subdevice without checking
whether kctl is NULL. Multiple callers in sound/hda/codecs/ca0132.c
pass the return value of snd_ctl_new1() directly to snd_hda_ctl_add()
without a NULL check:

    return snd_hda_ctl_add(codec, nid, snd_ctl_new1(&knew, codec));

snd_ctl_new1() returns NULL when the underlying snd_ctl_new() fails
on memory allocation (kzalloc_flex),which can occur under memory
pressure or via fault injection.

Add a NULL check at the entry of snd_hda_ctl_add(), matching the
pattern already used by snd_ctl_add_replace() at the same call
path (sound/core/control.c:515). Return -EINVAL to let callers
handle the error gracefully.

Fixes: 44f0c978 ("ALSA: hda/ca0132: Add tuning controls")
Signed-off-by: Quan Sun <2022090917019@std.uestc.edu.cn>
Link: https://patch.msgid.link/20260514132245.3062884-1-2022090917019@std.uestc.edu.cn


Signed-off-by: Takashi Iwai <tiwai@suse.de>

parent fd87b510

sound/hda/common/codec.c

+3 −0

Original line number	Diff line number	Diff line
		@@ -1699,6 +1699,9 @@ int snd_hda_ctl_add(struct hda_codec *codec, hda_nid_t nid,
		unsigned short flags = 0;
		struct hda_nid_item *item;

		if (!kctl)
		return -EINVAL;

		if (kctl->id.subdevice & HDA_SUBDEV_AMP_FLAG) {
		flags \|= HDA_NID_ITEM_AMP;
		if (nid == 0)