Comment 40 for bug 1609750

In , mildred-bug.kernel (mildred-bug.kernel-linux-kernel-bugs) wrote :

There is a null pointer dereference in ts3a227e_enable_jack_detect. The function looks like this in sound/soc/codecs/ts3a227e.c:

/*
 * Map the four headset buttons to input keys on the given jack, store the
 * jack in the codec's driver data and report the current jack state.
 *
 * Always returns 0; the return values of snd_jack_set_key() are ignored.
 *
 * NOTE(review): nothing here is checked for NULL before use. Three separate
 * values are dereferenced or handed on: the jack argument (to read
 * jack->jack), the jack->jack member itself (passed to snd_jack_set_key()),
 * and ts3a227e (the component driver data).
 */
int ts3a227e_enable_jack_detect(struct snd_soc_component *component,
    struct snd_soc_jack *jack)
{
 /* Component driver data; used below without a NULL check. */
 struct ts3a227e *ts3a227e = snd_soc_component_get_drvdata(component);

 /*
  * jack->jack is a member loaded from *jack, distinct from the jack
  * pointer. This listing does not show where that member is assigned.
  * NOTE(review): if the caller's struct is still zero-filled when this
  * runs, snd_jack_set_key() receives NULL - confirm whether it tolerates
  * that, and that a jack is created before this function is called.
  */
 snd_jack_set_key(jack->jack, SND_JACK_BTN_0, KEY_MEDIA);
 snd_jack_set_key(jack->jack, SND_JACK_BTN_1, KEY_VOICECOMMAND);
 snd_jack_set_key(jack->jack, SND_JACK_BTN_2, KEY_VOLUMEUP);
 snd_jack_set_key(jack->jack, SND_JACK_BTN_3, KEY_VOLUMEDOWN);

 /* First write through ts3a227e; faults here if the driver data is NULL. */
 ts3a227e->jack = jack;
 ts3a227e_jack_report(ts3a227e);

 return 0;
}

Given the calling context in sound/soc/intel/boards/cht_bsw_max98090_ti.c:

/*
 * Headset init callback: look up the card's driver data and enable jack
 * detection on the jack embedded in it. Returns whatever
 * ts3a227e_enable_jack_detect() returns.
 */
static int cht_max98090_headset_init(struct snd_soc_component *component)
{
 struct snd_soc_card *card = component->card;
 /* Card driver data; not checked for NULL before &ctx->jack is formed. */
 struct cht_mc_private *ctx = snd_soc_card_get_drvdata(card);

 /*
  * &ctx->jack is the address of a member embedded in *ctx, so it is
  * valid whenever ctx is. That only covers the address: the contents of
  * the struct (including its inner jack pointer) are whatever has been
  * stored there so far.
  * NOTE(review): nothing visible here initialises ctx->jack first;
  * verify a jack is created on it before this callback can run.
  */
 return ts3a227e_enable_jack_detect(component, &ctx->jack);
}

And the driverdata struct:

/* Per-card private data for the cht-bsw-max98090 machine driver. */
struct cht_mc_private {
 /* Embedded by value, not a pointer: its address is never NULL on its own. */
 struct snd_soc_jack jack;
 /* Set in probe from the ACPI lookup for the TI jack detection chip. */
 bool ts3a227e_present;
};

Unless ctx in cht_max98090_headset_init is null, &ctx->jack cannot be null, and so the jack argument of ts3a227e_enable_jack_detect cannot be null. The options here:

- either the snd_soc_card driver data is null (card not initialized?)
- or ts3a227e_enable_jack_detect crashes because ts3a227e is null, which is the snd_soc_component driver data (component not initialized?)
- or ts3a227e_enable_jack_detect crashes because there is another pointer that is null. It doesn't look so...

The snd_soc_card driver data is initialized here:

/*
 * Platform probe: allocate the card's private data, drop the aux device
 * when the TI jack detection chip is absent, then register the sound card.
 *
 * Returns 0 on success, -ENOMEM if the allocation fails, or the error from
 * devm_snd_soc_register_card().
 */
static int snd_cht_mc_probe(struct platform_device *pdev)
{
 int ret_val = 0;
 struct cht_mc_private *drv;

 /*
  * devm_kzalloc() returns zeroed memory, so every field of drv->jack
  * starts out as zero/NULL until something else fills it in.
  * NOTE(review): GFP_ATOMIC is used, but nothing visible here suggests an
  * atomic context - presumably GFP_KERNEL would do; confirm.
  */
 drv = devm_kzalloc(&pdev->dev, sizeof(*drv), GFP_ATOMIC);
 if (!drv)
  return -ENOMEM;

 drv->ts3a227e_present = acpi_dev_found("104C227E");
 if (!drv->ts3a227e_present) {
  /* no need probe TI jack detection chip */
  /* This edits the file-scope snd_soc_card_cht, not a per-device copy. */
  snd_soc_card_cht.aux_dev = NULL;
  snd_soc_card_cht.num_aux_devs = 0;
 }

 /* register the soc card */
 snd_soc_card_cht.dev = &pdev->dev;
 /*
  * The card driver data is set before the card is registered, so it is
  * already non-NULL when registration runs.
  */
 snd_soc_card_set_drvdata(&snd_soc_card_cht, drv);
 ret_val = devm_snd_soc_register_card(&pdev->dev, &snd_soc_card_cht);
 if (ret_val) {
  dev_err(&pdev->dev,
   "snd_soc_register_card failed %d\n", ret_val);
  return ret_val;
 }
 platform_set_drvdata(pdev, &snd_soc_card_cht);
 return ret_val;
}

Which is referenced in the platform driver:

/*
 * Platform driver named "cht-bsw-max98090", with snd_cht_mc_probe() as its
 * probe callback. No remove callback is set in this listing; the probe
 * path uses devm_* helpers for its allocation and card registration.
 */
static struct platform_driver snd_cht_mc_driver = {
 .driver = {
  .name = "cht-bsw-max98090",
 },
 .probe = snd_cht_mc_probe,
};

/* Registers snd_cht_mc_driver as this module's platform driver. */
module_platform_driver(snd_cht_mc_driver)

I didn't see where snd_soc_component_set_drvdata was called...