ALSA: hda: Fix NULL pointer dereference in snd_hda_ctl_add()

snd_hda_ctl_add() dereferences kctl->id.subdevice without checking
whether kctl is NULL. Multiple callers in sound/hda/codecs/ca0132.c
pass the return value of snd_ctl_new1() directly to snd_hda_ctl_add()
without a NULL check:

    return snd_hda_ctl_add(codec, nid, snd_ctl_new1(&knew, codec));

snd_ctl_new1() returns NULL when the underlying snd_ctl_new() fails
on memory allocation (kzalloc_flex),which can occur under memory
pressure or via fault injection.

Add a NULL check at the entry of snd_hda_ctl_add(), matching the
pattern already used by snd_ctl_add_replace() at the same call
path (sound/core/control.c:515). Return -EINVAL to let callers
handle the error gracefully.

Fixes: 44f0c9782cc6 ("ALSA: hda/ca0132: Add tuning controls")
Signed-off-by: Quan Sun <2022090917019@std.uestc.edu.cn>
Link: https://patch.msgid.link/20260514132245.3062884-1-2022090917019@std.uestc.edu.cn
Signed-off-by: Takashi Iwai <tiwai@suse.de>

diff --git a/sound/hda/common/codec.c b/sound/hda/common/codec.c
index c2af2511a83160def89b9dceac1f4259438ae46b..81f266b9b850f7e542922ba7eb9d06d1d849043b 100644 (file)
--- a/sound/hda/common/codec.c
+++ b/sound/hda/common/codec.c
@@ -1699,6 +1699,9 @@ int snd_hda_ctl_add(struct hda_codec *codec, hda_nid_t nid,
        unsigned short flags = 0;
        struct hda_nid_item *item;
 
+       if (!kctl)
+               return -EINVAL;
+
        if (kctl->id.subdevice & HDA_SUBDEV_AMP_FLAG) {
                flags |= HDA_NID_ITEM_AMP;
                if (nid == 0)