On Wed, Mar 18, 2026 at 3:11 AM Gui-Dong Han <[email protected]> wrote: > > Passing NULL to debugfs_create_str() causes a NULL pointer dereference > upon reading, and creating debugfs nodes with NULL string pointers is no > longer permitted. Change the initialization of firmware_file to an > allocated empty string. Existing driver code using this field handles > empty strings correctly. > > Fixes: fe46d2a4301d ("soundwire: debugfs: add interface to read/write > commands") > Reported-by: yangshiguang <[email protected]> > Closes: > https://lore.kernel.org/lkml/[email protected]/ > Signed-off-by: Gui-Dong Han <[email protected]> > --- > drivers/soundwire/debugfs.c | 5 +++-- > 1 file changed, 3 insertions(+), 2 deletions(-) > > diff --git a/drivers/soundwire/debugfs.c b/drivers/soundwire/debugfs.c > index ccc9670ef77c..d4abe8bfca76 100644 > --- a/drivers/soundwire/debugfs.c > +++ b/drivers/soundwire/debugfs.c > @@ -358,8 +358,9 @@ void sdw_slave_debugfs_init(struct sdw_slave *slave) > debugfs_create_file("go", 0200, d, slave, &cmd_go_fops); > > debugfs_create_file("read_buffer", 0400, d, slave, &read_buffer_fops); > - firmware_file = NULL; > - debugfs_create_str("firmware_file", 0200, d, &firmware_file); > + firmware_file = devm_kstrdup(&slave->dev, "", GFP_KERNEL); > + if (firmware_file) > + debugfs_create_str("firmware_file", 0200, d, &firmware_file);
I initially patterned this fix after commit 8cc27f5c6dd1 [1] by using devm_kstrdup(). However, I realized that approach is flawed: debugfs_write_file_str() calls a raw kfree(), which causes a mismatch. I have submitted a separate patch [2] to fix that existing commit.

Additionally, firmware_file is a global pointer in this driver. The original code blindly overwrote it with NULL every time a new slave was added. To fix both issues properly, I moved the allocation to the subsystem init and exit paths so it is only allocated once.

The updated v2 patch is included below for review. I will wait for further comments on the rest of the series and include this updated patch if a full v2 series is required.

[1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=8cc27f5c6dd1
[2] https://lore.kernel.org/linux-pm/[email protected]/

>From bbaff3bc33746a965a2387ffe8302d05e700a1c3 Mon Sep 17 00:00:00 2001
From: Gui-Dong Han <[email protected]>
Date: Wed, 18 Mar 2026 03:10:29 +0800
Subject: [PATCH v2 3/4] soundwire: debugfs: initialize firmware_file to empty string

Passing NULL to debugfs_create_str() causes a NULL pointer dereference, and creating debugfs nodes with NULL string pointers is no longer permitted.

Additionally, firmware_file is a global pointer. Previously, adding every new slave blindly overwrote it with NULL.

Fix these issues by initializing firmware_file to an allocated empty string once in the subsystem init path (sdw_debugfs_init), and freeing it in the exit path. Existing driver code handles empty strings correctly.

Fixes: fe46d2a4301d ("soundwire: debugfs: add interface to read/write commands")
Reported-by: yangshiguang <[email protected]>
Closes: https://lore.kernel.org/lkml/[email protected]/
Signed-off-by: Gui-Dong Han <[email protected]> --- v2: * Replace devm_kstrdup() with kstrdup() to fix allocation/free mismatch with debugfs. * Move initialization to subsystem init/exit paths to avoid overwriting the global pointer on every slave probe. --- drivers/soundwire/debugfs.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/drivers/soundwire/debugfs.c b/drivers/soundwire/debugfs.c index ccc9670ef77c..2905ec19b838 100644 --- a/drivers/soundwire/debugfs.c +++ b/drivers/soundwire/debugfs.c @@ -358,8 +358,8 @@ void sdw_slave_debugfs_init(struct sdw_slave *slave) debugfs_create_file("go", 0200, d, slave, &cmd_go_fops); debugfs_create_file("read_buffer", 0400, d, slave, &read_buffer_fops); - firmware_file = NULL; - debugfs_create_str("firmware_file", 0200, d, &firmware_file); + if (firmware_file) + debugfs_create_str("firmware_file", 0200, d, &firmware_file); slave->debugfs = d; } @@ -371,10 +371,15 @@ void sdw_slave_debugfs_exit(struct sdw_slave *slave) void sdw_debugfs_init(void) { + if (!firmware_file) + firmware_file = kstrdup("", GFP_KERNEL); + sdw_debugfs_root = debugfs_create_dir("soundwire", NULL); } void sdw_debugfs_exit(void) { debugfs_remove_recursive(sdw_debugfs_root); + kfree(firmware_file); + firmware_file = NULL; } -- 2.43.0
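Review bot: In the sdw_slave_debugfs_init() hunk, every slave's "firmware_file" node is still registered against the same `&firmware_file`, so a write through one slave's node changes the string used for all of them. The removed `firmware_file = NULL;` also had the side effect of clearing a previously written name on each probe; with this change a name written earlier stays in place when later slaves are added. If sharing and persistence are both intended, please say so in the commit message or in a comment above the `if (firmware_file)` check; if not, the string needs to live in per-slave state rather than in the global.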
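Review bot: In the sdw_debugfs_init() hunk, the result of `kstrdup("", GFP_KERNEL)` is neither checked nor reported, so an allocation failure silently leaves every slave without a firmware_file node, because the `if (firmware_file)` guard in sdw_slave_debugfs_init() then skips creation. A one-line comment stating that this degradation is deliberate would help the next reader. The `if (!firmware_file)` guard also looks unnecessary given that sdw_debugfs_exit() resets the pointer to NULL after `kfree(firmware_file)`; either drop it or note in which case sdw_debugfs_init() can run while the string is already allocated. Keeping `kfree()` after `debugfs_remove_recursive(sdw_debugfs_root)` is the right order and is worth a short comment so it is not reordered later.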
