CVE-2026-53348
Gravedad:
Pendiente de análisis
Tipo:
No Disponible / Otro tipo
Fecha de publicación:
01/07/2026
Última modificación:
01/07/2026
Descripción
*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
ASoC: SDCA: fix NULL pointer dereference in sdca_dev_unregister_functions<br />
<br />
sdca_dev_unregister_functions() iterates over all SDCA function<br />
descriptors and calls sdca_dev_unregister() on each func_dev without<br />
checking for NULL. When a function registration has failed partway<br />
through, or the device cleanup races with probe deferral, func_dev<br />
entries may be NULL, leading to a kernel oops:<br />
<br />
BUG: kernel NULL pointer dereference, address: 0000000000000040<br />
RIP: 0010:device_del+0x1e/0x3e0<br />
Call Trace:<br />
sdca_dev_unregister_functions+0x37/0x60 [snd_soc_sdca]<br />
release_nodes+0x35/0xb0<br />
devres_release_all+0x90/0x100<br />
device_unbind_cleanup+0xe/0x80<br />
device_release_driver_internal+0x1c1/0x200<br />
bus_remove_device+0xc6/0x130<br />
device_del+0x161/0x3e0<br />
device_unregister+0x17/0x60<br />
sdw_delete_slave+0xb6/0xd0 [soundwire_bus]<br />
sdw_bus_master_delete+0x1e/0x50 [soundwire_bus]<br />
...<br />
sof_probe_work+0x19/0x30 [snd_sof]<br />
<br />
This was observed on a Lenovo ThinkPad X1 Carbon G14 (Panther Lake)<br />
with the SOF audio driver probe failing due to missing Panther Lake<br />
firmware, causing the subsequent cleanup of SoundWire devices to<br />
trigger the crash.<br />
<br />
Fix this with three changes:<br />
<br />
1) Add a NULL guard in sdca_dev_unregister() so that callers do not<br />
need to pre-validate the pointer (defense in depth).<br />
<br />
2) In sdca_dev_unregister_functions(), skip NULL func_dev entries<br />
and clear func_dev to NULL after unregistration, making the<br />
function idempotent and safe against double-invocation.<br />
<br />
3) In sdca_dev_register_functions(), roll back all previously<br />
registered functions when a later one fails, so the function<br />
array is never left in a partially-populated state.



