ipc: fix component teardown crashes and memory leaks

lrgirdwo · lrgirdwo · commit 94ca99b070a9 · 2026-03-27T21:26:50.000Z
Fuzzing identified several segmentation faults and memory corruptions
in ipc_comp_free() when processing malformed IPC messages or handling
uninitialized component lists.

This patch implements three defensive structural fixes to harden teardown logic:
1. Validates that `icd-&gt;cd` is not NULL before checking component state
   to avoid early NULL pointer dereferences on broken components.
2. Resolves a deliberate memory leak ("eat the resulting memory leak
   on error") when encountering uninitialized buffer lists. Instead of
   leaking the structure and leaving it hanging in `ipc-&gt;comp_list`
   (which triggers secondary use-after-free assertions and segfaults
   in subsequent IPC calls), the component is now properly removed
   and freed.
3. Moves `list_item_del(&amp;icd-&gt;list)` to occur immediately before
   `comp_free(icd-&gt;cd)`. This guarantees that other tasks or scheduling
   interrupts cannot discover and access a partially destructed component
   via the global IPC list.

Signed-off-by: Liam Girdwood &lt;liam.r.girdwood@linux.intel.com&gt;
diff --git a/src/ipc/ipc-helper.c b/src/ipc/ipc-helper.c
@@ -303,6 +303,13 @@ __cold int ipc_comp_free(struct ipc *ipc, uint32_t comp_id)
 		return -ENODEV;
 	}
 
+	if (!icd->cd) {
+		tr_err(&ipc_tr, "comp id: 0x%x cd is NULL", comp_id);
+		list_item_del(&icd->list);
+		rfree(icd);
+		return -EINVAL;
+	}
+
 	/* check core */
 	if (!cpu_is_me(icd->core))
 		return ipc_process_on_core(icd->core, false);
@@ -324,12 +331,16 @@ __cold int ipc_comp_free(struct ipc *ipc, uint32_t comp_id)
 		 * (which is an invalid list!) if the component's
 		 * lifecycle hasn't reached that point.  There's no
 		 * single place to ensure a valid/empty list, so we
-		 * have to do it here and eat the resulting memory
-		 * leak on error.  Bug-free host drivers won't do
-		 * this, this was found via fuzzing.
+		 * have to do it here.
+		 * Bug-free host drivers won't do this, this was found
+		 * via fuzzing.
 		 */
 		tr_err(&ipc_tr, "uninitialized buffer lists on comp 0x%x\n",
 		       icd->id);
+		list_item_del(&icd->list);
+		comp_free(icd->cd);
+		icd->cd = NULL;
+		rfree(icd);
 		return -EINVAL;
 	}
 
@@ -348,12 +359,14 @@ __cold int ipc_comp_free(struct ipc *ipc, uint32_t comp_id)
 
 	irq_local_enable(flags);
 
+	/* remove from list first so it cannot be found while being freed */
+	list_item_del(&icd->list);
+
 	/* free component and remove from list */
 	comp_free(icd->cd);
 
 	icd->cd = NULL;
 
-	list_item_del(&icd->list);
 	rfree(icd);
 
 	return 0;
