ipc: clear dangling pipeline comp refs on instance free

ipc_comp_free() freed a component that a completed pipeline
still referenced via source_comp/sink_comp/sched_comp,
so a later SET_PIPELINE_STATE dereferenced the freed comp_dev.
Clear those references on free and bail out of
pipeline_get_host_dev() when an endpoint is gone.

Signed-off-by: Adrian Bonislawski <adrian.bonislawski@intel.com>

Author: abonislawski

src/ipc/ipc-helper.c

@@ -291,6 +291,7 @@ __cold int ipc_comp_free(struct ipc *ipc, uint32_t comp_id)
 	struct ipc_comp_dev *icd;
 	struct comp_buffer *buffer;
 	struct comp_buffer *safe;
+	struct list_item *clist;
 	uint32_t flags;
 
 	assert_can_be_cold();
@@ -348,6 +349,24 @@ __cold int ipc_comp_free(struct ipc *ipc, uint32_t comp_id)
 
 	irq_local_enable(flags);
 
+	/*
+	 * A completed pipeline stores raw comp_dev pointers in its
+	 * source_comp/sink_comp/sched_comp fields.
+	 */
+	list_for_item(clist, &ipc->comp_list) {
+		struct ipc_comp_dev *ppl_icd = container_of(clist, struct ipc_comp_dev, list);
+
+		if (ppl_icd->type != COMP_TYPE_PIPELINE)
+			continue;
+
+		if (ppl_icd->pipeline->source_comp == icd->cd)
+			ppl_icd->pipeline->source_comp = NULL;
+		if (ppl_icd->pipeline->sink_comp == icd->cd)
+			ppl_icd->pipeline->sink_comp = NULL;
+		if (ppl_icd->pipeline->sched_comp == icd->cd)
+			ppl_icd->pipeline->sched_comp = NULL;
+	}
+
 	/* free component and remove from list */
 	comp_free(icd->cd);
 

src/ipc/ipc4/handler-user.c

@@ -149,6 +149,11 @@ static struct ipc_comp_dev *pipeline_get_host_dev(struct ipc_comp_dev *ppl_icd)
 	struct ipc *ipc = ipc_get();
 	int host_id;
 
+	if (!ppl_icd->pipeline->source_comp || !ppl_icd->pipeline->sink_comp) {
+		ipc_cmd_err(&ipc_tr, "pipeline %d: source/sink comp freed", ppl_icd->id);
+		return NULL;
+	}
+
 	/* If the source component's direction is not set but the sink's direction is,
 	 * this block will copy the direction from the sink to the source component and
 	 * mark the source's direction as set.