mirrors/linux-stable
1
0
Fork 0
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git synced 2024-09-04 09:59:32 +00:00
Code Issues Releases Wiki Activity

ASoC: qdsp6: fix a use after free bug in open()

Browse source 
This code frees "graph" and then dereferences to save the error code.
Save the error code first and then use gotos to unwind the allocation.

Fixes: 59716aa3f9 ("ASoC: qdsp6: Fix an IS_ERR() vs NULL bug")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Link: https://lore.kernel.org/r/20211217150007.GB16611@kili
Signed-off-by: Mark Brown <broonie@kernel.org>
This commit is contained in:
Dan Carpenter 2021-12-17 18:00:07 +03:00 committed by Mark Brown
parent 2dc643cd75
commit ac1e6bc146
No known key found for this signature in database
GPG key ID: 24D68B725D5487D0
1 changed files with 6 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

10
sound/soc/qcom/qdsp6/q6apm.c
View file

@ -615,7 +615,7 @@ struct q6apm_graph *q6apm_graph_open(struct device *dev, q6apm_cb cb,
graph = kzalloc(sizeof(*graph), GFP_KERNEL);
if (!graph) {
ret = -ENOMEM;
goto err;
goto put_ar_graph;
}
graph->apm = apm;
@ -631,13 +631,15 @@ struct q6apm_graph *q6apm_graph_open(struct device *dev, q6apm_cb cb,
graph->port = gpr_alloc_port(apm->gdev, dev, graph_callback, graph);
if (IS_ERR(graph->port)) {
kfree(graph);
ret = PTR_ERR(graph->port);
goto err;
goto free_graph;
}
return graph;
err:
free_graph:
kfree(graph);
put_ar_graph:
kref_put(&ar_graph->refcount, q6apm_put_audioreach_graph);
return ERR_PTR(ret);
}