Commit ac1e6bc1 authored by Dan Carpenter's avatar Dan Carpenter Committed by Mark Brown

ASoC: qdsp6: fix a use after free bug in open()

This code frees "graph" and then dereferences to save the error code.
Save the error code first and then use gotos to unwind the allocation.

Fixes: 59716aa3 ("ASoC: qdsp6: Fix an IS_ERR() vs NULL bug")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Link: https://lore.kernel.org/r/20211217150007.GB16611@kili
Signed-off-by: Mark Brown <broonie@kernel.org>
parent 2dc643cd
...@@ -615,7 +615,7 @@ struct q6apm_graph *q6apm_graph_open(struct device *dev, q6apm_cb cb, ...@@ -615,7 +615,7 @@ struct q6apm_graph *q6apm_graph_open(struct device *dev, q6apm_cb cb,
graph = kzalloc(sizeof(*graph), GFP_KERNEL); graph = kzalloc(sizeof(*graph), GFP_KERNEL);
if (!graph) { if (!graph) {
ret = -ENOMEM; ret = -ENOMEM;
goto err; goto put_ar_graph;
} }
graph->apm = apm; graph->apm = apm;
...@@ -631,13 +631,15 @@ struct q6apm_graph *q6apm_graph_open(struct device *dev, q6apm_cb cb, ...@@ -631,13 +631,15 @@ struct q6apm_graph *q6apm_graph_open(struct device *dev, q6apm_cb cb,
graph->port = gpr_alloc_port(apm->gdev, dev, graph_callback, graph); graph->port = gpr_alloc_port(apm->gdev, dev, graph_callback, graph);
if (IS_ERR(graph->port)) { if (IS_ERR(graph->port)) {
kfree(graph);
ret = PTR_ERR(graph->port); ret = PTR_ERR(graph->port);
goto err; goto free_graph;
} }
return graph; return graph;
err:
free_graph:
kfree(graph);
put_ar_graph:
kref_put(&ar_graph->refcount, q6apm_put_audioreach_graph); kref_put(&ar_graph->refcount, q6apm_put_audioreach_graph);
return ERR_PTR(ret); return ERR_PTR(ret);
} }
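Review bot: The unwind labels at the end of q6apm_graph_open() depend on fall-through order, and nothing in the new code documents that. `free_graph:` has to stay above `put_ar_graph:`, and in the `IS_ERR(graph->port)` branch `ret` has to be read from `graph->port` before the jump. A one-line comment above the labels, such as `/* unwind in reverse order of acquisition; ret is set before each goto */`, would make it harder for a later edit to reintroduce the free-before-dereference pattern this commit removes. The function begins outside the visible hunks, so error paths ahead of the kzalloc() cannot be checked from here.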