ASoC: qdsp6: fix a use after free bug in open()

This code frees "graph" and then dereferences to save the error code. Save the error code first and then use gotos to unwind the allocation. Fixes: 59716aa3 ("ASoC: qdsp6: Fix an IS_ERR() vs NULL bug") Signed-off-by: N Dan Carpenter <dan.carpenter@oracle.com> Link: https://lore.kernel.org/r/20211217150007.GB16611@kiliSigned-off-by: N Mark Brown <broonie@kernel.org>

ASoC: qdsp6: fix a use after free bug in open()
This code frees "graph" and then dereferences to save the error code. Save the error code first and then use gotos to unwind the allocation. Fixes: 59716aa3 ("ASoC: qdsp6: Fix an IS_ERR() vs NULL bug") Signed-off-by: N Dan Carpenter <dan.carpenter@oracle.com> Link: https://lore.kernel.org/r/20211217150007.GB16611@kiliSigned-off-by: N Mark Brown <broonie@kernel.org>
ac1e6bc1 · Dan Carpenter · Mark Brown · 2dc643cd · ac1e6bc1
显示空白变更内容
内联并排

Showing with 6 addition and 4 deletion

sound/soc/qcom/qdsp6/q6apm.c sound/soc/qcom/qdsp6/q6apm.c +6 -4

未找到文件。
--- a/sound/soc/qcom/qdsp6/q6apm.c
+++ b/sound/soc/qcom/qdsp6/q6apm.c
@@ -615,7 +615,7 @@ struct q6apm_graph *q6apm_graph_open(struct device *dev, q6apm_cb cb,
 	graph = kzalloc(sizeof(*graph), GFP_KERNEL);
 	if (!graph) {
 		ret = -ENOMEM;
-		goto err;
+		goto put_ar_graph;
 	}
 	graph->apm = apm;
@@ -631,13 +631,15 @@ struct q6apm_graph *q6apm_graph_open(struct device *dev, q6apm_cb cb,
 	graph->port = gpr_alloc_port(apm->gdev, dev, graph_callback, graph);
 	if (IS_ERR(graph->port)) {
-		kfree(graph);
 		ret = PTR_ERR(graph->port);
-		goto err;
+		goto free_graph;
 	}
 	return graph;
-err:
+free_graph:
+	kfree(graph);
+put_ar_graph:
 	kref_put(&ar_graph->refcount, q6apm_put_audioreach_graph);
 	return ERR_PTR(ret);
 }