Unverified Commit ac1e6bc1 authored by Dan Carpenter's avatar Dan Carpenter Committed by Mark Brown

ASoC: qdsp6: fix a use after free bug in open()



This code frees "graph" and then dereferences it to save the error code.
Save the error code first and then use gotos to unwind the allocation.

Fixes: 59716aa3 ("ASoC: qdsp6: Fix an IS_ERR() vs NULL bug")
Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
Link: https://lore.kernel.org/r/20211217150007.GB16611@kili


Signed-off-by: default avatarMark Brown <broonie@kernel.org>
parent 2dc643cd
+6 −4
@@ -615,7 +615,7 @@ struct q6apm_graph *q6apm_graph_open(struct device *dev, q6apm_cb cb,
	graph = kzalloc(sizeof(*graph), GFP_KERNEL);
	if (!graph) {
		ret = -ENOMEM;
		goto err;
		goto put_ar_graph;
	}

	graph->apm = apm;
@@ -631,13 +631,15 @@ struct q6apm_graph *q6apm_graph_open(struct device *dev, q6apm_cb cb,

	graph->port = gpr_alloc_port(apm->gdev, dev, graph_callback, graph);
	if (IS_ERR(graph->port)) {
		kfree(graph);
		ret = PTR_ERR(graph->port);
		goto err;
		goto free_graph;
	}

	return graph;
err:

free_graph:
	kfree(graph);
put_ar_graph:
	kref_put(&ar_graph->refcount, q6apm_put_audioreach_graph);
	return ERR_PTR(ret);
}
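Review bot: In the `IS_ERR(graph->port)` branch the error code is still read back out of `graph`, so the fix stays correct only as long as `kfree(graph)` remains below that read, at the `free_graph` label. Putting the result of `gpr_alloc_port()` in a local first would make this harder to regress: `port = gpr_alloc_port(apm->gdev, dev, graph_callback, graph);`, then `if (IS_ERR(port)) { ret = PTR_ERR(port); goto free_graph; }`, then `graph->port = port;`. That way an error pointer is never stored in the struct and the error code does not depend on the lifetime of `graph`. The local's declaration would go at the top of `q6apm_graph_open()`, which starts outside this hunk, and the lines between the two hunks are not visible here either. Running the port-allocation failure path under KASAN would confirm the unwind order.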