diff options
| author | Dan Carpenter <dan.carpenter@oracle.com> | 2020-11-05 15:51:54 +0300 |
|---|---|---|
| committer | Mark Brown <broonie@kernel.org> | 2020-11-10 17:28:25 +0000 |
| commit | 4e59dd249cd513a211e2ecce2cb31f4e29a5ce5b (patch) | |
| tree | db796adcaf177bf737bdae5182ab3e45c62b33c0 | |
| parent | 048751de568816de52dedf0fa967cceada7885f1 (diff) | |
| download | linux-stable-4e59dd249cd513a211e2ecce2cb31f4e29a5ce5b.tar.gz linux-stable-4e59dd249cd513a211e2ecce2cb31f4e29a5ce5b.tar.bz2 linux-stable-4e59dd249cd513a211e2ecce2cb31f4e29a5ce5b.zip | |
ASoC: qcom: common: Fix refcounting in qcom_snd_parse_of()
There are two issues in this function.
1) We can't drop the refrences on "cpu", "codec" and "platform" before
we take the reference. This doesn't cause a problem on the first
iteration because those pointers start as NULL so the of_node_put()
is a no-op. But on the subsequent iterations, it will lead to a use
after free.
2) If the devm_kzalloc() allocation failed then the code returned
directly instead of cleaning up.
Fixes: c1e6414cdc37 ("ASoC: qcom: common: Fix refcount imbalance on error")
Fixes: 1e36ea360ab9 ("ASoC: qcom: common: use modern dai_link style")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Link: https://lore.kernel.org/r/20201105125154.GA176426@mwanda
Signed-off-by: Mark Brown <broonie@kernel.org>
| -rw-r--r-- | sound/soc/qcom/common.c | 13 |
1 files changed, 8 insertions, 5 deletions
diff --git a/sound/soc/qcom/common.c b/sound/soc/qcom/common.c index 54660f126d09..09af00700700 100644 --- a/sound/soc/qcom/common.c +++ b/sound/soc/qcom/common.c @@ -58,7 +58,7 @@ int qcom_snd_parse_of(struct snd_soc_card *card) dlc = devm_kzalloc(dev, 2 * sizeof(*dlc), GFP_KERNEL); if (!dlc) { ret = -ENOMEM; - goto err; + goto err_put_np; } link->cpus = &dlc[0]; @@ -70,7 +70,7 @@ int qcom_snd_parse_of(struct snd_soc_card *card) ret = of_property_read_string(np, "link-name", &link->name); if (ret) { dev_err(card->dev, "error getting codec dai_link name\n"); - goto err; + goto err_put_np; } cpu = of_get_child_by_name(np, "cpu"); @@ -130,8 +130,10 @@ int qcom_snd_parse_of(struct snd_soc_card *card) } else { /* DPCM frontend */ dlc = devm_kzalloc(dev, sizeof(*dlc), GFP_KERNEL); - if (!dlc) - return -ENOMEM; + if (!dlc) { + ret = -ENOMEM; + goto err; + } link->codecs = dlc; link->num_codecs = 1; @@ -158,10 +160,11 @@ int qcom_snd_parse_of(struct snd_soc_card *card) return 0; err: - of_node_put(np); of_node_put(cpu); of_node_put(codec); of_node_put(platform); +err_put_np: + of_node_put(np); return ret; } EXPORT_SYMBOL(qcom_snd_parse_of); |