projects / linux-2.6-microblaze.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 718c406)
ASoC: wm_adsp: remove "ctl" from list on error in wm_adsp_create_control()
authorDan Carpenter <dan.carpenter@oracle.com>
Wed, 9 Dec 2020 06:54:09 +0000 (09:54 +0300)
committerMark Brown <broonie@kernel.org>
Fri, 11 Dec 2020 13:21:35 +0000 (13:21 +0000)
The error handling frees "ctl" but it's still on the "dsp->ctl_list"
list so that could result in a use after free.  Remove it from the list
before returning.

Fixes: 2323736dca72 ("ASoC: wm_adsp: Add basic support for rev 1 firmware file format")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Charles Keepax <ckeepax@opensource.cirrus.com>
Link: https://lore.kernel.org/r/X9B0keV/02wrx9Xs@mwanda
Signed-off-by: Mark Brown <broonie@kernel.org>
sound/soc/codecs/wm_adsp.c patch | blob | history

diff --git a/sound/soc/codecs/wm_adsp.c b/sound/soc/codecs/wm_adsp.c
index e61d004..dec8716 100644 (file)
--- a/sound/soc/codecs/wm_adsp.c
+++ b/sound/soc/codecs/wm_adsp.c
@@ -1519,7 +1519,7 @@ static int wm_adsp_create_control(struct wm_adsp *dsp,
        ctl_work = kzalloc(sizeof(*ctl_work), GFP_KERNEL);
        if (!ctl_work) {
                ret = -ENOMEM;
-               goto err_ctl_cache;
+               goto err_list_del;
        }
 
        ctl_work->dsp = dsp;
@@ -1529,7 +1529,8 @@ static int wm_adsp_create_control(struct wm_adsp *dsp,
 
        return 0;
 
-err_ctl_cache:
+err_list_del:
+       list_del(&ctl->list);
        kfree(ctl->cache);
 err_ctl_subname:
        kfree(ctl->subname);
MicroBlaze GIT Repository