| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20250505221419.2672473-623-sashal@kernel.org>
Date: Mon, 5 May 2025 18:13:59 -0400
From: Sasha Levin <sashal@...nel.org>
To: linux-kernel@...r.kernel.org,
stable@...r.kernel.org
Cc: Dan Carpenter <dan.carpenter@...aro.org>,
Mark Brown <broonie@...nel.org>,
Sasha Levin <sashal@...nel.org>,
kiseok.jo@...ndevice.com,
lgirdwood@...il.com,
perex@...ex.cz,
tiwai@...e.com,
chenyuan0y@...il.com,
linux-sound@...r.kernel.org
Subject: [PATCH AUTOSEL 6.14 623/642] ASoC: sma1307: Fix error handling in sma1307_setting_loaded()
From: Dan Carpenter <dan.carpenter@...aro.org>
[ Upstream commit 012a6efcc805308b1d90a1056ba963eb08858645 ]
There are a couple bugs in this code:
1) The cleanup code calls kfree(sma1307->set.header) and
kfree(sma1307->set.def) but those functions were allocated using
devm_kzalloc(). It results in a double free. Delete all these
kfree() calls.
2) A missing call to kfree(data) if the checksum was wrong on this error
path:
if ((sma1307->set.checksum >> 8) != SMA1307_SETTING_CHECKSUM) {
Since the "data" pointer is supposed to be freed on every return, I
changed that to use the __free(kfree) cleanup attribute.
Fixes: 0ec6bd16705f ("ASoC: sma1307: Add NULL check in sma1307_setting_loaded()")
Signed-off-by: Dan Carpenter <dan.carpenter@...aro.org>
Link: https://patch.msgid.link/8d32dd96-1404-4373-9b6c-c612a9c18c4c@stanley.mountain
Signed-off-by: Mark Brown <broonie@...nel.org>
Signed-off-by: Sasha Levin <sashal@...nel.org>
---
sound/soc/codecs/sma1307.c | 11 ++---------
1 file changed, 2 insertions(+), 9 deletions(-)
diff --git a/sound/soc/codecs/sma1307.c b/sound/soc/codecs/sma1307.c
index b9d8136fe3dc1..793abec56dd27 100644
--- a/sound/soc/codecs/sma1307.c
+++ b/sound/soc/codecs/sma1307.c
@@ -1710,7 +1710,7 @@ static void sma1307_check_fault_worker(struct work_struct *work)
static void sma1307_setting_loaded(struct sma1307_priv *sma1307, const char *file)
{
const struct firmware *fw;
- int *data, size, offset, num_mode;
+ int size, offset, num_mode;
int ret;
ret = request_firmware(&fw, file, sma1307->dev);
@@ -1727,7 +1727,7 @@ static void sma1307_setting_loaded(struct sma1307_priv *sma1307, const char *fil
return;
}
- data = kzalloc(fw->size, GFP_KERNEL);
+ int *data __free(kfree) = kzalloc(fw->size, GFP_KERNEL);
if (!data) {
release_firmware(fw);
sma1307->set.status = false;
@@ -1747,7 +1747,6 @@ static void sma1307_setting_loaded(struct sma1307_priv *sma1307, const char *fil
sma1307->set.header_size,
GFP_KERNEL);
if (!sma1307->set.header) {
- kfree(data);
sma1307->set.status = false;
return;
}
@@ -1768,8 +1767,6 @@ static void sma1307_setting_loaded(struct sma1307_priv *sma1307, const char *fil
= devm_kzalloc(sma1307->dev,
sma1307->set.def_size * sizeof(int), GFP_KERNEL);
if (!sma1307->set.def) {
- kfree(data);
- kfree(sma1307->set.header);
sma1307->set.status = false;
return;
}
@@ -1787,9 +1784,6 @@ static void sma1307_setting_loaded(struct sma1307_priv *sma1307, const char *fil
sma1307->set.mode_size * 2 * sizeof(int),
GFP_KERNEL);
if (!sma1307->set.mode_set[i]) {
- kfree(data);
- kfree(sma1307->set.header);
- kfree(sma1307->set.def);
for (int j = 0; j < i; j++)
kfree(sma1307->set.mode_set[j]);
sma1307->set.status = false;
@@ -1804,7 +1798,6 @@ static void sma1307_setting_loaded(struct sma1307_priv *sma1307, const char *fil
}
}
- kfree(data);
sma1307->set.status = true;
}
--
2.39.5
Powered by blists - more mailing lists