ASoC: qcom: common: Fix refcounting in qcom_snd_parse_of() (4e59dd24) · Commits · 戴 / test

There are two issues in this function. 1) We can't drop the refrences on "cpu", "codec" and "platform" before we take the reference. This doesn't cause a problem on the first iteration because those pointers start as NULL so the of_node_put() is a no-op. But on the subsequent iterations, it will lead to a use after free. 2) If the devm_kzalloc() allocation failed then the code returned directly instead of cleaning up. Fixes: ("ASoC: qcom: common: Fix refcount imbalance on error") Fixes: ("ASoC: qcom: common: use modern dai_link style") Signed-off-by:

Dan Carpenter <dan.carpenter@oracle.com> Link: https://lore.kernel.org/r/20201105125154.GA176426@mwanda Signed-off-by:

Mark Brown <broonie@kernel.org>

sound/soc/qcom/common.c

+8 −5

Original line number	Diff line number	Diff line
		@@ -58,7 +58,7 @@ int qcom_snd_parse_of(struct snd_soc_card *card)
		dlc = devm_kzalloc(dev, 2 * sizeof(*dlc), GFP_KERNEL);
		if (!dlc) {
		ret = -ENOMEM;
		goto err;
		goto err_put_np;
		}

		link->cpus = &dlc[0];
		@@ -70,7 +70,7 @@ int qcom_snd_parse_of(struct snd_soc_card *card)
		ret = of_property_read_string(np, "link-name", &link->name);
		if (ret) {
		dev_err(card->dev, "error getting codec dai_link name\n");
		goto err;
		goto err_put_np;
		}

		cpu = of_get_child_by_name(np, "cpu");
		@@ -130,8 +130,10 @@ int qcom_snd_parse_of(struct snd_soc_card *card)
		} else {
		/* DPCM frontend */
		dlc = devm_kzalloc(dev, sizeof(*dlc), GFP_KERNEL);
		if (!dlc)
		return -ENOMEM;
		if (!dlc) {
		ret = -ENOMEM;
		goto err;
		}

		link->codecs = dlc;
		link->num_codecs = 1;
		@@ -158,10 +160,11 @@ int qcom_snd_parse_of(struct snd_soc_card *card)

		return 0;
		err:
		of_node_put(np);
		of_node_put(cpu);
		of_node_put(codec);
		of_node_put(platform);
		err_put_np:
		of_node_put(np);
		return ret;
		}
		EXPORT_SYMBOL(qcom_snd_parse_of);

Admin message