ASoC: qdsp6: fix a use after free bug in open()

This code frees "graph" and then dereferences to save the error code.
Save the error code first and then use gotos to unwind the allocation.

Fixes: 59716aa3f976 ("ASoC: qdsp6: Fix an IS_ERR() vs NULL bug")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Link: https://lore.kernel.org/r/20211217150007.GB16611@kili
Signed-off-by: Mark Brown <broonie@kernel.org>

diff --git a/sound/soc/qcom/qdsp6/q6apm.c b/sound/soc/qcom/qdsp6/q6apm.c
index 3e007d609a9bb4ccb56f28df19d02afc4ff2a717..f424d7aa389a2fa3202f63fdc5ab4e086fc56cf4 100644 (file)
--- a/sound/soc/qcom/qdsp6/q6apm.c
+++ b/sound/soc/qcom/qdsp6/q6apm.c
@@ -615,7 +615,7 @@ struct q6apm_graph *q6apm_graph_open(struct device *dev, q6apm_cb cb,
        graph = kzalloc(sizeof(*graph), GFP_KERNEL);
        if (!graph) {
                ret = -ENOMEM;
-               goto err;
+               goto put_ar_graph;
        }
 
        graph->apm = apm;
@@ -631,13 +631,15 @@ struct q6apm_graph *q6apm_graph_open(struct device *dev, q6apm_cb cb,
 
        graph->port = gpr_alloc_port(apm->gdev, dev, graph_callback, graph);
        if (IS_ERR(graph->port)) {
-               kfree(graph);
                ret = PTR_ERR(graph->port);
-               goto err;
+               goto free_graph;
        }
 
        return graph;
-err:
+
+free_graph:
+       kfree(graph);
+put_ar_graph:
        kref_put(&ar_graph->refcount, q6apm_put_audioreach_graph);
        return ERR_PTR(ret);
 }