media: atomisp: Fix use after free in atomisp_alloc_css_stat_bufs()

[ Upstream commit ba11bbf303fafb33989e95473e409f6ab412b18d ]

The "s3a_buf" is freed along with all the other items on the
"asd->s3a_stats" list.  It leads to a double free and a use after free.

Link: https://lore.kernel.org/linux-media/X9dSO3RGf7r0pq2k@mwanda
Fixes: ad85094b293e ("Revert "media: staging: atomisp: Remove driver"")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/drivers/staging/media/atomisp/pci/atomisp_ioctl.c b/drivers/staging/media/atomisp/pci/atomisp_ioctl.c
index 2ae50decfc8bdb7b5b155e118addf47d5a9932ae..9da82855552dec0c65b80c1aeb35e12940b5c4a9 100644 (file)
--- a/drivers/staging/media/atomisp/pci/atomisp_ioctl.c
+++ b/drivers/staging/media/atomisp/pci/atomisp_ioctl.c
@@ -948,10 +948,8 @@ int atomisp_alloc_css_stat_bufs(struct atomisp_sub_device *asd,
                dev_dbg(isp->dev, "allocating %d dis buffers\n", count);
                while (count--) {
                        dis_buf = kzalloc(sizeof(struct atomisp_dis_buf), GFP_KERNEL);
-                       if (!dis_buf) {
-                               kfree(s3a_buf);
+                       if (!dis_buf)
                                goto error;
-                       }
                        if (atomisp_css_allocate_stat_buffers(
                                asd, stream_id, NULL, dis_buf, NULL)) {
                                kfree(dis_buf);