ASoC: wm_adsp: remove "ctl" from list on error in wm_adsp_create_control()
authorDan Carpenter <dan.carpenter@oracle.com>
Wed, 9 Dec 2020 06:54:09 +0000 (09:54 +0300)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 30 Dec 2020 10:53:50 +0000 (11:53 +0100)
[ Upstream commit 85a7555575a0e48f9b73db310d0d762a08a46d63 ]

The error handling frees "ctl" but it's still on the "dsp->ctl_list"
list so that could result in a use after free.  Remove it from the list
before returning.

Fixes: 2323736dca72 ("ASoC: wm_adsp: Add basic support for rev 1 firmware file format")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Charles Keepax <ckeepax@opensource.cirrus.com>
Link: https://lore.kernel.org/r/X9B0keV/02wrx9Xs@mwanda
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
sound/soc/codecs/wm_adsp.c

index e61d00486c65370c9908414cc8d52988b567e284..dec8716aa8ef5ebe92410027b9996ddab5bbadd6 100644 (file)
@@ -1519,7 +1519,7 @@ static int wm_adsp_create_control(struct wm_adsp *dsp,
        ctl_work = kzalloc(sizeof(*ctl_work), GFP_KERNEL);
        if (!ctl_work) {
                ret = -ENOMEM;
-               goto err_ctl_cache;
+               goto err_list_del;
        }
 
        ctl_work->dsp = dsp;
@@ -1529,7 +1529,8 @@ static int wm_adsp_create_control(struct wm_adsp *dsp,
 
        return 0;
 
-err_ctl_cache:
+err_list_del:
+       list_del(&ctl->list);
        kfree(ctl->cache);
 err_ctl_subname:
        kfree(ctl->subname);