From: Dan Carpenter
Date: Fri, 17 Dec 2021 15:00:07 +0000 (+0300)
Subject: ASoC: qdsp6: fix a use after free bug in open()
X-Git-Tag: v6.6.17~6759^2~152^2~78
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=ac1e6bc146d45e15f0a5c0908338f918f6261388;p=platform%2Fkernel%2Flinux-rpi.git

ASoC: qdsp6: fix a use after free bug in open()

This code frees "graph" and then dereferences to save the error code. Save the error code first and then use gotos to unwind the allocation.

Fixes: 59716aa3f976 ("ASoC: qdsp6: Fix an IS_ERR() vs NULL bug")
Signed-off-by: Dan Carpenter
Link: https://lore.kernel.org/r/20211217150007.GB16611@kili
Signed-off-by: Mark Brown
---

diff --git a/sound/soc/qcom/qdsp6/q6apm.c b/sound/soc/qcom/qdsp6/q6apm.c
index 3e007d609a9b..f424d7aa389a 100644
--- a/sound/soc/qcom/qdsp6/q6apm.c
+++ b/sound/soc/qcom/qdsp6/q6apm.c
@@ -615,7 +615,7 @@ struct q6apm_graph *q6apm_graph_open(struct device *dev, q6apm_cb cb,
 graph = kzalloc(sizeof(*graph), GFP_KERNEL);
 if (!graph) {
 ret = -ENOMEM;
- goto err;
+ goto put_ar_graph;
 }
 
 graph->apm = apm;
@@ -631,13 +631,15 @@ struct q6apm_graph *q6apm_graph_open(struct device *dev, q6apm_cb cb,
 
 graph->port = gpr_alloc_port(apm->gdev, dev, graph_callback, graph);
 if (IS_ERR(graph->port)) {
- kfree(graph);
 ret = PTR_ERR(graph->port);
- goto err;
+ goto free_graph;
 }
 
 return graph;
-err:
+
+free_graph:
+ kfree(graph);
+put_ar_graph:
 kref_put(&ar_graph->refcount, q6apm_put_audioreach_graph);
 return ERR_PTR(ret);
 }
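Review bot: The statement order in the `IS_ERR(graph->port)` branch of the second hunk is now load-bearing, but nothing in the code says so: `ret = PTR_ERR(graph->port);` must run before control reaches `free_graph:`, and the previous version got exactly that wrong. I would add a one-line comment above the assignment, e.g. `/* read the error from graph->port before free_graph: kfree()s graph */`, so a later cleanup does not fold the kfree() back into the branch. The lines between the two hunks are not shown, so whether anything set up on graph there needs teardown under `free_graph:` beyond the kfree() cannot be judged from this diff and is worth a quick check. q6apm_graph_open() starts outside the hunk.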