Commit 42c0d41

Dan CarpenterSasha Levin
authored andcommitted
ASoC: sma1307: Fix error handling in sma1307_setting_loaded()
[ Upstream commit 012a6ef ] There are a couple bugs in this code: 1) The cleanup code calls kfree(sma1307->set.header) and kfree(sma1307->set.def) but those functions were allocated using devm_kzalloc(). It results in a double free. Delete all these kfree() calls. 2) A missing call to kfree(data) if the checksum was wrong on this error path: if ((sma1307->set.checksum >> 8) != SMA1307_SETTING_CHECKSUM) { Since the "data" pointer is supposed to be freed on every return, I changed that to use the __free(kfree) cleanup attribute. Fixes: 0ec6bd1 ("ASoC: sma1307: Add NULL check in sma1307_setting_loaded()") Signed-off-by: Dan Carpenter <[email protected]> Link: https://patch.msgid.link/[email protected] Signed-off-by: Mark Brown <[email protected]> Signed-off-by: Sasha Levin <[email protected]>
1 parent a042af2 commit 42c0d41

1 file changed

+2
-9
lines changed

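--- a/sound/soc/codecs/sma1307.c
+++ b/sound/soc/codecs/sma1307.c
@@ -1710,7 +1710,7 @@ static void sma1307_check_fault_worker(struct work_struct *work)
 static void sma1307_setting_loaded(struct sma1307_priv *sma1307, const char *file)
 {
 const struct firmware *fw;
-int *data, size, offset, num_mode;
+int size, offset, num_mode;
 int ret;
 
 ret = request_firmware(&fw, file, sma1307->dev);
@@ -1727,7 +1727,7 @@ static void sma1307_setting_loaded(struct sma1307_priv *sma1307, const char *fil
 return;
 }
 
-data = kzalloc(fw->size, GFP_KERNEL);
+int *data __free(kfree) = kzalloc(fw->size, GFP_KERNEL);
 if (!data) {
 release_firmware(fw);
 sma1307->set.status = false;
@@ -1747,7 +1747,6 @@ static void sma1307_setting_loaded(struct sma1307_priv *sma1307, const char *fil
 sma1307->set.header_size,
 GFP_KERNEL);
 if (!sma1307->set.header) {
-kfree(data);
 sma1307->set.status = false;
 return;
 }
@@ -1768,8 +1767,6 @@ static void sma1307_setting_loaded(struct sma1307_priv *sma1307, const char *fil
 = devm_kzalloc(sma1307->dev,
 sma1307->set.def_size * sizeof(int), GFP_KERNEL);
 if (!sma1307->set.def) {
-kfree(data);
-kfree(sma1307->set.header);
 sma1307->set.status = false;
 return;
 }
@@ -1787,9 +1784,6 @@ static void sma1307_setting_loaded(struct sma1307_priv *sma1307, const char *fil
 sma1307->set.mode_size * 2 * sizeof(int),
 GFP_KERNEL);
 if (!sma1307->set.mode_set[i]) {
-kfree(data);
-kfree(sma1307->set.header);
-kfree(sma1307->set.def);
 for (int j = 0; j < i; j++)
 kfree(sma1307->set.mode_set[j]);
 sma1307->set.status = false;
@@ -1804,7 +1798,6 @@ static void sma1307_setting_loaded(struct sma1307_priv *sma1307, const char *fil
 }
 }
 
-kfree(data);
 sma1307->set.status = true;
 
 }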
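Review bot: The `for (int j = 0; j < i; j++) kfree(sma1307->set.mode_set[j]);` loop left in the `!sma1307->set.mode_set[i]` error path looks like the same double-free class this commit removes for `set.header` and `set.def`. The allocation call for `mode_set[i]` is above the visible hunk, so this is inferred: if it is `devm_kzalloc()` like the other two, kfree() on the earlier entries leaves devres holding freed pointers that are released a second time when the device is unbound. In that case drop the loop and let devres release the entries, or use `devm_kfree(sma1307->dev, sma1307->set.mode_set[j]);` if early release is wanted. The enclosing `for` loop starts outside the hunk, so confirm the allocator against the full function before changing it.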
