This is a note to let you know that I've just added the patch titled
ASoC: soc-dapm: fix use after free
to the 3.14-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
asoc-soc-dapm-fix-use-after-free.patch
and it can be found in the queue-3.14 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <[email protected]> know about it.
>From e5092c96c9c28f4d12811edcd02ca8eec16e748e Mon Sep 17 00:00:00 2001
From: Daniel Mack <[email protected]>
Date: Tue, 7 Oct 2014 13:41:24 +0200
Subject: ASoC: soc-dapm: fix use after free
From: Daniel Mack <[email protected]>
commit e5092c96c9c28f4d12811edcd02ca8eec16e748e upstream.
Coverity spotted the following possible use-after-free condition in
dapm_create_or_share_mixmux_kcontrol():
If kcontrol is NULL, and (wname_in_long_name && kcname_in_long_name)
validates to true, 'name' will be set to an allocated string, and be
freed a few lines later via the 'long_name' alias. 'name', however,
is used by dev_err() in case snd_ctl_add() fails.
Fix this by adding a jump label that frees 'long_name' at the end of
the function.
Signed-off-by: Daniel Mack <[email protected]>
Signed-off-by: Mark Brown <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
sound/soc/soc-dapm.c | 25 ++++++++++++++-----------
1 file changed, 14 insertions(+), 11 deletions(-)
--- a/sound/soc/soc-dapm.c
+++ b/sound/soc/soc-dapm.c
@@ -689,9 +689,9 @@ static int dapm_create_or_share_mixmux_k
int shared;
struct snd_kcontrol *kcontrol;
bool wname_in_long_name, kcname_in_long_name;
- char *long_name;
+ char *long_name = NULL;
const char *name;
- int ret;
+ int ret = 0;
if (dapm->codec)
prefix = dapm->codec->name_prefix;
@@ -756,15 +756,17 @@ static int dapm_create_or_share_mixmux_k
kcontrol = snd_soc_cnew(&w->kcontrol_news[kci], NULL, name,
prefix);
- kfree(long_name);
- if (!kcontrol)
- return -ENOMEM;
+ if (!kcontrol) {
+ ret = -ENOMEM;
+ goto exit_free;
+ }
+
kcontrol->private_free = dapm_kcontrol_free;
ret = dapm_kcontrol_data_alloc(w, kcontrol);
if (ret) {
snd_ctl_free_one(kcontrol);
- return ret;
+ goto exit_free;
}
ret = snd_ctl_add(card, kcontrol);
@@ -772,17 +774,18 @@ static int dapm_create_or_share_mixmux_k
dev_err(dapm->dev,
"ASoC: failed to add widget %s dapm kcontrol
%s: %d\n",
w->name, name, ret);
- return ret;
+ goto exit_free;
}
}
ret = dapm_kcontrol_add_widget(kcontrol, w);
- if (ret)
- return ret;
+ if (ret == 0)
+ w->kcontrols[kci] = kcontrol;
- w->kcontrols[kci] = kcontrol;
+exit_free:
+ kfree(long_name);
- return 0;
+ return ret;
}
/* create new dapm mixer control */
Patches currently in stable-queue which might be from [email protected] are
queue-3.14/asoc-soc-dapm-fix-use-after-free.patch
--
To unsubscribe from this list: send the line "unsubscribe stable" in
the body of a message to [email protected]
More majordomo info at http://vger.kernel.org/majordomo-info.html
