Unverified Commit 012a6efc authored by Dan Carpenter's avatar Dan Carpenter Committed by Mark Brown
Browse files

ASoC: sma1307: Fix error handling in sma1307_setting_loaded() 



There are a couple bugs in this code:

1) The cleanup code calls kfree(sma1307->set.header) and
   kfree(sma1307->set.def) but those functions were allocated using
   devm_kzalloc().  It results in a double free.  Delete all these
   kfree() calls.

2) A missing call to kfree(data) if the checksum was wrong on this error
   path:
	if ((sma1307->set.checksum >> 8) != SMA1307_SETTING_CHECKSUM) {
   Since the "data" pointer is supposed to be freed on every return, I
   changed that to use the __free(kfree) cleanup attribute.

Fixes: 0ec6bd16 ("ASoC: sma1307: Add NULL check in sma1307_setting_loaded()")
Signed-off-by: default avatarDan Carpenter <dan.carpenter@linaro.org>
Link: https://patch.msgid.link/8d32dd96-1404-4373-9b6c-c612a9c18c4c@stanley.mountain


Signed-off-by: default avatarMark Brown <broonie@kernel.org>
parent 2593f7e0

sound/soc/codecs/sma1307.c

+2 −9
Original line number Diff line number Diff line
@@ -1705,7 +1705,7 @@ static void sma1307_check_fault_worker(struct work_struct *work) 
static void sma1307_setting_loaded(struct sma1307_priv *sma1307, const char *file)

{

	const struct firmware *fw;

	int *data, size, offset, num_mode;

	int size, offset, num_mode;

	int ret;



	ret = request_firmware(&fw, file, sma1307->dev);
@@ -1722,7 +1722,7 @@ static void sma1307_setting_loaded(struct sma1307_priv *sma1307, const char *fil 
		return;

	}



	data = kzalloc(fw->size, GFP_KERNEL);

	int *data __free(kfree) = kzalloc(fw->size, GFP_KERNEL);

	if (!data) {

		release_firmware(fw);

		sma1307->set.status = false;
@@ -1742,7 +1742,6 @@ static void sma1307_setting_loaded(struct sma1307_priv *sma1307, const char *fil 
					   sma1307->set.header_size,

					   GFP_KERNEL);

	if (!sma1307->set.header) {

		kfree(data);

		sma1307->set.status = false;

		return;

	}
@@ -1763,8 +1762,6 @@ static void sma1307_setting_loaded(struct sma1307_priv *sma1307, const char *fil 
	    = devm_kzalloc(sma1307->dev,

			   sma1307->set.def_size * sizeof(int), GFP_KERNEL);

	if (!sma1307->set.def) {

		kfree(data);

		kfree(sma1307->set.header);

		sma1307->set.status = false;

		return;

	}
@@ -1782,9 +1779,6 @@ static void sma1307_setting_loaded(struct sma1307_priv *sma1307, const char *fil 
				   sma1307->set.mode_size * 2 * sizeof(int),

				   GFP_KERNEL);

		if (!sma1307->set.mode_set[i]) {

			kfree(data);

			kfree(sma1307->set.header);

			kfree(sma1307->set.def);

			for (int j = 0; j < i; j++)

				kfree(sma1307->set.mode_set[j]);

			sma1307->set.status = false;
@@ -1799,7 +1793,6 @@ static void sma1307_setting_loaded(struct sma1307_priv *sma1307, const char *fil 
		}

	}



	kfree(data);

	sma1307->set.status = true;



}