ASoC: simple-card: fix an use-after-free in simple_dai_link_of_dpcm()
authorWen Yang <wen.yang99@zte.com.cn>
Wed, 10 Jul 2019 07:25:06 +0000 (15:25 +0800)
committerMark Brown <broonie@kernel.org>
Wed, 10 Jul 2019 15:33:49 +0000 (16:33 +0100)
The node variable is still being used after the of_node_put() call,
which may result in use-after-free.

Fixes: cfc652a73331 ("ASoC: simple-card: tidyup prefix for snd_soc_codec_conf")
Link: https://lore.kernel.org/r/1562743509-30496-2-git-send-email-wen.yang99@zte.com.cn
Signed-off-by: Wen Yang <wen.yang99@zte.com.cn>
Acked-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
sound/soc/generic/simple-card.c

index e5cde0d5e63c991b37878c88787fed8262484bb1..4117e54884e56da517b4af300eb6cd60a1b83d65 100644 (file)
@@ -124,8 +124,6 @@ static int simple_dai_link_of_dpcm(struct asoc_simple_priv *priv,
 
        li->link++;
 
-       of_node_put(node);
-
        /* For single DAI link & old style of DT node */
        if (is_top)
                prefix = PREFIX;
@@ -147,17 +145,17 @@ static int simple_dai_link_of_dpcm(struct asoc_simple_priv *priv,
 
                ret = asoc_simple_parse_cpu(np, dai_link, &is_single_links);
                if (ret)
-                       return ret;
+                       goto out_put_node;
 
                ret = asoc_simple_parse_clk_cpu(dev, np, dai_link, dai);
                if (ret < 0)
-                       return ret;
+                       goto out_put_node;
 
                ret = asoc_simple_set_dailink_name(dev, dai_link,
                                                   "fe.%s",
                                                   cpus->dai_name);
                if (ret < 0)
-                       return ret;
+                       goto out_put_node;
 
                asoc_simple_canonicalize_cpu(dai_link, is_single_links);
        } else {
@@ -180,17 +178,17 @@ static int simple_dai_link_of_dpcm(struct asoc_simple_priv *priv,
 
                ret = asoc_simple_parse_codec(np, dai_link);
                if (ret < 0)
-                       return ret;
+                       goto out_put_node;
 
                ret = asoc_simple_parse_clk_codec(dev, np, dai_link, dai);
                if (ret < 0)
-                       return ret;
+                       goto out_put_node;
 
                ret = asoc_simple_set_dailink_name(dev, dai_link,
                                                   "be.%s",
                                                   codecs->dai_name);
                if (ret < 0)
-                       return ret;
+                       goto out_put_node;
 
                /* check "prefix" from top node */
                snd_soc_of_parse_node_prefix(top, cconf, codecs->of_node,
@@ -208,19 +206,21 @@ static int simple_dai_link_of_dpcm(struct asoc_simple_priv *priv,
 
        ret = asoc_simple_parse_tdm(np, dai);
        if (ret)
-               return ret;
+               goto out_put_node;
 
        ret = asoc_simple_parse_daifmt(dev, node, codec,
                                       prefix, &dai_link->dai_fmt);
        if (ret < 0)
-               return ret;
+               goto out_put_node;
 
        dai_link->dpcm_playback         = 1;
        dai_link->dpcm_capture          = 1;
        dai_link->ops                   = &simple_ops;
        dai_link->init                  = asoc_simple_dai_init;
 
-       return 0;
+out_put_node:
+       of_node_put(node);
+       return ret;
 }
 
 static int simple_dai_link_of(struct asoc_simple_priv *priv,