
Commit c97d96b4 authored by Phil Elwell's avatar Phil Elwell Committed by Greg Kroah-Hartman

staging: bcm2835-audio: Fix memory corruption



The previous commit (0adbfd46) fixed a memory leak but also freed a
block in the success case, causing a stale pointer to be used with
potentially fatal results. Only free the vchi_instance block in the
case that vchi_connect fails; once connected, the instance is
retained for subsequent connections.

Simplify the code by removing a bunch of gotos and returning errors
directly.

Signed-off-by: default avatarPhil Elwell <phil@raspberrypi.org>
Fixes: 0adbfd46 ("staging: bcm2835-audio: fix memory leak in bcm2835_audio_open_connection()")
Cc: stable <stable@vger.kernel.org> # 4.12+
Tested-by: default avatarStefan Wahren <stefan.wahren@i2se.com>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
parent aa444bd2
+7 −12
@@ -390,8 +390,7 @@ static int bcm2835_audio_open_connection(struct bcm2835_alsa_stream *alsa_stream
			__func__, instance);
		instance->alsa_stream = alsa_stream;
		alsa_stream->instance = instance;
		ret = 0; // xxx todo -1;
		goto err_free_mem;
		return 0;
	}

	/* Initialize and create a VCHI connection */
@@ -401,16 +400,15 @@ static int bcm2835_audio_open_connection(struct bcm2835_alsa_stream *alsa_stream
			LOG_ERR("%s: failed to initialise VCHI instance (ret=%d)\n",
				__func__, ret);

			ret = -EIO;
			goto err_free_mem;
			return -EIO;
		}
		ret = vchi_connect(NULL, 0, vchi_instance);
		if (ret) {
			LOG_ERR("%s: failed to connect VCHI instance (ret=%d)\n",
				__func__, ret);

			ret = -EIO;
			goto err_free_mem;
			kfree(vchi_instance);
			return -EIO;
		}
		initted = 1;
	}
@@ -421,19 +419,16 @@ static int bcm2835_audio_open_connection(struct bcm2835_alsa_stream *alsa_stream
	if (IS_ERR(instance)) {
		LOG_ERR("%s: failed to initialize audio service\n", __func__);

		ret = PTR_ERR(instance);
		goto err_free_mem;
		/* vchi_instance is retained for use the next time. */
		return PTR_ERR(instance);
	}

	instance->alsa_stream = alsa_stream;
	alsa_stream->instance = instance;

	LOG_DBG(" success !\n");
	ret = 0;
err_free_mem:
	kfree(vchi_instance);

	return ret;
	return 0;
}

int bcm2835_audio_open(struct bcm2835_alsa_stream *alsa_stream)
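Review bot: The `kfree(vchi_instance);` added on the vchi_connect failure path leaves the freed address in `vchi_instance`, which appears to persist across calls, judging by the `initted` flag and the "retained for use the next time" comment (its declaration is outside the hunks shown). Because `initted` is still 0 on that path, the next open presumably re-runs the initialise step and overwrites the pointer, but clearing it on the spot with `kfree(vchi_instance); vchi_instance = NULL;` keeps a later refactor from reintroducing the stale-pointer use this commit fixes. The retained instance is also protected only by a plain check-then-set of `initted`; if the caller does not hold a lock (not visible here), two concurrent opens could both run the initialisation, so a short comment on the block ending in `initted = 1;` naming what serialises it would help. bcm2835_audio_open_connection begins before the first hunk, so its declarations and entry checks could not be reviewed.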