ASoC: Resolve use after free in listen sound client (e27cdae8) · Commits · e / devices / android_kernel_oneplus_sm7250

asoc/msm-lsm-client.c

+6 −0

Original line number	Diff line number	Diff line
		@@ -2113,6 +2113,7 @@ static int msm_lsm_ioctl_compat(struct snd_pcm_substream *substream,
		case SNDRV_LSM_GET_MODULE_PARAMS_32: {
		struct lsm_params_get_info_32 p_info_32, *param_info_rsp = NULL;
		struct lsm_params_get_info *p_info = NULL;
		prtd->lsm_client->get_param_payload = NULL;

		memset(&p_info_32, 0 , sizeof(p_info_32));
		if (!prtd->lsm_client->use_topology) {
		@@ -2163,6 +2164,7 @@ static int msm_lsm_ioctl_compat(struct snd_pcm_substream *substream,
		__func__, err);
		kfree(p_info);
		kfree(prtd->lsm_client->get_param_payload);
		prtd->lsm_client->get_param_payload = NULL;
		goto done;
		}

		@@ -2173,6 +2175,7 @@ static int msm_lsm_ioctl_compat(struct snd_pcm_substream *substream,
		err = -ENOMEM;
		kfree(p_info);
		kfree(prtd->lsm_client->get_param_payload);
		prtd->lsm_client->get_param_payload = NULL;
		goto done;
		}

		@@ -2197,6 +2200,7 @@ static int msm_lsm_ioctl_compat(struct snd_pcm_substream *substream,
		kfree(p_info);
		kfree(param_info_rsp);
		kfree(prtd->lsm_client->get_param_payload);
		prtd->lsm_client->get_param_payload = NULL;
		break;
		}
		case SNDRV_LSM_REG_SND_MODEL_V2:
		@@ -2408,6 +2412,7 @@ static int msm_lsm_ioctl(struct snd_pcm_substream *substream,

		case SNDRV_LSM_GET_MODULE_PARAMS: {
		struct lsm_params_get_info temp_p_info, *p_info = NULL;
		prtd->lsm_client->get_param_payload = NULL;

		memset(&temp_p_info, 0, sizeof(temp_p_info));
		if (!prtd->lsm_client->use_topology) {
		@@ -2488,6 +2493,7 @@ static int msm_lsm_ioctl(struct snd_pcm_substream *substream,
		free:
		kfree(p_info);
		kfree(prtd->lsm_client->get_param_payload);
		prtd->lsm_client->get_param_payload = NULL;
		break;
		}
		case SNDRV_LSM_EVENT_STATUS: