
Commit c97d96b

Phil Elwellgregkh
authored andcommitted
staging: bcm2835-audio: Fix memory corruption
The previous commit (0adbfd4) fixed a memory leak but also freed a block in the success case, causing a stale pointer to be used with potentially fatal results. Only free the vchi_instance block in the case that vchi_connect fails; once connected, the instance is retained for subsequent connections. Simplify the code by removing a bunch of gotos and returning errors directly. Signed-off-by: Phil Elwell <phil@raspberrypi.org> Fixes: 0adbfd4 ("staging: bcm2835-audio: fix memory leak in bcm2835_audio_open_connection()") Cc: stable <stable@vger.kernel.org> # 4.12+ Tested-by: Stefan Wahren <stefan.wahren@i2se.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
1 parent aa444bd commit c97d96b


1 file changed

+7
-12
lines changed

1 file changed

+7
-12
lines changed

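--- a/drivers/staging/vc04_services/bcm2835-audio/bcm2835-vchiq.c
+++ b/drivers/staging/vc04_services/bcm2835-audio/bcm2835-vchiq.c
@@ -390,8 +390,7 @@ static int bcm2835_audio_open_connection(struct bcm2835_alsa_stream *alsa_stream
 __func__, instance);
 instance->alsa_stream = alsa_stream;
 alsa_stream->instance = instance;
-ret = 0; // xxx todo -1;
-goto err_free_mem;
+return 0;
 }
 
 /* Initialize and create a VCHI connection */
@@ -401,16 +400,15 @@ static int bcm2835_audio_open_connection(struct bcm2835_alsa_stream *alsa_stream
 LOG_ERR("%s: failed to initialise VCHI instance (ret=%d)\n",
 __func__, ret);
 
-ret = -EIO;
-goto err_free_mem;
+return -EIO;
 }
 ret = vchi_connect(NULL, 0, vchi_instance);
 if (ret) {
 LOG_ERR("%s: failed to connect VCHI instance (ret=%d)\n",
 __func__, ret);
 
-ret = -EIO;
-goto err_free_mem;
+kfree(vchi_instance);
+return -EIO;
 }
 initted = 1;
 }
@@ -421,19 +419,16 @@ static int bcm2835_audio_open_connection(struct bcm2835_alsa_stream *alsa_stream
 if (IS_ERR(instance)) {
 LOG_ERR("%s: failed to initialize audio service\n", __func__);
 
-ret = PTR_ERR(instance);
-goto err_free_mem;
+/* vchi_instance is retained for use the next time. */
+return PTR_ERR(instance);
 }
 
 instance->alsa_stream = alsa_stream;
 alsa_stream->instance = instance;
 
 LOG_DBG(" success !\n");
-ret = 0;
-err_free_mem:
-kfree(vchi_instance);
 
-return ret;
+return 0;
 }
 
 int bcm2835_audio_open(struct bcm2835_alsa_stream *alsa_stream)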
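Review bot: In the vchi_connect() failure branch of the second hunk, `kfree(vchi_instance);` leaves the pointer holding the freed address. The commit message says the instance is retained for subsequent connections, so the variable presumably outlives this call (its declaration, and that of `initted`, are outside the visible hunks). Clearing it right after the free, `vchi_instance = NULL;`, would make any later path that reaches it before re-initialisation fail on a NULL pointer instead of touching freed memory. A short comment at that kfree, such as `/* connect failed: drop the instance so the next open re-initialises it */`, would also record why freeing is correct here but not after a successful connect. The body of bcm2835_audio_open_connection starts before the first hunk.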
