staging: bcm2835-audio: Fix memory corruption

The previous commit (0adbfd46) fixed a memory leak but also freed a block in the success case, causing a stale pointer to be used with potentially fatal results. Only free the vchi_instance block in the case that vchi_connect fails; once connected, the instance is retained for subsequent connections. Simplifying the code by removing a bunch of gotos and returning errors directly. Signed-off-by: Phil Elwell <phil@raspberrypi.org> Fixes: 0adbfd4694c2 ("staging: bcm2835-audio: fix memory leak in bcm2835_audio_open_connection()") Cc: stable <stable@vger.kernel.org> # 4.12+ Tested-by: Stefan Wahren <stefan.wahren@i2se.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
author: Phil Elwell <phil@raspberrypi.org> 2017-09-24 10:20:49 -0400
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2017-10-18 09:09:45 -0400
commit: c97d96b4e612c7dc1b37d7afc61b598a9a25994d (patch)
tree: 0e6b16525e082f13bf06a31c9a4fb5e09e9655a0
parent: aa444bd230f832d4e75cfac826255cfd66f545c3 (diff)
1 files changed, 7 insertions, 12 deletions
diff --git a/drivers/staging/vc04_services/bcm2835-audio/bcm2835-vchiq.c b/drivers/staging/vc04_services/bcm2835-audio/bcm2835-vchiq.c
index 5f3d8f2339e3..4be864dbd41c 100644
--- a/drivers/staging/vc04_services/bcm2835-audio/bcm2835-vchiq.c
+++ b/drivers/staging/vc04_services/bcm2835-audio/bcm2835-vchiq.c
@@ -390,8 +390,7 @@ static int bcm2835_audio_open_connection(struct bcm2835_alsa_stream *alsa_stream
                        __func__, instance);
                instance->alsa_stream = alsa_stream;
                alsa_stream->instance = instance;
-                ret = 0; // xxx todo -1;
+                return 0;
-                goto err_free_mem;
        }
        /* Initialize and create a VCHI connection */
@@ -401,16 +400,15 @@ static int bcm2835_audio_open_connection(struct bcm2835_alsa_stream *alsa_stream
                        LOG_ERR("%s: failed to initialise VCHI instance (ret=%d)\n",
                                __func__, ret);
-                        ret = -EIO;
+                        return -EIO;
-                        goto err_free_mem;
                }
                ret = vchi_connect(NULL, 0, vchi_instance);
                if (ret) {
                        LOG_ERR("%s: failed to connect VCHI instance (ret=%d)\n",
                                __func__, ret);
-                        ret = -EIO;
+                        kfree(vchi_instance);
-                        goto err_free_mem;
+                        return -EIO;
                }
                initted = 1;
        }
@@ -421,19 +419,16 @@ static int bcm2835_audio_open_connection(struct bcm2835_alsa_stream *alsa_stream
        if (IS_ERR(instance)) {
                LOG_ERR("%s: failed to initialize audio service\n", __func__);
-                ret = PTR_ERR(instance);
+                /* vchi_instance is retained for use the next time. */
-                goto err_free_mem;
+                return PTR_ERR(instance);
        }
        instance->alsa_stream = alsa_stream;
        alsa_stream->instance = instance;
        LOG_DBG(" success !\n");
-        ret = 0;
-err_free_mem:
-        kfree(vchi_instance);
-        return ret;
+        return 0;
 }
 int bcm2835_audio_open(struct bcm2835_alsa_stream *alsa_stream)
author	Phil Elwell <phil@raspberrypi.org>	2017-09-24 10:20:49 -0400
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2017-10-18 09:09:45 -0400
commit	c97d96b4e612c7dc1b37d7afc61b598a9a25994d (patch)
tree	0e6b16525e082f13bf06a31c9a4fb5e09e9655a0
parent	aa444bd230f832d4e75cfac826255cfd66f545c3 (diff)