commit 598e8ee7a25df36d352e311f29667351f03ef6ef
author Bubble Fang <bubblefang@google.com> Tue Oct 31 04:02:32 2023 +0000
committer Bubble Fang <bubblefang@google.com> Tue Oct 31 05:54:28 2023 +0000
tree 505c337d579bef47b2d7edafca074e83ae3ddecc
parent ac5704c3dbd3b43eeb2366598bdab01a361a349f

ASoC: dsp: q6core: Avoid use after free

Add check for AVCS_CMD_RSP_LOAD_MODULE response payload
to avoid its access after free.

Bug: 303101067
Change-Id: Ie3991640394d761525afc2e9c1e17955bd4cf355
Signed-off-by: Bubble Fang <bubblefang@google.com>

dsp/q6core.c

diff --git a/dsp/q6core.c b/dsp/q6core.c
index a58a03b..9d9fc97 100644
--- a/dsp/q6core.c
+++ b/dsp/q6core.c
@@ -475,6 +475,8 @@
 	case AVCS_CMD_RSP_LOAD_MODULES:
 		pr_debug("%s: Received AVCS_CMD_RSP_LOAD_MODULES\n",
 			 __func__);
+		if (!rsp_payload)
+			return -EINVAL;
 		if (data->payload_size != ((sizeof(struct avcs_load_unload_modules_sec_payload)
 			* rsp_payload->num_modules) + sizeof(uint32_t))) {
 			pr_err("%s: payload size not equal to expected size %d\n",
@@ -1061,6 +1063,7 @@
 done:
 	kfree(mod);
 	kfree(rsp_payload);
+	rsp_payload = NULL;
 	mutex_unlock(&(q6core_lcl.cmd_lock));
 	return ret;
 }