ASoC: dsp: q6core: Avoid use after free
Add check for AVCS_CMD_RSP_LOAD_MODULE response payload
to avoid its access after free.
Bug: 303101067
Change-Id: Ie3991640394d761525afc2e9c1e17955bd4cf355
Signed-off-by: Bubble Fang <bubblefang@google.com>
diff --git a/dsp/q6core.c b/dsp/q6core.c
index a58a03b..9d9fc97 100644
--- a/dsp/q6core.c
+++ b/dsp/q6core.c
@@ -475,6 +475,8 @@
case AVCS_CMD_RSP_LOAD_MODULES:
pr_debug("%s: Received AVCS_CMD_RSP_LOAD_MODULES\n",
__func__);
+ if (!rsp_payload)
+ return -EINVAL;
if (data->payload_size != ((sizeof(struct avcs_load_unload_modules_sec_payload)
* rsp_payload->num_modules) + sizeof(uint32_t))) {
pr_err("%s: payload size not equal to expected size %d\n",
@@ -1061,6 +1063,7 @@
done:
kfree(mod);
kfree(rsp_payload);
+ rsp_payload = NULL;
mutex_unlock(&(q6core_lcl.cmd_lock));
return ret;
}