Patch "mISDN: Fix memory leak in dsp_pipeline_build()" has been added to the 5.16-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Sat, 12 Mar 2022 03:53:11 -0500

This is a note to let you know that I've just added the patch titled

    mISDN: Fix memory leak in dsp_pipeline_build()

to the 5.16-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     misdn-fix-memory-leak-in-dsp_pipeline_build.patch
and it can be found in the queue-5.16 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit a8c743ada9d641c63b023c9730d0bc0022599aac
Author: Alexey Khoroshilov <khoroshilov@xxxxxxxxx>
Date:   Fri Mar 4 21:25:36 2022 +0300

    mISDN: Fix memory leak in dsp_pipeline_build()
    
    [ Upstream commit c6a502c2299941c8326d029cfc8a3bc8a4607ad5 ]
    
    dsp_pipeline_build() allocates dup pointer by kstrdup(cfg),
    but then it updates dup variable by strsep(&dup, "|").
    As a result when it calls kfree(dup), the dup variable contains NULL.
    
    Found by Linux Driver Verification project (linuxtesting.org) with SVACE.
    
    Signed-off-by: Alexey Khoroshilov <khoroshilov@xxxxxxxxx>
    Fixes: 960366cf8dbb ("Add mISDN DSP")
    Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/isdn/mISDN/dsp_pipeline.c b/drivers/isdn/mISDN/dsp_pipeline.c
index e11ca6bbc7f4..c3b2c99b5cd5 100644
--- a/drivers/isdn/mISDN/dsp_pipeline.c
+++ b/drivers/isdn/mISDN/dsp_pipeline.c
@@ -192,7 +192,7 @@ void dsp_pipeline_destroy(struct dsp_pipeline *pipeline)
 int dsp_pipeline_build(struct dsp_pipeline *pipeline, const char *cfg)
 {
 	int found = 0;
-	char *dup, *tok, *name, *args;
+	char *dup, *next, *tok, *name, *args;
 	struct dsp_element_entry *entry, *n;
 	struct dsp_pipeline_entry *pipeline_entry;
 	struct mISDN_dsp_element *elem;
@@ -203,10 +203,10 @@ int dsp_pipeline_build(struct dsp_pipeline *pipeline, const char *cfg)
 	if (!list_empty(&pipeline->list))
 		_dsp_pipeline_destroy(pipeline);
 
-	dup = kstrdup(cfg, GFP_ATOMIC);
+	dup = next = kstrdup(cfg, GFP_ATOMIC);
 	if (!dup)
 		return 0;
-	while ((tok = strsep(&dup, "|"))) {
+	while ((tok = strsep(&next, "|"))) {
 		if (!strlen(tok))
 			continue;
 		name = strsep(&tok, "(");






