Patch "ASoC: SOF: ipc3-topology: Prevent double freeing of ipc_control_data via load_bytes" has been added to the 5.18-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Sat, 13 Aug 2022 17:57:47 -0400

This is a note to let you know that I've just added the patch titled

    ASoC: SOF: ipc3-topology: Prevent double freeing of ipc_control_data via load_bytes

to the 5.18-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     asoc-sof-ipc3-topology-prevent-double-freeing-of-ipc.patch
and it can be found in the queue-5.18 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit ca9344fd4d2447daa1aa5b822b1558f7602c8f49
Author: Peter Ujfalusi <peter.ujfalusi@xxxxxxxxxxxxxxx>
Date:   Tue Jul 12 16:01:03 2022 +0300

    ASoC: SOF: ipc3-topology: Prevent double freeing of ipc_control_data via load_bytes
    
    [ Upstream commit d5bd47f3ca124058a8e87eae4508afeda2132611 ]
    
    We have sanity checks for byte controls and if any of the fail the locally
    allocated scontrol->ipc_control_data is freed up, but not set to NULL.
    
    On a rollback path of the error the higher level code will also try to free
    the scontrol->ipc_control_data which will eventually going to lead to
    memory corruption as double freeing memory is not a good thing.
    
    Fixes: b5cee8feb1d4 ("ASoC: SOF: topology: Make control parsing IPC agnostic")
    Reported-by: Seppo Ingalsuo <seppo.ingalsuo@xxxxxxxxxxxxxxx>
    Signed-off-by: Peter Ujfalusi <peter.ujfalusi@xxxxxxxxxxxxxxx>
    Reviewed-by: Seppo Ingalsuo <seppo.ingalsuo@xxxxxxxxxxxxxxx>
    Reviewed-by: Ranjani Sridharan <ranjani.sridharan@xxxxxxxxxxxxxxx>
    Reviewed-by: Pierre-Louis Bossart <pierre-louis.bossart@xxxxxxxxxxxxxxx>
    Link: https://lore.kernel.org/r/20220712130103.31514-1-peter.ujfalusi@xxxxxxxxxxxxxxx
    Signed-off-by: Mark Brown <broonie@xxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/sound/soc/sof/ipc3-topology.c b/sound/soc/sof/ipc3-topology.c
index 80fb82ece38d..74c230fbcf68 100644
--- a/sound/soc/sof/ipc3-topology.c
+++ b/sound/soc/sof/ipc3-topology.c
@@ -1629,6 +1629,7 @@ static int sof_ipc3_control_load_bytes(struct snd_sof_dev *sdev, struct snd_sof_
 	return 0;
 err:
 	kfree(scontrol->ipc_control_data);
+	scontrol->ipc_control_data = NULL;
 	return ret;
 }
 






