This is a note to let you know that I've just added the patch titled firmware/imx-dsp: Fix use_after_free in imx_dsp_setup_channels() to the 6.5-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: firmware-imx-dsp-fix-use_after_free-in-imx_dsp_setup.patch and it can be found in the queue-6.5 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable@xxxxxxxxxxxxxxx> know about it. commit 13a8a8d212bc7d1a30c49b927e894b898c9f7f7e Author: Hao Ge <gehao@xxxxxxxxxx> Date: Sun Oct 8 11:29:08 2023 +0800 firmware/imx-dsp: Fix use_after_free in imx_dsp_setup_channels() [ Upstream commit 1558b1a8dd388f5fcc3abc1e24de854a295044c3 ] dsp_chan->name and chan_name points to same block of memory, because dev_err still needs to be used it,so we need free it's memory after use to avoid use_after_free. Fixes: e527adfb9b7d ("firmware: imx-dsp: Fix an error handling path in imx_dsp_setup_channels()") Signed-off-by: Hao Ge <gehao@xxxxxxxxxx> Reviewed-by: Daniel Baluta <daniel.baluta@xxxxxxx> Signed-off-by: Shawn Guo <shawnguo@xxxxxxxxxx> Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx> diff --git a/drivers/firmware/imx/imx-dsp.c b/drivers/firmware/imx/imx-dsp.c index 1f410809d3ee4..0f656e4191d5c 100644 --- a/drivers/firmware/imx/imx-dsp.c +++ b/drivers/firmware/imx/imx-dsp.c @@ -115,11 +115,11 @@ static int imx_dsp_setup_channels(struct imx_dsp_ipc *dsp_ipc) dsp_chan->idx = i % 2; dsp_chan->ch = mbox_request_channel_byname(cl, chan_name); if (IS_ERR(dsp_chan->ch)) { - kfree(dsp_chan->name); ret = PTR_ERR(dsp_chan->ch); if (ret != -EPROBE_DEFER) dev_err(dev, "Failed to request mbox chan %s ret %d\n", chan_name, ret); + kfree(dsp_chan->name); goto out; }
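Review bot: in the IS_ERR(dsp_chan->ch) branch, the ordering constraint between dev_err() and kfree() is invisible in the code, because the log call reads chan_name while the free is written against dsp_chan->name, and only the commit message says the two point to the same allocation. That is how the commit named in the Fixes: tag could place the kfree() ahead of the print without it looking wrong. Consider passing dsp_chan->name to dev_err() so the use and the free name the same pointer, or adding a one-line comment above `kfree(dsp_chan->name);` stating that chan_name aliases it and must not be used afterwards. Separately, dsp_chan->name still holds the freed address when control reaches `goto out;`. The cleanup under the out label is not visible in this hunk, so it is worth confirming that it does not read or free dsp_chan->name again for this index, or setting the field to NULL right after the kfree() to make a later kfree() harmless.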