From: Kamil Duljas <kamil.duljas@xxxxxxxxx> [ Upstream commit 8c91ca76f44804868d12aed20ebdbc2f89aa7d60 ] trace_filter_parse() allocs memory for *out and when -ENOMEM is returned, caller function, dfsentry_trace_filter_write() trying to freed this memory. After this patch, the memory is freed in trace_filter_parse() before -EINVAL returned. In caller function removed kfree(elms) from error label Signed-off-by: Kamil Duljas <kamil.duljas@xxxxxxxxx> Link: https://lore.kernel.org/r/20231116220102.2097-2-kamil.duljas@xxxxxxxxx Signed-off-by: Mark Brown <broonie@xxxxxxxxxx> Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx> --- sound/soc/sof/ipc3-dtrace.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/sound/soc/sof/ipc3-dtrace.c b/sound/soc/sof/ipc3-dtrace.c index 0dca139322f3..93b189c2d2ee 100644 --- a/sound/soc/sof/ipc3-dtrace.c +++ b/sound/soc/sof/ipc3-dtrace.c @@ -137,6 +137,7 @@ static int trace_filter_parse(struct snd_sof_dev *sdev, char *string, dev_err(sdev->dev, "Parsing filter entry '%s' failed with %d\n", entry, entry_len); + kfree(*out); return -EINVAL; } } @@ -208,13 +209,13 @@ static ssize_t dfsentry_trace_filter_write(struct file *file, const char __user ret = ipc3_trace_update_filter(sdev, num_elems, elems); if (ret < 0) { dev_err(sdev->dev, "Filter update failed: %d\n", ret); + kfree(elems); goto error; } } ret = count; error: kfree(string); - kfree(elems); return ret; } -- 2.43.0