summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJared Kangas <kangas.jd@gmail.com>2022-06-05 16:18:06 -0700
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2022-06-06 08:08:03 +0200
commit80c968a04a381dc0e690960c60ffd6b6aee7e157 (patch)
treec0efeb5922c96df54f8c827f930abbd916c815c3
parent79053469559d0cf0d4106fb8b3784b8cd9fa4f61 (diff)
downloadlinux-80c968a04a381dc0e690960c60ffd6b6aee7e157.tar.bz2
staging: greybus: audio: fix loop cursor use after iteration
gbaudio_dapm_free_controls() iterates over widgets using list_for_each_entry_safe(), which leaves the loop cursor pointing to a meaningless structure if it completes a traversal of the list. The cursor was set to NULL at the end of the loop body, but would be overwritten by the final loop cursor update. Because of this behavior, the widget could be non-null after the loop even if the widget wasn't found, and the cleanup logic would treat the pointer as a valid widget to free. To fix this, introduce a temporary variable to act as the loop cursor and copy it to a variable that can be accessed after the loop finishes. This was detected with the help of Coccinelle. Signed-off-by: Jared Kangas <kangas.jd@gmail.com> Link: https://lore.kernel.org/r/20220605231806.720085-1-kangas.jd@gmail.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-rw-r--r--drivers/staging/greybus/audio_helper.c13
1 files changed, 7 insertions, 6 deletions
diff --git a/drivers/staging/greybus/audio_helper.c b/drivers/staging/greybus/audio_helper.c
index 843760675876..07461a5d97c7 100644
--- a/drivers/staging/greybus/audio_helper.c
+++ b/drivers/staging/greybus/audio_helper.c
@@ -115,7 +115,7 @@ int gbaudio_dapm_free_controls(struct snd_soc_dapm_context *dapm,
int num)
{
int i;
- struct snd_soc_dapm_widget *w, *next_w;
+ struct snd_soc_dapm_widget *w, *next_w, *tmp_w;
#ifdef CONFIG_DEBUG_FS
struct dentry *parent = dapm->debugfs_dapm;
struct dentry *debugfs_w = NULL;
@@ -124,13 +124,14 @@ int gbaudio_dapm_free_controls(struct snd_soc_dapm_context *dapm,
mutex_lock(&dapm->card->dapm_mutex);
for (i = 0; i < num; i++) {
/* below logic can be optimized to identify widget pointer */
- list_for_each_entry_safe(w, next_w, &dapm->card->widgets,
+ w = NULL;
+ list_for_each_entry_safe(tmp_w, next_w, &dapm->card->widgets,
list) {
- if (w->dapm != dapm)
- continue;
- if (!strcmp(w->name, widget->name))
+ if (tmp_w->dapm == dapm &&
+ !strcmp(tmp_w->name, widget->name)) {
+ w = tmp_w;
break;
- w = NULL;
+ }
}
if (!w) {
dev_err(dapm->dev, "%s: widget not found\n",