authorBubble Fang <bubblefang@google.com>2023-10-31 04:02:32 +0000
committerBubble Fang <bubblefang@google.com>2023-10-31 05:54:28 +0000
commit598e8ee7a25df36d352e311f29667351f03ef6ef (patch)
tree505c337d579bef47b2d7edafca074e83ae3ddecc
parentac5704c3dbd3b43eeb2366598bdab01a361a349f (diff)
Add check for AVCS_CMD_RSP_LOAD_MODULES response payload to avoid accessing it after free. Bug: 303101067 Change-Id: Ie3991640394d761525afc2e9c1e17955bd4cf355 Signed-off-by: Bubble Fang <bubblefang@google.com>
-rw-r--r--dsp/q6core.c3
1 files changed, 3 insertions, 0 deletions
diff --git a/dsp/q6core.c b/dsp/q6core.c
index a58a03b3..9d9fc97f 100644
--- a/dsp/q6core.c
+++ b/dsp/q6core.c
@@ -475,6 +475,8 @@ static int32_t aprv2_core_fn_q(struct apr_client_data *data, void *priv)
case AVCS_CMD_RSP_LOAD_MODULES:
pr_debug("%s: Received AVCS_CMD_RSP_LOAD_MODULES\n",
__func__);
+ if (!rsp_payload)
+ return -EINVAL;
if (data->payload_size != ((sizeof(struct avcs_load_unload_modules_sec_payload)
* rsp_payload->num_modules) + sizeof(uint32_t))) {
pr_err("%s: payload size not equal to expected size %d\n",
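Review bot: The added `if (!rsp_payload)` test and the `rsp_payload->num_modules` read two lines later are separate loads of what appears to be a file-scope pointer, and nothing visible in this hunk serialises them against the `kfree(rsp_payload)` in `q6core_avcs_load_unload_modules()`. If this APR callback can run while that function is in its `done:` path, the pointer can pass the NULL test and still be freed before the dereference, so the use-after-free window is narrowed rather than closed. The free side appears to run under `q6core_lcl.cmd_lock`; the callback should read the pointer under a lock both sides share (a spinlock if the callback cannot sleep), and the rule is worth recording next to the check, e.g. `/* rsp_payload is freed by the requester under cmd_lock; a late response must not dereference it */`. The body of `aprv2_core_fn_q` starts and ends outside the hunk, so any locking taken elsewhere in it is not visible here.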
@@ -1061,6 +1063,7 @@ int32_t q6core_avcs_load_unload_modules(struct avcs_load_unload_modules_payload
done:
kfree(mod);
kfree(rsp_payload);
+ rsp_payload = NULL;
mutex_unlock(&(q6core_lcl.cmd_lock));
return ret;
}
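Review bot: Clearing the pointer only after `kfree(rsp_payload)` leaves a short interval in which the shared variable still holds a freed address, and that is a value the new NULL test in `aprv2_core_fn_q` would accept. Unpublishing before freeing removes that interval: `tmp = rsp_payload; rsp_payload = NULL; kfree(tmp);`, with `tmp` a local of the same pointer type (its declaration is outside the hunk). The reordering helps only if the reader's load is ordered against this store, so it complements a shared lock and does not replace one. The function body begins outside the hunk.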