dsp: fix dangling pointer access

Assign the circular buffer address to port buffer only after ION
allocation is succesful to fix dangling pointer access.
Also, lock the circular buffer memory allocation in order to
avoid multiple allocations for a port.

CRs-Fixed: 2096407
Change-Id: I22c1d55ea611ac59cdca51924787f6831bad8c2b
Signed-off-by: Aditya Bavanari <abavanar@codeaurora.org>

1 files changed, 11 insertions, 11 deletions

diff --git a/dsp/q6asm.c b/dsp/q6asm.c
index 28b3f733..0a4216a0 100644
--- a/dsp/q6asm.c
+++ b/dsp/q6asm.c
@@ -3350,6 +3350,15 @@ int q6asm_set_shared_circ_buff(struct audio_client *ac,
 	int bytes_to_alloc, rc;
 	size_t len;
 
+	mutex_lock(&ac->cmd_lock);
+
+	if (ac->port[dir].buf) {
+		pr_err("%s: Buffer already allocated\n", __func__);
+		rc = -EINVAL;
+		mutex_unlock(&ac->cmd_lock);
+		goto done;
+	}
+
 	buf_circ = kzalloc(sizeof(struct audio_buffer), GFP_KERNEL);
 
 	if (!buf_circ) {
@@ -3357,10 +3366,6 @@ int q6asm_set_shared_circ_buff(struct audio_client *ac,
 		goto done;
 	}
 
-	mutex_lock(&ac->cmd_lock);
-
-	ac->port[dir].buf = buf_circ;
-
 	bytes_to_alloc = bufsz * bufcnt;
 	bytes_to_alloc = PAGE_ALIGN(bytes_to_alloc);
 
@@ -3372,11 +3377,12 @@ int q6asm_set_shared_circ_buff(struct audio_client *ac,
 	if (rc) {
 		pr_err("%s: Audio ION alloc is failed, rc = %d\n", __func__,
 				rc);
-		mutex_unlock(&ac->cmd_lock);
 		kfree(buf_circ);
+		mutex_unlock(&ac->cmd_lock);
 		goto done;
 	}
 
+	ac->port[dir].buf = buf_circ;
 	buf_circ->used = dir ^ 1;
 	buf_circ->size = bytes_to_alloc;
 	buf_circ->actual_size = bytes_to_alloc;
@@ -3541,12 +3547,6 @@ int q6asm_open_shared_io(struct audio_client *ac,
 		goto done;
 	}
 
-	if (ac->port[dir].buf) {
-		pr_err("%s: Buffer already allocated\n", __func__);
-		rc = -EINVAL;
-		goto done;
-	}
-
 	rc = q6asm_set_shared_circ_buff(ac, open, bufsz, bufcnt, dir);
 
 	if (rc)