From b6fdfbcf64e42eba8f70717d14b69cbe86e17b00 Mon Sep 17 00:00:00 2001 From: Daniel Baluta Date: Thu, 26 Jul 2018 17:58:10 +0300 Subject: MLK-19063: ASoC: fsl_dsp: Fix use after free Move client freeing later when no one needs it. This fixes Coverity Issue 3344686. Note that this also fixes a potential memory leak, if proxy happens to be NULL. Reported-by: Ioan-alexandru Palalau Signed-off-by: Daniel Baluta Reviewed-by: Shengjiu Wang (cherry picked from commit a0bb3e2d5a0517e46bdf1eb35eb94ff46fd5b709) --- sound/soc/fsl/fsl_dsp.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) (limited to 'sound/soc/fsl/fsl_dsp.c') diff --git a/sound/soc/fsl/fsl_dsp.c b/sound/soc/fsl/fsl_dsp.c index 33e19f80327a..7d5a686f4e8d 100644 --- a/sound/soc/fsl/fsl_dsp.c +++ b/sound/soc/fsl/fsl_dsp.c @@ -401,18 +401,18 @@ static int fsl_dsp_close(struct inode *inode, struct file *file) return PTR_ERR(client); proxy = client->proxy; - if (proxy) { - /* ...release all pending messages */ - xf_msg_free_all(proxy, &client->queue); - /* ...recycle client id and release memory */ - xf_client_free(client); - } + /* release all pending messages */ + if (proxy) + xf_msg_free_all(proxy, &client->queue); dsp_priv = (struct fsl_dsp *)client->global; dev = dsp_priv->dev; pm_runtime_put_sync(dev); + /* ...recycle client id and release memory */ + xf_client_free(client); + mutex_lock(&dsp_priv->dsp_mutex); /* decrease reference counter when closing device */ atomic_long_dec(&dsp_priv->refcnt); -- cgit v1.2.3