Coverity spotted an use-after-free condition in snd_soc_remove_platform(). Fix this by moving snd_soc_component_cleanup() after the debug print statement which uses the component's string.

Signed-off-by: Daniel Mack daniel@zonque.org --- sound/soc/soc-core.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/sound/soc/soc-core.c b/sound/soc/soc-core.c index 3d8cff6..4c8f8a2 100644 --- a/sound/soc/soc-core.c +++ b/sound/soc/soc-core.c @@ -4192,10 +4192,10 @@ void snd_soc_remove_platform(struct snd_soc_platform *platform) snd_soc_component_del_unlocked(&platform->component); mutex_unlock(&client_mutex);

- snd_soc_component_cleanup(&platform->component); - dev_dbg(platform->dev, "ASoC: Unregistered platform '%s'\n", platform->component.name); + + snd_soc_component_cleanup(&platform->component); } EXPORT_SYMBOL_GPL(snd_soc_remove_platform);

Coverity spotted the following possible use-after-free condition in dapm_create_or_share_mixmux_kcontrol():

If kcontrol is NULL, and (wname_in_long_name && kcname_in_long_name) validates to true, 'name' will be set to an allocated string, and be freed a few lines later via the 'long_name' alias. 'name', however, is used by dev_err() in case snd_ctl_add() fails.

Fix this by adding a jump label that frees 'long_name' at the end of the function.

Signed-off-by: Daniel Mack daniel@zonque.org --- sound/soc/soc-dapm.c | 25 ++++++++++++++----------- 1 file changed, 14 insertions(+), 11 deletions(-)

diff --git a/sound/soc/soc-dapm.c b/sound/soc/soc-dapm.c index 2c456a3..c61cb9c 100644 --- a/sound/soc/soc-dapm.c +++ b/sound/soc/soc-dapm.c @@ -592,9 +592,9 @@ static int dapm_create_or_share_mixmux_kcontrol(struct snd_soc_dapm_widget *w, int shared; struct snd_kcontrol *kcontrol; bool wname_in_long_name, kcname_in_long_name; - char *long_name; + char *long_name = NULL; const char *name; - int ret; + int ret = 0;

prefix = soc_dapm_prefix(dapm); if (prefix) @@ -653,15 +653,17 @@ static int dapm_create_or_share_mixmux_kcontrol(struct snd_soc_dapm_widget *w,

kcontrol = snd_soc_cnew(&w->kcontrol_news[kci], NULL, name, prefix); - kfree(long_name); - if (!kcontrol) - return -ENOMEM; + if (!kcontrol) { + ret = -ENOMEM; + goto exit_free; + } + kcontrol->private_free = dapm_kcontrol_free;

ret = dapm_kcontrol_data_alloc(w, kcontrol); if (ret) { snd_ctl_free_one(kcontrol); - return ret; + goto exit_free; }

ret = snd_ctl_add(card, kcontrol); @@ -669,17 +671,18 @@ static int dapm_create_or_share_mixmux_kcontrol(struct snd_soc_dapm_widget *w, dev_err(dapm->dev, "ASoC: failed to add widget %s dapm kcontrol %s: %d\n", w->name, name, ret); - return ret; + goto exit_free; } }

ret = dapm_kcontrol_add_widget(kcontrol, w); - if (ret) - return ret; + if (ret == 0) + w->kcontrols[kci] = kcontrol;

- w->kcontrols[kci] = kcontrol; +exit_free: + kfree(long_name);

- return 0; + return ret; }

/* create new dapm mixer control */

Coverity spotted an issue with strncpy() in pm860x_codec_probe() which does not take the \0 termination byte into account. Fix this by making the buffers one byte larger so the can really accommodate MAX_NAME_LEN bytes long strings.

Signed-off-by: Daniel Mack daniel@zonque.org --- sound/soc/codecs/88pm860x-codec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sound/soc/codecs/88pm860x-codec.c b/sound/soc/codecs/88pm860x-codec.c index 4c3b0af..e88a6b6 100644 --- a/sound/soc/codecs/88pm860x-codec.c +++ b/sound/soc/codecs/88pm860x-codec.c @@ -146,7 +146,7 @@ struct pm860x_priv { struct pm860x_det det;

int irq[4]; - unsigned char name[4][MAX_NAME_LEN]; + unsigned char name[4][MAX_NAME_LEN+1]; };

/* -9450dB to 0dB in 150dB steps ( mute instead of -9450dB) */