public inbox for stable@vger.kernel.org
 help / color / mirror / Atom feed
* [PATCH v2] ASoC: sma1307: fix double free of devm_kzalloc() memory
@ 2026-03-13  4:06 Guangshuo Li
  2026-03-16  1:19 ` Mark Brown
  2026-03-16 17:52 ` Mark Brown
  0 siblings, 2 replies; 3+ messages in thread
From: Guangshuo Li @ 2026-03-13  4:06 UTC (permalink / raw)
  To: Kiseok Jo, Liam Girdwood, Mark Brown, Jaroslav Kysela,
	Takashi Iwai, Chenyuan Yang, linux-sound, linux-kernel
  Cc: Guangshuo Li, stable

A previous change added NULL checks and cleanup for allocation
failures in sma1307_setting_loaded().

However, the cleanup for mode_set entries is wrong. Those entries are
allocated with devm_kzalloc(), so they are device-managed resources and
must not be freed with kfree(). Manually freeing them in the error path
can lead to a double free when devres later releases the same memory.

Drop the manual kfree() loop and let devres handle the cleanup.

Fixes: 0ec6bd16705fe ("ASoC: sma1307: Add NULL check in sma1307_setting_loaded()")
Cc: stable@vger.kernel.org
Signed-off-by: Guangshuo Li <lgs201920130244@gmail.com>
---
v2:
  - Replace kfree() with devm_kfree() for mode_set[] error cleanup.
  - Clear released mode_set[] pointers after devm_kfree().

 sound/soc/codecs/sma1307.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/sound/soc/codecs/sma1307.c b/sound/soc/codecs/sma1307.c
index 4bb59e5c0891..5850bf6e71ca 100644
--- a/sound/soc/codecs/sma1307.c
+++ b/sound/soc/codecs/sma1307.c
@@ -1759,8 +1759,10 @@ static void sma1307_setting_loaded(struct sma1307_priv *sma1307, const char *fil
 				   sma1307->set.mode_size * 2 * sizeof(int),
 				   GFP_KERNEL);
 		if (!sma1307->set.mode_set[i]) {
-			for (int j = 0; j < i; j++)
-				kfree(sma1307->set.mode_set[j]);
+			for (int j = 0; j < i; j++) {
+				devm_kfree(sma1307->dev, sma1307->set.mode_set[j]);
+				sma1307->set.mode_set[j] = NULL;
+			}
 			sma1307->set.status = false;
 			return;
 		}
-- 
2.43.0


^ permalink raw reply related	[flat|nested] 3+ messages in thread
* Re: [PATCH v2] ASoC: sma1307: fix double free of devm_kzalloc() memory
  2026-03-13  4:06 [PATCH v2] ASoC: sma1307: fix double free of devm_kzalloc() memory Guangshuo Li
@ 2026-03-16  1:19 ` Mark Brown
  2026-03-16 17:52 ` Mark Brown
  1 sibling, 0 replies; 3+ messages in thread
From: Mark Brown @ 2026-03-16  1:19 UTC (permalink / raw)
  To: Kiseok Jo, Liam Girdwood, Jaroslav Kysela, Takashi Iwai,
	Chenyuan Yang, linux-sound, linux-kernel, Guangshuo Li
  Cc: stable

On Fri, 13 Mar 2026 12:06:11 +0800, Guangshuo Li wrote:
> ASoC: sma1307: fix double free of devm_kzalloc() memory

Applied to

   https://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound.git for-7.0

Thanks!

[1/1] ASoC: sma1307: fix double free of devm_kzalloc() memory
      https://git.kernel.org/broonie/sound/c/fe757092d232

All being well this means that it will be integrated into the linux-next
tree (usually sometime in the next 24 hours) and sent to Linus during
the next merge window (or sooner if it is a bug fix), however if
problems are discovered then the patch may be dropped or reverted.

You may get further e-mails resulting from automated or manual testing
and review of the tree, please engage with people reporting problems and
send followup patches addressing any issues that are reported if needed.

If any updates are required or you are submitting further changes they
should be sent as incremental updates against current git, existing
patches will not be replaced.

Please add any relevant lists and maintainers to the CCs when replying
to this mail.

Thanks,
Mark


^ permalink raw reply	[flat|nested] 3+ messages in thread
* Re: [PATCH v2] ASoC: sma1307: fix double free of devm_kzalloc() memory
  2026-03-13  4:06 [PATCH v2] ASoC: sma1307: fix double free of devm_kzalloc() memory Guangshuo Li
  2026-03-16  1:19 ` Mark Brown
@ 2026-03-16 17:52 ` Mark Brown
  1 sibling, 0 replies; 3+ messages in thread
From: Mark Brown @ 2026-03-16 17:52 UTC (permalink / raw)
  To: Kiseok Jo, Liam Girdwood, Jaroslav Kysela, Takashi Iwai,
	Chenyuan Yang, linux-sound, linux-kernel, Guangshuo Li
  Cc: stable

On Fri, 13 Mar 2026 12:06:11 +0800, Guangshuo Li wrote:
> A previous change added NULL checks and cleanup for allocation
> failures in sma1307_setting_loaded().
> 
> However, the cleanup for mode_set entries is wrong. Those entries are
> allocated with devm_kzalloc(), so they are device-managed resources and
> must not be freed with kfree(). Manually freeing them in the error path
> can lead to a double free when devres later releases the same memory.
> 
> [...]

Applied to

   https://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound.git for-next

Thanks!

[1/1] ASoC: sma1307: fix double free of devm_kzalloc() memory
      https://git.kernel.org/broonie/misc/c/fe757092d232

All being well this means that it will be integrated into the linux-next
tree (usually sometime in the next 24 hours) and sent to Linus during
the next merge window (or sooner if it is a bug fix), however if
problems are discovered then the patch may be dropped or reverted.

You may get further e-mails resulting from automated or manual testing
and review of the tree, please engage with people reporting problems and
send followup patches addressing any issues that are reported if needed.

If any updates are required or you are submitting further changes they
should be sent as incremental updates against current git, existing
patches will not be replaced.

Please add any relevant lists and maintainers to the CCs when replying
to this mail.

Thanks,
Mark


^ permalink raw reply	[flat|nested] 3+ messages in thread
end of thread, other threads:[~2026-03-16 17:52 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-03-13  4:06 [PATCH v2] ASoC: sma1307: fix double free of devm_kzalloc() memory Guangshuo Li
2026-03-16  1:19 ` Mark Brown
2026-03-16 17:52 ` Mark Brown

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox