Discussion:
[PATCH 0/3] ASoC: some trivial fixups
Daniel Mack
2014-10-07 11:41:22 UTC
Here are some trivial fixes for minor issues that were spotted by
Coverity. Only compile-tested, but the issues are pretty obvious, and
the fixes are simple.

Applicable to the for-next branch of the asoc tree.

Thanks,
Daniel

Daniel Mack (3):
ASoC: core: fix use after free in snd_soc_remove_platform()
ASoC: soc-dapm: fix use after free
ASoC: 88pm860x-codec: Fix possibly missing string termination

sound/soc/codecs/88pm860x-codec.c | 2 +-
sound/soc/soc-core.c | 4 ++--
sound/soc/soc-dapm.c | 25 ++++++++++++++-----------
3 files changed, 17 insertions(+), 14 deletions(-)
--
2.1.0
Daniel Mack
2014-10-07 11:41:23 UTC
Coverity spotted a use-after-free condition in snd_soc_remove_platform().
Fix this by moving snd_soc_component_cleanup() after the debug print
statement which uses the component's string.

Signed-off-by: Daniel Mack <***@zonque.org>
---
sound/soc/soc-core.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/sound/soc/soc-core.c b/sound/soc/soc-core.c
index 3d8cff6..4c8f8a2 100644
--- a/sound/soc/soc-core.c
+++ b/sound/soc/soc-core.c
@@ -4192,10 +4192,10 @@ void snd_soc_remove_platform(struct snd_soc_platform *platform)
snd_soc_component_del_unlocked(&platform->component);
mutex_unlock(&client_mutex);

- snd_soc_component_cleanup(&platform->component);
-
dev_dbg(platform->dev, "ASoC: Unregistered platform '%s'\n",
platform->component.name);
+
+ snd_soc_component_cleanup(&platform->component);
}
EXPORT_SYMBOL_GPL(snd_soc_remove_platform);
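Review bot: the ordering requirement between the dev_dbg() that reads platform->component.name and the snd_soc_component_cleanup() call now at the end of the function is not documented in the code, so a later tidy-up could move the call back up and reintroduce the problem. A one-line comment above snd_soc_component_cleanup(&platform->component) saying it must stay last because the debug print still uses the component's name would protect the fix.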
--
2.1.0
Mark Brown
2014-10-07 12:12:45 UTC
Post by Daniel Mack
Coverity spotted a use-after-free condition in snd_soc_remove_platform().
Fix this by moving snd_soc_component_cleanup() after the debug print
statement which uses the component's string.
Applied, thanks.
Daniel Mack
2014-10-07 11:41:24 UTC
Coverity spotted the following possible use-after-free condition in
dapm_create_or_share_mixmux_kcontrol():

If kcontrol is NULL, and (wname_in_long_name && kcname_in_long_name)
validates to true, 'name' will be set to an allocated string, and be
freed a few lines later via the 'long_name' alias. 'name', however,
is used by dev_err() in case snd_ctl_add() fails.

Fix this by adding a jump label that frees 'long_name' at the end of
the function.

Signed-off-by: Daniel Mack <***@zonque.org>
---
sound/soc/soc-dapm.c | 25 ++++++++++++++-----------
1 file changed, 14 insertions(+), 11 deletions(-)

diff --git a/sound/soc/soc-dapm.c b/sound/soc/soc-dapm.c
index 2c456a3..c61cb9c 100644
--- a/sound/soc/soc-dapm.c
+++ b/sound/soc/soc-dapm.c
@@ -592,9 +592,9 @@ static int dapm_create_or_share_mixmux_kcontrol(struct snd_soc_dapm_widget *w,
int shared;
struct snd_kcontrol *kcontrol;
bool wname_in_long_name, kcname_in_long_name;
- char *long_name;
+ char *long_name = NULL;
const char *name;
- int ret;
+ int ret = 0;

prefix = soc_dapm_prefix(dapm);
if (prefix)
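Review bot: the "int ret = 0;" initializer in the declarations looks unnecessary, because in the visible hunks every "goto exit_free" is preceded by an assignment to ret and the final "return ret" follows "ret = dapm_kcontrol_add_widget(kcontrol, w)". Dropping it keeps the compiler's uninitialized-variable warning useful if another exit path is added later. The "long_name = NULL" initializer is a different case and should stay, since kfree(long_name) at exit_free is now also reached when no string was allocated.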
@@ -653,15 +653,17 @@ static int dapm_create_or_share_mixmux_kcontrol(struct snd_soc_dapm_widget *w,

kcontrol = snd_soc_cnew(&w->kcontrol_news[kci], NULL, name,
prefix);
- kfree(long_name);
- if (!kcontrol)
- return -ENOMEM;
+ if (!kcontrol) {
+ ret = -ENOMEM;
+ goto exit_free;
+ }
+
kcontrol->private_free = dapm_kcontrol_free;

ret = dapm_kcontrol_data_alloc(w, kcontrol);
if (ret) {
snd_ctl_free_one(kcontrol);
- return ret;
+ goto exit_free;
}

ret = snd_ctl_add(card, kcontrol);
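Review bot: the dapm_kcontrol_data_alloc() failure branch now splits its unwinding between an inline snd_ctl_free_one(kcontrol) and the new exit_free label, which makes it easy to miss one of the two when this path is edited. Either note in a short comment that exit_free only releases long_name and that kcontrol must be released before jumping, or move the kcontrol release behind its own label so all cleanup sits in one place at the end of the function.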
@@ -669,17 +671,18 @@ static int dapm_create_or_share_mixmux_kcontrol(struct snd_soc_dapm_widget *w,
dev_err(dapm->dev,
"ASoC: failed to add widget %s dapm kcontrol %s: %d\n",
w->name, name, ret);
- return ret;
+ goto exit_free;
}
}

ret = dapm_kcontrol_add_widget(kcontrol, w);
- if (ret)
- return ret;
+ if (ret == 0)
+ w->kcontrols[kci] = kcontrol;

- w->kcontrols[kci] = kcontrol;
+exit_free:
+ kfree(long_name);

- return 0;
+ return ret;
}

/* create new dapm mixer control */
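Review bot: the "if (ret == 0)" test after dapm_kcontrol_add_widget() inverts the error-first pattern that every other check in this function uses, and lets the success path fall through a label named exit_free. Writing it as "if (ret) goto exit_free;" followed by the unconditional "w->kcontrols[kci] = kcontrol;" keeps the style consistent, and a neutral label name such as out_free would better describe a label that is now reached on success as well.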
--
2.1.0
Mark Brown
2014-10-07 12:12:53 UTC
Post by Daniel Mack
Coverity spotted the following possible use-after-free condition in
Applied, thanks.
Daniel Mack
2014-10-07 11:41:25 UTC
Coverity spotted an issue with strncpy() in pm860x_codec_probe()
which does not take the \0 termination byte into account. Fix this
by making the buffers one byte larger so they can really accommodate
MAX_NAME_LEN bytes long strings.

Signed-off-by: Daniel Mack <***@zonque.org>
---
sound/soc/codecs/88pm860x-codec.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sound/soc/codecs/88pm860x-codec.c b/sound/soc/codecs/88pm860x-codec.c
index 4c3b0af..e88a6b6 100644
--- a/sound/soc/codecs/88pm860x-codec.c
+++ b/sound/soc/codecs/88pm860x-codec.c
@@ -146,7 +146,7 @@ struct pm860x_priv {
struct pm860x_det det;

int irq[4];
- unsigned char name[4][MAX_NAME_LEN];
+ unsigned char name[4][MAX_NAME_LEN+1];
};

/* -9450dB to 0dB in 150dB steps ( mute instead of -9450dB) */
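Review bot: enlarging name[4][MAX_NAME_LEN+1] only guarantees termination if the extra byte is already zero and the strncpy() in pm860x_codec_probe() keeps using MAX_NAME_LEN as its bound, and neither is visible or enforced in this hunk. Terminating explicitly after the copy, or bounding the copy with sizeof() of the destination row, would make the fix independent of how struct pm860x_priv is allocated. As a style point, kernel coding style puts spaces around the operator: "MAX_NAME_LEN + 1".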
--
2.1.0
Mark Brown
2014-10-07 12:13:37 UTC
Post by Daniel Mack
Coverity spotted an issue with strncpy() in pm860x_codec_probe()
which does not take the \0 termination byte into account. Fix this
by making the buffers one byte larger so they can really accommodate
MAX_NAME_LEN bytes long strings.
Applied, thanks.
