On Sun, Jun 05, 2022 at 04:18:06PM -0700, Jared Kangas wrote:
gbaudio_dapm_free_controls() iterates over widgets using list_for_each_entry_safe(), which leaves the loop cursor pointing to a meaningless structure if it completes a traversal of the list. The cursor was set to NULL at the end of the loop body, but would be overwritten by the final loop cursor update.
Because of this behavior, the widget could be non-null after the loop even if the widget wasn't found, and the cleanup logic would treat the pointer as a valid widget to free.
To fix this, introduce a temporary variable to act as the loop cursor and copy it to a variable that can be accessed after the loop finishes.
This was detected with the help of Coccinelle.
This needs a Fixes tag.
Fixes: 510e340efe0c ("staging: greybus: audio: Add helper APIs for dynamic audio modules")
Otherwise, looks good!
Reviewed-by: Dan Carpenter dan.carpenter@oracle.com
regards, dan carpenter