On Wed, 2025-12-03 at 16:23 +0100, Greg Kroah-Hartman wrote:
5.10-stable review patch. If anyone has any objections, please let me know.
From: Srinivas Kandagatla srinivas.kandagatla@oss.qualcomm.com
commit fdbb53d318aa94a094434e5f226617f0eb1e8f22 upstream.
For some reason we ended up kfree between spinlock lock and unlock, which can sleep.
Move the kfree out of spinlock section.
Fixes: a2a5d30218fd ("ASoC: qdsp6: q6asm: Add support to memory map and unmap")
Cc: Stable@vger.kernel.org
Signed-off-by: Srinivas Kandagatla srinivas.kandagatla@oss.qualcomm.com
Link: https://patch.msgid.link/20251017085307.4325-2-srinivas.kandagatla@oss.qualc...
Signed-off-by: Mark Brown broonie@kernel.org
Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
sound/soc/qcom/qdsp6/q6asm.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/sound/soc/qcom/qdsp6/q6asm.c +++ b/sound/soc/qcom/qdsp6/q6asm.c @@ -376,9 +376,9 @@ static void q6asm_audio_client_free_buf( spin_lock_irqsave(&ac->lock, flags); port->num_periods = 0;
- spin_unlock_irqrestore(&ac->lock, flags); kfree(port->buf); port->buf = NULL;
- spin_unlock_irqrestore(&ac->lock, flags);
You are right to move the kfree(), but are you sure it's safe to also move the clearing of port->buf? It seems like this introduces a potential data race and UAF in q6asm_stream_callback().
Ben.
} /**
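Review bot: the assignment port->buf = NULL now runs after spin_unlock_irqrestore(&ac->lock, flags), so the buffer is freed and the pointer cleared with no lock held. Any path that reads port->buf under ac->lock (the reply above names q6asm_stream_callback()) can then observe a pointer to memory already passed to kfree(). Only the kfree() needs to leave the critical section: while still holding the lock, copy port->buf into a local variable and set port->buf = NULL, then unlock and call kfree() on the local copy.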