ASoC: msm-lsm-client: free lsm client data in msm_lsm_close

Currently lsm client data is deallocated when q6lsm_open() fails
which can cause memory corruption if lsm client data is accessed
after freed. Fix this issue by deallocating the client data only
in msm_lsm_close().

Change-Id: If048c26a0ffd8a346a28622183cbf2ba1e7e5ff3
Signed-off-by: Vidyakumar Athota <vathota@codeaurora.org>
CVE-2015-8951
Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>

include/sound/q6lsm.h

@@ -46,6 +46,7 @@ struct lsm_client {
 	uint16_t	connect_to_port;
 	uint16_t	user_sensitivity;
 	uint16_t	kw_sensitivity;
+	bool		opened;
 	bool		started;
 	dma_addr_t	lsm_cal_phy_addr;
 	uint32_t	lsm_cal_size;

sound/soc/msm/qdsp6v2/msm-lsm-client.c

@@ -262,13 +262,13 @@ static int msm_lsm_open(struct snd_pcm_substream *substream)
 		kfree(prtd);
 		return -ENOMEM;
 	}
+	prtd->lsm_client->opened = false;
 	ret = q6lsm_open(prtd->lsm_client);
 	if (ret < 0) {
 		pr_err("%s: lsm open failed, %d\n", __func__, ret);
-		q6lsm_client_free(prtd->lsm_client);
-		kfree(prtd);
 		return ret;
 	}
+	prtd->lsm_client->opened = true;
 
 	pr_debug("%s: Session ID %d\n", __func__, prtd->lsm_client->session);
 	prtd->lsm_client->started = false;
@@ -311,7 +311,10 @@ static int msm_lsm_close(struct snd_pcm_substream *substream)
 				 __func__);
 	}
 
-	q6lsm_close(prtd->lsm_client);
+	if (prtd->lsm_client->opened) {
+		q6lsm_close(prtd->lsm_client);
+		prtd->lsm_client->opened = false;
+	}
 	q6lsm_client_free(prtd->lsm_client);
 
 	spin_lock_irqsave(&prtd->event_lock, flags);
@@ -319,6 +322,7 @@ static int msm_lsm_close(struct snd_pcm_substream *substream)
 	prtd->event_status = NULL;
 	spin_unlock_irqrestore(&prtd->event_lock, flags);
 	kfree(prtd);
+	runtime->private_data = NULL;
 
 	return 0;
 }