[PATCH] mISDN: Fix memory leak in dsp_hwec_enable()

Miaoqian Lin posted 1 patch 1 month ago
drivers/isdn/mISDN/dsp_hwec.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
[PATCH] mISDN: Fix memory leak in dsp_hwec_enable()
Posted by Miaoqian Lin 1 month ago
dsp_hwec_enable() allocates dup pointer by kstrdup(arg),
but then it updates dup variable by strsep(&dup, ",").
As a result when it calls kfree(dup), the dup variable may be
a modified pointer that no longer points to the original allocated
memory, causing a memory leak.

The issue is the same pattern as fixed in commit c6a502c22999
("mISDN: Fix memory leak in dsp_pipeline_build()").

Fixes: 9a4381618262 ("mISDN: Remove VLAs")
Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
---
 drivers/isdn/mISDN/dsp_hwec.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/drivers/isdn/mISDN/dsp_hwec.c b/drivers/isdn/mISDN/dsp_hwec.c
index 0b3f29195330..0cd216e28f00 100644
--- a/drivers/isdn/mISDN/dsp_hwec.c
+++ b/drivers/isdn/mISDN/dsp_hwec.c
@@ -51,14 +51,14 @@ void dsp_hwec_enable(struct dsp *dsp, const char *arg)
 		goto _do;
 
 	{
-		char *dup, *tok, *name, *val;
+		char *dup, *next, *tok, *name, *val;
 		int tmp;
 
-		dup = kstrdup(arg, GFP_ATOMIC);
+		dup = next = kstrdup(arg, GFP_ATOMIC);
 		if (!dup)
 			return;
 
-		while ((tok = strsep(&dup, ","))) {
+		while ((tok = strsep(&next, ","))) {
 			if (!strlen(tok))
 				continue;
 			name = strsep(&tok, "=");
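Review bot: The chained assignment `dup = next = kstrdup(arg, GFP_ATOMIC);` is the kind of multiple assignment that checkpatch flags under --strict. Assigning `dup` from kstrdup() and setting `next = dup;` after the `if (!dup)` check reads more clearly and keeps the NULL test next to the pointer that owns the allocation. The `kfree(dup)` that the commit message refers to falls outside this hunk's context, so it is worth confirming that nothing after the loop still expects `dup` to have been advanced. Also, the `while ((tok = strsep(&next, ",")))` loop only ends once strsep() has set its cursor to NULL, so the old code reached kfree() with NULL every time the loop ran to completion. The changelog could say the buffer was leaked on each such call instead of saying the pointer "may be" modified.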
-- 
2.39.5 (Apple Git-154)
Re: [PATCH] mISDN: Fix memory leak in dsp_hwec_enable()
Posted by Simon Horman 1 month ago
On Thu, Aug 28, 2025 at 04:14:57PM +0800, Miaoqian Lin wrote:
> dsp_hwec_enable() allocates dup pointer by kstrdup(arg),
> but then it updates dup variable by strsep(&dup, ",").
> As a result when it calls kfree(dup), the dup variable may be
> a modified pointer that no longer points to the original allocated
> memory, causing a memory leak.
> 
> The issue is the same pattern as fixed in commit c6a502c22999
> ("mISDN: Fix memory leak in dsp_pipeline_build()").

Thanks for noting this, it was quite helpful to me.

> 
> Fixes: 9a4381618262 ("mISDN: Remove VLAs")
> Signed-off-by: Miaoqian Lin <linmq006@gmail.com>

Reviewed-by: Simon Horman <horms@kernel.org>