Message ID | 20200807071229.9533-1-dinghao.liu@zju.edu.cn (mailing list archive) |
---|---|
State | New, archived |
Series | ALSA: usb-audio: Fix memleak in scarlett2_add_new_ctl |
On Fri, 07 Aug 2020 09:12:27 +0200, Dinghao Liu wrote: > > When snd_usb_mixer_add_control() fails, elem needs to be > freed just like when snd_ctl_new1() fails. However, current > code is returning directly and ends up leaking memory. No, this would lead to double-free. snd_ctl_add() shows a kind of special behavior, it already releases the object at its error path. thanks, Takashi > > Fixes: 9e4d5c1be21f0 ("ALSA: usb-audio: Scarlett Gen 2 mixer interface") > Signed-off-by: Dinghao Liu <dinghao.liu@zju.edu.cn> > --- > sound/usb/mixer_scarlett_gen2.c | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) > > diff --git a/sound/usb/mixer_scarlett_gen2.c b/sound/usb/mixer_scarlett_gen2.c > index 74c00c905d24..4b2da0866cdc 100644 > --- a/sound/usb/mixer_scarlett_gen2.c > +++ b/sound/usb/mixer_scarlett_gen2.c > @@ -964,8 +964,10 @@ static int scarlett2_add_new_ctl(struct usb_mixer_interface *mixer, > strlcpy(kctl->id.name, name, sizeof(kctl->id.name)); > > err = snd_usb_mixer_add_control(&elem->head, kctl); > - if (err < 0) > + if (err < 0) { > + kfree(elem); > return err; > + } > > if (kctl_return) > *kctl_return = kctl; > -- > 2.17.1 >
"Takashi Iwai" <tiwai@suse.de> wrote:
> On Fri, 07 Aug 2020 09:12:27 +0200,
> Dinghao Liu wrote:
> >
> > When snd_usb_mixer_add_control() fails, elem needs to be
> > freed just like when snd_ctl_new1() fails. However, current
> > code is returning directly and ends up leaking memory.
>
> No, this would lead to double-free. snd_ctl_add() shows a kind of
> special behavior, it already releases the object at its error path.
>

It's clear to me, thanks!

Regards,
Dinghao
diff --git a/sound/usb/mixer_scarlett_gen2.c b/sound/usb/mixer_scarlett_gen2.c index 74c00c905d24..4b2da0866cdc 100644 --- a/sound/usb/mixer_scarlett_gen2.c +++ b/sound/usb/mixer_scarlett_gen2.c @@ -964,8 +964,10 @@ static int scarlett2_add_new_ctl(struct usb_mixer_interface *mixer, strlcpy(kctl->id.name, name, sizeof(kctl->id.name)); err = snd_usb_mixer_add_control(&elem->head, kctl); - if (err < 0) + if (err < 0) { + kfree(elem); return err; + } if (kctl_return) *kctl_return = kctl;
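Review bot: the kfree(elem) in the new `if (err < 0) {` branch after snd_usb_mixer_add_control() frees an object that, according to the maintainer's reply in this thread, snd_ctl_add() has already released on its error path, so the branch turns the assumed leak into a double free. Drop the kfree() and keep the plain `return err;`. A short comment at that return, stating that the failed add has already released elem, would explain why this path differs from the snd_ctl_new1() failure path and keep the same change from being proposed again.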
When snd_usb_mixer_add_control() fails, elem needs to be
freed just like when snd_ctl_new1() fails. However, current
code is returning directly and ends up leaking memory.

Fixes: 9e4d5c1be21f0 ("ALSA: usb-audio: Scarlett Gen 2 mixer interface")
Signed-off-by: Dinghao Liu <dinghao.liu@zju.edu.cn>
---
 sound/usb/mixer_scarlett_gen2.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
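The ownership rule described in the maintainer's reply (the add call releases the object on its own error path) can be checked with a small user-space model. This is an added example, not code from the patch or from the kernel: every name in it is hypothetical, the release through a destructor callback is an assumption of the model, and releases are counted rather than performed so that the second free is observable without undefined behaviour.

```c
#include <errno.h>

/* User-space model of "the add call consumes the object on failure".
 * All names are hypothetical stand-ins, not the ALSA API. */
struct elem { int releases; };            /* counts frees instead of freeing */
struct ctl {
    struct elem *private_data;
    void (*private_free)(struct ctl *);   /* destructor run when ctl is dropped */
};

static void elem_release(struct elem *e) { e->releases++; }
static void ctl_private_free(struct ctl *c) { elem_release(c->private_data); }

/* Model of the registration call: on failure it destroys the control,
 * which also releases the element attached to it (assumed mechanism). */
static int ctl_add(struct ctl *c, int force_fail)
{
    if (!force_fail)
        return 0;
    if (c->private_free)
        c->private_free(c);
    return -EBUSY;
}

/* Caller shaped like the unpatched code: return the error, do not free. */
static int add_ctl_unpatched(struct elem *e, int force_fail)
{
    struct ctl c = { .private_data = e, .private_free = ctl_private_free };
    return ctl_add(&c, force_fail);
}

/* Caller shaped like the proposed patch: free again after the failed add. */
static int add_ctl_patched(struct elem *e, int force_fail)
{
    struct ctl c = { .private_data = e, .private_free = ctl_private_free };
    int err = ctl_add(&c, force_fail);
    if (err < 0) {
        elem_release(e);                  /* second release of the same object */
        return err;
    }
    return 0;
}

/* How many times the element is released when the add call fails. */
int releases_on_failure(int patched)
{
    struct elem e = { 0 };
    int err = patched ? add_ctl_patched(&e, 1) : add_ctl_unpatched(&e, 1);
    return err < 0 ? e.releases : -1;
}

int main(void) { return !(releases_on_failure(0) == 1 && releases_on_failure(1) == 2); }
```

In the model the unpatched caller releases the element exactly once on failure, while the patched caller releases it twice, which in real code is the double free the reply warns about.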