diff mbox series

sound:Fix a memory leak in snd_ctl_elem_add_compat function

Message ID 20240323092712.685675-1-lumingyindetect@163.com (mailing list archive)
State New, archived
Headers show
Series sound:Fix a memory leak in snd_ctl_elem_add_compat function | expand

Commit Message

LuMingYin March 23, 2024, 9:27 a.m. UTC 
In the function snd_ctl_elem_add_compat defined in /linux/sound/core/control_compat.c, a pointer named data is declared. This pointer allocates a block of dynamic memory using the kzalloc function at line 354. When the if statement at line 355 returns false, it indicates successful allocation of the dynamic memory area pointed to by data. However, when the if statements at lines 359 or 362 are true, the program will not execute the snd_ctl_elem_add(file, data, replace); operation at line 389 and will return directly. During this process, the dynamic memory area pointed to by data is neither freed nor used, leading to a memory leak bug. This commit fixes the aforementioned memory leak issue.

Signed-off-by: LuMingYin <lumingyindetect@163.com>
---
 sound/core/control_compat.c | 20 +++++++++++++++-----
 1 file changed, 15 insertions(+), 5 deletions(-)

Comments

Takashi Iwai March 23, 2024, 9:31 a.m. UTC | #1 
On Sat, 23 Mar 2024 10:27:12 +0100,
LuMingYin wrote:
> 
> In the function snd_ctl_elem_add_compat defined in /linux/sound/core/control_compat.c, a pointer named data is declared. This pointer allocates a block of dynamic memory using the kzalloc function at line 354. When the if statement at line 355 returns false, it indicates successful allocation of the dynamic memory area pointed to by data. However, when the if statements at lines 359 or 362 are true, the program will not execute the snd_ctl_elem_add(file, data, replace); operation at line 389 and will return directly. During this process, the dynamic memory area pointed to by data is neither freed nor used, leading to a memory leak bug. This commit fixes the aforementioned memory leak issue.
> 
> Signed-off-by: LuMingYin <lumingyindetect@163.com>

Ditto as another mail, it's automatically freed.


Takashi
diff mbox series

Patch

diff --git a/sound/core/control_compat.c b/sound/core/control_compat.c
index 934bb945e702..685f88e2835a 100644
--- a/sound/core/control_compat.c
+++ b/sound/core/control_compat.c
@@ -357,29 +357,39 @@  static int snd_ctl_elem_add_compat(struct snd_ctl_file *file,
 
 	/* id, type, access, count */ \
 	if (copy_from_user(&data->id, &data32->id, sizeof(data->id)) ||
-	    copy_from_user(&data->type, &data32->type, 3 * sizeof(u32)))
+	    copy_from_user(&data->type, &data32->type, 3 * sizeof(u32))){
+		kfree(data);
 		return -EFAULT;
-	if (get_user(data->owner, &data32->owner))
+		}
+	if (get_user(data->owner, &data32->owner)){
+		kfree(data);
 		return -EFAULT;
+	}
 	switch (data->type) {
 	case SNDRV_CTL_ELEM_TYPE_BOOLEAN:
 	case SNDRV_CTL_ELEM_TYPE_INTEGER:
 		if (get_user(data->value.integer.min, &data32->value.integer.min) ||
 		    get_user(data->value.integer.max, &data32->value.integer.max) ||
-		    get_user(data->value.integer.step, &data32->value.integer.step))
+		    get_user(data->value.integer.step, &data32->value.integer.step)){
+			kfree(data);
 			return -EFAULT;
+		}
 		break;
 	case SNDRV_CTL_ELEM_TYPE_INTEGER64:
 		if (copy_from_user(&data->value.integer64,
 				   &data32->value.integer64,
-				   sizeof(data->value.integer64)))
+				   sizeof(data->value.integer64))){
+			kfree(data);
 			return -EFAULT;
+		}
 		break;
 	case SNDRV_CTL_ELEM_TYPE_ENUMERATED:
 		if (copy_from_user(&data->value.enumerated,
 				   &data32->value.enumerated,
-				   sizeof(data->value.enumerated)))
+				   sizeof(data->value.enumerated))){
+			kfree(data);
 			return -EFAULT;
+		}
 		data->value.enumerated.names_ptr =
 			(uintptr_t)compat_ptr(data->value.enumerated.names_ptr);
 		break;