Message ID | YHBJ4frGxErWB182@mwanda (mailing list archive) |
---|---|
State | New, archived |
Series | [1/2,v2] ALSA: control - double free in snd_ctl_led_init() |
On 09. 04. 21 at 14:34, Dan Carpenter wrote:
> "group - 1" was intended here instead of "group". The current error
> handling will double free the first item in the array and leak the last
> item.
>
> Fixes: cb17fe0045aa ("ALSA: control - add sysfs support to the LED trigger module")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>

Reviewed-by: Jaroslav Kysela <perex@perex.cz>

> ---
> v2: The first patch wasn't right. It fixed the leak but left the double
> free.
>
> sound/core/control_led.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/sound/core/control_led.c b/sound/core/control_led.c > index d756a52e58db..93b201063c7d 100644 > --- a/sound/core/control_led.c > +++ b/sound/core/control_led.c > @@ -734,7 +734,7 @@ static int __init snd_ctl_led_init(void) > if (device_add(&led->dev)) { > put_device(&led->dev); > for (; group > 0; group--) { > - led = &snd_ctl_leds[group]; > + led = &snd_ctl_leds[group - 1]; > device_del(&led->dev); > } > device_del(&snd_ctl_led_dev); >
On Fri, 09 Apr 2021 14:34:41 +0200, Dan Carpenter wrote:
>
> "group - 1" was intended here instead of "group". The current error
> handling will double free the first item in the array and leak the last
> item.
>
> Fixes: cb17fe0045aa ("ALSA: control - add sysfs support to the LED trigger module")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> ---
> v2: The first patch wasn't right. It fixed the leak but left the double
> free.

Applied now. Thanks.

Takashi
diff --git a/sound/core/control_led.c b/sound/core/control_led.c index d756a52e58db..93b201063c7d 100644 --- a/sound/core/control_led.c +++ b/sound/core/control_led.c @@ -734,7 +734,7 @@ static int __init snd_ctl_led_init(void) if (device_add(&led->dev)) { put_device(&led->dev); for (; group > 0; group--) { - led = &snd_ctl_leds[group]; + led = &snd_ctl_leds[group - 1]; device_del(&led->dev); } device_del(&snd_ctl_led_dev);
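Review bot: In the unwind loop of snd_ctl_led_init(), the entries that were added successfully get only device_del(&led->dev), while the entry whose device_add() failed gets put_device(&led->dev); nothing in the visible lines drops the reference on the earlier devices or on snd_ctl_led_dev after device_del(). If each of these devices still holds its initial reference at this point, the error path keeps leaking them after the index fix, so consider device_unregister() (which is device_del() followed by put_device()) for both calls, or confirm that the references are released elsewhere. A smaller style point on the same loop: `while (group-- > 0) { led = &snd_ctl_leds[group]; ... }` keeps the bound and the index in one expression and avoids the `group` versus `group - 1` mismatch that this patch corrects.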
"group - 1" was intended here instead of "group". The current error
handling will double free the first item in the array and leak the last
item.

Fixes: cb17fe0045aa ("ALSA: control - add sysfs support to the LED trigger module")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
v2: The first patch wasn't right. It fixed the leak but left the double
free.

sound/core/control_led.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)