Julia Lawall wrote:
The file sound/pci/ctxfi/ctpcm.c contains the functions ct_pcm_playback_open and ct_pcm_capture_open that contain the following pattern of code:
runtime->private_data = apcm;
... if (err < 0) { kfree(apcm); return err; }
I wonder if this leaves a dangling pointer to apcm in runtime?
The runtime structure contains data that is valid only while the substream is open; it is allocated by the ALSA framework before calling the open callback, and deallocated after calling the close callback (or if the open callback fails).
The function ct_atc_pcm_free_substream on the other hand does set the private_data field to NULL after freeing apcm.
This is superfluous.
But perhaps there is something in the calling context of open that ensures that if the open function fails, the private_data field of runtime will never be used?
If the open callback fails, the close callback will not be called. However, the runtime->private_free callback, if set, will be called.
So there is indeed a dangling pointer.
Regards, Clemens