On Sun, 27 Oct 2019 20:12:04 +0100, Navid Emamdoost wrote:
In the implementation of snd_korg1212_create() the allocated memory for korg1212 is leaked in cases of error. Release korg1212 via snd_korg1212_free() if either of these calls fail: snd_korg1212_downloadDSPCode(), snd_pcm_new(), or snd_ctl_add().
This also leads to the double-free. The code path is after snd_device_new() which has its own destructor callback.
thanks,
Takashi
Signed-off-by: Navid Emamdoost navid.emamdoost@gmail.com
sound/pci/korg1212/korg1212.c | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/sound/pci/korg1212/korg1212.c b/sound/pci/korg1212/korg1212.c index 0d81eac0a478..e976e857d915 100644 --- a/sound/pci/korg1212/korg1212.c +++ b/sound/pci/korg1212/korg1212.c @@ -2367,8 +2367,10 @@ static int snd_korg1212_create(struct snd_card *card, struct pci_dev *pci,
mdelay(CARD_BOOT_DELAY_IN_MS);
if (snd_korg1212_downloadDSPCode(korg1212))
if (snd_korg1212_downloadDSPCode(korg1212)) {
snd_korg1212_free(korg1212); return -EBUSY;
}
K1212_DEBUG_PRINTK("korg1212: dspMemPhy = %08x U[%08x], " "PlayDataPhy = %08x L[%08x]\n"
@@ -2383,8 +2385,11 @@ static int snd_korg1212_create(struct snd_card *card, struct pci_dev *pci, korg1212->RoutingTablePhy, LowerWordSwap(korg1212->RoutingTablePhy), korg1212->AdatTimeCodePhy, LowerWordSwap(korg1212->AdatTimeCodePhy));
if ((err = snd_pcm_new(korg1212->card, "korg1212", 0, 1, 1, &korg1212->pcm)) < 0)
err = snd_pcm_new(korg1212->card, "korg1212", 0, 1, 1, &korg1212->pcm);
if (err < 0) {
snd_korg1212_free(korg1212); return err;
}
korg1212->pcm->private_data = korg1212; korg1212->pcm->private_free = snd_korg1212_free_pcm;
@@ -2398,8 +2403,10 @@ static int snd_korg1212_create(struct snd_card *card, struct pci_dev *pci,
for (i = 0; i < ARRAY_SIZE(snd_korg1212_controls); i++) { err = snd_ctl_add(korg1212->card, snd_ctl_new1(&snd_korg1212_controls[i], korg1212));
if (err < 0)
if (err < 0) {
snd_korg1212_free(korg1212); return err;
} } snd_korg1212_proc_init(korg1212);
-- 2.17.1