[PATCH] ALSA: usb-audio: Fix memleak in scarlett2_add_new_ctl
When snd_usb_mixer_add_control() fails, elem needs to be freed just like when snd_ctl_new1() fails. However, current code is returning directly and ends up leaking memory.
Fixes: 9e4d5c1be21f0 ("ALSA: usb-audio: Scarlett Gen 2 mixer interface") Signed-off-by: Dinghao Liu dinghao.liu@zju.edu.cn --- sound/usb/mixer_scarlett_gen2.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/sound/usb/mixer_scarlett_gen2.c b/sound/usb/mixer_scarlett_gen2.c index 74c00c905d24..4b2da0866cdc 100644 --- a/sound/usb/mixer_scarlett_gen2.c +++ b/sound/usb/mixer_scarlett_gen2.c @@ -964,8 +964,10 @@ static int scarlett2_add_new_ctl(struct usb_mixer_interface *mixer, strlcpy(kctl->id.name, name, sizeof(kctl->id.name));
err = snd_usb_mixer_add_control(&elem->head, kctl); - if (err < 0) + if (err < 0) { + kfree(elem); return err; + }
if (kctl_return) *kctl_return = kctl;
On Fri, 07 Aug 2020 09:12:27 +0200, Dinghao Liu wrote:
When snd_usb_mixer_add_control() fails, elem needs to be freed just like when snd_ctl_new1() fails. However, current code is returning directly and ends up leaking memory.
No, this would lead to double-free. snd_ctl_add() shows a kind of special behavior, it already releases the object at its error path.
thanks,
Takashi
Fixes: 9e4d5c1be21f0 ("ALSA: usb-audio: Scarlett Gen 2 mixer interface") Signed-off-by: Dinghao Liu dinghao.liu@zju.edu.cn
sound/usb/mixer_scarlett_gen2.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/sound/usb/mixer_scarlett_gen2.c b/sound/usb/mixer_scarlett_gen2.c index 74c00c905d24..4b2da0866cdc 100644 --- a/sound/usb/mixer_scarlett_gen2.c +++ b/sound/usb/mixer_scarlett_gen2.c @@ -964,8 +964,10 @@ static int scarlett2_add_new_ctl(struct usb_mixer_interface *mixer, strlcpy(kctl->id.name, name, sizeof(kctl->id.name));
err = snd_usb_mixer_add_control(&elem->head, kctl);
- if (err < 0)
if (err < 0) {
kfree(elem);return err;
}
if (kctl_return) *kctl_return = kctl;
-- 2.17.1
"Takashi Iwai" <tiwai@suse.de>写道:
On Fri, 07 Aug 2020 09:12:27 +0200, Dinghao Liu wrote:
When snd_usb_mixer_add_control() fails, elem needs to be freed just like when snd_ctl_new1() fails. However, current code is returning directly and ends up leaking memory.
No, this would lead to double-free. snd_ctl_add() shows a kind of special behavior, it already releases the object at its error path.
It's clear to me, thanks!
Regards, Dinghao
participants (3)
-
Dinghao Liu -
dinghao.liu@zju.edu.cn
-
Takashi Iwai