In add_new_ctl(), a mixer element structure is allocated through kzalloc()
and the pointer is saved to 'elem'. Later on, a new alsa control element is
created and added to this structure. In case the add process fails, i.e.,
the return value of snd_usb_mixer_add_control() is less than 0, the
allocated structure is not freed, leading to a memory leak.
To fix the above issue, free 'elem' before returning the error.
Signed-off-by: Wenwen Wang <[email protected]>
---
sound/usb/mixer_scarlett.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/sound/usb/mixer_scarlett.c b/sound/usb/mixer_scarlett.c
index 83715fd..a6c028a 100644
--- a/sound/usb/mixer_scarlett.c
+++ b/sound/usb/mixer_scarlett.c
@@ -562,8 +562,10 @@ static int add_new_ctl(struct usb_mixer_interface *mixer,
strlcpy(kctl->id.name, name, sizeof(kctl->id.name));
err = snd_usb_mixer_add_control(&elem->head, kctl);
- if (err < 0)
+ if (err < 0) {
+ kfree(elem);
return err;
+ }
if (elem_ret)
*elem_ret = elem;
--
2.7.4
On Tue, 06 Aug 2019 08:13:06 +0200,
Wenwen Wang wrote:
>
> In add_new_ctl(), a mixer element structure is allocated through kzalloc()
> and the pointer is saved to 'elem'. Later on, a new alsa control element is
> created and added to this structure. In case the add process fails, i.e.,
> the return value of snd_usb_mixer_add_control() is less than 0, the
> allocated structure is not freed, leading to a memory leak.
>
> To fix the above issue, free 'elem' before returning the error.
>
> Signed-off-by: Wenwen Wang <[email protected]>
It's a false-positive. snd_ctl_add() behaves differently from others,
it releases the given kctl at the error. And in this case, elem
already gets freed by kctl->private_free callback.
thanks,
Takashi