2019-08-06 06:14:43

by Wenwen Wang

[permalink] [raw]
Subject: [PATCH] ALSA: usb-audio: fix a memory leak bug

In add_new_ctl(), a mixer element structure is allocated through kzalloc()
and the pointer is saved to 'elem'. Later on, a new alsa control element is
created and added to this structure. In case the add process fails, i.e.,
the return value of snd_usb_mixer_add_control() is less than 0, the
allocated structure is not freed, leading to a memory leak.

To fix the above issue, free 'elem' before returning the error.

Signed-off-by: Wenwen Wang <[email protected]>
---
sound/usb/mixer_scarlett.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/sound/usb/mixer_scarlett.c b/sound/usb/mixer_scarlett.c
index 83715fd..a6c028a 100644
--- a/sound/usb/mixer_scarlett.c
+++ b/sound/usb/mixer_scarlett.c
@@ -562,8 +562,10 @@ static int add_new_ctl(struct usb_mixer_interface *mixer,
strlcpy(kctl->id.name, name, sizeof(kctl->id.name));

err = snd_usb_mixer_add_control(&elem->head, kctl);
- if (err < 0)
+ if (err < 0) {
+ kfree(elem);
return err;
+ }

if (elem_ret)
*elem_ret = elem;
--
2.7.4


2019-08-06 06:41:22

by Takashi Iwai

[permalink] [raw]
Subject: Re: [PATCH] ALSA: usb-audio: fix a memory leak bug

On Tue, 06 Aug 2019 08:13:06 +0200,
Wenwen Wang wrote:
>
> In add_new_ctl(), a mixer element structure is allocated through kzalloc()
> and the pointer is saved to 'elem'. Later on, a new alsa control element is
> created and added to this structure. In case the add process fails, i.e.,
> the return value of snd_usb_mixer_add_control() is less than 0, the
> allocated structure is not freed, leading to a memory leak.
>
> To fix the above issue, free 'elem' before returning the error.
>
> Signed-off-by: Wenwen Wang <[email protected]>

It's a false-positive. snd_ctl_add() behaves differently from others,
it releases the given kctl at the error. And in this case, elem
already gets freed by kctl->private_free callback.


thanks,

Takashi