2020-04-23 05:06:12

by Xiyu Yang

Subject: [PATCH] ALSA: usb-audio: Fix usb audio refcnt leak when getting spdif

snd_microii_spdif_default_get() invokes snd_usb_lock_shutdown(), which
increases the refcount of the snd_usb_audio object "chip".

When snd_microii_spdif_default_get() returns, local variable "chip"
becomes invalid, so the refcount should be decreased to keep refcount
balanced.

The reference counting issue happens in several exception handling paths
of snd_microii_spdif_default_get(). When those error scenarios occur,
such as usb_ifnum_to_if() returning NULL, the function forgets to decrease
the refcnt increased by snd_usb_lock_shutdown(), causing a refcnt leak.

Fix this issue by jumping to "end" label when those error scenarios
occur.

Signed-off-by: Xiyu Yang <[email protected]>
Signed-off-by: Xin Tan <[email protected]>
---
sound/usb/mixer_quirks.c | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/sound/usb/mixer_quirks.c b/sound/usb/mixer_quirks.c
index c237e24f08d9..0f072426b84c 100644
--- a/sound/usb/mixer_quirks.c
+++ b/sound/usb/mixer_quirks.c
@@ -1508,11 +1508,15 @@ static int snd_microii_spdif_default_get(struct snd_kcontrol *kcontrol,

/* use known values for that card: interface#1 altsetting#1 */
iface = usb_ifnum_to_if(chip->dev, 1);
- if (!iface || iface->num_altsetting < 2)
- return -EINVAL;
+ if (!iface || iface->num_altsetting < 2) {
+ err = -EINVAL;
+ goto end;
+ }
alts = &iface->altsetting[1];
- if (get_iface_desc(alts)->bNumEndpoints < 1)
- return -EINVAL;
+ if (get_iface_desc(alts)->bNumEndpoints < 1) {
+ err = -EINVAL;
+ goto end;
+ }
ep = get_endpoint(alts, 0)->bEndpointAddress;

err = snd_usb_ctl_msg(chip->dev,
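
Review bot: both new `goto end` paths (after the `!iface || iface->num_altsetting < 2` check and after the `bNumEndpoints < 1` check) rely on an `end` label that lies outside this hunk's context, so the fix cannot be verified from the visible lines alone. Please confirm that `end:` calls snd_usb_unlock_shutdown(chip) and then returns `err` rather than a fixed value, so the -EINVAL assigned here still reaches the caller. The commit message also carries no Fixes: tag naming the commit that introduced the early returns; adding one would make the stable backport straightforward.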
--
2.7.4


2020-04-23 07:13:11

by Takashi Iwai

Subject: Re: [PATCH] ALSA: usb-audio: Fix usb audio refcnt leak when getting spdif

On Thu, 23 Apr 2020 06:54:19 +0200,
Xiyu Yang wrote:
>
> snd_microii_spdif_default_get() invokes snd_usb_lock_shutdown(), which
> increases the refcount of the snd_usb_audio object "chip".
>
> When snd_microii_spdif_default_get() returns, local variable "chip"
> becomes invalid, so the refcount should be decreased to keep refcount
> balanced.
>
> The reference counting issue happens in several exception handling paths
> of snd_microii_spdif_default_get(). When those error scenarios occur,
> such as usb_ifnum_to_if() returning NULL, the function forgets to decrease
> the refcnt increased by snd_usb_lock_shutdown(), causing a refcnt leak.
>
> Fix this issue by jumping to "end" label when those error scenarios
> occur.
>
> Signed-off-by: Xiyu Yang <[email protected]>
> Signed-off-by: Xin Tan <[email protected]>

Applied now (with Cc-to-stable and Fixes tags).


thanks,

Takashi