When snd_usb_mixer_add_control() fails, elem needs to be
freed just like when snd_ctl_new1() fails. However, current
code is returning directly and ends up leaking memory.
Fixes: 9e4d5c1be21f0 ("ALSA: usb-audio: Scarlett Gen 2 mixer interface")
Signed-off-by: Dinghao Liu <[email protected]>
---
sound/usb/mixer_scarlett_gen2.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/sound/usb/mixer_scarlett_gen2.c b/sound/usb/mixer_scarlett_gen2.c
index 74c00c905d24..4b2da0866cdc 100644
--- a/sound/usb/mixer_scarlett_gen2.c
+++ b/sound/usb/mixer_scarlett_gen2.c
@@ -964,8 +964,10 @@ static int scarlett2_add_new_ctl(struct usb_mixer_interface *mixer,
strlcpy(kctl->id.name, name, sizeof(kctl->id.name));
err = snd_usb_mixer_add_control(&elem->head, kctl);
- if (err < 0)
+ if (err < 0) {
+ kfree(elem);
return err;
+ }
if (kctl_return)
*kctl_return = kctl;
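Review bot: The added kfree(elem) in the err < 0 branch after snd_usb_mixer_add_control(&elem->head, kctl) looks like a double free rather than a leak fix: the reply in this thread states that snd_ctl_add() already releases the object at its error path. Suggest dropping this change and, if anything, adding a short comment at the bare `return err;` saying the failed add has already released elem, so the return is not mistaken for a leak again. The commit message compares this path with the snd_ctl_new1() failure path, which is not visible in the hunk, so it would help to state why the two paths have different ownership.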
--
2.17.1
On Fri, 07 Aug 2020 09:12:27 +0200,
Dinghao Liu wrote:
>
> When snd_usb_mixer_add_control() fails, elem needs to be
> freed just like when snd_ctl_new1() fails. However, current
> code is returning directly and ends up leaking memory.
No, this would lead to double-free. snd_ctl_add() shows a kind of
special behavior, it already releases the object at its error path.
thanks,
Takashi
>
> Fixes: 9e4d5c1be21f0 ("ALSA: usb-audio: Scarlett Gen 2 mixer interface")
> Signed-off-by: Dinghao Liu <[email protected]>
> ---
> sound/usb/mixer_scarlett_gen2.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/sound/usb/mixer_scarlett_gen2.c b/sound/usb/mixer_scarlett_gen2.c
> index 74c00c905d24..4b2da0866cdc 100644
> --- a/sound/usb/mixer_scarlett_gen2.c
> +++ b/sound/usb/mixer_scarlett_gen2.c
> @@ -964,8 +964,10 @@ static int scarlett2_add_new_ctl(struct usb_mixer_interface *mixer,
> strlcpy(kctl->id.name, name, sizeof(kctl->id.name));
>
> err = snd_usb_mixer_add_control(&elem->head, kctl);
> - if (err < 0)
> + if (err < 0) {
> + kfree(elem);
> return err;
> + }
>
> if (kctl_return)
> *kctl_return = kctl;
> --
> 2.17.1
>
"Takashi Iwai" <[email protected]> wrote:
> On Fri, 07 Aug 2020 09:12:27 +0200,
> Dinghao Liu wrote:
> >
> > When snd_usb_mixer_add_control() fails, elem needs to be
> > freed just like when snd_ctl_new1() fails. However, current
> > code is returning directly and ends up leaking memory.
>
> No, this would lead to double-free. snd_ctl_add() shows a kind of
> special behavior, it already releases the object at its error path.
>
It's clear to me, thanks!
Regards,
Dinghao
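
A userspace model of the ownership rule described in the reply above, as an added example that is not code from the thread or from the kernel: it assumes the failing add releases elem through a callback on the control, and all names (model_ctl_add, model_kfree, run_case) are hypothetical. Releases are counted instead of performed, so the second release shows up as a number rather than as memory corruption.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed userspace model; every name here is hypothetical. */
struct elem { int releases; };   /* counts release attempts */
struct ctl { struct elem *priv; void (*private_free)(struct ctl *); };

/* Stand-in for kfree(): counts releases so a second one is observable. */
static void model_kfree(struct elem *e) { e->releases++; }
static void elem_private_free(struct ctl *c) { model_kfree(c->priv); }

/* Release a control: run its callback, then free the control itself. */
static void model_ctl_release(struct ctl *c)
{
    if (c->private_free)
        c->private_free(c);
    free(c);
}

/* Assumed model: an add function that consumes the control on failure. */
static int model_ctl_add(struct ctl *c, int fail)
{
    if (!fail)
        return 0;
    model_ctl_release(c);
    return -1;
}

/* Returns how many times elem was released for one add attempt. */
static int run_case(int patched, int fail)
{
    struct elem e = { 0 };
    struct ctl *c = malloc(sizeof(*c));
    if (!c)
        return -1;
    c->priv = &e;
    c->private_free = elem_private_free;
    if (model_ctl_add(c, fail) == 0)
        model_ctl_release(c);   /* success: normal teardown later */
    else if (patched)
        model_kfree(&e);        /* the extra release from the patch */
    return e.releases;
}

int main(void)
{
    printf("unpatched=%d patched=%d\n", run_case(0, 1), run_case(1, 1));
    return 0;
}
```

On the failure path run_case() reports one release without the extra call and two with it; on the success path both variants report one.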