Received-SPF: pass (google.com: domain of linux-kernel+bounces-112277-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45d1:ec00::1 as permitted sender) client-ip=2604:1380:45d1:ec00::1;
From: LuMingYin <lumingyindetect@163.com>
To: linux-sound@vger.kernel.org,
	linux-kernel@vger.kernel.org
Cc: perex@perex.cz,
	tiwai@suse.com,
	minhuadotchen@gmail.com,
	LuMingYin <lumingyindetect@163.com>
Subject: [PATCH] sound:Fix a memory leak in snd_ctl_elem_add_compat function
Date: Sat, 23 Mar 2024 17:27:12 +0800
Message-Id: <20240323092712.685675-1-lumingyindetect@163.com>
Precedence: bulk
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

In the function snd_ctl_elem_add_compat defined in /linux/sound/core/control_compat.c, a pointer named data is declared. This pointer allocates a block of dynamic memory using the kzalloc function at line 354. When the if statement at line 355 returns false, it indicates successful allocation of the dynamic memory area pointed to by data. However, when the if statements at lines 359 or 362 are true, the program will not execute the snd_ctl_elem_add(file, data, replace); operation at line 389 and will return directly. During this process, the dynamic memory area pointed to by data is neither freed nor used, leading to a memory leak bug. This commit fixes the aforementioned memory leak issue.

Signed-off-by: LuMingYin <lumingyindetect@163.com>
---
 sound/core/control_compat.c | 20 +++++++++++++++-----
 1 file changed, 15 insertions(+), 5 deletions(-)

diff --git a/sound/core/control_compat.c b/sound/core/control_compat.c
index 934bb945e702..685f88e2835a 100644
--- a/sound/core/control_compat.c
+++ b/sound/core/control_compat.c
@@ -357,29 +357,39 @@ static int snd_ctl_elem_add_compat(struct snd_ctl_file *file,
 
 	/* id, type, access, count */ \
 	if (copy_from_user(&data->id, &data32->id, sizeof(data->id)) ||
-	    copy_from_user(&data->type, &data32->type, 3 * sizeof(u32)))
+	    copy_from_user(&data->type, &data32->type, 3 * sizeof(u32))){
+		kfree(data);
 		return -EFAULT;
-	if (get_user(data->owner, &data32->owner))
+		}
+	if (get_user(data->owner, &data32->owner)){
+		kfree(data);
 		return -EFAULT;
+	}
 	switch (data->type) {
 	case SNDRV_CTL_ELEM_TYPE_BOOLEAN:
 	case SNDRV_CTL_ELEM_TYPE_INTEGER:
 		if (get_user(data->value.integer.min, &data32->value.integer.min) ||
 		    get_user(data->value.integer.max, &data32->value.integer.max) ||
-		    get_user(data->value.integer.step, &data32->value.integer.step))
+		    get_user(data->value.integer.step, &data32->value.integer.step)){
+			kfree(data);
 			return -EFAULT;
+		}
 		break;
 	case SNDRV_CTL_ELEM_TYPE_INTEGER64:
 		if (copy_from_user(&data->value.integer64,
 				   &data32->value.integer64,
-				   sizeof(data->value.integer64)))
+				   sizeof(data->value.integer64))){
+			kfree(data);
 			return -EFAULT;
+		}
 		break;
 	case SNDRV_CTL_ELEM_TYPE_ENUMERATED:
 		if (copy_from_user(&data->value.enumerated,
 				   &data32->value.enumerated,
-				   sizeof(data->value.enumerated)))
+				   sizeof(data->value.enumerated))){
+			kfree(data);
 			return -EFAULT;
+		}
 		data->value.enumerated.names_ptr =
 			(uintptr_t)compat_ptr(data->value.enumerated.names_ptr);
 		break;
-- 
2.25.1