Commit fd0977d0 authored by Jesper Juhl's avatar Jesper Juhl Committed by Takashi Iwai

ALSA: asihpi - Unsafe memory management when allocating control cache

I noticed that sound/pci/asihpi/hpicmn.c::hpi_alloc_control_cache() does
not check the return value from kmalloc(), which may fail.
If kmalloc() fails we'll dereference a null pointer and things will go bad
fast.
There are two memory allocations in that function and there's also the
problem that the first may succeed and the second may fail and nothing is
done about that either which will also go wrong down the line.
Signed-off-by: default avatarJesper Juhl <jj@chaosbits.net>
Acked-by: default avatarEliot Blennerhassett <linux@audioscience.com>
Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
parent f7467452
......@@ -625,6 +625,8 @@ static short create_adapter_obj(struct hpi_adapter_obj *pao,
control_cache_size, (struct hpi_control_cache_info *)
&phw->control_cache[0]
);
if (!phw->p_cache)
pao->has_control_cache = 0;
} else
pao->has_control_cache = 0;
......
......@@ -644,6 +644,8 @@ static u16 create_adapter_obj(struct hpi_adapter_obj *pao,
interface->control_cache.size_in_bytes,
(struct hpi_control_cache_info *)
p_control_cache_virtual);
if (!phw->p_cache)
err = HPI_ERROR_MEMORY_ALLOC;
}
if (!err) {
err = hpios_locked_mem_get_phys_addr(&phw->
......
......@@ -571,14 +571,20 @@ struct hpi_control_cache *hpi_alloc_control_cache(const u32
{
struct hpi_control_cache *p_cache =
kmalloc(sizeof(*p_cache), GFP_KERNEL);
if (!p_cache)
return NULL;
p_cache->p_info =
kmalloc(sizeof(*p_cache->p_info) * number_of_controls,
GFP_KERNEL);
if (!p_cache->p_info) {
kfree(p_cache);
return NULL;
}
p_cache->cache_size_in_bytes = size_in_bytes;
p_cache->control_count = number_of_controls;
p_cache->p_cache =
(struct hpi_control_cache_single *)pDSP_control_buffer;
p_cache->init = 0;
p_cache->p_info =
kmalloc(sizeof(*p_cache->p_info) * p_cache->control_count,
GFP_KERNEL);
return p_cache;
}
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment