* [PATCH] ALSA: usx2y: fix a memory leak bug
@ 2019-04-28 6:42 ` Wenwen Wang
0 siblings, 0 replies; 7+ messages in thread
From: Wenwen Wang @ 2019-04-28 6:42 UTC (permalink / raw)
To: Wenwen Wang
Cc: Jaroslav Kysela, Takashi Iwai, Kees Cook, moderated list:SOUND,
open list
In usX2Y_In04_init(), a new urb is firstly created through usb_alloc_urb()
and saved to 'usX2Y->In04urb'. Then, a buffer is allocated through
kmalloc() and saved to 'usX2Y->In04Buf'. After the urb is initialized, a
sanity check is performed for the endpoint in the urb by invoking
usb_urb_ep_type_check(). If the check fails, the error code EINVAL will be
returned. In that case, however, the created urb and the allocated buffer
are not freed, leading to memory leaks.
To fix the above issue, free the urb and the buffer if the check fails.
Signed-off-by: Wenwen Wang <wang6495@umn.edu>
---
sound/usb/usx2y/usbusx2y.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/sound/usb/usx2y/usbusx2y.c b/sound/usb/usx2y/usbusx2y.c
index da4a5a5..0817018 100644
--- a/sound/usb/usx2y/usbusx2y.c
+++ b/sound/usb/usx2y/usbusx2y.c
@@ -303,8 +303,11 @@ int usX2Y_In04_init(struct usX2Ydev *usX2Y)
usX2Y->In04Buf, 21,
i_usX2Y_In04Int, usX2Y,
10);
- if (usb_urb_ep_type_check(usX2Y->In04urb))
+ if (usb_urb_ep_type_check(usX2Y->In04urb)) {
+ kfree(usX2Y->In04Buf);
+ usb_put_urb(usX2Y->In04urb);
return -EINVAL;
+ }
return usb_submit_urb(usX2Y->In04urb, GFP_KERNEL);
}
--
2.7.4
^ permalink raw reply related [flat|nested] 7+ messages in thread
* [PATCH] ALSA: usx2y: fix a memory leak bug
@ 2019-04-28 6:42 ` Wenwen Wang
0 siblings, 0 replies; 7+ messages in thread
From: Wenwen Wang @ 2019-04-28 6:42 UTC (permalink / raw)
To: Wenwen Wang; +Cc: open list, moderated list:SOUND, Takashi Iwai, Kees Cook
In usX2Y_In04_init(), a new urb is firstly created through usb_alloc_urb()
and saved to 'usX2Y->In04urb'. Then, a buffer is allocated through
kmalloc() and saved to 'usX2Y->In04Buf'. After the urb is initialized, a
sanity check is performed for the endpoint in the urb by invoking
usb_urb_ep_type_check(). If the check fails, the error code EINVAL will be
returned. In that case, however, the created urb and the allocated buffer
are not freed, leading to memory leaks.
To fix the above issue, free the urb and the buffer if the check fails.
Signed-off-by: Wenwen Wang <wang6495@umn.edu>
---
sound/usb/usx2y/usbusx2y.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/sound/usb/usx2y/usbusx2y.c b/sound/usb/usx2y/usbusx2y.c
index da4a5a5..0817018 100644
--- a/sound/usb/usx2y/usbusx2y.c
+++ b/sound/usb/usx2y/usbusx2y.c
@@ -303,8 +303,11 @@ int usX2Y_In04_init(struct usX2Ydev *usX2Y)
usX2Y->In04Buf, 21,
i_usX2Y_In04Int, usX2Y,
10);
- if (usb_urb_ep_type_check(usX2Y->In04urb))
+ if (usb_urb_ep_type_check(usX2Y->In04urb)) {
+ kfree(usX2Y->In04Buf);
+ usb_put_urb(usX2Y->In04urb);
return -EINVAL;
+ }
return usb_submit_urb(usX2Y->In04urb, GFP_KERNEL);
}
--
2.7.4
^ permalink raw reply related [flat|nested] 7+ messages in thread
* Re: [PATCH] ALSA: usx2y: fix a memory leak bug
2019-04-28 6:42 ` Wenwen Wang
(?)
@ 2019-04-28 7:18 ` Takashi Iwai
2019-04-29 5:36 ` Takashi Iwai
-1 siblings, 1 reply; 7+ messages in thread
From: Takashi Iwai @ 2019-04-28 7:18 UTC (permalink / raw)
To: Wenwen Wang; +Cc: moderated list:SOUND, Kees Cook, Jaroslav Kysela, open list
On Sun, 28 Apr 2019 08:42:32 +0200,
Wenwen Wang wrote:
>
> In usX2Y_In04_init(), a new urb is firstly created through usb_alloc_urb()
> and saved to 'usX2Y->In04urb'. Then, a buffer is allocated through
> kmalloc() and saved to 'usX2Y->In04Buf'. After the urb is initialized, a
> sanity check is performed for the endpoint in the urb by invoking
> usb_urb_ep_type_check(). If the check fails, the error code EINVAL will be
> returned. In that case, however, the created urb and the allocated buffer
> are not freed, leading to memory leaks.
>
> To fix the above issue, free the urb and the buffer if the check fails.
>
> Signed-off-by: Wenwen Wang <wang6495@umn.edu>
Applied now, thanks.
Takashi
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH] ALSA: usx2y: fix a memory leak bug
2019-04-28 7:18 ` Takashi Iwai
@ 2019-04-29 5:36 ` Takashi Iwai
2019-04-29 5:50 ` Wenwen Wang
0 siblings, 1 reply; 7+ messages in thread
From: Takashi Iwai @ 2019-04-29 5:36 UTC (permalink / raw)
To: Wenwen Wang; +Cc: moderated list:SOUND, Kees Cook, Jaroslav Kysela, open list
On Sun, 28 Apr 2019 09:18:40 +0200,
Takashi Iwai wrote:
>
> On Sun, 28 Apr 2019 08:42:32 +0200,
> Wenwen Wang wrote:
> >
> > In usX2Y_In04_init(), a new urb is firstly created through usb_alloc_urb()
> > and saved to 'usX2Y->In04urb'. Then, a buffer is allocated through
> > kmalloc() and saved to 'usX2Y->In04Buf'. After the urb is initialized, a
> > sanity check is performed for the endpoint in the urb by invoking
> > usb_urb_ep_type_check(). If the check fails, the error code EINVAL will be
> > returned. In that case, however, the created urb and the allocated buffer
> > are not freed, leading to memory leaks.
> >
> > To fix the above issue, free the urb and the buffer if the check fails.
> >
> > Signed-off-by: Wenwen Wang <wang6495@umn.edu>
>
> Applied now, thanks.
... and looking at the code again, this patch turned out to be wrong.
The in04 urb and transfer buffer are freed at card->private_free
callback (snd_usX2Y_card_private_free()) later, so this patch would
lead to double-free.
I dropped the patch now.
thanks,
Takashi
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH] ALSA: usx2y: fix a memory leak bug
2019-04-29 5:36 ` Takashi Iwai
@ 2019-04-29 5:50 ` Wenwen Wang
2019-04-29 6:42 ` Takashi Iwai
0 siblings, 1 reply; 7+ messages in thread
From: Wenwen Wang @ 2019-04-29 5:50 UTC (permalink / raw)
To: Takashi Iwai; +Cc: moderated list:SOUND, Kees Cook, Jaroslav Kysela, open list
On Mon, Apr 29, 2019 at 12:36 AM Takashi Iwai <tiwai@suse.de> wrote:
>
> On Sun, 28 Apr 2019 09:18:40 +0200,
> Takashi Iwai wrote:
> >
> > On Sun, 28 Apr 2019 08:42:32 +0200,
> > Wenwen Wang wrote:
> > >
> > > In usX2Y_In04_init(), a new urb is firstly created through usb_alloc_urb()
> > > and saved to 'usX2Y->In04urb'. Then, a buffer is allocated through
> > > kmalloc() and saved to 'usX2Y->In04Buf'. After the urb is initialized, a
> > > sanity check is performed for the endpoint in the urb by invoking
> > > usb_urb_ep_type_check(). If the check fails, the error code EINVAL will be
> > > returned. In that case, however, the created urb and the allocated buffer
> > > are not freed, leading to memory leaks.
> > >
> > > To fix the above issue, free the urb and the buffer if the check fails.
> > >
> > > Signed-off-by: Wenwen Wang <wang6495@umn.edu>
> >
> > Applied now, thanks.
>
> ... and looking at the code again, this patch turned out to be wrong.
> The in04 urb and transfer buffer are freed at card->private_free
> callback (snd_usX2Y_card_private_free()) later, so this patch would
> lead to double-free.
Thanks for your comment! Does that mean we should remove
usb_free_urb() in the if statement of allocating 'usX2Y->In04Buf',
because it may also lead to double free?
Wenwen
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH] ALSA: usx2y: fix a memory leak bug
2019-04-29 5:50 ` Wenwen Wang
@ 2019-04-29 6:42 ` Takashi Iwai
2019-04-29 6:44 ` Wenwen Wang
0 siblings, 1 reply; 7+ messages in thread
From: Takashi Iwai @ 2019-04-29 6:42 UTC (permalink / raw)
To: Wenwen Wang; +Cc: moderated list:SOUND, Kees Cook, Jaroslav Kysela, open list
On Mon, 29 Apr 2019 07:50:11 +0200,
Wenwen Wang wrote:
>
> On Mon, Apr 29, 2019 at 12:36 AM Takashi Iwai <tiwai@suse.de> wrote:
> >
> > On Sun, 28 Apr 2019 09:18:40 +0200,
> > Takashi Iwai wrote:
> > >
> > > On Sun, 28 Apr 2019 08:42:32 +0200,
> > > Wenwen Wang wrote:
> > > >
> > > > In usX2Y_In04_init(), a new urb is firstly created through usb_alloc_urb()
> > > > and saved to 'usX2Y->In04urb'. Then, a buffer is allocated through
> > > > kmalloc() and saved to 'usX2Y->In04Buf'. After the urb is initialized, a
> > > > sanity check is performed for the endpoint in the urb by invoking
> > > > usb_urb_ep_type_check(). If the check fails, the error code EINVAL will be
> > > > returned. In that case, however, the created urb and the allocated buffer
> > > > are not freed, leading to memory leaks.
> > > >
> > > > To fix the above issue, free the urb and the buffer if the check fails.
> > > >
> > > > Signed-off-by: Wenwen Wang <wang6495@umn.edu>
> > >
> > > Applied now, thanks.
> >
> > ... and looking at the code again, this patch turned out to be wrong.
> > The in04 urb and transfer buffer are freed at card->private_free
> > callback (snd_usX2Y_card_private_free()) later, so this patch would
> > lead to double-free.
>
> Thanks for your comment! Does that mean we should remove
> usb_free_urb() in the if statement of allocating 'usX2Y->In04Buf',
> because it may also lead to double free?
Yes, that's another superfluous code.
Takashi
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH] ALSA: usx2y: fix a memory leak bug
2019-04-29 6:42 ` Takashi Iwai
@ 2019-04-29 6:44 ` Wenwen Wang
0 siblings, 0 replies; 7+ messages in thread
From: Wenwen Wang @ 2019-04-29 6:44 UTC (permalink / raw)
To: Takashi Iwai
Cc: moderated list:SOUND, Kees Cook, Jaroslav Kysela, open list, Wenwen Wang
On Mon, Apr 29, 2019 at 1:42 AM Takashi Iwai <tiwai@suse.de> wrote:
>
> On Mon, 29 Apr 2019 07:50:11 +0200,
> Wenwen Wang wrote:
> >
> > On Mon, Apr 29, 2019 at 12:36 AM Takashi Iwai <tiwai@suse.de> wrote:
> > >
> > > On Sun, 28 Apr 2019 09:18:40 +0200,
> > > Takashi Iwai wrote:
> > > >
> > > > On Sun, 28 Apr 2019 08:42:32 +0200,
> > > > Wenwen Wang wrote:
> > > > >
> > > > > In usX2Y_In04_init(), a new urb is firstly created through usb_alloc_urb()
> > > > > and saved to 'usX2Y->In04urb'. Then, a buffer is allocated through
> > > > > kmalloc() and saved to 'usX2Y->In04Buf'. After the urb is initialized, a
> > > > > sanity check is performed for the endpoint in the urb by invoking
> > > > > usb_urb_ep_type_check(). If the check fails, the error code EINVAL will be
> > > > > returned. In that case, however, the created urb and the allocated buffer
> > > > > are not freed, leading to memory leaks.
> > > > >
> > > > > To fix the above issue, free the urb and the buffer if the check fails.
> > > > >
> > > > > Signed-off-by: Wenwen Wang <wang6495@umn.edu>
> > > >
> > > > Applied now, thanks.
> > >
> > > ... and looking at the code again, this patch turned out to be wrong.
> > > The in04 urb and transfer buffer are freed at card->private_free
> > > callback (snd_usX2Y_card_private_free()) later, so this patch would
> > > lead to double-free.
> >
> > Thanks for your comment! Does that mean we should remove
> > usb_free_urb() in the if statement of allocating 'usX2Y->In04Buf',
> > because it may also lead to double free?
>
> Yes, that's another superfluous code.
Thanks! I will rework the patch.
Wenwen
^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2019-04-29 6:45 UTC | newest]
Thread overview: 7+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-04-28 6:42 [PATCH] ALSA: usx2y: fix a memory leak bug Wenwen Wang
2019-04-28 6:42 ` Wenwen Wang
2019-04-28 7:18 ` Takashi Iwai
2019-04-29 5:36 ` Takashi Iwai
2019-04-29 5:50 ` Wenwen Wang
2019-04-29 6:42 ` Takashi Iwai
2019-04-29 6:44 ` Wenwen Wang
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.